1
Sítě / Re:Netflix po IPv6 od Metronetu
« kdy: 19. 01. 2021, 09:56:11 »
Pouhá změna MTU pro ND mi nepomohla. Musel jsem sáhnout i na MTU rozhraní (jak fyzických, tak virtuálních - viz. výše).
Zobrazit příspěvky
Tato sekce Vám umožňuje zobrazit všechny příspěvky tohoto uživatele. Prosím uvědomte si, že můžete vidět příspěvky pouze z oblastí Vám přístupných.
2
Sítě / Re:Netflix po IPv6 od Metronetu
« kdy: 18. 01. 2021, 18:49:12 »
Tak ještě update...
ether2-5 - 1500
ether1 - 1492
vlan-848 - 1492
pppoe-metronet - 1472
ether2-5 - 1500
ether1 - 1492
vlan-848 - 1492
pppoe-metronet - 1472
3
Sítě / Re:Netflix po IPv6 od Metronetu
« kdy: 18. 01. 2021, 18:22:33 »
Tak MSS Clamping bohužel nepomohl. U postrouting pravidla se sice inkrementoval packet counter, ale funkčnosti to nijak nepomohlo. U output chainu pak packet counter zůstal na nule.
I přesto se mi však podařilo problém vyřešit. Pomohlo nastavení MTU 1472 na všechny LAN rozhraní.
Pro shrnutí tedy mám:
ether1: 1500
ether2-5: 1472
pppoe-metronet: 1492
vlan-848: 1500
Děkuji všem za rady.
Pokud by se našel někdo, kdo by měl nějakou teorii o tom, proč to takto funguje, a jak by to eventuálně šlo vyřešit lépe, tak jsem jedno ucho.
I přesto se mi však podařilo problém vyřešit. Pomohlo nastavení MTU 1472 na všechny LAN rozhraní.
Pro shrnutí tedy mám:
ether1: 1500
ether2-5: 1472
pppoe-metronet: 1492
vlan-848: 1500
Děkuji všem za rady.
Pokud by se našel někdo, kdo by měl nějakou teorii o tom, proč to takto funguje, a jak by to eventuálně šlo vyřešit lépe, tak jsem jedno ucho.
4
Sítě / Re:Netflix po IPv6 od Metronetu
« kdy: 17. 01. 2021, 10:20:59 »
Zapomněl jsem v commandu -6, ale výstup je stejný.
5
Sítě / Re:Netflix po IPv6 od Metronetu
« kdy: 17. 01. 2021, 09:59:04 »V "/ipv6 dhcp-client" má být pool-prefix-length=64 ?Pro klienty rozdávám /64. Když jsem měl 56, tak jsem nemohl advertisovat víc prefixů, přestože advertisovaný prefix musí být /64.
Já tam mám 56.
prefix-hint=::/56 mám také.
Jake je nakonec MTU na tom vytocenem PPPoE? Je to 1492?Ano. MTU na PPPoE je 1492. Zkoušel jsem i nižší hodnoty, ale nemělo to vliv na zhoršení/zlepšení funkčnosti.
Jinak pokud Vam to dela opakovane u nektere IPv6 adresy (neno nekolika adres), muzete sem, prosim, postnout plny vypiszaseknuteho spojeni s vyuzitimKód: [Vybrat]curl -v -6 --connect-to ::[ipv6-adresa-netflixu]:443 https://hostname-netflixu/...
Rozdil mezi timhle curlem a tim vasim je, ze tenhle by mel spravne nastavit SNI hlavicky, zatimco curl -H 'Host: ...' to nedela.
Diky.
Jediný rozdíl ve výstupu je ten, že když se nezasekne, tak mi netflix vrátí správný certifikát.
➜ curl -v --connect-to ::\[2a05:d018:76c:b685:e8ab:afd3:af51:3aed\]:443 https://www.netflix.com/browse
* Connecting to hostname: 2a05:d018:76c:b685:e8ab:afd3:af51:3aed
* Connecting to port: 443
* Trying 2a05:d018:76c:b685:e8ab:afd3:af51:3aed:443...
* Connected to 2a05:d018:76c:b685:e8ab:afd3:af51:3aed (2a05:d018:76c:b685:e8ab:afd3:af51:3aed) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
Takhle to vypadá, když projde až do konce (30-50 % případů):
➜ curl -v --connect-to ::\[2a05:d018:76c:b685:e8ab:afd3:af51:3aed\]:443 https://www.netflix.com/browse
* Connecting to hostname: 2a05:d018:76c:b685:e8ab:afd3:af51:3aed
* Connecting to port: 443
* Trying 2a05:d018:76c:b685:e8ab:afd3:af51:3aed:443...
* Connected to 2a05:d018:76c:b685:e8ab:afd3:af51:3aed (2a05:d018:76c:b685:e8ab:afd3:af51:3aed) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (
:* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=California; L=Los Gatos; O=Netflix, Inc.; OU=Operations; CN=www.netflix.com
* start date: Jan 13 00:00:00 2020 GMT
* expire date: Jan 13 12:00:00 2022 GMT
* subjectAltName: host "www.netflix.com" matched cert's "www.netflix.com"
* issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5620479aad80)
> GET /browse HTTP/2
> Host: www.netflix.com
> user-agent: curl/7.74.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 302
< server: nq_website_core-prod-release 7fbcf667-b89b-4823-91c2-f1ac133cc96e
< x-frame-options: DENY
< location: http://www.netflix.com/login?nextpage=https%3A%2F%2Fwww.netflix.com%2Fbrowse
< date: Sun, 17 Jan 2021 08:57:31 GMT
< via: 2 i-0d5c8db84109cf521 (eu-west-1)
< x-xss-protection: 1; mode=block; report=https://www.netflix.com/ichnaea/log/freeform/xssreport
< x-content-type-options: nosniff
< strict-transport-security: max-age=31536000
< x-originating-url: http://www.netflix.com/browse
< edge-control: no-cache, no-store
< cache-control: no-cache, no-store
< set-cookie: nfvdid=BQFmAAEBEP3jAxJpM4p7mnPQfDbKFcNAAsLsroG5p0G-fIJiTIF3A-OKZfPFNfOjXzhWQZEhwHIzgf_KaeCqACQxQkUCnsGvUUc4nqCvOdwZtT6SR7IXPQ%3D%3D; Domain=.netflix.com; Path=/; Max-Age=31536000
< x-netflix.nfstatus: 1_1
< set-cookie: memclid=c71b2f72-8fb7-41e0-b610-bd228c4515ef; Max-Age=31536000; Expires=Mon, 17 Jan 2022 08:57:31 GMT; Path=/; Domain=.netflix.com
< x-netflix.proxy.execution-time: 44
<
* Connection #0 to host 2a05:d018:76c:b685:e8ab:afd3:af51:3aed left intact
6
Sítě / Re:Netflix po IPv6 od Metronetu
« kdy: 16. 01. 2021, 23:07:39 »
Tak to vypadá, že se problémy vrátily. Nezlepšilo se nic.
Příkladám, ještě zbytek konfigurace IPv6. Nevim jestli nemůže být problém tam. Jsem IPv6 nováček.
Všechno až na ten jediný advertisovaný prefix mikrotik nastaví sám podle IPv6 prefixu získaného přes DHCPv6.
Addresses:
Address From Pool Interface Advertise
- LD fe80::7/64 pppoe-metronet no
- LD fe80::c6ad:34ff:fe33:7af2/64 vlan-848 no
- LD fe80::c6ad:34ff:fe33:7af2/64 ether1 no
- LD fe80::c6ad:34ff:fe33:7af3/64 bridge no
-D xxxx:yyyy:zzzz:ww00::/64 metronet-pool bridge yes
Routes (trochu mě tam mate ta unreachable route):
Dst. Address Gateway Distance
- DAS ::/0 pppoe-metronet reachable 1
- DASU xxxx:yyyy:zzzz:ww00::/56 1
- DAC xxxx:yyyy:zzzz:ww00::/64 bridge reachable 0
Zbytek statické konfigurace:
/ipv6 address
add address=::/64 advertise=yes disabled=no eui-64=no from-pool=metronet-pool interface=bridge no-dad=no
/ipv6 dhcp-client
add add-default-route=no dhcp-options="" disabled=no interface=pppoe-metronet pool-name=metronet-pool pool-prefix-length=64 prefix-hint=::/56 request=prefix use-peer-dns=no
/ipv6 nd
set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes disabled=no hop-limit=unspecified interface=bridge managed-address-configuration=no mtu=1492 other-configuration=no ra-delay=3s ra-interval=3m20s-10m ra-lifetime=30m reachable-time=unspecified retransmit-interval=unspecified
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
Příkladám, ještě zbytek konfigurace IPv6. Nevim jestli nemůže být problém tam. Jsem IPv6 nováček.
Všechno až na ten jediný advertisovaný prefix mikrotik nastaví sám podle IPv6 prefixu získaného přes DHCPv6.
Addresses:
Address From Pool Interface Advertise
- LD fe80::7/64 pppoe-metronet no
- LD fe80::c6ad:34ff:fe33:7af2/64 vlan-848 no
- LD fe80::c6ad:34ff:fe33:7af2/64 ether1 no
- LD fe80::c6ad:34ff:fe33:7af3/64 bridge no
-D xxxx:yyyy:zzzz:ww00::/64 metronet-pool bridge yes
Routes (trochu mě tam mate ta unreachable route):
Dst. Address Gateway Distance
- DAS ::/0 pppoe-metronet reachable 1
- DASU xxxx:yyyy:zzzz:ww00::/56 1
- DAC xxxx:yyyy:zzzz:ww00::/64 bridge reachable 0
Zbytek statické konfigurace:
/ipv6 address
add address=::/64 advertise=yes disabled=no eui-64=no from-pool=metronet-pool interface=bridge no-dad=no
/ipv6 dhcp-client
add add-default-route=no dhcp-options="" disabled=no interface=pppoe-metronet pool-name=metronet-pool pool-prefix-length=64 prefix-hint=::/56 request=prefix use-peer-dns=no
/ipv6 nd
set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes disabled=no hop-limit=unspecified interface=bridge managed-address-configuration=no mtu=1492 other-configuration=no ra-delay=3s ra-interval=3m20s-10m ra-lifetime=30m reachable-time=unspecified retransmit-interval=unspecified
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
7
Sítě / Re:Netflix po IPv6 od Metronetu
« kdy: 16. 01. 2021, 17:58:50 »
Zkusil jsem vypnout všechny drop pravidla, ale situace se nijak nezměnila.
8
Sítě / Re:Netflix po IPv6 od Metronetu
« kdy: 16. 01. 2021, 17:55:33 »
Firewall mám v defaultní konfiguraci. ICMPv6 tedy povolené je. Ping z internetu na PC normálně funguje. Na PC mám ip6tables prázdné.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" disabled=no dynamic=no list=bad_ipv6
add address=::1/128 comment="defconf: lo" disabled=no dynamic=no list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" disabled=no dynamic=no list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" disabled=no dynamic=no list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" disabled=no dynamic=no list=bad_ipv6
add address=100::/64 comment="defconf: discard only " disabled=no dynamic=no list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" disabled=no dynamic=no list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" disabled=no dynamic=no list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" disabled=no dynamic=no list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" disabled=no dynamic=no list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" disabled=no dynamic=no list=bad_ipv6
add address=::/104 comment="defconf: other" disabled=no dynamic=no list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" disabled=no dynamic=no list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" !connection-bytes !connection-limit !connection-mark !connection-rate connection-state=invalid !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-limit !headers !hop-limit \
!icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list !packet-mark !packet-size \
!per-connection-classifier !priority !protocol !random !src-address !src-address-list !src-mac-address !tcp-flags !time !tls-host
add action=accept chain=input comment="defconf: accept ICMPv6" !connection-bytes !connection-limit !connection-mark !connection-rate !connection-state !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-limit !headers !hop-limit \
!icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list !packet-mark !packet-size \
!per-connection-classifier !priority protocol=icmpv6 !random !src-address !src-address-list !src-mac-address !tcp-flags !time !tls-host
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" disabled=no in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=no
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" disabled=no src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" disabled=no dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" disabled=no hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" !connection-bytes !connection-limit !connection-mark !connection-rate !connection-state !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-limit !headers !hop-limit \
!icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list !packet-mark !packet-size \
!per-connection-classifier !priority protocol=icmpv6 !random !src-address !src-address-list !src-mac-address !tcp-flags !time !tls-host
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" disabled=no in-interface-list=!LAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" disabled=no dynamic=no list=bad_ipv6
add address=::1/128 comment="defconf: lo" disabled=no dynamic=no list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" disabled=no dynamic=no list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" disabled=no dynamic=no list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" disabled=no dynamic=no list=bad_ipv6
add address=100::/64 comment="defconf: discard only " disabled=no dynamic=no list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" disabled=no dynamic=no list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" disabled=no dynamic=no list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" disabled=no dynamic=no list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" disabled=no dynamic=no list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" disabled=no dynamic=no list=bad_ipv6
add address=::/104 comment="defconf: other" disabled=no dynamic=no list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" disabled=no dynamic=no list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" !connection-bytes !connection-limit !connection-mark !connection-rate connection-state=invalid !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-limit !headers !hop-limit \
!icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list !packet-mark !packet-size \
!per-connection-classifier !priority !protocol !random !src-address !src-address-list !src-mac-address !tcp-flags !time !tls-host
add action=accept chain=input comment="defconf: accept ICMPv6" !connection-bytes !connection-limit !connection-mark !connection-rate !connection-state !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-limit !headers !hop-limit \
!icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list !packet-mark !packet-size \
!per-connection-classifier !priority protocol=icmpv6 !random !src-address !src-address-list !src-mac-address !tcp-flags !time !tls-host
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" disabled=no in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=no
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" disabled=no src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" disabled=no dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" disabled=no hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" !connection-bytes !connection-limit !connection-mark !connection-rate !connection-state !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-limit !headers !hop-limit \
!icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list !packet-mark !packet-size \
!per-connection-classifier !priority protocol=icmpv6 !random !src-address !src-address-list !src-mac-address !tcp-flags !time !tls-host
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" disabled=no in-interface-list=!LAN
9
Sítě / Re:Netflix po IPv6 od Metronetu
« kdy: 16. 01. 2021, 17:23:40 »
...zasekne na TLS handshaku.
10
Sítě / Re:Netflix po IPv6 od Metronetu
« kdy: 16. 01. 2021, 17:02:01 »
Na VLAN mám 1500, na PPPoE jsem dal 1492, na ND taky 1492, ale stejně mám pocit, že to není ono. Už je to tedy mnohem lepší, a netrvá mi čtvrt hodiny dostat se na netflix. Nicméně když z terminálu zkusím pětkrát zavolat curl (viz. výše), tak se to třeba dvakrát až třikrát za
11
Sítě / Re:Netflix po IPv6 od Metronetu
« kdy: 16. 01. 2021, 12:48:14 »
Zatím to vypadá funkčně, ale to občas vypadalo i při špatném MTU. Budu to chvíli testovat a uvidím.
Ještě jsem si všiml, že mám hodnotu L2 MTU všude o 2 nižší oproti vám. Nemohlo by to taky dělat problémy?
Ještě jsem si všiml, že mám hodnotu L2 MTU všude o 2 nižší oproti vám. Nemohlo by to taky dělat problémy?
12
Sítě / Re:Netflix po IPv6 od Metronetu
« kdy: 16. 01. 2021, 12:35:49 »A teď vidím že máte /interface vlan MTU 1492.
Já tam mám 1500.
Takže na PPPoE klienta mám dát Max MTU 1454, a na VLAN + všechny ethernety dát 1500?
13
Sítě / Re:Netflix po IPv6 od Metronetu
« kdy: 16. 01. 2021, 12:14:07 »
Tak koukám, že pppoe-metronet si vždycky nastaví MTU o 20 nižší, než má vlan-848. V tom případě tedy nevím co kam nastavit, a jestli případně sahat na L2 MTU.
14
Sítě / Re:Netflix po IPv6 od Metronetu
« kdy: 16. 01. 2021, 11:32:48 »
Mám MikroTik RB750Gr3. Za ním je klasicky terminátor od cetinu.
Je klidně možné, že to bude způsobovat MTU. Mám v něm trochu zmatek. Ve smlouvě mám uvedeno 1492, které jsem nastavil pro vlan-848, ale pppoe-metronet si ho automaticky nastaví na 1472. Pak jsem na ether1 nechal defaultních 1500. Mám tedy všude dát 1472, aby to sedělo s PPPoE klientem, nebo 1492, což říká technická specifikace metronetu? A mám ho případně nastavit i na ostatní rozhraní (ether2-5)?
Přikládám konfiguraci:
/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 default-route-distance=1 dial-on-demand=no disabled=no interface=vlan-848 keepalive-timeout=10 max-mru=auto max-mtu=auto mrru=disabled name=pppoe-metronet password=metronet profile=default \
service-name="" use-peer-dns=no user=metronet
/queue interface
set pppoe-metronet queue=no-queue
/interface vlan
add arp=enabled arp-timeout=auto disabled=no interface=ether1 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=1492 name=vlan-848 use-service-tag=no vlan-id=848
/queue interface
set vlan-848 queue=no-queue
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1596 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=C4:AD:34:33:7A:F2 mtu=1500 name=ether1 orig-mac-address=C4:AD:34:33:7A:F2 rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1596 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=C4:AD:34:33:7A:F3 mtu=1500 name=ether2 orig-mac-address=C4:AD:34:33:7A:F3 rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1596 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=C4:AD:34:33:7A:F4 mtu=1500 name=ether3 orig-mac-address=C4:AD:34:33:7A:F4 rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1596 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=C4:AD:34:33:7A:F5 mtu=1500 name=ether4 orig-mac-address=C4:AD:34:33:7A:F5 rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether5 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1596 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=C4:AD:34:33:7A:F6 mtu=1500 name=ether5 orig-mac-address=C4:AD:34:33:7A:F6 rx-flow-control=off speed=1Gbps tx-flow-control=off
Je klidně možné, že to bude způsobovat MTU. Mám v něm trochu zmatek. Ve smlouvě mám uvedeno 1492, které jsem nastavil pro vlan-848, ale pppoe-metronet si ho automaticky nastaví na 1472. Pak jsem na ether1 nechal defaultních 1500. Mám tedy všude dát 1472, aby to sedělo s PPPoE klientem, nebo 1492, což říká technická specifikace metronetu? A mám ho případně nastavit i na ostatní rozhraní (ether2-5)?
Přikládám konfiguraci:
/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 default-route-distance=1 dial-on-demand=no disabled=no interface=vlan-848 keepalive-timeout=10 max-mru=auto max-mtu=auto mrru=disabled name=pppoe-metronet password=metronet profile=default \
service-name="" use-peer-dns=no user=metronet
/queue interface
set pppoe-metronet queue=no-queue
/interface vlan
add arp=enabled arp-timeout=auto disabled=no interface=ether1 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=1492 name=vlan-848 use-service-tag=no vlan-id=848
/queue interface
set vlan-848 queue=no-queue
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1596 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=C4:AD:34:33:7A:F2 mtu=1500 name=ether1 orig-mac-address=C4:AD:34:33:7A:F2 rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1596 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=C4:AD:34:33:7A:F3 mtu=1500 name=ether2 orig-mac-address=C4:AD:34:33:7A:F3 rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1596 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=C4:AD:34:33:7A:F4 mtu=1500 name=ether3 orig-mac-address=C4:AD:34:33:7A:F4 rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1596 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=C4:AD:34:33:7A:F5 mtu=1500 name=ether4 orig-mac-address=C4:AD:34:33:7A:F5 rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether5 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1596 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=C4:AD:34:33:7A:F6 mtu=1500 name=ether5 orig-mac-address=C4:AD:34:33:7A:F6 rx-flow-control=off speed=1Gbps tx-flow-control=off
15
Sítě / Re:Netflix po IPv6 od Metronetu
« kdy: 15. 01. 2021, 22:26:14 »
Tak nový poznatek... některé servery fungují, a některé zase ne.
Např.
curl --verbose -H "Host: www.netflix.com" https://\[2a05:d018:76c:b681:5a95:861e:c138:970\]
zamrzne na TLSv1.3 (OUT), TLS handshake, Client hello (1), ale
curl --verbose -H "Host: www.netflix.com" https://\[2a05:d018:76c:b683:97f0:bb9a:ddc:96b8\]
projde v pohodě.
// EDIT: Tak občas projdou obě, občas ani jedna. Traceroute avšak vždy projde poměrně daleko (na hop 14 - dál už má netflix asi vypnuté ICMP).
Např.
curl --verbose -H "Host: www.netflix.com" https://\[2a05:d018:76c:b681:5a95:861e:c138:970\]
zamrzne na TLSv1.3 (OUT), TLS handshake, Client hello (1), ale
curl --verbose -H "Host: www.netflix.com" https://\[2a05:d018:76c:b683:97f0:bb9a:ddc:96b8\]
projde v pohodě.
// EDIT: Tak občas projdou obě, občas ani jedna. Traceroute avšak vždy projde poměrně daleko (na hop 14 - dál už má netflix asi vypnuté ICMP).
