EOIP over PPTP browsing issues

Hello everybody,

I’ve setup an EOIP tunnel over a PPTP connection between 2 MT devices (450g’s).
I’ve bridged the tunnel to eth2 on one side and eth5 on the other.

This links my home to my office (large windows lan).

this is what works:

  1. ping from my home to work and vice-versa (work->home).
  2. name resolution (using ping).
  3. nslookup against a dns server located in my work lan.

what doesn’t seem to work:

  1. internet browsing. Sometimes it seems to work, but mostly it doesn’t. Parts of websites don’t load (not the same on each refresh), sometimes it loads only the title. Overall i cannot successfully browse any website.
  2. smb browsing and copying. Sometimes i can browse shares normally, but sometimes it times out. File copying is strange. For a few seconds i had 1.5mbytes/sec, but it crashed ->0b/s…

I’ve sniffed the packets on one internal webserver, and the source ip seems to be ok (the address of the laptop i am using at home–dhcp address from dhcp server at work lan).

I’ve tried to simplify MT configuration, but at least the ‘concentrator’ device has to have a lot of configuration (masquerade, firewall, nat, pptp…)

What should i investigate? how should i investigate?

Thanks all.

Is the MTU correct? Try to ping from one side to the other with don’t fragment and 1500 packets!

All settings default.

Should i have changed that?

I’ll try your suggestions later today.

You definitely have to decrease the MTU on the inner tunnels.

Also, one suggestion: if you bridge both ends of the pptp tunnel you do not need the eoip tunnel anymore, so you do not hit this fragmentation problem.

I need the eoip tunnel because i want the same broadcast domain.

I’ll probably evolve toward ipsec later, but for now i want to use pptp (it’s easier to setup).

Do you mean to bridge pptp connection to eth port on MT?

BTW. Toward what value should i set MTU? On pptp connection or eoip connection?

i’ve tested the connection setup up to 1350mtu.

it seems to work ok.

i’ve changed the mtu:

  1. on eth port
  2. on tunnel
  3. on bridge
on both routers with the same value 1350 (pptp has 1460mtu by default).

i’ve changed windows 7 mtu using netsh.

how can i overcome this limitation? maybe vpls? i’d like a simple solution.

or is it smth that i am missing. without manually setting windows mtu the link is not usable. :(
i’ve tried bridging the pptp connection to eth port but i cannot select pptp interface in the add port dialog. :(

anyone?

please, i need some advice.

thanks.

I kinda solved it.

I’ve followed Butch Evans’s instructions on bridging pptp connections.
It didn’t work initially; after a few days i’ve managed to make it work.

I had to enable ‘ip firewall’ on the bridges and create 2 mangle rules to change mss to (mtu-40). I’ve calculated mtu using ping (from winbox & windows).
I suspect ‘change tcp mss’ setting on the pptp profile page should have done the trick, but it didn’t. :(


It seems to work. Copying a large file eats 20-50%cpu in a 433ah for 1.3->1.8mbytes/sec (the limit at home i think).

Thanks all here & Butch Evans for the blog post ;)
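
The fix described in the post above, sketched as RouterOS commands. This is an added example, not the poster's actual configuration: the bridge-port name eoip-tunnel10 is borrowed from the printouts later in the thread, and 1310 is the 1350 MTU tested earlier in the thread minus 40.

```routeros
# Added example, not the poster's actual rules.
# Assumptions: tunnel bridge port is named eoip-tunnel10 and the largest
# MTU that passes unfragmented was measured as 1350, so
# MSS = 1350 - 40 = 1310 (20-byte IPv4 header + 20-byte TCP header).

# Bridged frames bypass the IP firewall unless this is enabled,
# so without it the mangle rules below never see the traffic.
/interface bridge settings set use-ip-firewall=yes

# Rule 1: clamp MSS on TCP SYNs leaving through the tunnel port.
# tcp-mss=1311-65535 limits the rewrite to SYNs advertising more than 1310.
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn \
    out-bridge-port=eoip-tunnel10 tcp-mss=1311-65535 \
    action=change-mss new-mss=1310 passthrough=yes \
    comment="clamp MSS towards tunnel"

# Rule 2: clamp MSS on TCP SYNs arriving from the tunnel port.
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn \
    in-bridge-port=eoip-tunnel10 tcp-mss=1311-65535 \
    action=change-mss new-mss=1310 passthrough=yes \
    comment="clamp MSS from tunnel"

# Check: the packet counters on both rules should increase when a new
# TCP connection is opened across the tunnel.
/ip firewall mangle print stats
```

MSS clamping only helps TCP; oversized UDP or ICMP packets still depend on fragmentation or on a smaller interface MTU.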

Hi cata02,
I have the same issue as you.

I linked 2 MT routers with a pptp because of nat issue on one side of the tunnel.
Then i setup a eoip over the pptp tunnel
Finally i bridged the eoip with the lan.
I can ping, can get the dhcp from the master router but i can not browse.
It seems that packets bigger than 1450 are dropped instead of being fragmented.

I left default MTU values for ethernet, eoip (1500) and pptp (1460)
How did you solve the issue?

Thanks in advance.

Sorry for resurrecting this old topic. Same problem here. Can’t seem to get a packet with size larger than 1398 bytes to pass thru.
One of the Mikrotiks is running old OS (2.x) while the other is 5.8 (latest). Wonder if that could be the problem.

I have the same problem also. I made an eoip tunnel between two rb2011. The tunnel is working properly, I can ping the other side, but when I try to ping without fragment, packets greater than 1250 cannot pass.

This doesn’t really sound the same as the instances in the thread. What is the maximum non-fragmented MTU between the two systems before trying EoIP?

i have the same problem…

i’ve tried with eoip over pptp and pptp with bridging… ping ok, dns ok, but websites or smb wont work…

ping with 1300 works.. with 1400 not…

i’ve tried many variations of mtu settings and nothing works…
i need help!

my setup:
CCR as main
RB2011UAS as client
i need the same network on both sides!

LAN:192.168.101.0/23

CCR:

ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                
 0   ;;; Config IP
     192.168.88.1/24    192.168.88.0    ether12                                                                                                  
 1   ;;; !!!! -- R O U T E --  NET -- !!!! Fiber UPC
     91.118.x.x/30   91.118.x.x   ether1 Fiber Uplink                                                                                      
 2   ;;; CCR IP
     91.118.x.x/24    91.118.x.x    vlan20 WAN                                                                                               
 3   192.168.100.254/23 192.168.100.0   LAN Bridge                                                                                              
 4 D 192.168.103.1/32   192.168.103.2   VPN Wels



/interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE         MTU L2MTU  MAX-L2MTU
 0  R  ether1 Fiber Uplink                 ether       1500  1590      10226
 1  RS ether2                              ether       1500  1590      10226
 2   S ether3                              ether       1500  1590      10226
 3   S ether4                              ether       1500  1590      10226
 4   S ether5                              ether       1500  1590      10226
17  R  LAN Bridge                          bridge      1350 65535
19  R  Team VLAN                           bond        1500
20  R  VPN Wels                            pptp-in     1460
21  RS eoip-tunnel10                       eoip        1350 65535
25  RS vlan10 LAN                          vlan        1500
28  R  vlan20 WAN                          vlan        1500



/interface bridge> print
Flags: X - disabled, R - running 
 0  R name="LAN Bridge" mtu=1350 l2mtu=65535 arp=enabled 
      mac-address=D4:CA:6D:8E:70:AD protocol-mode=none priority=0x8000 
      auto-mac=yes admin-mac=D4:CA:6D:8E:70:AD max-message-age=20s 
      forward-delay=15s transmit-hold-count=6 ageing-time=5m


/interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE         BRIDGE            PRIORITY  PATH-COST    HORIZON
 0    vlan10 LAN         LAN Bridge          0x80         10       none
 1    eoip-tunnel10     LAN Bridge          0x80         10       none



/interface eoip> print
Flags: X - disabled, R - running 
 0  R name="eoip-tunnel10" mtu=1350 l2mtu=65535 mac-address=00:00:5E:80:00:01 
      arp=enabled local-address=0.0.0.0 remote-address=192.168.103.2 
      tunnel-id=10



/interface pptp-server server> print
            enabled: yes
            max-mtu: 1460
            max-mru: 1460
               mrru: disabled
     authentication: mschap1,mschap2
  keepalive-timeout: 30
    default-profile: VPN colocation



/interface pptp-server> print detail        
Flags: X - disabled, D - dynamic, R - running 
 0   R name="VPN Wels" user="colocation-wels" mtu=1460 mru=1460 
       client-address="80.123.xxx.xxx" uptime=4m58s 
       encoding="MPPE128 stateless"



/ppp profile> print
Flags: * - default 
 0   name="VPN colocation" remote-ipv6-prefix-pool=(unknown) use-ipv6=default 
     use-mpls=default use-compression=default use-vj-compression=default 
     use-encryption=yes only-one=default change-tcp-mss=default address-list=""



/ppp secret> print
Flags: X - disabled 
 #   NAME                SERVICE CALLER-ID   PASSWORD     PROFILE             REMOTE-ADDRESS 
 0   colocation-wels   pptp                       xxxxxxx          VPN colocation    192.168.103.2

RB2011UAS

ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                
 0   ;;; LAN
     192.168.101.252/23 192.168.100.0   bridge-lan                               
 1   ;;; WAN
     80.123.xxx.xxx/30  80.123.xxx.xxx  ether1-gateway                           
 2 D 192.168.103.2/32   192.168.103.1   VPN-Wien



interface print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE         MTU L2MTU  MAX-L2MTU
 0  R  ether1-gateway                      ether       1500  1598       4074
 1  R  ether2                              ether       1500  1598       4074
 2  RS ether3                              ether       1500  1598       4074
 3  RS ether4                              ether       1500  1598       4074
 4   S ether5                              ether       1500  1598       4074
 5  RS ether6                              ether       1500  1598       2028
 6  RS ether7                              ether       1500  1598       2028
 7   S ether8                              ether       1500  1598       2028
 8   S ether9                              ether       1500  1598       2028
 9   S ether10                             ether       1500  1598       2028
12   S wlan1                               wlan        1500  2290
13  R  VPN-Wien                            pptp-out    1460
14  R  bridge-lan                          bridge      1350  1598
15  RS eoip-tunnel10                       eoip        1350 65535



/interface bridge> print
Flags: X - disabled, R - running 
 0  R name="bridge-lan" mtu=1350 l2mtu=1598 arp=enabled 
      mac-address=00:00:5E:80:00:02 protocol-mode=none priority=0x8000 
      auto-mac=yes admin-mac=00:0C:42:AF:85:04 max-message-age=20s 
      forward-delay=15s transmit-hold-count=6 ageing-time=5m



/interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE               BRIDGE               PRIORITY  PATH-COST    HORIZON
 0 X  ether3                  bridge-lan               0x80         10       none
 1 X  ether4                  bridge-lan               0x80         10       none
 2 X  ether5                  bridge-lan               0x80         10       none
 3    ether6                  bridge-lan               0x80         10       none
 4 I  wlan1                   bridge-lan               0x80         10       none
 5 X  ether7                  bridge-lan               0x80         10       none
 6 X  ether8                  bridge-lan               0x80         10       none
 7 X  ether9                  bridge-lan               0x80         10       none
 8    ether2                  bridge-lan               0x80         10       none
 9    eoip-tunnel10           bridge-lan               0x80         10       none



/interface eoip> print
Flags: X - disabled, R - running 
 0  R name="eoip-tunnel10" mtu=1350 l2mtu=65535 mac-address=00:00:5E:80:00:02 
      arp=enabled local-address=0.0.0.0 remote-address=192.168.103.1 
      tunnel-id=10



/interface pptp-client> print
Flags: X - disabled, R - running 
 0  R name="VPN-Wien" max-mtu=1460 max-mru=1460 mrru=disabled 
      connect-to=91.118.xxx.xxx user="colocation-wels" password="xxxx" 
      profile=VPN colocation keepalive-timeout=60 add-default-route=no 
      dial-on-demand=no allow=pap,chap,mschap1,mschap2



/ppp profile> print
Flags: * - default 
 0   name="VPN colocation" use-mpls=default use-compression=default 
     use-vj-compression=default use-encryption=yes only-one=default 
     change-tcp-mss=default address-list=""