I have an (MTU?) problem with CAPsMAN using manager forwarding mode; I already sent a mail to support@ and I'm awaiting a response; thought I'd post here in the meantime.
My setup is:
CCR1036-12G-4S as CAPsMAN
mixed devices as CAP: mostly RB2011UAS-2HnD, RB2011UiAS-2HnD, RB951-2n
everything is running 6.17
I have a rather complex setup on the CCR (many VLANs, many things),
but the relevant info should be:
- I have a bridge called "br-dcadmin" (protocol-mode=none) with an l2mtu of 1600
- almost all the CAPs have a slave configuration called "cfg-dcadmin"
- this configuration specifies ssid/country "austria"/channel "ch-admin"/datapath "dp-admin"/security "wpa2psk" and a passphrase.
- "ch-admin": 2422 MHz, 20 MHz width, band: 2ghz-b/g/n
- "dp-admin": bridge "br-dcadmin"
- "wpa2psk": auth type "WPA2 PSK", encryption: aes ccm, group encryption: aes ccm.
CAPs are properly registered with the manager, get their configurations, CAP interfaces on the manager get added to the bridge, everything appears to be fine, EXCEPT:
When I connect with a mobile device or my Windows 8.1 laptop to this network (regardless of which CAP I am connected to), I am unable to send larger packets. By that I mean:
- I am able to acquire an IP address via DHCP
- I can standard-ping everything
- if I try to ping with larger packet sizes, it silently fails:
On Windows, the packet length specified with "-l" (that's an L) is the actual payload size. That means that under normal circumstances you should be able to ping with 1472, because +28 IP header = 1500:
>ping -l 1472 -f 195.34.133.10
Pinging 195.34.133.10 with 1471 bytes of data:
Reply from 195.34.133.10: bytes=1472 time=27ms TTL=105
and also
>ping -l 1473 -f 195.34.133.10
Pinging 195.34.133.10 with 1473 bytes of data:
Packet needs to be fragmented but DF set.
If I try to do the same while connected to the network, pinging with a 1472 payload silently fails, even without -f (don't-fragment bit)! Actually, it fails with even smaller sizes; I have to go down to a payload size of 1438 (so that's 1466 gross) for the ping to go through.
This causes all kinds of problems, as it doesn't just fragment the packets, but silently discards them somewhere. This means you can open tiny websites, but not "normal" ones, you can ping, but not receive emails with attachments, and all the usual stuff that MTU problems bring with them.
*All* my interfaces *everywhere* have an l2mtu of at least 1582 apparently. So I have no idea why this fails.
Would be grateful for any insight / clues anyone might have.
Is CAPsMAN tunneling *supposed* to lower the available MTU?
Thanks & regards,
Markus
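The manual ping -l / -f search in the post can be automated: the script below (an added example, not part of the post or of RouterOS) binary-searches the largest payload that still gets a reply with DF set and reports how many bytes the path is silently eating compared with a plain 1500-byte Ethernet MTU. The `ping` invocations assume Windows ping or Linux iputils and a non-zero exit code on failure; `simulated_probe` is a constructed stand-in that models the behaviour described above (drops above 1466 bytes, no ICMP error) so the logic can be exercised offline.

```python
import subprocess
import sys

# 20-byte IPv4 header + 8-byte ICMP header: the "+28" used in the post for ping -l.
IP_ICMP_OVERHEAD = 28
ETHERNET_MTU = 1500


def ping_probe(target, payload, timeout_s=1):
    """Send one ping of `payload` bytes with the DF bit set; True if a reply arrived.

    Windows: ping -f -l (as in the post). Linux iputils: -M do -s.
    Assumption: the ping binary exits non-zero when no reply comes back.
    """
    if sys.platform.startswith("win"):
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), "-f", "-l", str(payload), target]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), target]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode == 0


def simulated_probe(max_ip_packet):
    """Constructed stand-in for ping_probe: the path silently drops every IP packet
    larger than `max_ip_packet`, with no ICMP error, as described in the post."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= max_ip_packet


def largest_passing_payload(probe, lo=1000, hi=ETHERNET_MTU - IP_ICMP_OVERHEAD):
    """Binary search for the largest payload in [lo, hi] that still gets a reply.

    Assumes drops are monotonic in size (if N fails, every size above N fails).
    Returns None when even `lo` fails, so the caller knows the window is wrong.
    """
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def implied_overhead(max_payload):
    """Bytes the path consumes beyond a plain Ethernet MTU (the hidden encapsulation cost)."""
    return ETHERNET_MTU - (max_payload + IP_ICMP_OVERHEAD)


if __name__ == "__main__":
    # Usage: python pmtu_probe.py <target-ip>   (sends real pings to a live target)
    best = largest_passing_payload(lambda n: ping_probe(sys.argv[1], n))
    if best is None:
        print("even the smallest probe failed; check basic reachability first")
    else:
        print(f"largest payload {best} -> IP packet {best + IP_ICMP_OVERHEAD}, "
              f"overhead vs {ETHERNET_MTU}: {implied_overhead(best)} bytes")
```

With the numbers from the post (1438 payload, 1466 gross) the tool reports 34 bytes of hidden overhead, which is the figure to compare against whatever the CAPsMAN data path adds per frame.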