I cannot surf some sites when I use PPPoE

nIce_Cream · September 26, 2005, 8:34pm

I cannot surf some sites when I use PPPoE.

Use ‘/ip firewall mangle’ to change MSS (maximum segment size) to a value less 40 bytes your connection MTU. For example, if you have encrypted PPPoE link with MTU=1492, set the mangle rule as follows:

/ip firewall mangle add protocol=tcp tcp-options=syn-only action=passthrough tcp-mss=1448

How to set this up on MT 2.9?
Thanks a lot!

piwi3910 · September 27, 2005, 4:39am

ok i had the same problem.
here in belgium the mtu should be set to 1494 to with the mss to -40 so that woul be 1454…
i even tried the 1448 numer as mss.

but the only way i got a stable link with pppoe was by using these values.
mtu 1480 mss 1440

if i use these al sites work…
on’t ask me why, i have no idea…
if i connect with a pc the mtu 1494 works but with my MT router in between i never got higher then 1480.

nIce_Cream · September 27, 2005, 10:20am

Change MSS

It is a well known fact that VPN links have smaller packet size due to incapsulation overhead. A large packet with MSS that exceeds the MSS of the VPN link should be fragmented prior to sending it via that kind of connection. However, if the packet has DF flag set, it cannot be fragmented and should be discarded. On links that have broken path MTU discovery (PMTUD) it may lead to a number of problems, including problems with FTP and HTTP data transfer and e-mail services.

In case of link with broken PMTUD, a decrease of the MSS of the packets coming through the VPN link solves the problem. The following example demonstrates how to decrease the MSS value via mangle:

[admin@MikroTik] > /ip firewall mangle add out-interface=pppoe-out action=change-mss
.. new-mss=1300 chain=forward
[admin@MikroTik] > /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward out-interface=pppoe-out action=change-mss new-mss=1300
[admin@MikroTik] >

Problem is, i dont know how to set mangle to change mss with this instructions (found here http://www.mikrotik.com/docs/ros/2.9/ip/mangle ). On 2.8, there was no problem setting it.

When I try to enter command described above, get this error

[admin@netalfa] > ip firewall mangle add out-interface=Panline action=change-mss
... new-mss=1448 chain=forward
tcp mss change works only on tcp syn packets

Thanks for your help.

Eugene · September 27, 2005, 11:14am

tcp mss change works only on tcp syn packets

Seems to be fairly self-explanatory, but …

ip firewall mangle add out-interface=ether1 action=change-mss new-mss=1448 chain=forward protocol=tcp tcp-flags=syn

nIce_Cream · September 27, 2005, 11:21am

Thanks man