#Vodafone #DSLite hat mir mal wieder ein Bein gestellt: Konnte von einem Standort eines Freundes meinen heimischen Server (Vodafone-Kabel, richtiger Dual Stack) via #WireGuard nur mit einem Bruchteil der Geschwindigkeit erreichen (ca. 3 Mbit/s). War über einen längeren Zeitraum konstant gleich beschissen. In umgekehrter Richtung war es bei Transfers ähnlich.

Tja, was hat geholfen? MTU auf 1300 setzen (war auf 1420 gesetzt). Immer dasselbe, ey! 😵‍💫 Hatten wir übrigens auch so mit #OpenVPN-Verbindungen auf der Arbeit von Dual-Stack-Lite-Anschlüssen wegen Home-Office. Aber da musste auch erst mal drauf kommen... denke vernünftiges Erreichbarkeit via #IPv6 hätte auch geholfen.

⚠️ Also: Habt ihr Internet via TV-Kabel (mit DS-Lite) und eure Netzverbindung lahmt oder ist unzuverlässig? Versucht es mit einer niedrigen MTU.

#DualStackLite #Network #MTU #DualStack #Internet

So it appears like, for the last ~months, my MTU configuration was REALLY wrong

Hinted by the immich longhorn replica not rebuilding, but I also didn't know, the extreme slowness of any service using a db cluster where the master node wasn't in the same region

I had put the slowness on the shoulders of packets hopping a lot between regions, but it turns out, it was just db requests maxing past the configured MTU value, silently dropping

Now that BOTH the wireguard and flannel MTU values are set properly, everything is so damn snappy

This feels like new skin

#homelab #selfhosted #selfhosting #wireguard #mtu #vpn #mesh #longhorn #immich #flannel #devops #linux #opensource #networking

For the last ~6 months, my immich Longhorn PVC wouldn't rebuild replicas across regions, and timeout instead

Today, I figured I had misplaced my MTU configuration for the Wireguard network under k3s...

So some packets were getting dropped silently...

Woops

#kubernetes #k3s #longhorn #network #networking #wireguard #wg #mesh #homelab #selfhosted #selfhosting #mtu

Когда 50 байт ломают весь CI: охота на MTU mismatch в Docker + OpenStack

Пятница, 17:40. Билд красный, GitLab живой, curl отвечает за полсекунды — а git clone из контейнера молча висит две минуты и падает. Все инструменты говорят «всё ОК». Виновник — 50 байт, о которых никто не подумал. Разобраться

https://habr.com/ru/articles/1013208/

#mtu #gitlab_runner #docker #сеть

Well, now I feel stupid. I finally figured out why, since upgrading to Debian 13/trixie, there are some websites I couldn't connect to, but only over IPv6, they work fine on their IPv4 address.

Fucking MTU.

I'd for a long time had an IPv4 iptables rule to force the MSS (maximum segment size) on outbound packets to `1400`. But I never put in an equivalent for IPv6.

I use 'jumbo packets' on the LAN between desktop and server, which means an MTU of 4088 (for that pair of NICs). So anything forwarded out was using an MSS of 4088 as well.

The issue only showed up for *some* sites, and only for IPv6, and only on 13/trixie because:

1. 13/trixie uses openssl 3.x, not the older version, which has slightly different cipher suites etc in the default config.
2. IPv6 addressing makes packets that little bit bigger.
3. I've only ever observed the issue with MS Azure/Edge hosts.

What was happening was that the first part of the "Server Hello" after a "Change Cipher Spec, Client Hello" from my end was being lost, as the TCP level packet was too large and fragmented... but the first fragment was too large for my PPP link.

So, added an ip6tables rule to do the set-mss thing as well, and now it works.

#Linux #IPv6 #MTU #MSS #openssl #msedge #azure