HTTP timeout on IPv6

My problem is that when I try to open a web page from my server on my notebook over the local network, 99% of my requests fail with a timeout but 1% work correctly. To make this easier to understand, I will describe my LAN network:

All devices have IPv4 and IPv6 (scope global)

  • ISP - provides a single NATed IPv4 address and full global-scope IPv6.
  • Router0 - ISP router, connected by wire to Router1 and the Internet.
  • Router1 - my main router in my local network. All my devices such as smartphones, PCs, notebooks etc. are connected to this router by wire or wireless.
  • Server - host with Fedora Server, connected by wire to Router1; via Apache it serves two virtual servers as and . For connections (IPv4) from outside the LAN it has a VPN; for connections over IPv6 it has open ports on Router0 and Router1. DNS records are properly configured with the IPs for v4 and v6.
  • PC - normal host with Windows, everything works fine. I can open the aaaa and bbbb web pages by local IPv4 and global IPv6.
  • Notebook - with Fedora 33 KDE. With this device I have a problem opening the bbbb domain web page over IPv6; over IPv4 it is possible. The aaaa domain works normally without problems.
  • smartphones - Android devices open the aaaa and bbbb domain web pages without problems.

My first conclusion was that the problem is in Router1 or the Server: the firewall is blocking, a port is closed or the Apache configuration is wrong. But everything looks good, and no other device has any problems like the notebook. So I started to test the notebook.

  • connection by wire or wireless to Router1 didn't change anything. Still the aaaa domain works and bbbb does not.
  • when I connect the notebook to Router0 by wire or wireless, both domains work.
  • changing the web browser does not help
  • connected to Router1, when I run curl -vk4 it works, but when I run curl -vk6 curl hangs on Client hello:
curl -kv6
*   Trying ipv6here:443...
* Connected to (*****) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):

The certificate is a wildcard issued by certbot.

I ran a Fedora live CD on the notebook and the above curl request works, so the problem is with the installed Fedora. I do not know why.

Decrease the MTU on the client or add a TCP MSS to PMTU clamping firewall rule for IPv6 traffic.

I tried on the notebook

nmcli connection modify id wifiname 802-11-wireless.mtu 1000

firewall-cmd --direct --add-passthrough ipv6 -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

It didn't help.

Verify the settings.

ip link show

The MSS clamping rule should be applied on the router, or on the host system if you are using virtualization with NAT/routed networking.

ip6tables-save -t mangle

In addition, IPv6 heavily relies on ICMPv6, so make sure to allow it:

  • ICMPv6 input and output on both client and server.
  • ICMPv6 forward on routers in both directions.

I don't think the problem is in the router. I see a slight improvement but it is still horrible.
I have ICMPv6 allowed, but to be sure I disabled the firewall on both sides, with no effect. I sniffed with Wireshark but I do not really know how to read packets.
When there is a problem getting data, I see after the TLSv1 Client Hello packet many TCP retransmissions and TCP Dup ACKs. No idea what is going on.
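The symptom described in the last reply (handshake completes, Client Hello goes out, then retransmissions and duplicate ACKs) is the classic signature of an IPv6 path-MTU black hole: small packets cross the path, full-size segments are silently dropped, and the ICMPv6 Packet Too Big that would shrink them never arrives. The script below is an added example written for this thread, not code posted by any participant. It parses constructed tshark-style summary lines (default `tshark` layout, `2001:db8::` documentation addresses, not a real capture), flags that pattern, and turns a path MTU into the MSS a `TCPMSS --clamp-mss-to-pmtu` rule would advertise (IPv6 header 40 bytes, TCP header 20, IPv6 minimum link MTU 1280). It assumes the capture was taken on the host sending the large segments (the server); on the receiving end the same condition shows up as small out-of-order segments arriving and duplicate ACKs going out, which the counter also picks up.

```python
"""Heuristic IPv6 path-MTU black-hole check over tshark-style summary lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

IPV6_HEADER = 40
TCP_HEADER = 20
IPV6_MIN_MTU = 1280  # every IPv6 link must carry at least this (RFC 8200)


def mss_for_pmtu(pmtu: int) -> int:
    """MSS that TCPMSS --clamp-mss-to-pmtu writes into a SYN for a given path MTU."""
    return pmtu - IPV6_HEADER - TCP_HEADER


@dataclass
class Frame:
    number: int
    time: float
    src: str
    dst: str
    proto: str
    length: int  # frame length in bytes, Ethernet header included
    info: str


# Assumed layout: <frame> <time> <src> -> <dst> <proto> <length> <info>
LINE_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")


def parse_summary(text: str) -> List[Frame]:
    """Parse summary lines; anything not matching the layout is skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append(Frame(int(m[1]), float(m[2]), m[3], m[4], m[5], int(m[6]), m[7]))
    return frames


@dataclass
class Diagnosis:
    client_hello_frame: Optional[int]
    retransmitted_frames: List[int]
    dup_acks: int
    largest_retransmitted: int  # bytes
    largest_delivered: int      # largest non-retransmitted frame after the Client Hello
    suspected_pmtu_blackhole: bool
    suggested_mss: Optional[int]


def diagnose(frames: List[Frame], min_retransmissions: int = 2) -> Diagnosis:
    """Flag: after the Client Hello only full-size segments are retransmitted while
    smaller ones get through, i.e. packets above some path MTU are being dropped."""
    hello = next((f for f in frames if "Client Hello" in f.info), None)
    if hello is None:
        return Diagnosis(None, [], 0, 0, 0, False, None)
    after = [f for f in frames if f.number > hello.number]
    retrans = [f for f in after if "TCP Retransmission" in f.info]
    dup_acks = sum(1 for f in after if "TCP Dup ACK" in f.info)
    largest_retx = max((f.length for f in retrans), default=0)
    largest_ok = max((f.length for f in after if "TCP Retransmission" not in f.info), default=0)
    suspected = len(retrans) >= min_retransmissions and largest_retx > largest_ok
    # Conservative recovery value: clamp to the IPv6 minimum MTU, which every link honours.
    suggested = mss_for_pmtu(IPV6_MIN_MTU) if suspected else None
    return Diagnosis(hello.number, [f.number for f in retrans], dup_acks,
                     largest_retx, largest_ok, suspected, suggested)


# Constructed sample (server-side view): 1428-byte segments never get acknowledged,
# the small tail of the flight does, and the client answers with duplicate ACKs.
SAMPLE_BLACKHOLE = """\
1 0.000 2001:db8:1::10 -> 2001:db8:2::1 TCP 94 45678 -> 443 [SYN] Seq=0 Len=0 MSS=1440
2 0.001 2001:db8:2::1 -> 2001:db8:1::10 TCP 94 443 -> 45678 [SYN, ACK] Seq=0 Ack=1 Len=0 MSS=1440
3 0.001 2001:db8:1::10 -> 2001:db8:2::1 TCP 86 45678 -> 443 [ACK] Seq=1 Ack=1 Len=0
4 0.002 2001:db8:1::10 -> 2001:db8:2::1 TLSv1 603 Client Hello
5 0.003 2001:db8:2::1 -> 2001:db8:1::10 TCP 86 443 -> 45678 [ACK] Seq=1 Ack=518 Len=0
6 0.004 2001:db8:2::1 -> 2001:db8:1::10 TCP 300 443 -> 45678 [ACK] Seq=2857 Ack=518 Len=214
7 0.004 2001:db8:1::10 -> 2001:db8:2::1 TCP 98 [TCP Dup ACK 3#1] 45678 -> 443 [ACK] Seq=518 Ack=1 Len=0
8 0.210 2001:db8:2::1 -> 2001:db8:1::10 TCP 1514 [TCP Retransmission] 443 -> 45678 [ACK] Seq=1 Ack=518 Len=1428
9 0.211 2001:db8:1::10 -> 2001:db8:2::1 TCP 98 [TCP Dup ACK 3#2] 45678 -> 443 [ACK] Seq=518 Ack=1 Len=0
10 0.620 2001:db8:2::1 -> 2001:db8:1::10 TCP 1514 [TCP Retransmission] 443 -> 45678 [ACK] Seq=1 Ack=518 Len=1428
11 1.430 2001:db8:2::1 -> 2001:db8:1::10 TCP 1514 [TCP Retransmission] 443 -> 45678 [ACK] Seq=1 Ack=518 Len=1428
"""

# Constructed healthy handshake for comparison: the full-size Server Hello is acknowledged.
SAMPLE_HEALTHY = """\
1 0.000 2001:db8:1::10 -> 2001:db8:2::1 TCP 94 45678 -> 443 [SYN] Seq=0 Len=0 MSS=1440
2 0.001 2001:db8:2::1 -> 2001:db8:1::10 TCP 94 443 -> 45678 [SYN, ACK] Seq=0 Ack=1 Len=0 MSS=1440
3 0.001 2001:db8:1::10 -> 2001:db8:2::1 TCP 86 45678 -> 443 [ACK] Seq=1 Ack=1 Len=0
4 0.002 2001:db8:1::10 -> 2001:db8:2::1 TLSv1 603 Client Hello
5 0.003 2001:db8:2::1 -> 2001:db8:1::10 TLSv1.3 1514 Server Hello, Change Cipher Spec, Application Data
6 0.004 2001:db8:1::10 -> 2001:db8:2::1 TCP 86 45678 -> 443 [ACK] Seq=518 Ack=1429 Len=0
"""

if __name__ == "__main__":
    for name, sample in (("black hole", SAMPLE_BLACKHOLE), ("healthy", SAMPLE_HEALTHY)):
        print(name, diagnose(parse_summary(sample)))
```

Run against real data with `tshark -r capture.pcapng -Y "tcp.port == 443"` piped into `parse_summary`. If the black-hole pattern is flagged, the fix belongs where the answer above puts it: an MSS clamp on the router, or ICMPv6 Packet Too Big being allowed end to end so that path MTU discovery can do the clamping on its own; `mss_for_pmtu(1000)` gives 940, which is what the notebook's MTU change to 1000 would have advertised.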