Beginner issue with static routes

Hello,

new here, new with networking, serious problems with static routes on RB5009. Basic setup is two routers in same subnet 10.100.104.0/24, one for internet access (the RB5009 which is also default route on clients), second for VPN to various private IPs (physically directly on untagged eth3). Goal is to have static routes from RB5009 to the second router. An as I believe similiar config has been working for 5 years on OpenWRT.

• Pinging addresses within the routed networks works flawlessly at network speed without packages being lost.
• If static route is added in client OS (Win10/11) via route add, everything is working flawlessly.
  => So I suppose the second router as well as the servers in the VPN-networks are working.
  BUT, and here is the problem: When accessing a webpage only via RB5009-route, the TLS-handshake is lasting about 20s.
• Wireshark on client side unveils multiple TCP-retransmissions (obviously after timeouts), multiple Client Hellos, x Cipher changes. I’m definitely not a Wireshark expert, so there might be much more. I once saw ICMP redirects, so I disabled in /ip/settings, no effect.
• /tool/sniffer unveils no results (maybe wrong settings, or the hw-offloading on bridge is not as disabled as I thought?)

Gemini hinted on MSS-Clamping, so I changed a lot without effect.

I’m clueless.

Part of the config, I skipped the Wireguard part as well as the IPv6 part as the clients are IPv4 only, ready to supply more if necessary:

/interface bridge
add admin-mac=F4:1E:57:C9:EA:32 auto-mac=no comment=defconf name=bridge vlan-filtering=yes

/interface pppoe-client
add add-default-route=yes disabled=no interface=ether8 name=pppoe-out1 user=XXXXXXXXX

/interface vlan
add interface=bridge name=lan vlan-id=104
add interface=bridge name=mgmt vlan-id=88
add interface=bridge name=tel vlan-id=77
add interface=bridge name=wlan vlan-id=66

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="all interfaces allowing access to router" name=\
    allow-input-to-mikrotik

/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether2 pvid=992
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=66
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 pvid=66
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether6 pvid=66
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=sfp-sfpplus1 pvid=990
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 pvid=\
    991
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether3 pvid=104

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,ether2 untagged=ether3 vlan-ids=104
add bridge=bridge tagged=bridge,ether1,ether2 untagged=ether4,ether5,ether6 \
    vlan-ids=66
add bridge=bridge tagged=bridge,ether1,ether2 vlan-ids=77
add bridge=bridge tagged=bridge,ether1,ether2 vlan-ids=88

/interface list member
add interface=lan list=allow-input-to-mikrotik
add interface=mgmt list=allow-input-to-mikrotik
add comment=wan-interface interface=ether8 list=WAN
add interface=pppoe-out1 list=WAN

/ip address
add address=10.100.104.111/24 interface=lan network=10.100.104.0
add address=192.168.66.111/24 interface=wlan network=192.168.66.0
add address=192.168.77.111/24 interface=tel network=192.168.77.0
add address=192.168.44.111/24 interface=ether7 network=192.168.44.0
add address=192.168.88.111/24 interface=mgmt network=192.168.88.0

/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A

/ip firewall address-list
add address=192.168.66.235 list=unifi-ap
add address=192.168.66.240 list=unifi-ap

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=\
    "INPUT to MikroTik for list allow-input-for-mikrotik: mgmt, LAN" \
    in-interface-list=allow-input-to-mikrotik
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="DHCP on UDP/67 all but WAN" dst-port=\
    67 in-interface-list=!WAN protocol=udp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=\
    "unifi-aps to unifiserver: allow UDP/10001" dst-address=10.100.104.8 \
    dst-port=10001 protocol=udp src-address-list=unifi-ap
add action=accept chain=forward comment=\
    "unifi-aps to unifiserver: allow UDP/3478" dst-address=10.100.104.8 \
    dst-port=3478 protocol=udp src-address-list=unifi-ap
add action=accept chain=forward comment=\
    "unifi-aps to unifiserver: allow TCP/8080" dst-address=10.100.104.8 \
    dst-port=8080 protocol=tcp src-address-list=unifi-ap
add action=accept chain=forward dst-address=10.100.104.8 protocol=icmp \
    src-address-list=unifi-ap
add action=accept chain=forward comment="unifiserver to aps: allow" \
    dst-address-list=unifi-ap src-address=10.100.104.8
add action=accept chain=input comment="DNS on TCP/53 all but WAN" dst-port=53 \
    in-interface-list=!WAN protocol=tcp
add action=accept chain=input comment="DNS on UDP/53 all but WAN" dst-port=53 \
    in-interface-list=!WAN protocol=udp
add action=drop chain=input
add action=drop chain=forward comment="drop all from DMZ not to WAN" \
    in-interface=ether7 out-interface-list=!WAN
add action=drop chain=forward comment="drop all from WLAN not to WAN" \
    in-interface=wlan out-interface-list=!WAN
add action=accept chain=forward in-interface-list=LAN out-interface=wlan
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.44.44 to-ports=1080
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.44.44 to-ports=1443

/ip route
add disabled=no dst-address=10.100.7.0/26 gateway=wireguard-pitten \
    routing-table=main suppress-hw-offload=no
add check-gateway=none comment=E-Card-Services disabled=no distance=1 \
    dst-address=10.128.0.0/9 gateway=10.100.104.112 routing-table=main scope=\
    10 suppress-hw-offload=yes target-scope=10
add comment=E-Card-Services disabled=no distance=1 dst-address=84.38.112.0/20 \
    gateway=10.100.104.112 routing-table=main scope=10 suppress-hw-offload=\
    yes target-scope=10
add comment=E-Card-Services disabled=no distance=1 dst-address=172.16.0.0/12 \
    gateway=10.100.104.112 routing-table=main scope=10 suppress-hw-offload=\
    yes target-scope=10

I dont understand…so you have one RB5009, connected to the internet and it handles most of your regular home traffic?
THen you have a second RB5009 for VPN traffic?
WHY? you only need one device to do both…

Thank you for your reply, I forgot to mention that the VPN-router is being maintained by the VPN provider and has its own ADSL connection exclusively for the VPN.

Hi,
It likely means you have triangle/asymmetric routing happening.

Packet goes from your PC to your 5009 to VPN 5009 to other end,
return packet goes from other end to VPN 5009 to your PC, so your 5009 doesn’t see return traffic
and stateful firewall gets upset.

A good way of checking is to change the following rule:

add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid

And make it only apply if the packet is coming from the WAN interface in-interface=WAN, (or disable it completely)
If it then works this is likely the problem.

You could just leave it at that, but it is somewhat expensive CPU wise on the 5009.
(It can’t fast track these packets)

You can add a DHCP Option 121 with some static routes (and the default route) to the 5009 DHCP Server so (modern) dhcp clients will
get the route over the VPN via DHCP.
Setting this up is a bit manual…

Some other options are:

Use raw firewall rules on your 5009 to allow the traffic, bypassing stateful handling.

Put the VPN device on another network segment/ip range and route properly/fully via your 5009.
May increase load on your 5009 but also gives you more control over which traffic can traverse the VPN.
Also allows for fasttrack possibility, so might be better.

Thank you very much for your replies; restricting invalid filtering did the trick.
I’d really like to show my appreciation for your time and expertise, maybe you can provide an appropriate way?

I hesitate putting the VPN router to a different subnet as I have no configuration options. The provider only changes the IP address on request. RIPv2 should be available in learning mode, but a nmap -sU scan showed ports 520 and 521 to be closed and a test configuration from my 5009 didn’t work. Of course srcnat would be an option, but I’m fine with not dropping invalid packets.

Thank you very much!