Lot of sites don't load on the first try

Hello everyone!

A lot of sites don't load at all; I have to retry 1-10 (it varies) times for it to load. Afterwards it seems to work for some time, then I have to do this ritual again. Sometimes the sites don't load correctly, as if JavaScript/CSS could not be loaded. Affected sites, for example: mail.proton.me, drive.proton.me, forum.mikrotik.com, etc. All the devices experience this; it is not unique to my Linux computer.

Device: MikroTik Chateau LTE6 ax Dual-Band Wi-Fi 6 LTE router (copied from the shop where I bought it)
Using a SIM card, and the latest firmware, 7.15.2
Settings are the default. I only changed the Wi-Fi SSID & password, admin password, made static IP for two devices, and use a domain name for one (NAS).

Before this device, I had a dongle, which worked flawlessly, before it gave in.
A few days ago I had reset the router, and for ~24 hours I haven't encountered this not-loading issue.

This sounds like an MTU problem. Are you using a VPN?

There should be a mangle rule that clamps the TCP MSS to the MTU. Sometimes it’s automatic if you have a PPP-based link.

No, I am not using a VPN.
So what you are saying is this?

IP > Firewall > Mangle > Add New
Chain: prerouting
Protocol: tcp
TCP MSS: 1460-65535

And that's it? At first glance it might have worked.

This one will look at any sync packets (three for each connection) and adapt automatically to the length the other side can handle. Looking only at packets larger than 1380 bytes.

add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes packet-size=!0-1380 protocol=tcp tcp-flags=syn

More info: https://help.mikrotik.com/docs/display/ROS/Mangle#Mangle-ChangeMSS

Generally, yes. The low number (in your example, 1460) just needs to be below the threshold of whatever is blocking larger packets upstream.

Tried this, lowered 1460 → 1380, then 1300; still got errors like this, then even tried with 1200, and it was worse.

Then this:

add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes packet-size=!0-1380 protocol=tcp tcp-flags=syn

But still encountering this issue, and the bytes / packets were 0 on this rule on the firewall dashboard.

Another thought: partially working IPv6 can cause similar problems.

Try turning off IPv6 on the router.

From winbox
ipv6 settings tick the disable ipv6 box and wait a short while.
(May need to reboot PC if want it to update faster)

That command is not reasonable. It makes no sense looking at packet length, because SYN packets are not full sized packets anyway.
The command to use is:

/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn
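
Added example, not part of any post in this thread: a Python model of why a TCP SYN never matches `packet-size=!0-1380` (consistent with the zero counters reported above) and of what clamping the MSS option in a SYN does. The sample SYN, the path MTU of 1400, the helper names, and the modelling of clamp-to-pmtu as path MTU minus 40 bytes of IPv4 and TCP headers are assumptions.

```python
import struct

IPV4_HDR, TCP_HDR = 20, 20  # header sizes without options

def build_syn(mss):
    """Constructed sample: TCP SYN header with MSS, SACK-permitted and window-scale options."""
    opts = struct.pack("!BBH", 2, 4, mss) + bytes([4, 2, 1, 3, 3, 7])
    opts += b"\x01" * (-len(opts) % 4)  # NOP padding to a 32-bit boundary
    offset_byte = ((TCP_HDR + len(opts)) // 4) << 4
    # ports 40000 -> 443, seq 1, ack 0, flags SYN (0x02), window 64240, checksum 0 (not computed)
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, offset_byte, 0x02, 64240, 0, 0) + opts

def find_mss(tcp):
    """Return (offset_of_value, mss) for the MSS option (kind 2), or None."""
    end, i = (tcp[12] >> 4) * 4, TCP_HDR
    while i < end:
        kind = tcp[i]
        if kind == 0:  # end of option list
            break
        if kind == 1:  # NOP is a single byte
            i += 1
            continue
        if i + 1 >= end or tcp[i + 1] < 2 or i + tcp[i + 1] > end:
            break  # truncated or malformed option
        if kind == 2 and tcp[i + 1] == 4:
            return i + 2, struct.unpack_from("!H", tcp, i + 2)[0]
        i += tcp[i + 1]
    return None

def clamp_mss(tcp, path_mtu):
    """Lower the MSS of a SYN to path_mtu - 40 if it is larger (checksum fix-up omitted)."""
    found = find_mss(tcp)
    limit = path_mtu - IPV4_HDR - TCP_HDR
    if not (tcp[13] & 0x02) or found is None or found[1] <= limit:
        return tcp
    out = bytearray(tcp)
    struct.pack_into("!H", out, found[0], limit)
    return bytes(out)

def size_matcher_hits(tcp, low=0, high=1380):
    """Model of packet-size=!0-1380: true only when the IPv4 packet is outside low..high."""
    return not (low <= IPV4_HDR + len(tcp) <= high)

if __name__ == "__main__":
    syn = build_syn(1460)
    print("SYN packet bytes:", IPV4_HDR + len(syn))            # far below 1380
    print("packet-size=!0-1380 matches:", size_matcher_hits(syn))
    print("MSS after clamp to path MTU 1400:", find_mss(clamp_mss(syn, 1400))[1])
```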

Still no success.

Disabled ipv6, IPv6 > Settings > Disable IPv6 is checked.

IPv6 is still disabled and used this:

/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn

Packets go through this chain, but the not loading issue is still present.

Yet another possibility is broken DNS.

If on windows open a command prompt,
type nslookup

And try a few sites (including some you haven’t recently used)
does it return immediately with a result?

Is the DNS server nslookup is using correct?

Tried the nslookup (Linux), and it returned everything correctly, e.g. nslookup skylords-reborn.fandom.com, which I haven't visited before, and it returned both IPv4 and IPv6 addresses. Then opened the page in the browser, and had to do the usual routine of hitting refresh until it loads.

Does your provider support IPv6?
Do you see IPv6 addresses locally on the client? (e.g. “ipconfig /all” in Windows or “ip addr” in Linux)
Can you ping to pingable servers in IPv6?

  1. No, afaik my provider does not support IPv6, this site says so: https://test-ipv6.com/
  2. Yes I do, I can ping my PC from my laptop with IPv6.
  3. No I can't. nslookup google.com and I get two addresses. I can ping the IPv4 but not the IPv6.

One thing I just noticed: on my laptop I haven't noticed this issue yet (it's a new one, haven't used it much yet, and it is connected through Wi-Fi). The not-loading issue is less frequent on my phone, but still occurs. However, on my desktop Linux PC, which is connected through Ethernet cable, it happens every day. Last time I had to run the update command multiple times for it to reach the servers.

One example: Proton Drive loaded instantly on the laptop, I could refresh without an issue, but on the PC I had to refresh I think 2 times for it to load.

Edit: Maybe I talked too soon. 30 minutes after writing this post, I just encountered this issue on the laptop as well. This forum did not load, nor GitHub. Had to retry like 10 times.

  1. Did you ping on an address that starts with fe80: ?
    In that case it is no problem.
    But when there is another IPv6 address internal to your network and not working via your ISP, that may be your problem.

Yes, I pinged the IPv6 address which starts with that.


What do you mean by this? I don't think I use any other IPv6 addresses.
If this helps, IPv6 > Settings: I have ‘Disable IPv6’ and ‘IPv6 Forward’ checked.

Well, the reason I bring this up is that when you have a partly working IPv6 configuration (addresses are defined but routing does not work) you may observe the behavior that you complain about…
But apparently it is something else.
Almost impossible to debug such issues from remote.

In another thread @mkx mentioned that adjust mss will probably not work if the connection is fasttracked.
You could try and disable the fasttrack rule briefly.