Having to use MSS when it doesn't make sense

Hi all,
So I've been having issues with my MikroTik RB2011UAiS-RM. I'm more than sure it's possibly me, but at the same time, it doesn't feel like it.
The problem I've been experiencing is that I have to configure MSS adjustments in my mangle table, which doesn't make sense. I have an FTTN NBN connection here in Oz (VDSL2) that connects to my ISP via IPoE. That is no drama; however, if I leave the WAN interface at 1500 MTU, I'm not able to browse any websites.
If I change it to 1492, it still mostly doesn't work, but if I enable MSS, it starts working!

The modem for the setup is a Cisco 887VA in straight bridge mode (no routing at all, just going from the Ethernet interface to the VLAN interface; no IP MTU changes or MSS adjustments made).
By rights I should just be able to sit at 1500 and be fine… anyone got any suggestions?

The Mikrotik config is:

[admin@MikroTik] > export 
# apr/21/2023 22:15:03 by RouterOS 6.49.7
# software id = 9529-BHLX
#
# model = 2011UiAS
# serial number = 608A057E45EC
/interface bridge
add fast-forward=no name=bridge1
/interface ethernet
set [ find default-name=ether1 ] mtu=1492 name=ether1-WAN speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface vlan
add interface=ether5 name=VLAN100 vlan-id=100
add interface=ether5 name=VLAN200 vlan-id=200
add interface=ether5 name=VLAN300 vlan-id=300
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.64
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no interface=bridge1 lease-time=3d name=dhcp1
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge1 hw=no interface=ether2
add bridge=bridge1 hw=no interface=ether4
add bridge=bridge1 hw=no interface=ether3
add bridge=bridge1 interface=ether6
/interface ethernet switch vlan
add independent-learning=no ports=ether5,switch1-cpu switch=switch1 vlan-id=100
add independent-learning=no ports=ether5,switch1-cpu switch=switch1 vlan-id=200
add independent-learning=no ports=ether5,switch1-cpu switch=switch1 vlan-id=300
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
/ip dhcp-client
add disabled=no interface=ether1-WAN
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
/ip dns
set servers=8.8.8.8
/ip firewall address-list
add address=49.176.132.154 list=WANs
add address=192.168.1.0/24 comment=BASELAN list=LAN
/ip firewall mangle
add action=change-mss chain=forward log=yes log-prefix="mss trac" new-mss=clamp-to-pmtu out-interface=ether1-WAN passthrough=no \
    protocol=tcp tcp-flags=syn tcp-mss=1453-65535
add action=change-mss chain=forward in-interface=ether1-WAN log=yes log-prefix="mss change in" new-mss=clamp-to-pmtu \
    passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1453-65535
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN src-address=192.168.1.0/24
add action=dst-nat chain=dstnat dst-port=2348 log=yes log-prefix=ded1 protocol=tcp to-addresses=192.168.1.163 to-ports=2348
add action=dst-nat chain=dstnat dst-port=2349 log=yes log-prefix=ded2 protocol=tcp to-addresses=192.168.1.163 to-ports=2349
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1-WAN log=yes log-prefix=pmwebacces protocol=tcp to-addresses=\
    192.168.1.161 to-ports=8006
add action=dst-nat chain=dstnat dst-port=8226 log=yes log-prefix=sshtopm protocol=tcp to-addresses=192.168.1.161 to-ports=22
/ip ssh
set always-allow-password-login=yes forwarding-enabled=both
/system clock
set time-zone-name=Australia/Sydney
/tool sniffer
set filter-interface=bridge1 filter-mac-address=68:05:CA:21:A8:B0/FF:FF:FF:FF:FF:FF filter-stream=yes memory-limit=1000KiB
[admin@MikroTik] >

Provide the output of the Linux utility “tracepath” or the Windows utility “mturoute”, in trace mode, to some random external host.

I've been discussing this with my ISP (who I also work for, and thus I'm getting a lot of traction there too). The destination is my ISP's gateway.

C:\Users\Heath Carruthers\Downloads>mturoute.exe -m 1500 49.176.128.1

  • ICMP Fragmentation is not permitted. *
  • Speed optimization is enabled. *
  • Maximum payload is 1500 bytes. *
  • ICMP payload of 1472 bytes is too big.
  • ICMP payload of 92 bytes succeeded.
  • ICMP payload of 782 bytes succeeded.
  • ICMP payload of 1127 bytes succeeded.
  • ICMP payload of 1299 bytes succeeded.
  • ICMP payload of 1385 bytes succeeded.
  • ICMP payload of 1428 bytes succeeded.
  • ICMP payload of 1450 bytes succeeded.
  • ICMP payload of 1461 bytes succeeded.
  • ICMP payload of 1466 bytes is too big.
  • ICMP payload of 1463 bytes succeeded.
  • ICMP payload of 1464 bytes succeeded.
  • ICMP payload of 1465 bytes is too big.
    Path MTU: 1492 bytes.

C:\Users\Heath Carruthers\Downloads>mturoute.exe -t -m 1500 49.176.128.1
mturoute to 49.176.128.1, 30 hops max, variable sized packets

  • ICMP Fragmentation is not permitted. *
  • Speed optimization is enabled. *
  • Maximum payload is 1500 bytes. *
    1 ± host: 192.168.1.1 max: 1500 bytes
    2 -+++++++±+± host: 49.176.128.1 max: 1492 bytes

It's better if you do those tests after you put MTU 1500 back on your ether1-WAN.

If it is still 1492, it is probably the ISP limit (reselling PPPoE connections?) or it is not IPoE but PPPoE.

You can do some tests directly on the RB:

{
ping 1.1.1.1 do-not-fragment size=1500 count=5
ping 1.1.1.1 do-not-fragment size=1492 count=5
}
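The mturoute trace and the do-not-fragment pings above are both the same experiment: send DF-marked packets of varying size and find the largest one that gets through. The script below is an added example (not from this thread, and not MikroTik's or mturoute's code) that models that probe offline against a constructed path with an assumed 1492-byte bottleneck, converts the ICMP payload figures mturoute prints into an IP MTU, and then checks what the OP's `change-mss` mangle rule does to a SYN from a LAN host. The modelling of RouterOS `new-mss=clamp-to-pmtu` as "outgoing interface MTU minus 40 bytes" is an assumption, as are the sample MSS values; swap `PATH_MTU` to model a different link.

```python
"""Path-MTU probe and MSS-clamp check (constructed model, runs offline)."""

IP_HEADER = 20    # bytes, IPv4 header without options
ICMP_HEADER = 8   # bytes, ICMP echo header
TCP_HEADER = 20   # bytes, TCP header without options

# Constructed path: one bottleneck hop, assumed 1492 bytes to match the trace.
PATH_MTU = 1492


def link_accepts(ip_packet_size: int, path_mtu: int = PATH_MTU) -> bool:
    """A DF-marked packet only passes if the whole IP packet fits the smallest
    MTU on the path; otherwise the router drops it (and should send ICMP
    Fragmentation Needed, which is what PMTUD relies on)."""
    return ip_packet_size <= path_mtu


def probe_path_mtu(max_mtu: int = 1500, min_mtu: int = 576,
                   path_mtu: int = PATH_MTU):
    """Binary search for the largest DF packet that passes, the way the
    'succeeded / too big' lines in mturoute converge on the answer.
    min_mtu is assumed to always pass. Returns (mtu, [(size, passed), ...])."""
    log = [(max_mtu, link_accepts(max_mtu, path_mtu))]
    if log[0][1]:
        return max_mtu, log
    lo, hi = min_mtu, max_mtu          # lo known good, hi known bad
    while hi - lo > 1:
        mid = (lo + hi) // 2
        ok = link_accepts(mid, path_mtu)
        log.append((mid, ok))
        if ok:
            lo = mid
        else:
            hi = mid
    return lo, log


def icmp_payload_to_mtu(payload: int) -> int:
    """mturoute reports the ICMP payload; the IP MTU it implies adds the
    ICMP and IP headers (1464 payload -> 1492 MTU in the trace above)."""
    return payload + ICMP_HEADER + IP_HEADER


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP segment that fits an MTU: MTU minus IP and TCP headers."""
    return mtu - IP_HEADER - TCP_HEADER


def segment_fits(mss: int, path_mtu: int = PATH_MTU) -> bool:
    """Would a full-sized segment with this MSS pass the path without
    fragmentation? (LAN hosts at MTU 1500 advertise 1460 -> 1500-byte packets.)"""
    return mss + IP_HEADER + TCP_HEADER <= path_mtu


def clamp_syn_mss(advertised_mss: int, wan_mtu: int = 1492,
                  rule_low: int = 1453) -> int:
    """Model of the mangle rule
       change-mss tcp-mss=1453-65535 new-mss=clamp-to-pmtu out-interface=ether1-WAN
    It only matches SYNs whose MSS option is >= rule_low, and (assumption)
    clamp-to-pmtu rewrites the option to the WAN interface MTU minus 40."""
    if advertised_mss < rule_low:
        return advertised_mss            # rule does not match, SYN untouched
    return mss_for_mtu(wan_mtu)


if __name__ == "__main__":
    mtu, log = probe_path_mtu()
    for size, ok in log:
        print(f"DF packet of {size} bytes: {'passed' if ok else 'too big'}")
    print(f"Path MTU: {mtu}")
    print(f"LAN host MSS 1460 fits path? {segment_fits(1460)}")
    print(f"After clamp: MSS {clamp_syn_mss(1460)}, fits? "
          f"{segment_fits(clamp_syn_mss(1460))}")
```

The last two lines of the output are the whole point of the thread: with the WAN set to 1492 but nothing clamping, a LAN host still negotiates MSS 1460 and emits 1500-byte segments that do not fit the path, so the session stalls unless the Fragmentation Needed messages make it back; the clamp rewrites the SYN to 1452 and every full segment then fits.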

Ah, I’ve missed the 1492 MTU on WAN.
@casperionx: if you lower the link MTU along the path to your ISP you're not fixing anything, because your devices (PC etc.) still have an MTU of 1500.
Try the test again and use -t for trace mode, after changing the WAN MTU back to 1500, as @rextended suggested above.