EoIP Tunnel Clamp TCP MSS

Hi,

I have an EoIP tunnel between a Mikrotik RB4011iGS+RM and a Mikrotik CCR1009-7G-1C-1S+PC device.

There is a “Clamp TCP MSS” option at the EOIP settings page in winbox. Even if I set it, I also have to add another “change MSS” (with 1250 MSS) rule under Firewall/Mangle to have properly working TCP connections via the EOIP tunnel.

Based on the documentation, I thought “Clamp TCP MSS” would be enough to turn on at the EOIP settings, but this is not the case.
What do you think, could this be a bug in RouterOS?

I would like to have a small MSS (1250) only in the tunnel, not for the whole network.
I started to work on this as I found my tunnel too slow: I expected close to 1 Gbps but it is just about 100 Mbps. I tested it with samba file copy, apache http/https get requests and scp copy, all with a 20-25 GB file.

Thanks & br,
Halacs

Clamp MSS in EoIP will only clamp it based on the tunnel MTU size; it doesn’t know what the MSS size is end to end.

I have set 1300 MTU on the EoIP tunnel. Additional rule set MSS to 1250.

The reason behind the 1300/1250 MTU is a PPPoE internet connection with a VLAN-tagged LAN plus a NAT in front of the tunnel because of the dynamic public IP.

Am I right that, in this case, if the MTU of the tunnel were set to 1250, I could remove the extra rule?

@CZFan

And what does Clamp MSS in EoIP do?

Be aware that if you add an EoIP interface with an MTU<1500 to a bridge it will impact any traffic between local bridge ports too, usually breaking things.

Yeah, actually there is a warning in the documentation: MTU should be 1500 in the EOIP tunnel. If I set it to auto it gets somewhere between 1500 and my 1300. If I set it to 1500 manually it doesn’t work.
If the tunnel had a 1500 MTU, the tunnel would have to do fragmentation because of the PPPoE internet connection.
My LAN bridge is set to 1500 MTU manually. Can it cause a problem?

Not sure if I understand the question correctly, but:

OP did not mention the EoIP tunnel MTU size in the OP, so with that, if the tunnel MTU was set at 1500, then the “Clamp TCP MSS” in the EoIP config will clamp the MSS at 1460, which might not be low enough.

@OP:
You can specify out interface as the tunnel interface in the mangle rule which will then only change the MSS for traffic going out the tunnel, i.e.

/ip firewall mangle
add action=change-mss chain=forward new-mss=1250 out-interface=eoip-tunnel1 passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1251-65535

I can’t set the out interface to the tunnel:
“in/out-interface matcher not possible when interface (eoip-tunnel-xxx) is slave - use maser instead (brdige1)”

On bridge1 I also have VLAN tags, and so far I use it in the mangle rule as the out interface.

The Clamp tcp mss option has NEVER worked in RouterOS - period!! :angry:

I have always had to create a special mangle rule to solve the problem which affects SSL websites randomly since they cannot renegotiate TCP MSS. The websites that fail are usually the sites that block ICMP which prevents path discovery.

Unbelievable how many years (>10) this has been a problem and that nobody at Mikrotik has fixed it yet and yes - all the way up to the most current version of RouterOS.

I know that in WireGuard this can work to deal with MTU issues:
new-mss=clamp-to-pmtu !

Also one can use L2TP within wireguard and deal with MTU issues
by adjusting MRRU

Is WireGuard a Mikrotik RouterOS feature? I haven’t heard about it so far.

You can read about WireGuard here https://help.mikrotik.com/docs/display/ROS/WireGuard which requires RouterOS v7.x

It works for me. I did several packet captures, which confirm that it works.
But it has constraints:
TCP-MSS-clamping will only work with untagged native IPv4 traffic passing through the EoIP interface. As soon as it is encapsulated (802.1q, 802.1ad or PPPoE) it won’t work and you have to manually set up mangle rules.

Note that any problem you attempt to fix using TCP MSS clamping is actually caused by an error somewhere else.
Usually the error is that people “drop all ICMP” in their firewall, after advice from clueless “experts” like Steve Gibson.
ICMP plays a crucial role in the internet, in this case as part of path MTU detection, and dropping it will break things.
Clamping TCP MSS works as a workaround for these issues, but it is better when the root problem is solved. Fix the firewalls.

Ah gotcha! :slight_smile:
So this is the reason why TCP MSS clamping was not working in my EoIP tunnel: I have a VLAN trunk inside my EoIP tunnel. I have several separated VLANs in my network. I had to set up a mangle rule manually for this purpose, which works well.

I guess, from this point of view, it doesn’t matter that I have a PPPoE connection toward my ISP outside of my EoIP tunnel. It only influences the MTU inside and outside of the EoIP tunnel.

What’s the case with IPv6 traffic?

topic with dropper details, like a course by fascicles

No idea what that means, but looking at that avatar I think the OP’s problem is nourishment, it’s screaming I am Hungary!