Post AZ5IRWIcYdU8TDCvsu by mjg59@nondeterministic.computer
(DIR) Post #AZ5Cqp9WzzGGSQdexk by mjg59@nondeterministic.computer
2023-08-25T08:02:12Z
0 likes, 0 repeats
Oh good lord finally figured out why Hulu wasn't working for me over Wireguard and apparently Fastly just ignores PMTU packets so the moment I get a packet that's larger than Wireguard's MTU of 1420 bytes the connection stalls with Fastly just retransmitting the over large packet until everything times out. Using iptables to modify the MSS makes everything work but urrrrrrrgh
(DIR) Post #AZ5DaGbFnWFUcAH4ls by PCOWandre@jauntygoat.net
2023-08-25T08:10:12Z
0 likes, 0 repeats
@mjg59 remind me which year it is? *still* breaking PMTU?
(DIR) Post #AZ5DkGCY8MsgH5U6LI by leftpaddotpy@hachyderm.io
2023-08-25T08:10:34Z
0 likes, 0 repeats
@mjg59 god. this exact phenomenon has happened to me more times than it should.
(DIR) Post #AZ5DucrsiNPLTBlAtk by mjg59@nondeterministic.computer
2023-08-25T08:12:15Z
0 likes, 0 repeats
@ariadne Hm, can't find a generic way to do that :(
(DIR) Post #AZ5EGmSXjdXvaUTLA8 by klausman@mas.to
2023-08-25T08:18:00Z
0 likes, 0 repeats
@mjg59 Wait, we're still doing PMTU breakage? Is it 2010?
(DIR) Post #AZ5FBwtLcWloRuGmyO by mjg59@nondeterministic.computer
2023-08-25T08:28:46Z
0 likes, 0 repeats
@ariadne Sadly only seems to be valid for gre tunnels
(DIR) Post #AZ5FUEQVAJV02pUlRw by manawyrm@chaos.social
2023-08-25T08:31:46Z
0 likes, 0 repeats
@mjg59 yeah, MSS clamping is sadly very mandatory. for both IPv4 and IPv6 to make things worse :/ Router Advertisements and DHCP can also both announce a max MTU, depending on your network setup that might also increase the user experience :)
(DIR) Post #AZ5G0gUeLgJQMKuUFc by womble@infosec.exchange
2023-08-25T08:37:45Z
0 likes, 0 repeats
@mjg59 I had a poor experience with Fastly's NOC in their early days, and swore never to use them. Glad to see my decision appears to have been the correct one.
(DIR) Post #AZ5HTOPok084dxu2We by ixs@mastodon.bawue.social
2023-08-25T08:53:49Z
0 likes, 0 repeats
@mjg59 are you clamping on the outgoing interface (eth0) of your WireGuard router? Or the wg0 interface of your client?
(DIR) Post #AZ5IRWIcYdU8TDCvsu by mjg59@nondeterministic.computer
2023-08-25T09:04:37Z
0 likes, 0 repeats
@ixs I'm clamping in the forward rule on the remote Wireguard endpoint, but it would presumably work on the entry point as well.
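Added example, not part of any post in this thread: a dry-run sketch of MSS clamping in the FORWARD chain for the 1420-byte WireGuard MTU mentioned in the first post. The posters did not share their rule, so the interface name `wg0`, the mangle table, and the use of `--set-mss` rather than `--clamp-mss-to-pmtu` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): derive the TCP MSS that fits a tunnel
# MTU and print the matching TCPMSS clamp rules. Nothing is applied; the
# output is meant to be reviewed and then run as root on the forwarding host.

# mss_for_mtu MTU FAMILY
# MSS = MTU - IP header (20 bytes for IPv4, 40 for IPv6) - 20-byte TCP header.
mss_for_mtu() {
    mtu=$1 family=$2
    case $family in
        4) ip_hdr=20 min_mtu=68 ;;     # IPv4 minimum MTU
        6) ip_hdr=40 min_mtu=1280 ;;   # IPv6 minimum link MTU
        *) echo "family must be 4 or 6" >&2; return 2 ;;
    esac
    case $mtu in
        ''|*[!0-9]*) echo "MTU must be a positive integer" >&2; return 2 ;;
    esac
    if [ "$mtu" -lt "$min_mtu" ]; then
        echo "MTU $mtu is below the IPv$family minimum of $min_mtu" >&2
        return 1
    fi
    echo $((mtu - ip_hdr - 20))
}

# clamp_rules IFNAME MTU
# Prints one rule per address family and direction:
#   -i IFNAME  SYNs arriving from the tunnel; the MSS they carry tells the
#              far-end server how large a segment it may send back.
#   -o IFNAME  SYNs and SYN-ACKs being forwarded into the tunnel.
# "--tcp-flags SYN,RST SYN" matches both SYN and SYN-ACK segments.
clamp_rules() {
    ifname=$1 tunnel_mtu=$2
    for fam in 4 6; do
        mss=$(mss_for_mtu "$tunnel_mtu" "$fam") || return 1
        if [ "$fam" = 4 ]; then cmd=iptables; else cmd=ip6tables; fi
        for dir in -i -o; do
            echo "$cmd -t mangle -A FORWARD $dir $ifname -p tcp" \
                 "--tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
        done
    done
}

# Defaults: wg0 is an assumed interface name; 1420 is the MTU from the thread.
clamp_rules "${1:-wg0}" "${2:-1420}"
```

With `--set-mss`, the TCPMSS target lowers an advertised MSS to the given value but does not raise one that is already smaller.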
(DIR) Post #AZ5QBm3F1XYqK915rE by jeroen@secluded.ch
2023-08-25T10:30:55Z
0 likes, 0 repeats
@mjg59 many streaming platforms use MTU also as a way to detect tunnels and thus likely wrong geoloc, thus be aware. Most CDNs and large content farms ignore PMTU due to their load balancers not properly handling it, they instead MSS low or just do configure their interfaces just below PPPoE sizes so that those "normal customers" work. QUIC deployment, which initially did not support MTU!=1500, but at least in spec does now; will be fun to deploy with it going over UDP though.... ;) [no MSS]
(DIR) Post #AZ5WhjoLUJXaMqfqtc by _hic_haec_hoc@fosstodon.org
2023-08-25T11:44:10Z
0 likes, 0 repeats
@mjg59 had the same problem, and came to the same solution, last spring, but not before spending way too much of my time trying to figure out why some random websites weren't working while others had no problems :/
(DIR) Post #AZ5d0S1iQviERBEZs0 by steve@mastodon.nexusuk.org
2023-08-25T12:54:49Z
0 likes, 0 repeats
@mjg59 2005 called and wants its MSS clamping back...
(DIR) Post #AZ5iIaT6HlfNbOVi0e by jebelkrong@mastodon.sdf.org
2023-08-25T13:53:18Z
0 likes, 0 repeats
@mjg59 good find. Thanks!
(DIR) Post #AZ5kAlWLVd9vTKQVay by tedmielczarek@mastodon.social
2023-08-25T14:15:14Z
0 likes, 0 repeats
@mjg59 ah there was just recently a discussion around this on the company Slack. I am extremely not on the NetOps side of things but I think there was an explanation, although I don't think it'll help you.
(DIR) Post #AZ5ox8p8ZVIHShXTTU by seanleach@hachyderm.io
2023-08-25T15:08:06Z
0 likes, 0 repeats
@mjg59 want to send me details at sean at fastly.com and we can see what's up?
(DIR) Post #AZ8J6ItFtrrcEIfbcW by mjg59@nondeterministic.computer
2023-08-26T19:56:02Z
0 likes, 0 repeats
@seanleach dropped you an email, thanks!
(DIR) Post #AZSon5To53Mp5yPByr by roguesys@infosec.exchange
2023-09-05T17:25:41Z
0 likes, 0 repeats
@mjg59 interesting that using a Tailscale exit I didn’t run into this with Hulu. Haven’t looked into whatever “magic” Tailscale might auto-configure here, though