ICMP fragmentation needed does not work on Tile?

I have a CCR1016-12G running on 6.15.

The setup is simple: ether1 is connected to the Internet. As requested by the ISP, I have set the MTU to 1460. ether3 is connected to the LAN.

There is one IPSec VPN connection over the Internet.

When I try to ping from the router it handles ICMP DF packets correctly.

But when I try to ping from the inside (ether3) with "dont-fragment" and a packet is too large, one of two things happens:

  1. If the packet is destined for the Internet, it is just dropped.
  2. If the packet should be sent through the VPN connection, the ICMP "need fragmentation" packet is sent on the VPN instead of back to the sender.

Without DF the router will fragment the packets correctly.

I have tested most of this on an RG751 running the same RouterOS; the behaviour is correct there.

[admin@router] /ip> /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
      NAME    TYPE   MTU   L2MTU  MAX-L2MTU  MAC-ADDRESS
 0 R  ether1  ether  1460  1590   10226      D4:CA:6D:74:2E:C0
 1 X  ether2  ether  1500  1590   10226      D4:CA:6D:74:2E:C1
 2 R  ether3  ether  1500  1590   10226      D4:CA:6D:74:2E:C2

/ip firewall nat
add chain=srcnat dst-address=172.16.0.0/12 src-address=172.31.99.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=172.31.99.0/24
add action=masquerade chain=srcnat out-interface=ether12 to-addresses=0.0.0.0

/ip firewall mangle
add action=change-mss chain=forward new-mss=1300 out-interface=ether1 protocol=tcp tcp-flags=syn

Any idea on this?
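
Added example, not part of the original post: a Python check for captured packets that tells whether an ICMP "fragmentation needed" (type 3, code 4) message is addressed to the host whose DF packet triggered it, and whether its next-hop MTU is consistent with the quoted header. The host addresses (172.31.99.10, 172.31.99.1, 172.16.5.20) and the helper names are assumptions, and the sample packets are constructed.

```python
import socket
import struct

def ipv4_header(src, dst, proto, payload_len, df=False):
    """Build a minimal 20-byte IPv4 header (checksum left at 0; constructed test data)."""
    flags_frag = 0x4000 if df else 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, flags_frag,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def parse_frag_needed(packet):
    """Return details of an ICMP type 3 code 4 packet, or None if it is something else."""
    if len(packet) < 48 or packet[9] != 1:      # 20 IP + 8 ICMP + 20 quoted IP header
        return None
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 28:
        return None
    icmp_type, icmp_code, _csum, _unused, mtu = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    if (icmp_type, icmp_code) != (3, 4):
        return None
    quoted = packet[ihl + 8:]                   # header of the packet that was too big
    return {
        "reporter": socket.inet_ntoa(packet[12:16]),
        "sent_to": socket.inet_ntoa(packet[16:20]),
        "next_hop_mtu": mtu,
        "original_sender": socket.inet_ntoa(quoted[12:16]),
        "original_len": struct.unpack("!H", quoted[2:4])[0],
        "original_df": bool(struct.unpack("!H", quoted[6:8])[0] & 0x4000),
    }

def check(packet):
    """Classify a captured packet: ok, misdirected, inconsistent or not-frag-needed."""
    info = parse_frag_needed(packet)
    if info is None:
        return "not-frag-needed"
    if info["sent_to"] != info["original_sender"]:
        return "misdirected"                    # error is not addressed to the sender
    if not info["original_df"] or info["original_len"] <= info["next_hop_mtu"]:
        return "inconsistent"                   # quoted packet should not have triggered it
    return "ok"

def frag_needed(reporter, sent_to, mtu, orig_hdr):
    """Build an ICMP frag-needed packet quoting orig_hdr plus 8 bytes of its payload."""
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + orig_hdr + b"\x08\x00" + bytes(6)
    return ipv4_header(reporter, sent_to, 1, len(icmp)) + icmp

# Constructed samples: a 1500-byte DF ping from a LAN host, MTU 1460 as on ether1.
ORIG = ipv4_header("172.31.99.10", "172.16.5.20", 1, 1480, df=True)
GOOD = frag_needed("172.31.99.1", "172.31.99.10", 1460, ORIG)
BAD = frag_needed("172.31.99.1", "172.16.5.20", 1460, ORIG)
```

The check looks only at addresses and header fields; which interface the ICMP error actually left on still has to be read from where the capture was taken.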