So the problem is that the new config is working, but very badly. I see a lot of TCP retransmissions; sites routed via VPN take several minutes to load, and not always on the first try.
Except for the new routing mark the configurations of the different RouterOS versions are identical.
It is not necessary to use a routing mark; if someone can suggest a better address-list-based routing option I would be very grateful.
Most of the extra firewall rules people put in are not required.
What are you experiencing that forces you to adopt ‘extra’ rules?
Do you have many servers open to the public?
Thank you for the suggestion. I’ve tried to change the MSS even to 1000, but to no avail.
Funny thing: just routing from IP to IP works perfectly fine (ip routes); the problem seems to be only with the mangle rule when the dst-address-list option is present. Quite strange.
Decided to recreate the address list completely, so now it works mostly fine. But straightforward routing still feels better when browsing.
Hate this kind of floating problem…
P.S. I am still open to suggestions on how to solve this “address-list-based routing” task more efficiently.
Keep in mind, changing MTU may not have an immediate effect… Connections are tracked and devices have PMTUD caches. And also setting it too low can introduce new problems.
But with @msatter, this sounds like an MTU issue, someplace…
Might want to post your full config. Still could be firewall, but if it was working before… mangle hasn’t changed much since V6, so not my first guess here.
I’d say use /routing/rules instead of an address-list. But if what you had was working in V6, it’d be easier to figure out the likely one thing that didn’t convert from V6 right than to redo the config…
That’s not an MTU issue, because direct routing like this works fine.
/ip/route/add dst-address=1.1.1.1/32 gateway=vpn
But routing through mangle (even with just the dst-address option, without address lists, etc.) causes a lot of TCP retransmissions.
Seems like a bug to me, don’t you think?
Hard to know, snippets really do NOT tell us much.
e.g.
Is the VPN also in the main routing table as well, or is it just in the new route table?
When you “tried changing the MTU”, what exactly did you try? Did you do a ping test to verify the actual MTU? My concern is the default MTU may be different between V6 and V7.
You state retransmissions; then the question is whether your network is sending out the request again, or the other side because it did not get an acknowledgement from you?
Secondly, did you see any traffic hitting the MTU rule I gave? With this one you don’t need to state a wished MTU and it will adapt to the MTU size the destination is able to handle.
Thirdly, if the other side is answering on a related IP address you are then sending out through the main gateway. This is not very likely.
Lastly, I connection-mark traffic that should go through the VPN so I can see the connection in connection tracking. You routing-mark traffic based on an address list, so there it is not needed to keep connection marking active after debugging.
Another difference between v6 and v7 is that in v7 a routing mark (in IPv4) makes the router do only lookups in the specified table.
In v6 it was just a hint, and other routing rules and the main table were still in use. Not in v7.
So your alternative routing table must be complete. You may need to copy routes from the main table to the second routing table, or you may need to adapt your mangle rule to exclude certain cases from the routing mark (e.g. local addresses).
Also, make sure you don’t have the “fasttrack” rule enabled, as this method of route mangle will NOT work with fasttrack enabled.
Disable or remove the fasttrack rule in the forward chain, and reboot the router.
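As an added example (not any poster's configuration), here is a minimal RouterOS v7 setup that follows the advice in this thread: a second routing table that is complete on its own, an address-list-based routing mark that skips router-local destinations, an MSS clamp that adapts to the path MTU (assumed to be the kind of rule referred to above), the fasttrack rule disabled, and the /routing/rules alternative. The table name `via-vpn`, interface `vpn-out`, LAN subnet `192.168.88.0/24`, list name `vpn-sites` and the documentation-range addresses are all assumptions.

```routeros
# Added example, not a poster's config. Assumed names: routing table "via-vpn",
# VPN interface "vpn-out", LAN 192.168.88.0/24, address list "vpn-sites".

# 1. In v7 a routing mark looks ONLY in the named table, so the table needs its
#    own default route (plus any other routes marked traffic would otherwise
#    have found in "main").
/routing/table add name=via-vpn fib
/ip/route add dst-address=0.0.0.0/0 gateway=vpn-out routing-table=via-vpn \
    comment="default via VPN (added example)"

# 2. Destinations that should leave through the VPN (constructed sample entries).
/ip/firewall/address-list add list=vpn-sites address=203.0.113.0/24
/ip/firewall/address-list add list=vpn-sites address=198.51.100.10

# 3. Mark routing only for LAN-originated traffic to listed destinations.
#    dst-address-type=!local keeps traffic addressed to the router itself out
#    of the VPN table, one of the "certain cases" mentioned above.
/ip/firewall/mangle add chain=prerouting src-address=192.168.88.0/24 \
    dst-address-list=vpn-sites dst-address-type=!local \
    action=mark-routing new-routing-mark=via-vpn passthrough=no

# 4. Clamp TCP MSS on the VPN interface to the discovered path MTU instead of
#    guessing a fixed value such as 1000.
/ip/firewall/mangle add chain=forward out-interface=vpn-out protocol=tcp \
    tcp-flags=syn action=change-mss new-mss=clamp-to-pmtu passthrough=yes

# 5. Fasttracked connections bypass mangle, so the fasttrack rule must be off
#    (the rule stays in place, disabled, so it can be re-enabled for testing).
/ip/firewall/filter set [find action=fasttrack-connection] disabled=yes

# Alternative from the thread: a routing rule per destination prefix instead of
# a mangle mark. lookup-only-in-table also restricts the lookup to one table.
/routing/rule add dst-address=203.0.113.0/24 action=lookup-only-in-table \
    table=via-vpn comment="added example"
```

After applying this, `/ip/firewall/mangle print stats` shows whether the mark and clamp rules are actually matching packets, and `/ip/route print where routing-table=via-vpn` confirms the secondary table has its default route; those two checks separate a "table is incomplete" problem from an MTU problem.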