ICMP Fragmentation needed not routed/NATed.

I have a setup as follows:
Alice ↔ MT ↔ another router ↔ ISP <…> Bob
I am in control of the device and MT; the other router (which is controlled by the client) probably has an MTU limit of 1480.

MT is creating a NATed network for Alice.

  • When Alice is testing the upload link (speed test using TCP, also iperf3), I am observing speeds near zero: packets are dropped, lots of retransmissions.
  • On MikroTik with packet sniffer (and analyzing them in Wireshark) I am observing ICMP packets “Fragmentation needed” arriving from “another router”.
  • I am not observing ICMP packets on Alice (Wireshark over ssh); however, I am able to observe ping packets.
  • With ip/firewall/mangle chain=prerouting action=log protocol=icmp in-interface=ether1 log=yes log-prefix=""
    I am logging: prerouting: in:ether1 out:(unknown 0), connection-state:invalid src-mac 14:49:bc:69:05:90, proto ICMP (type 3, code 4), 192.168.9.1->192.168.9.106, len 56

As I understand it, “Fragmentation needed” should be sent down to Alice so that she can reduce the fragment size? In Wireshark I noticed that the ICMP packet is holding some TCP connection context, so MT should be able to correlate that ICMP with the TCP connection and be able to NAT it and send it to Alice?
That connection-state:invalid caught my attention. Maybe that is what prevents it from being NATed?

Some settings:
At the beginning I had an empty firewall filter table; I've added some defconf rules, but it doesn't affect anything:

 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related, untracked
      chain=input action=accept connection-state=established,related,untracked log=no log-prefix="" 

 2    chain=input action=accept protocol=icmp log=no log-prefix="" 

 3    chain=forward action=fasttrack-connection hw-offload=yes log=no log-prefix="" 

 4    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked log=no log-prefix="" 

 5    chain=forward action=accept protocol=icmp log=no log-prefix="" 

NAT:

chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""

Or maybe that ICMP packet shouldn’t be routed to Alice and MT should change MSS? If so I have another issue here.

Previously, on ROS v6.x.x, this mangle rule was working for me:

 chain=forward action=change-mss new-mss=clamp-to-pmtu passthrough=yes tcp-flags=syn protocol=tcp in-interface-list=WAN log=no log-prefix=""

But after upgrading to 7.15.2 it doesn't work well. By this I mean I can see the traffic counters changing, but upload tests are failing (showing values around zero).
Setting new-mss=1400 solves the problem, but clamping does not. How does MT know what value to use? From that ICMP packet, or is it testing on its own?

Your clamp-to-pmtu rule is wrong, you should be doing this for packets going OUT of the router, not ones coming in. Change in-interface-list to out-interface-list and make sure MTU of the outbound interface matches what the next router expects (otherwise specify clamping value manually).
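As an added illustration (not code from either poster or from MikroTik): a constructed ICMP “Fragmentation needed” message of the shape logged in the original post, an 8-byte ICMP header carrying the next-hop MTU followed by the refused packet's IPv4 header and the first 8 bytes of its TCP header (20 + 8 + 20 + 8 = 56 bytes once the outer IPv4 header is counted, matching the len 56 in the log), parsed to show the embedded flow tuple a NAT box has to look up in its connection table and the MSS that fits the reported MTU. The address 203.0.113.10, the ports and the sequence number are assumed sample values; 192.168.9.106 is the post's own WAN address.

```python
import socket
import struct

ICMP_UNREACH, CODE_FRAG_NEEDED = 3, 4


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a message whose field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frag_needed(next_hop_mtu, orig_src, orig_dst, sport, dport, orig_len=1500):
    """Constructed ICMP type 3 / code 4 as the next-hop router would send it back.

    The body holds the IPv4 header plus 8 bytes of TCP header of the datagram it
    refused (DF set). That embedded header is the 'TCP connection context': a NAT
    box looks the inner tuple up in its connection table to find the LAN host."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, orig_len, 0x1234, 0x4000,
                           64, socket.IPPROTO_TCP, 0,
                           socket.inet_aton(orig_src), socket.inet_aton(orig_dst))
    inner_ip = inner_ip[:10] + struct.pack("!H", checksum(inner_ip)) + inner_ip[12:]
    inner_tcp = struct.pack("!HHI", sport, dport, 0x11223344)  # ports + sequence no.
    hdr = struct.pack("!BBHHH", ICMP_UNREACH, CODE_FRAG_NEEDED, 0, 0, next_hop_mtu)
    msg = hdr + inner_ip + inner_tcp
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def parse_frag_needed(msg: bytes) -> dict:
    """Return next-hop MTU and the embedded flow's 5-tuple; raise on malformed input."""
    if len(msg) < 8 + 20 + 8:
        raise ValueError("truncated ICMP message")
    if checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code, _, _, mtu = struct.unpack("!BBHHH", msg[:8])
    if (itype, code) != (ICMP_UNREACH, CODE_FRAG_NEEDED):
        raise ValueError(f"not fragmentation-needed: type {itype} code {code}")
    inner = msg[8:]
    ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {"mtu": mtu, "proto": inner[9],
            "src": socket.inet_ntoa(inner[12:16]), "dst": socket.inet_ntoa(inner[16:20]),
            "sport": sport, "dport": dport}


def mss_for(path_mtu: int) -> int:
    """Largest TCP MSS that fits path_mtu with 20-byte IPv4 and 20-byte TCP headers."""
    return path_mtu - 40
```

With the 1480 MTU from the post, mss_for gives 1440; the manual new-mss=1400 that worked is below that, which is why it avoids the drops.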