ipv4 ipv6 mtu mss size

In this case we have an gre tunnel inside an ikev2 tunnel inside an pppoe tunnel :-)


Get ipv4 mss with Linux host


Size 1339 error

ping -4 -n -c 2 -M do -s 1339 www.google.com
PING www.google.com (xxx.xxx.xxx.xxx) 1339(1367) bytes of data.
ping: local error: Message too long, mtu=1366
ping: local error: Message too long, mtu=1366

--- www.google.com ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1027ms

Size 1338 good

ping -4 -n -c 2 -M do -s 1338 www.google.com
PING www.google.com (xxx.xxx.xxx.xxx) 1338(1366) bytes of data.
76 bytes from xxx.xxx.xxx.xxx: icmp_seq=1 ttl=52 (truncated)
76 bytes from xxx.xxx.xxx.xxx: icmp_seq=2 ttl=52 (truncated)

--- www.google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 31.926/31.966/32.006/0.040 ms

How to calculate ipv4 mss

ICMPv4 header size ([IPv4 + ICMP] [20 +8]) = 28
MTU ([Size + ICMPv4] [1338 + 28]) = 1366
IPv4TCP header size ([IPv4 + TCP] [20 +20]) = 40
TCP-MSS ([MTU – IPv4TCP] [1366 – 40]) = 1326


Mikrotik ipv4 tcp-mss clamping example

/ip firewall mangle
add action=change-mss chain=forward new-mss=1326 passthrough=yes protocol=tcp src-address=xxx.xxx.xxx.xxx tcp-flags=syn tcp-mss=1327-65535
add action=change-mss chain=forward dst-address=xxx.xxx.xxx.xxx new-mss=1326 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1327-65535


Get ipv6 mss with Linux host


Size 1319 error

ping -6 -n -c 2 -M do -s 1319 www.google.com

PING www.google.com(xxx:xxx:xxx:xxx::xxx) 1319 data bytes

--- www.google.com ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1004ms

Size 1318 good

ping -6 -n -c 2 -M do -s 1318 www.google.com
PING www.google.com(xxx:xxx:xxx:xxx::xxx) 1318 data bytes
76 bytes from xxx:xxx:xxx:xxx::xxx: icmp_seq=1 ttl=52 (truncated)
76 bytes from xxx:xxx:xxx:xxx::xxx: icmp_seq=2 ttl=52 (truncated)

--- www.google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 31.501/31.733/31.966/0.292 ms

How to calculate ipv6 mss

ICMPv6 header size ([IPv6 + ICMP] [40 +8]) = 48
MTU ([Size + ICMPv6] [1318 + 48]) = 1366
IPv6TCP header size ([IPv6 + TCP] [40 +20]) = 60
TCP-MSS ([MTU – IPv6TCP] [1366 – 60]) = 1306


Mikrotik ipv6 tcp-mss clamping example

/ipv6 firewall mangle
add action=change-mss chain=forward new-mss=1306 passthrough=yes protocol=tcp src-address=xxx:xxx:xxx:xxx::xxx/120 tcp-flags=syn tcp-mss=1307-65535
add action=change-mss chain=forward dst-address=xxx:xxx:xxx:xxx::xxx/120 new-mss=1306 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1307-65535

Have fun!

linux kvm resize qcow2 Image

Here a very short howto

virsh shutdown kvm11111
qemu-img resize hd.qcow2 +10G
fdisk /dev/vda

Command (m for help): p

Command (m for help): d

Command (m for help): n

Do you want to remove the signature? [Y]es/[N]o: N

Command (m for help): w

boot a rescue image then run

e2fsck -f /dev/vda1

resize2fs /dev/vda1

Have fun!

ubuntu 18.04 netplan source routing

Hi

Here a source routing example if you have multiple networks connected on your linux host and want every ip address reachable on the internet.

network:
   version: 2
   renderer: networkd
   ethernets:
     ens3:
       dhcp4: no
       dhcp6: no
       accept-ra: no
       addresses: [81.94.xx.xx/28, "2a01:xxx:xxxx:xx::xx/64"]
       gateway4: 81.94.xx.xx
       gateway6: 2a01:xxx:xxxx:xx::x
       nameservers:
         addresses: [1.0.0.1]
     ens6:
       dhcp4: no
       dhcp6: no
       accept-ra: no
       addresses: [195.16.xxx.111/25]
       routes:
         - to: 195.16.xxx.x/25
           via: 195.16.xxx.gw
           table: 102
         - to: 0.0.0.0/0
           via: 195.16.xxx.gw
           table: 102
       routing-policy:
         - from: 195.16.xxx.111
           table: 102
         - to: 195.16.xxx.111
           table: 102

Have fun!

Debian on Barracuda NG F10 Firewall

Hi

While I was tearing down the firewall the CF-Slot jumped right into my eyes. Every Linux guy might think the same. :-)

So i debootstraped a CF-card made it bootable and right after the first try, bam, working.
The Hardware got freed from the propritary Linux OS and crappy tools and … Yes the backdoors, bugs and security holes, because you won’t get any free downloadable firmware updates. This is really annoying on Barracuda firewalls. It’s a shitty firewall. Every crappy TP-Link does the same things in production.

Have fun!