If I try to access WebFig of the RB4011 over an L2TP/IPsec link I get
"Internet Explorer cannot read this webpage format
HTTP 406" (with IE8)
or "Error 406: Not Acceptable" (with FF75).
Accessing it from the same LAN the RB4011 is on is fine.
Accessing it with Winbox over the VPN is fine.
The VPN client receives an IP address from the same subnet as the LAN hosts.
The RB4011 is not even the VPN endpoint (yet); it's just a host on the LAN.
The WebFig logon page displays briefly but then turns into "Error 406: Not Acceptable".
Please see screenshots below.
Why does it behave like that?
To me, the most likely reason would be an MTU issue, where the request packet from your browser gets truncated. Does the 406 pop up immediately or after some time?
Is the "VPN client" the Windows system itself or another MikroTik? If it is Windows itself, I suspect the MTU issue to be in the PC->Tik direction, so changing it on the bridge has no effect, as it affects the MTU in the opposite direction (if it does at all, i.e. if you connect the client via the bridge). So I'd rather use a TCP MSS clamping rule in mangle output, which affects the MSS advertised to the PC client when the TCP session to the web server is initiated.
If it helps, it makes sense to dig into why normal PMTU doesn't work, or at least to modify the PPP profile so that the interface name is dynamically added to an interface list and the rule can refer to that list. The rule above stops working when the L2TP connection ends and will not start working again when the connection re-establishes, because the ephemeral interface has the same name all the time but a different ID, which is what the rule actually refers to.
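The following is an added example of the two pieces of advice in the reply above (an MSS clamp in the output chain, and a PPP profile that drops each dynamic L2TP interface into an interface list so the rule survives reconnects). It is not the rule the reply refers to, which is not shown in the thread. The interface list name "vpn-clients", the profile name "default-encryption" and the fallback value 1360 are assumptions; the rule belongs on whichever device terminates the L2TP/IPsec tunnel, which in this thread is not the RB4011 yet.

```routeros
# Added example, not from the reply above. Assumed names: interface list
# "vpn-clients", PPP profile "default-encryption". Run on the router that
# terminates the L2TP/IPsec tunnel and serves WebFig.

# 1. A list that the dynamic L2TP client interfaces will be added to.
/interface list add name=vpn-clients comment="dynamic L2TP client interfaces"

# 2. Make the PPP profile put every tunnel it brings up into that list.
#    A rule that matches on the list keeps working across reconnects,
#    whereas a rule with out-interface=<l2tp-name> binds to the interface ID
#    and silently stops matching once the tunnel is re-established.
/ppp profile set [find name=default-encryption] interface-list=vpn-clients

# 3. Clamp the MSS that the router advertises in its own SYN/ACK. The output
#    chain only sees locally originated packets, i.e. the WebFig server side
#    of the session, so this lowers the segment size the PC will send toward
#    the router. clamp-to-pmtu derives the value from the tunnel interface MTU;
#    an explicit value such as new-mss=1360 (an assumption, tune to your path)
#    can be used instead.
/ip firewall mangle add chain=output out-interface-list=vpn-clients \
    protocol=tcp tcp-flags=syn action=change-mss new-mss=clamp-to-pmtu \
    passthrough=yes comment="clamp MSS advertised to VPN clients"

# 4. Verify: the tunnel interface must appear as a dynamic member of the list
#    once a client connects, and the rule counters must increase when a new
#    WebFig (TCP/80) session is opened through the tunnel.
/interface list member print where list=vpn-clients
/ip firewall mangle print stats where comment~"clamp MSS"
```

If the member list stays empty after a client connects, the profile is not the one the L2TP server actually assigns (check /interface l2tp-server server and the secret's profile); if the counters stay at zero, the SYN/ACK is leaving through an interface that is not in the list.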
The 'Tik is not the VPN server just yet, but rather another host on the LAN.
I reduced the MTU for the VPN connectoid on the Windows client to 1198, but still get 406.
Should I try a packet sniffer?