 
kevinds
Long time Member
Topic Author
Posts: 640
Joined: Wed Jan 14, 2015 8:41 am

Trying to Understand MSS Clamping - Not Working?

Sun Apr 21, 2019 2:27 pm

Searching for MSS in this forum returned 45 pages of results; I didn't find anything relevant that I hadn't already tried.

I was running 6.42.12, upgraded to 6.43.14, and now stable, 6.44.2.

My topology...

I have two Mikrotik routers, an RB760iGS. Ether1 connects to my CCR1016-Ether1 through my managed switch. Ether4 connects to a DSL modem. Ether5 to a Cable modem. Ether4 and Ether5 are both set as DHCP (both have MTU of 1500). Ether1 has a public static IP from a /30 subnet.

My internet is done from a VPN provider that routes me a public IP block over a L2TP connection. The DSL or Cable modem connects to the L2TP service then routes a larger IP block to my CCR1016 using the second usable of the /30. PING/ICMP traffic is allowed.

I have random sites that have issues, as far as I can tell it seems to be MTU/MSS issues..

The L2TP is showing Actual MTU of 1470, I am sure this used to show 1460, not that it really matters..

I've tried to use a 'Change MSS' mangle rule,
Chain: Forward (and a second for Output)
Out Interface: L2TP VPN
TCP MSS: ! 0-1420
TCP Flags: syn
Action: Change MSS
New TCP MSS: 1420


I've tried TCP MSS: 1421-65535 instead of !0-1420, I've also tried values 1440, 1400, 1380, even 1300.. But certain traffic still does not work.
One site I was reading said do the Change MSS mangle rule in both directions, in and out, I tried this but the L2TP-In rule was showing 0 packets (which is what I expected).

I've tried setting the CCR1016's Ether1 interface to a 1400 MTU, hoping the built-in(?) automatic MSS adjustment would do it... No effect. I matched the RB760iGS Ether1 also to 1400, no change.

If I manually set the host's network interface to 1400 MTU, everything works great.

This seems like the simple/traditional MTU/MSS issue but I can't seem to correct it. What am I missing? Any suggestions?

Thank you
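To make concrete what a "Change MSS" mangle rule actually does, here is an added example (written for this page, not code from the original post or from MikroTik). It derives the clamp value from a link MTU (1470 minus 20 bytes of IPv4 header and 20 bytes of TCP header gives 1430, so the 1420 used above is a safe choice), builds a constructed TCP SYN, rewrites the MSS option when it is above the clamp, and recomputes the TCP checksum, which is the part a rewrite must get right or the segment is discarded by the receiver. The addresses, ports and option values are constructed for the example. Segments without the SYN flag are passed through untouched, which is also why a clamp does nothing for UDP or for an already established connection.

```python
import socket
import struct
from typing import Optional, Tuple

IPV4_HDR = 20   # IPv4 header without options
TCP_HDR = 20    # TCP header without options
SYN = 0x02      # SYN flag bit in TCP byte 13
MSS_KIND = 2    # TCP option kind for Maximum Segment Size


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits one unfragmented IPv4 packet on this MTU.
    1500 -> 1460 (plain Ethernet), 1470 -> 1430 (the L2TP MTU quoted in the thread)."""
    return mtu - IPV4_HDR - TCP_HDR


def _ones_complement_sum(data: bytes) -> int:
    """Internet checksum: 16-bit one's-complement sum, folded, then inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the segment with its checksum field zeroed."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return _ones_complement_sum(pseudo + zeroed)


def checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    return struct.unpack_from("!H", segment, 16)[0] == tcp_checksum(src, dst, segment)


def build_syn(mss: int, src: str, dst: str) -> bytes:
    """Constructed client SYN carrying MSS, a NOP pad and a window-scale option (8 option bytes)."""
    options = struct.pack("!BBH", MSS_KIND, 4, mss) + b"\x01" + struct.pack("!BBB", 3, 3, 7)
    data_offset = (TCP_HDR + len(options)) // 4          # header length in 32-bit words (7)
    header = struct.pack("!HHIIBBHHH", 54321, 443, 1000, 0, data_offset << 4, SYN, 65535, 0, 0)
    segment = header + options
    return segment[:16] + struct.pack("!H", tcp_checksum(src, dst, segment)) + segment[18:]


def _options(segment: bytes):
    """Yield (offset, kind, length) for each TLV option; NOP is 1 byte, EOL ends the list."""
    end = (segment[12] >> 4) * 4
    i = TCP_HDR
    while i < end:
        kind = segment[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = segment[i + 1]
        yield i, kind, length
        i += length


def parse_mss(segment: bytes) -> Optional[int]:
    for pos, kind, length in _options(segment):
        if kind == MSS_KIND and length == 4:
            return struct.unpack_from("!H", segment, pos + 2)[0]
    return None


def clamp_mss(segment: bytes, max_mss: int, src: str, dst: str) -> Tuple[bytes, bool]:
    """What a change-mss rule does: lower the MSS option of a SYN (or SYN/ACK) to max_mss.
    Returns (segment, changed). Non-SYN segments and SYNs already at or below the clamp pass through."""
    if not segment[13] & SYN:
        return segment, False
    for pos, kind, length in _options(segment):
        if kind == MSS_KIND and length == 4:
            current = struct.unpack_from("!H", segment, pos + 2)[0]
            if current <= max_mss:
                return segment, False
            rewritten = bytearray(segment)
            struct.pack_into("!H", rewritten, pos + 2, max_mss)
            # the option changed, so the TCP checksum must be recomputed over the new bytes
            struct.pack_into("!H", rewritten, 16, tcp_checksum(src, dst, bytes(rewritten)))
            return bytes(rewritten), True
    return segment, False


if __name__ == "__main__":
    # constructed documentation-range addresses; not from the thread
    src, dst = "192.0.2.10", "198.51.100.20"
    clamp = mss_for_mtu(1470)
    syn = build_syn(1460, src, dst)
    out, changed = clamp_mss(syn, clamp, src, dst)
    print("clamp for MTU 1470:", clamp, "| MSS before:", parse_mss(syn),
          "after:", parse_mss(out), "| changed:", changed, "| checksum ok:", checksum_ok(src, dst, out))
```

The rule has to see the SYN in both directions to be complete: the SYN leaving the router tells the remote server how large it may send to us, and the SYN/ACK coming back tells our host how large it may send out.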
 
JohnTRIVOLTA
Member
Posts: 345
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Trying to Understand MSS Clamping - Not Working?  [SOLVED]

Sun Apr 21, 2019 3:16 pm

When I need some PPP-based VPN I use the multilink feature instead of clamping MSS! You must set the MRRU = 1600, for example, on both sides - try it!
 
kevinds
Long time Member
Topic Author
Posts: 640
Joined: Wed Jan 14, 2015 8:41 am

Re: Trying to Understand MSS Clamping - Not Working?

Sun Apr 21, 2019 3:40 pm

When I need some PPP-based VPN I use the multilink feature instead of clamping MSS! You must set the MRRU = 1600, for example, on both sides - try it!
Multi-link using both the Cable and DSL is an upcoming project. I only have control of my side though. VPN provider controls the service.. It is another Mikrotik router though.

Trying this change now.
 
kevinds
Long time Member
Topic Author
Posts: 640
Joined: Wed Jan 14, 2015 8:41 am

Re: Trying to Understand MSS Clamping - Not Working?

Sun Apr 21, 2019 3:43 pm

You must set the MRRU = 1600, for example, on both sides - try it!
I think this is the answer. On the host that I can consistently re-create the issue on, it seems to have fixed it. :) *offers digital beer*
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Trying to Understand MSS Clamping - Not Working?

Sun Apr 21, 2019 4:28 pm

You mention DSL for Internet. Here in the states I still see the majority of them putting the MTU drop for PPP towards the customer. If that's the case you will want to set the interface MTU facing the DSL provider to 1492.

This is fairly easy to test. Just turn off the VPN to go directly out to the Internet and ping something like 8.8.8.8 with the DF bit set and a total packet size of 1492 and 1493. If both of those work then progress up to 1500. Depending on your OS the size of ping differs.

It's also possible your provider isn't handling path MTU discovery correctly or, because of your incorrect MTU rule, their own TCP MSS clamping rules are setting TCP traffic to be too large.

Some websites have set themselves to 1280 for MTU to avoid or hide issues for users that are behind broken configurations. Additionally, even if you've set everything correctly and your VPN provider has too, I've seen cases where certain servers are misconfigured and are unable to properly perform path MTU discovery. This is typically because of a firewall configured with poor policy. This last situation is the only case I condone TCP MSS clamping, which leaves any UDP traffic broken. I also recommend contacting the owners of the site to tell them about the issue.
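The DF-bit ping test described above is really a search for the largest packet that gets a reply, so here is an added example (written for this page, not from the post or from MikroTik) that generalises it into a binary search over probe sizes. A ping payload of N bytes is an IP packet of N + 28 bytes (20 IPv4 + 8 ICMP), which is why 1472 is the probe for a 1500 MTU and 1464 for a 1492 PPPoE link; the 1442 payload quoted later in the thread is a 1470-byte packet, matching the L2TP interface MTU. The path is simulated here (constructed MTU values) so the block runs offline; `make_live_probe` assembles the real per-OS ping command (Windows `-f -l`, Linux `-M do -s`, macOS `-D -s`) for use on a real network.

```python
import platform
import subprocess
from typing import Callable

IP_ICMP_OVERHEAD = 20 + 8   # IPv4 header + ICMP echo header


def payload_for_mtu(mtu: int) -> int:
    """Ping payload that produces an IP packet of exactly this size: 1500 -> 1472, 1470 -> 1442."""
    return mtu - IP_ICMP_OVERHEAD


def mtu_for_payload(payload: int) -> int:
    return payload + IP_ICMP_OVERHEAD


def ping_command(system: str, host: str, payload: int) -> list:
    """argv for one echo request with the DF bit set; the flags differ per OS."""
    if system == "Windows":
        return ["ping", "-n", "1", "-f", "-l", str(payload), host]
    if system == "Darwin":
        return ["ping", "-c", "1", "-D", "-s", str(payload), host]
    return ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host]   # Linux iputils


def make_live_probe(host: str) -> Callable[[int], bool]:
    """Probe that sends a real DF-set ping; a non-zero exit means 'too big' or no reply."""
    system = platform.system()

    def probe(payload: int) -> bool:
        result = subprocess.run(ping_command(system, host, payload),
                                stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return result.returncode == 0
    return probe


def make_simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed path for offline use: replies iff the whole IP packet fits path_mtu."""
    def probe(payload: int) -> bool:
        return mtu_for_payload(payload) <= path_mtu
    return probe


def discover_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Largest MTU in [lo, hi] whose DF-set probe is answered, by binary search.
    lo must succeed (576 is the classic IPv4 minimum); if hi succeeds the path is at least hi."""
    if not probe(payload_for_mtu(lo)):
        raise RuntimeError("even a %d-byte packet gets no reply; check reachability first" % lo)
    if probe(payload_for_mtu(hi)):
        return hi
    # invariant: lo works, hi fails
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(payload_for_mtu(mid)):
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    for path in (1500, 1492, 1470):
        found = discover_path_mtu(make_simulated_probe(path))
        print("simulated path MTU %d -> discovered %d (largest payload %d)"
              % (path, found, payload_for_mtu(found)))
    # on a real network, with a test host you are allowed to probe:
    # print(discover_path_mtu(make_live_probe("8.8.8.8")))
```

Run the live probe once with the VPN up and once directly over each modem; if the direct result is 1492 the DSL side is PPPoE-sized as idlemind suggests, and if the two differ by exactly the tunnel overhead the tunnel itself is behaving as expected.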
 
kevinds
Long time Member
Topic Author
Posts: 640
Joined: Wed Jan 14, 2015 8:41 am

Re: Trying to Understand MSS Clamping - Not Working?

Tue Apr 23, 2019 8:33 am

You mention DSL for Internet. Here in the states I still see the majority of them putting the MTU drop for PPP towards the customer. If that's the case you will want to set the interface MTU facing the DSL provider to 1492.

This is fairly easy to test. Just turn off the VPN to go directly out to the Internet and ping something like 8.8.8.8 with the DF bit set and a total packet size of 1492 and 1493. If both of those work then progress up to 1500. Depending on your OS the size of ping differs.

It's also possible your provider isn't handling path MTU discovery correctly or, because of your incorrect MTU rule, their own TCP MSS clamping rules are setting TCP traffic to be too large.

Some websites have set themselves to 1280 for MTU to avoid or hide issues for users that are behind broken configurations. Additionally, even if you've set everything correctly and your VPN provider has too, I've seen cases where certain servers are misconfigured and are unable to properly perform path MTU discovery. This is typically because of a firewall configured with poor policy. This last situation is the only case I condone TCP MSS clamping, which leaves any UDP traffic broken. I also recommend contacting the owners of the site to tell them about the issue.
Yes, here in the 'White North' too for DSL.. This incumbent's DSL service isn't PPPoE like almost every other DSL service I've dealt with, that is why I mentioned the 'WAN' type and MTU..

Dealing with this issue for quite some time now.. Tried many different settings to fix it. MRRU is not a direction that any search results took me in, but it fixed it and it is still fixed..

Next can of worms is using both ISPs to make connections to the VPN provider to bond the connections together like MLPPP would.. Looking for higher upload speeds.. But this is working for now.
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Trying to Understand MSS Clamping - Not Working?

Tue Apr 23, 2019 10:48 pm

You mention DSL for Internet. Here in the states I still see the majority of them putting the MTU drop for PPP towards the customer. If that's the case you will want to set the interface MTU facing the DSL provider to 1492.

This is fairly easy to test. Just turn off the VPN to go directly out to the Internet and ping something like 8.8.8.8 with the DF bit set and a total packet size of 1492 and 1493. If both of those work then progress up to 1500. Depending on your OS the size of ping differs.

It's also possible your provider isn't handling path MTU discovery correctly or, because of your incorrect MTU rule, their own TCP MSS clamping rules are setting TCP traffic to be too large.

Some websites have set themselves to 1280 for MTU to avoid or hide issues for users that are behind broken configurations. Additionally, even if you've set everything correctly and your VPN provider has too, I've seen cases where certain servers are misconfigured and are unable to properly perform path MTU discovery. This is typically because of a firewall configured with poor policy. This last situation is the only case I condone TCP MSS clamping, which leaves any UDP traffic broken. I also recommend contacting the owners of the site to tell them about the issue.
Yes, here in the 'White North' too for DSL.. This incumbent's DSL service isn't PPPoE like almost every other DSL service I've dealt with, that is why I mentioned the 'WAN' type and MTU..

Dealing with this issue for quite some time now.. Tried many different settings to fix it. MRRU is not a direction that any search results took me in, but it fixed it and it is still fixed..

Next can of worms is using both ISPs to make connections to the VPN provider to bond the connections together like MLPPP would.. Looking for higher upload speeds.. But this is working for now.
Interesting, did you rule out MTU for the DSL connection as the cause, ideally with DF-based test packets (ICMP)? I'd hate to see MRRU hiding the real reason it's broken underneath. That said, it could be that the specific test websites you're looking at have broken path MTU discovery too, or that the provider is clamping MSS above what you're clamping it at (changing it after the fact).
 
kevinds
Long time Member
Topic Author
Posts: 640
Joined: Wed Jan 14, 2015 8:41 am

Re: Trying to Understand MSS Clamping - Not Working?

Tue Apr 23, 2019 11:36 pm

Yes I did the ping tests with DF. Also switching to the cable modem had no effect.

But yes, it is possible that some websites have broken path MTU discovery.

The issue was very noticeable with some SSL/TLS services, but when I found an HTTP server doing it too, I knew something else was going on.

Then that HTTP download would have issues on one host but not another, on the same LAN..

What is the MRRU doing? Right now,
 ping 8.8.4.4 -f -l 1442
is the largest I can send not fragmented. My initial understanding was that the MRRU setting would allow the full 1500 packets. Or do I need to get in touch with my VPN provider for this?

Otherwise, I am still confused why that fixed the websites that were having issues.
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Trying to Understand MSS Clamping - Not Working?

Thu Apr 25, 2019 9:24 am

Yes I did the ping tests with DF. Also switching to the cable modem had no effect.

But yes, it is possible that some websites have broken path MTU discovery.

The issue was very noticeable with some SSL/TLS services, but when I found an HTTP server doing it too, I knew something else was going on.

Then that HTTP download would have issues on one host but not another, on the same LAN..

What is the MRRU doing? Right now,
 ping 8.8.4.4 -f -l 1442
is the largest I can send not fragmented. My initial understanding was that the MRRU setting would allow the full 1500 packets. Or do I need to get in touch with my VPN provider for this?

Otherwise, I am still confused why that fixed the websites that were having issues.

I'd be curious what your VPN provider has to say - allowing an MRRU of 1600 would allow packets to be broken up at the PPP layer that otherwise couldn't be fragmented. This would assume you want to receive packets that have a total size of 1600 bytes. Based on an MTU / MRU for the interface of 1470 it would seem that either the provider or your MikroTik thinks it has 1510 available. The MRRU setting then allows packets greater than your 1500 MTU to be broken up and delivered. The lack of true 1500 MTU is because of the overhead of the underlying packet. Testing from your router with an interface IP of 1470 on the L2TP side, your router will emit a "Too Big" message back to you above that.

Something hinky seems to be going on with your VPN. I'd expect it to negotiate smaller (to say 1500 / 1460) but that's just me.
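Why a larger MRRU made the broken sites work is easier to see with a model, so here is an added example (written for this page, not from the post or from MikroTik) of the multilink PPP fragmentation the reply describes. It uses the RFC 1990 short-sequence fragment header (2 bytes: B and E bits plus a 12-bit sequence number) and simulates a PPP link whose MTU is the 1470 bytes from the thread. A 1500-byte packet with DF set cannot be IP-fragmented and is dropped when the link has no multilink; with a peer MRRU of 1600 it is split into two PPP fragments and reassembled, with no change to the TCP segment inside. The sizes are from the thread; the packet contents are constructed.

```python
import struct
from typing import List, Optional

MP_HDR = 2          # short-sequence multilink header, RFC 1990
B_BIT = 0x8000      # beginning fragment
E_BIT = 0x4000      # ending fragment
SEQ_MASK = 0x0FFF   # 12-bit sequence number


def fragment(packet: bytes, link_mtu: int, first_seq: int = 0) -> List[bytes]:
    """Split one network-layer packet into multilink fragments that each fit link_mtu."""
    chunk = link_mtu - MP_HDR
    pieces = [packet[i:i + chunk] for i in range(0, len(packet), chunk)]
    frags = []
    for n, piece in enumerate(pieces):
        flags = 0
        if n == 0:
            flags |= B_BIT
        if n == len(pieces) - 1:
            flags |= E_BIT
        seq = (first_seq + n) & SEQ_MASK
        frags.append(struct.pack("!H", flags | seq) + piece)
    return frags


def reassemble(frags: List[bytes], mrru: int) -> bytes:
    """Rebuild the packet on the receiving side; mrru is the largest packet it will reconstruct."""
    buf = bytearray()
    expected: Optional[int] = None
    for frag in frags:
        hdr, = struct.unpack_from("!H", frag)
        seq = hdr & SEQ_MASK
        if hdr & B_BIT:
            buf = bytearray()
            expected = seq
        if expected is None or seq != expected:
            raise ValueError("fragment %d out of sequence or lost" % seq)
        buf += frag[MP_HDR:]
        if len(buf) > mrru:
            raise ValueError("reassembled packet exceeds MRRU %d" % mrru)
        expected = (seq + 1) & SEQ_MASK
        if hdr & E_BIT:
            return bytes(buf)
    raise ValueError("ending fragment never arrived")


def deliver(packet: bytes, link_mtu: int, peer_mrru: Optional[int]) -> Optional[bytes]:
    """Model one DF-set packet crossing a PPP link of link_mtu bytes.
    peer_mrru None = no multilink negotiated: the packet is dropped if it does not fit.
    Otherwise it is fragmented here and reassembled by a peer that accepts up to peer_mrru."""
    if peer_mrru is None:
        return packet if len(packet) <= link_mtu else None
    try:
        return reassemble(fragment(packet, link_mtu), peer_mrru)
    except ValueError:
        return None


if __name__ == "__main__":
    full_size_segment = bytes(range(256)) * 5 + bytes(220)     # constructed 1500-byte IP packet
    print("no multilink, MTU 1470:", deliver(full_size_segment, 1470, None) is not None)
    print("MRRU 1600, MTU 1470:   ", deliver(full_size_segment, 1470, 1600) == full_size_segment)
    print("MRRU 1470, MTU 1470:   ", deliver(full_size_segment, 1470, 1470) is not None)
    print("fragments sent:", [len(f) for f in fragment(full_size_segment, 1470)])
```

This also shows why MRRU is only a workaround for endpoints whose path MTU discovery is broken: the link still carries 1470-byte frames, and every 1500-byte packet now costs two of them.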
 
kevinds
Long time Member
Topic Author
Posts: 640
Joined: Wed Jan 14, 2015 8:41 am

Re: Trying to Understand MSS Clamping - Not Working?

Thu Apr 25, 2019 9:48 am


I'd be curious what your VPN provider has to say - allowing an MRRU of 1600 would allow packets to be broken up at the PPP layer that otherwise couldn't be fragmented. This would assume you want to receive packets that have a total size of 1600 bytes. Based on an MTU / MRU for the interface of 1470 it would seem that either the provider or your MikroTik thinks it has 1510 available. The MRRU setting then allows packets greater than your 1500 MTU to be broken up and delivered. The lack of true 1500 MTU is because of the overhead of the underlying packet. Testing from your router with an interface IP of 1470 on the L2TP side, your router will emit a "Too Big" message back to you above that.

Something hinky seems to be going on with your VPN. I'd expect it to negotiate smaller (to say 1500 / 1460) but that's just me.
I asked them a couple hours ago to add MRRU 1600 to their router for my profile, see what they come back with tomorrow, hopefully it is doable. :)

Otherwise, yes, I am sure it was showing 1460 a couple weeks ago.

"The lack of true 1500 MTU is because of the overhead of the underlying packet." - Yes, the VPN overhead/encapsulation.

I will be very happy if I can get back to 1500 MTU.. lol
 
volkirik
Member Candidate
Posts: 208
Joined: Sat Jul 23, 2016 2:03 pm

Re: Trying to Understand MSS Clamping - Not Working?

Sat Dec 12, 2020 6:21 pm

Actually it is not solved... clamp TCP MSS is still not working...

MRRU is not supported by my ISP, so I added 2 forward rules (one for incoming traffic and another one for outgoing traffic) and clamp-to-pmtu manually.

Dunno what mechanism MikroTik uses for clamping TCP MSS at interfaces, but it is not working.
 
kevinds
Long time Member
Topic Author
Posts: 640
Joined: Wed Jan 14, 2015 8:41 am

Re: Trying to Understand MSS Clamping - Not Working?

Mon Dec 14, 2020 5:55 am

Actually it is not solved... clamp TCP MSS is still not working...

MRRU is not supported by my ISP, so I added 2 forward rules (one for incoming traffic and another one for outgoing traffic) and clamp-to-pmtu manually.

Dunno what mechanism MikroTik uses for clamping TCP MSS at interfaces, but it is not working.
A proper MTU testing/discovery tool would be nice.. I used to use Netalyzr from Berkeley, which tested MTU among its many tests, but it has been gone for a while now.
 
volkirik
Member Candidate
Posts: 208
Joined: Sat Jul 23, 2016 2:03 pm

Re: Trying to Understand MSS Clamping - Not Working?

Fri Apr 14, 2023 8:48 pm

Add a clamping rule in the firewall for TCP SYN, and then
add an accept rule for SYN so they are excluded from FASTTRACKing.
IMHO
Last edited by volkirik on Sun Apr 23, 2023 4:21 pm, edited 2 times in total.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Trying to Understand MSS Clamping - Not Working?

Mon Apr 17, 2023 12:01 am

...one wrote three years later...

Let's hope that in almost three years they have solved it, instead of waiting for what you wrote...
