I have a major problem with PMTU, the don't-fragment bit, and VPN tunnels … I have customers externally on L2TP tunnels (1400-1460 MTU) that cannot receive email from many of the larger senders, i.e. Cox, Hotmail, Yahoo, etc. We have determined this is because the PMTU ICMP type 3 code 4 packets going back to them are not making it, therefore they keep sending 1500-byte packets to us. This is fine for normal routing, but for some reason they are setting the DF bit and therefore we cannot fragment to send down the tunnel. The symptoms are hung connections, incomplete messages, delayed messages, etc.
I need the ability to clear the DF bit on packets in Mikrotik. The mangle action 'strip ipv4 options' does not clear that bit. Has anyone else run into this problem? Is there any way to get these packets down the tunnels without putting a Cisco in front?
Mikrotik gurus - can you add another mangle option to clear the DF bit? Please please please please : ) Our new portable IP project is cut off at the knees because of this - and I don't want to use anything other than RouterOS for this if I don't have to. : )
Can this be added in a future release as a mangle action? Just like strip ipv4 options?
In the meantime I have stuffed an EoIP tunnel down the L2TP and it works that way - but that is not the correct way to do things. I can't sell that solution to the thousands we hope to.
PS - how would I configure this? Do I need to have static IPs on the tunnel endpoints to be able to put them into the policy? Do I need to create a policy for each tunnel? Can you give me an example?
Here is what I tried that didn’t seem to clear that bit:
Although 12 years have passed, I will still write this note, since I was looking for an answer myself.
Now in "ip firewall mangle" there is an action "action=clear-df".
Just attaching an image to show the feature in Winbox. This thread helped me figure it out.
Certain sites set the DF bit for SSL websites, and I believe we can use this mangle rule (at IP > Firewall > Mangle) to clear it and let the sites work through fragmentation. For traffic through a tunnel, you'll want to set this as a forward-chain rule.
If you want to test it using the Ping tool on the Mikrotik, you'll have to add another rule for the output chain. And of course you need to repeat this at both ends.
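A worked RouterOS CLI version of the rules described above, added here as an example and not taken from any post in this thread. It assumes a constructed tunnel address pool of 10.200.0.0/24 and a placeholder L2TP interface name; one rule matching the pool covers every tunnel, so no per-tunnel policy or static endpoint addresses are needed.

```routeros
# Added example (not from the thread). Assumptions: tunnel clients are assigned
# addresses from 10.200.0.0/24 (constructed value); "l2tp-client1" is a placeholder
# interface name for the remote side of the tunnel.

/ip firewall mangle
# Forward chain: packets arriving with DF set and headed for tunnel clients get DF
# cleared here, so the router may fragment them to fit the 1400-1460 byte tunnel MTU.
add chain=forward dst-address=10.200.0.0/24 action=clear-df \
    comment="clear DF on traffic forwarded into L2TP tunnels"

# Output chain: only needed so that router-originated traffic (e.g. the Ping tool
# with the DF flag) is also fragmented when testing the tunnel.
add chain=output dst-address=10.200.0.0/24 action=clear-df \
    comment="clear DF on router-originated traffic into L2TP tunnels"

# On the far end of the tunnel (client router) the same idea applies in reverse:
# clear DF on traffic leaving through the tunnel interface toward the hub.
add chain=forward out-interface=l2tp-client1 action=clear-df \
    comment="far end: clear DF on traffic sent back through the tunnel"

# Verification: rule counters should increase while a large email or an SSL site
# that sets DF is fetched through the tunnel.
/ip firewall mangle print stats where action=clear-df
```

Counter growth on the clear-df rules, together with the disappearance of stalled transfers, confirms that DF-set packets are now being fragmented into the tunnel rather than silently dropped.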
I hate resurrecting old threads, but recently I had the issue that I stopped being able to go to many websites (struts.apache.org, USPS Informed Delivery, CBS All Access streaming) .. after doing packet captures, I noticed a lot of ICMP fragmentation messages… adding this to mangle fixed my issue…
Any ideas why all of a sudden this is now an issue? But only on my tile unit (CCR1036-12G-4S); I have an RB2011 and it works fine without issue, not requiring this mangle rule?