Getting Squid and TPROXY with IPv6 working on CentOS 7

Solution 1:

I realize this is old, and I don't have a full answer to this myself, but, I'm doing something very similar to you, and have nearly identical symptoms.

First: test-ipv6.com appears to have updated itself somewhat recently to be able to handle a new type of error (it was broken earlier this year). Give it a test again.

In my case, it sent me to a URL that describes a problem that I seem to have: Path MTU Detection FAQ. They provide a URL you can use with cURL to do a PMTUD test, and then you can check your traffic using tcpdump or Wireshark.

When traffic is TPROXY'd over Squid, the IPv6 Path MTU Detection is not wholly working on your host. (I'm still working on why it's not working on my host, so I have no definitive solution).

A quick description:

  • ICMP is extremely important in IPv6. A lot of people want to block ICMP, and end up causing more harm than good.
  • If a packet is "too large" for your connection, the packet is dropped, and an ICMP type 2 ("Packet too large") message is supposed to be sent to the originating server, asking it to reduce the packet size and resend.
  • If the ICMP message doesn't make it to the server, the server keeps resending the large packet -- which is immediately dropped because it's too large.
  • This has been described as a "black hole" because the packets never reach their destination.

So you may want to make sure your firewall rules are set to accept ICMPv6 messages (see RFC4890 for a list of "needed" ICMP types).

In my case, I'm allowing ICMP messages, and still have the problem. I'm not quite ready to throw in the towel and just reduce my network's MTU (which is the nuclear option).
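The answer above suggests confirming with tcpdump or Wireshark whether ICMPv6 type 2 messages actually reach the host. The following added example (not part of the original answer) decodes one such message from a raw IPv6 frame, verifies its checksum, and reports the router that sent it, the advertised MTU and the original flow it refers to, so a captured message can be matched against the Squid connection; `build_packet_too_big` constructs a sample frame for offline use, and the decoder assumes no IPv6 extension headers sit between the base header and ICMPv6.

```python
import socket
import struct

IPV6_HDR_LEN = 40
ICMPV6_NEXT_HEADER = 58
ICMPV6_PACKET_TOO_BIG = 2  # "Packet Too Big", RFC 4443

def _ones_complement_checksum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_packet_too_big(frame: bytes) -> "dict | None":
    """Decode a raw IPv6 packet; return router/MTU/flow details if it is a valid ICMPv6 PTB."""
    if len(frame) < IPV6_HDR_LEN + 8:
        return None
    ver_flow, payload_len, nxt, _hlim = struct.unpack("!IHBB", frame[:8])
    # Assumption: ICMPv6 directly follows the base header (no extension headers).
    if ver_flow >> 28 != 6 or nxt != ICMPV6_NEXT_HEADER:
        return None
    src, dst = frame[8:24], frame[24:40]
    icmp = frame[IPV6_HDR_LEN:IPV6_HDR_LEN + payload_len]
    itype, code, _cksum, mtu = struct.unpack("!BBHI", icmp[:8])
    if itype != ICMPV6_PACKET_TOO_BIG or code != 0:
        return None
    # ICMPv6 checksum covers the pseudo-header (src, dst, length, next header) plus the message.
    pseudo = src + dst + struct.pack("!IxxxB", len(icmp), ICMPV6_NEXT_HEADER)
    if _ones_complement_checksum(pseudo + icmp) != 0:
        return None  # corrupt or truncated; the receiving host would discard it too
    inner = icmp[8:]  # as much of the invoking (too-large) packet as the router included
    if len(inner) < IPV6_HDR_LEN:
        return None
    return {
        "router": socket.inet_ntop(socket.AF_INET6, src),
        "mtu": mtu,
        "orig_src": socket.inet_ntop(socket.AF_INET6, inner[8:24]),
        "orig_dst": socket.inet_ntop(socket.AF_INET6, inner[24:40]),
    }

def build_packet_too_big(router: str, orig_src: str, orig_dst: str, mtu: int) -> bytes:
    """Construct a sample PTB frame (test data, not a real capture) for the decoder."""
    r, s, d = (socket.inet_pton(socket.AF_INET6, a) for a in (router, orig_src, orig_dst))
    inner = struct.pack("!IHBB", 0x60000000, 1460, 6, 64) + s + d + b"\x00" * 8
    body = struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + inner
    pseudo = r + s + struct.pack("!IxxxB", len(body), ICMPV6_NEXT_HEADER)
    body = body[:2] + struct.pack("!H", _ones_complement_checksum(pseudo + body)) + body[4:]
    return struct.pack("!IHBB", 0x60000000, len(body), ICMPV6_NEXT_HEADER, 64) + r + s + body
```

To run it against a real capture, feed the decoder the IPv6 bytes of each frame tcpdump writes (e.g. from a pcap read with the `struct`-based parser of your choice) and look for a PTB whose `orig_src`/`orig_dst` match the proxied connection; if none ever appears for a stalled transfer, the message is being dropped upstream of the host.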