Can't access some websites using IPv6 tunnel from LAN

Question

My router (running Ubuntu Linux) is dual-stack, dual ethernet. The router's WAN interface is configured with IPv4 PPPoE to my ISP. Hurricane Electric gives me an IPv6 tunnel which is working on the router. The router's LAN interface is connected to a PC running Ubuntu Linux. This is also configured as dual stack.

From the router, there is no issue. I can ping any public IPv4 or IPv6 address on the internet, and visit any website (I have tested this using elinks).

From the PC, I can also ping any IPv4 or IPv6 address on the internet. However, there are several websites (for example, https://wiki.archlinux.org) which time out using any browser (e.g. Firefox, Chrome etc.), unless I disable IPv6 on the PC.

What kind of issue would be causing this?

Edit: I just tested again using elinks on the PC. It did eventually work after aboute a minute of "SSL negotiation". I suppose this could be the browser timing out on IPv6 and then choosing IPv4 instead.

Answer 1

The most common issue leading to the symptoms you describe is a misconfigured firewall somewhere on the path causing PMTU discovery to fail.

You can try tweaking the MTU setting on the tunnel itself. I believe the correct MTU setting for running 6in4 over PPPoE is 1476. Remember that you need to adjust the MTU setting on both ends of the tunnel. You can also experiment with lower values for the MTU setting on the tunnel. But don't go lower than 1280, which is the lowest value permitted by the IPv6 standard.

If changing the MTU on the tunnel doesn't help, you can try using ip6tables to lower the MSS on all TCP SYN packets forwarded through the router. I believe this command should work for that:

ip6tables -A FORWARD -p tcp --tcp-flags SYN SYN -j TCPMSS --set-mss 1220

I believe 1220 is the most reliable value to be using for the MSS.