Hi guys, I have a Mikrotik router acting as a NAT device for a site.
Network goes like this: Edge router -> bridged wireless network -> MikroTik (NAT) -> Wireless AP (bridged) -> Wireless client bridge -> Router (NAT) -> Client network
The sites we were having problems with were gov.bc.ca sites, also intel.com and Health Canada websites. They resolve DNS fine but would not load more than the first site image. Bypassing the customer's network revealed the same issue.
So I changed the max MTU size via a mangle rule to 1360. That got almost all of the sites working. We found that the Health Canada website still won't load though, so I disabled the MTU resize rule and instead put in place a Clear DF bit rule. The gov.bc.ca sites still work. The Health Canada site will still not load: http://www.hc-sc.gc.ca/
The only other rules I have are 1-1 NAT rules for their public IPs. We have 6 DST-NAT rules and 3 SRC-NAT rules. 3 devices are just wireless bridges, so I didn't bother with SRC-NATs for them; the other 3 are running servers, so I have SRC-NATs for them.
NAT rules and mangle rules:
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
1 chain=srcnat action=src-nat to-addresses= <deleted public IP>
src-address=10.0.0.95
2 ;;; NIB OFFICE CPE SRC
chain=srcnat action=src-nat to-addresses= <deleted public IP>
src-address=10.0.0.84
3 ;;; NEC OFFICE CPE SRC
chain=srcnat action=src-nat to-addresses= <deleted public IP>
src-address=10.0.0.83
4 ;;; NEC COMP LAB CPE SRC
chain=srcnat action=src-nat to-addresses=<deleted public IP>
src-address=10.0.0.86
5 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=10.0.0.0/22
6 ;;; NIB OFFICE SU
chain=dstnat action=dst-nat to-addresses=10.0.0.81
dst-address= <deleted public IP>
7 ;;; NIB OFFICE AP
chain=dstnat action=dst-nat to-addresses=10.0.0.80
dst-address= <deleted public IP>
8 ;;; NEC OFFICE
chain=dstnat action=dst-nat to-addresses=10.0.0.82
dst-address= <deleted public IP>
9 ;;; NEC OFFICE CPE
chain=dstnat action=dst-nat to-addresses=10.0.0.83
dst-address= <deleted public IP>
10 ;;; NIB NEC COMP LAB CPE
chain=dstnat action=dst-nat to-addresses=10.0.0.86
dst-address=<deleted public IP>
11 ;;; NIB OFFICE CPE
chain=dstnat action=dst-nat to-addresses=10.0.0.84
dst-address=<deleted public IP>
12 ;;; test nat
chain=dstnat action=dst-nat to-addresses=10.0.0.95
dst-address=<deleted public IP>
Flags: X - disabled, I - invalid, D - dynamic
0 X chain=forward action=change-mss new-mss=1360 tcp-flags=syn protocol=tcp
fragment=no
1 chain=forward action=clear-df passthrough=yes tcp-flags=syn protocol=tcp
What do you guys think?
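The symptom above (DNS resolves, the first small reply arrives, larger replies never do) is the classic path-MTU blackhole: a hop on the path has a smaller MTU than the endpoints assume, and its ICMP "fragmentation needed" messages never reach the sender. The following added model (not from the post or from RouterOS) replays the three configurations in the post against a constructed path with an assumed 1400-byte wireless-bridge hop, and also tries a clear-df applied to every TCP packet, which is not in the post, to show why a clear-df matched on `tcp-flags=syn` alone does not help.

```python
from dataclasses import dataclass

IP_HDR, TCP_HDR = 20, 20
CLIENT_MSS = 1460          # MSS a 1500-byte-MTU host advertises in its SYN

@dataclass
class Hop:
    name: str
    mtu: int
    icmp_reaches_sender: bool = True   # False = this hop is a PMTUD blackhole

def max_mss_for_path(path):
    """Largest MSS that crosses every hop unfragmented (what change-mss should clamp to)."""
    return min(h.mtu for h in path) - IP_HDR - TCP_HDR

def segment_fate(tcp_payload, path, df):
    """Fate of one IP packet carrying tcp_payload bytes, with or without the DF bit set."""
    size = IP_HDR + TCP_HDR + tcp_payload
    for hop in path:
        if size <= hop.mtu:
            continue
        if not df:
            return "fragmented"           # still delivered, in pieces
        return "icmp-too-big" if hop.icmp_reaches_sender else "blackholed"
    return "delivered"

def fetch(reply_bytes, path, clamp_mss=None, df_policy="keep"):
    """Does a server reply of reply_bytes reach the client through the NAT path?

    clamp_mss  models `action=change-mss new-mss=N tcp-flags=syn`.
    df_policy  "keep": nothing touches DF;
               "syn-only": `action=clear-df tcp-flags=syn`, as printed in the post;
               "all": clear-df on every forwarded TCP packet (assumed variant, not in the post).
    """
    advertised = min(CLIENT_MSS, clamp_mss) if clamp_mss else CLIENT_MSS
    # The SYN (about 24 bytes of options) is far below any hop MTU, so clearing DF on it is moot.
    syn_ok = segment_fate(24, path, df=(df_policy == "keep")) in ("delivered", "fragmented")
    data_df = df_policy != "all"   # PMTUD-capable stacks set DF on data segments
    remaining, fates = reply_bytes, set()
    while remaining > 0:
        chunk = min(advertised, remaining)
        fates.add(segment_fate(chunk, path, data_df))
        remaining -= chunk
    # "icmp-too-big" lets the sender shrink and retransmit; "blackholed" just hangs
    return "loads" if syn_ok and "blackholed" not in fates else "hangs"

# Constructed path: 1500-MTU ends, with a wireless bridge that only passes 1400 bytes
# and whose ICMP errors never get back to the web server (assumed, not measured).
PATH = [Hop("edge", 1500), Hop("wireless bridge", 1400, icmp_reaches_sender=False),
        Hop("client LAN", 1500)]
```

With this path `max_mss_for_path(PATH)` is 1360, the same value the post clamps to; RouterOS can derive that per connection with `new-mss=clamp-to-pmtu` instead of a fixed number, and the real check is `ping` with DF set at increasing sizes from behind the NAT.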