Hi guys, I have a Mikrotik router acting as a NAT device for a site.

Network goes like this: Edge router -> bridged wireless network -> mikrotik (nat) - Wireless AP (bridged) -> Wireless client bridge -> Router (nat) -> Client network

The sites we were having problems with were having issues with were gov.bc.ca sites also intel.com and health canada websites.. They resolve DNS fine but would not load more than the first site image. Bypassing the customers network revealed the same issue.

So I changed the max mtu size via a mangle rule to 1360. That got almost all of the sites working. We found that the health canada website still wont load tho. so I disabled the mtu resize rule and instead put in place a Clear DF bit rule. The gov.bc.ca sites still work The health canada site will not load still: http://www.hc-sc.gc.ca/

The only other rules I have are 1-1 NAT rules for thier public IP's. We have 6 DST-NAT rules and 3 SRC-NAT rules. 3 devices are just wireless bridges, so i didnt bother with src-nats for them, the other 3 are running servers, so I have SRC-NAT's for them.

nat rules and mangle rules.

Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough

1 chain=srcnat action=src-nat to-addresses= <deleted public IP>
src-address=10.0.0.95

2 ;;; NIB OFFICE CPE SRC
chain=srcnat action=src-nat to-addresses= <deleted public IP>
src-address=10.0.0.84

3 ;;; NEC OFFICE CPE SRC
chain=srcnat action=src-nat to-addresses= <deleted public IP>
src-address=10.0.0.83

4 ;;; NEC COMP LAB CPE SRC
chain=srcnat action=src-nat to-addresses=<deleted public IP>
src-address=10.0.0.86

5 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=10.0.0.0/22

6 ;;; NIB OFFICE SU
chain=dstnat action=dst-nat to-addresses=10.0.0.81
dst-address= <deleted public IP>

7 ;;; NIB OFFICE AP
chain=dstnat action=dst-nat to-addresses=10.0.0.80
dst-address= <deleted public IP>
8 ;;; NEC OFFICE
chain=dstnat action=dst-nat to-addresses=10.0.0.82
dst-address= <deleted public IP>
9 ;;; NEC OFFICE CPE
chain=dstnat action=dst-nat to-addresses=10.0.0.83
dst-address= <deleted public IP>
10 ;;; NIB NEC COMP LAB CPE
chain=dstnat action=dst-nat to-addresses=10.0.0.86
dst-address=<deleted public IP>
11 ;;; NIB OFFICE CPE
chain=dstnat action=dst-nat to-addresses=10.0.0.84
dst-address=<deleted public IP>
12 ;;; test nat
chain=dstnat action=dst-nat to-addresses=10.0.0.95
dst-address=<deleted public IP>


Flags: X - disabled, I - invalid, D - dynamic
0 X chain=forward action=change-mss new-mss=1360 tcp-flags=syn protocol=tcp
fragment=no

1 chain=forward action=clear-df passthrough=yes tcp-flags=syn protocol=tcp

What do you guys think?

bump

I had vpn'd to the mikrotik and could not reproduce the problem. perhaps this is a time to live problem?

upped the ttl to 63. still no luck.


any ideas?

upped ttl to 200 with no affect.

Im going to assume there is an issue with the wireless AP or bridge behind it since i can vpn to the MT and not reproduce the problem.

TTL means hop count - how many routers can a packet traverse on its path. It is unfortunately named but has nothing to do with actual time frames.

Ok so i finally got a guy onsite there, as it turns out, the sites would load properly no problem if i disabled wireless security on the Ubiquity AP. With WEP or WPA encryption on the sites would fail to load. No security = no problem.