christf/clat-mtu issue

## clat-mtu issue

# Freifunk CLAT Issue

* We have a client c connected to a Freifunk node n
* C obtains an ipv4address 10.139.12.13 from n via dhcp
* n has an ipv4 next-node-address of 10.139.0.1
* n is connected to the rest of the freifunk infrastructure via VPN with MTU m
* The freifunk infrastructure is ipv6-only.
* n runs a clat kernel module translating ipv4 to ipv6 such that c can connect
  anywhere in ipv6-land.

# Problem #1

When C sends a packet that is larger than the MTU of the vpn tunnel, an ICMP
message (packet too big) is created at n and sent to the client.
However the client discards this packet because its source address is set to
the client's ipv4 address.

# Unsuccessful Attemts for Resolution

* place a host-route on n for the client as this:
  ip r a 10.139.12.13/32 dev local-node src 10.139.0.1 t local
  ip r a 10.139.12.13/32 dev local-node src 10.139.0.1
* Looked at iptables rewrite src-IP but that will only work on POSTROUTING, not
  in the OUTPUT Chain

# Solution part 1

Adding another clat configuration will lead to icmp packets with correct src-address however causes another issue (see below)
echo insert clat local.v4 10.139.0.1/32 local.v6 :: local.style NONE local.ea-len 0 local.psid-offset 0 remote.v4 10.139.0.1/32 remote.v6 fda9:26e:5805:bab2:5054:ff:feac:7a2/128 remote.style NONE remote.ea-len 0 remote.psid-offset 0 > control

# Problem #2

## Situation

tcpdump shows icmp packets to be created with the correct src-address on device clat:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on clat, link-type RAW (Raw IP), capture size 262144 bytes
01:03:08.039119 IP 10.139.22.188 > 8.8.8.8: ICMP echo request, id 5058, seq 1, length 1408
01:03:08.039192 IP 10.139.0.1 > 10.139.22.188: ICMP type-#1, length 1220

However the client does not receive the packet.
tcpdump -pni local-node icmp does not show the packet on the node

tcpdump -pni any icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
01:28:58.551763 IP 10.139.22.188 > 8.8.8.8: ICMP echo request, id 5074, seq 1, length 1408
01:28:58.551777 IP 10.139.22.188 > 8.8.8.8: ICMP echo request, id 5074, seq 1, length 1408
01:28:58.551790 IP 10.139.22.188 > 8.8.8.8: ICMP echo request, id 5074, seq 1, length 1408
01:28:58.551826 IP 10.139.22.188 > 8.8.8.8: ICMP echo request, id 5074, seq 1, length 1408
01:28:58.551894 IP 10.139.0.1 > 10.139.22.188: ICMP 8.8.8.8 unreachable - need to frag (mtu 1354), length 1220

root@3xxxx-525400ee0043:/# ip r s t clat
default dev clat proto static scope link metric 2048
10.139.0.0/17 dev local-node proto static scope link
10.139.22.188 dev local-node scope link metric 1024
root@3xxxx-525400ee0043:/# ^C
root@3xxxx-525400ee0043:/# ip ru s
0:	from all lookup local
9999:	from 10.139.0.0/17 lookup clat
10000:	from 10.139.0.1 lookup clat
20000:	from all to 10.139.0.1/17 lookup clat
32766:	from all lookup main
32767:	from all lookup default
90009:	from all iif lo lookup clat
90010:	from all iif lo lookup clat


## mtu-jool.txt
Topology:
+--------------------------+                +--------------------------+                +--------------------------+                +--------------------------+
| Client                   |                | Freifunk AP              |                | VPN GW                   |                | Exit                     |
| 10.139.x.y               |                | 10.139.0.1               |                | Jool, Stateful NAT64     |                | 10.11.12.5/30            |
|                          |                | NAT64                    |                | 10.11.12.6/30            |                | Debian Linux 4.19        |
|                          | WLAN-Verbindung|                          | Wireguard VPN  | Debian Linux 4.19        | GRE Tunnel     |                          |
| iperf3 -c 10.11.12.6 -R  +---------------->                          +----------------+                          +----------------+ iperf3 -s                |
| iperf3 -c 10.11.12.6     | MTU 1500       |                          | MTU 1374       |                          | MTU 1400       |                          |
|                          | IPv4 and IPV6  |                          | IPv6-Only      |                          | IPv4-Only      |                          |
|                          |                |                          |                |                          |                |                          |
|                          |                |                          |                |                          |                |                          |
+--------------------------+                +--------------------------+                +--------------------------+                +--------------------------+

Symptom:
* iperf3 is fast (multiple mbit, ok for this internet connection)
* iperf3 -R is slow (a few kbit)
* tcpdump on VPN GW shows icmp "need to frag" packets towards 10.11.12.5 on
* tcpdump on Exit show icmp "need to frag" packets towards 10.11.12.5
* rp_filter = 0 or all interfaces and default
* mss clamping is active: iptables -v -n -L FORWARD -t mangle
Chain FORWARD (policy ACCEPT 85M packets, 72G bytes)
 pkts bytes target     prot opt in     out     source               destination
 210K   13M TCPMSS     tcp  --  br-ffmd ffrl+   anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
 187K   11M TCPMSS     tcp  --  ffrl+  br-ffmd  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
 210K   13M TCPMSS     tcp  --  br-ffmd ffrl+   anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
 187K   11M TCPMSS     tcp  --  ffrl+  br-ffmd  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
 3395  208K TCPMSS     tcp  --  backend+ any     anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
 2665  158K TCPMSS     tcp  --  any    backend+  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
 2665  158K TCPMSS     tcp  --  any    backend-babel1  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
=> dito für OUTBOUND

Problem:
* no fragmentation seems to happen, packets are dropped between VPN GW and Exit and the VPN-host sends "need to frag" messages towards EXIT

Solution:
* Upgrade to jool 4.0.5

	# Freifunk CLAT Issue

	* We have a client c connected to a Freifunk node n
	* C obtains an ipv4address 10.139.12.13 from n via dhcp
	* n has an ipv4 next-node-address of 10.139.0.1
	* n is connected to the rest of the freifunk infrastructure via VPN with MTU m
	* The freifunk infrastructure is ipv6-only.
	* n runs a clat kernel module translating ipv4 to ipv6 such that c can connect
	anywhere in ipv6-land.

	# Problem #1

	When C sends a packet that is larger than the MTU of the vpn tunnel, an ICMP
	message (packet too big) is created at n and sent to the client.
	However the client discards this packet because its source address is set to
	the client's ipv4 address.

	# Unsuccessful Attemts for Resolution

	* place a host-route on n for the client as this:
	ip r a 10.139.12.13/32 dev local-node src 10.139.0.1 t local
	ip r a 10.139.12.13/32 dev local-node src 10.139.0.1
	* Looked at iptables rewrite src-IP but that will only work on POSTROUTING, not
	in the OUTPUT Chain

	# Solution part 1

	Adding another clat configuration will lead to icmp packets with correct src-address however causes another issue (see below)
	echo insert clat local.v4 10.139.0.1/32 local.v6 :: local.style NONE local.ea-len 0 local.psid-offset 0 remote.v4 10.139.0.1/32 remote.v6 fda9:26e:5805:bab2:5054:ff:feac:7a2/128 remote.style NONE remote.ea-len 0 remote.psid-offset 0 > control

	# Problem #2

	## Situation

	tcpdump shows icmp packets to be created with the correct src-address on device clat:
	tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
	listening on clat, link-type RAW (Raw IP), capture size 262144 bytes
	01:03:08.039119 IP 10.139.22.188 > 8.8.8.8: ICMP echo request, id 5058, seq 1, length 1408
	01:03:08.039192 IP 10.139.0.1 > 10.139.22.188: ICMP type-#1, length 1220

	However the client does not receive the packet.
	tcpdump -pni local-node icmp does not show the packet on the node

	tcpdump -pni any icmp
	tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
	listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
	01:28:58.551763 IP 10.139.22.188 > 8.8.8.8: ICMP echo request, id 5074, seq 1, length 1408
	01:28:58.551777 IP 10.139.22.188 > 8.8.8.8: ICMP echo request, id 5074, seq 1, length 1408
	01:28:58.551790 IP 10.139.22.188 > 8.8.8.8: ICMP echo request, id 5074, seq 1, length 1408
	01:28:58.551826 IP 10.139.22.188 > 8.8.8.8: ICMP echo request, id 5074, seq 1, length 1408
	01:28:58.551894 IP 10.139.0.1 > 10.139.22.188: ICMP 8.8.8.8 unreachable - need to frag (mtu 1354), length 1220

	root@3xxxx-525400ee0043:/# ip r s t clat
	default dev clat proto static scope link metric 2048
	10.139.0.0/17 dev local-node proto static scope link
	10.139.22.188 dev local-node scope link metric 1024
	root@3xxxx-525400ee0043:/# ^C
	root@3xxxx-525400ee0043:/# ip ru s
	0: from all lookup local
	9999: from 10.139.0.0/17 lookup clat
	10000: from 10.139.0.1 lookup clat
	20000: from all to 10.139.0.1/17 lookup clat
	32766: from all lookup main
	32767: from all lookup default
	90009: from all iif lo lookup clat
	90010: from all iif lo lookup clat
	Topology:
	+--------------------------+ +--------------------------+ +--------------------------+ +--------------------------+
	\| Client \| \| Freifunk AP \| \| VPN GW \| \| Exit \|
	\| 10.139.x.y \| \| 10.139.0.1 \| \| Jool, Stateful NAT64 \| \| 10.11.12.5/30 \|
	\| \| \| NAT64 \| \| 10.11.12.6/30 \| \| Debian Linux 4.19 \|
	\| \| WLAN-Verbindung\| \| Wireguard VPN \| Debian Linux 4.19 \| GRE Tunnel \| \|
	\| iperf3 -c 10.11.12.6 -R +----------------> +----------------+ +----------------+ iperf3 -s \|
	\| iperf3 -c 10.11.12.6 \| MTU 1500 \| \| MTU 1374 \| \| MTU 1400 \| \|
	\| \| IPv4 and IPV6 \| \| IPv6-Only \| \| IPv4-Only \| \|
	\| \| \| \| \| \| \| \|
	\| \| \| \| \| \| \| \|
	+--------------------------+ +--------------------------+ +--------------------------+ +--------------------------+

	Symptom:
	* iperf3 is fast (multiple mbit, ok for this internet connection)
	* iperf3 -R is slow (a few kbit)
	* tcpdump on VPN GW shows icmp "need to frag" packets towards 10.11.12.5 on
	* tcpdump on Exit show icmp "need to frag" packets towards 10.11.12.5
	* rp_filter = 0 or all interfaces and default
	* mss clamping is active: iptables -v -n -L FORWARD -t mangle
	Chain FORWARD (policy ACCEPT 85M packets, 72G bytes)
	pkts bytes target prot opt in out source destination
	210K 13M TCPMSS tcp -- br-ffmd ffrl+ anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
	187K 11M TCPMSS tcp -- ffrl+ br-ffmd anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
	210K 13M TCPMSS tcp -- br-ffmd ffrl+ anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
	187K 11M TCPMSS tcp -- ffrl+ br-ffmd anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
	3395 208K TCPMSS tcp -- backend+ any anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
	2665 158K TCPMSS tcp -- any backend+ anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
	2665 158K TCPMSS tcp -- any backend-babel1 anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
	=> dito für OUTBOUND

	Problem:
	* no fragmentation seems to happen, packets are dropped between VPN GW and Exit and the VPN-host sends "need to frag" messages towards EXIT

	Solution:
	* Upgrade to jool 4.0.5