Mikrotik Bandwidth Test is ignoring TCP MSS adjust

I’m running RouterOS 7.20.2. I have an L2TP VPN and a TCP MSS adjust rule on my output traffic to change the MSS on SYN packets. When the Btest tool runs, the server sends packets of size 2848. The MSS is set to 1410 inside the tunnel. I believe btest is ignoring the MSS on SYN packets.

You might want to post your firewall configuration.

At a high level, my guess is your MSS adjust is happening on forwarded traffic, but btest is a local process so it goes via output. So firewall may be missing that, but IDK.

Thank you for replying.

WAN MTU is 1500

L2TP tunnel MTU is 1450

Here are my mangle rules:

/ip firewall mangle
add action=change-mss chain=forward new-mss=1410 protocol=tcp tcp-flags=syn tcp-mss=1411-65535
add action=change-mss chain=output new-mss=1410 passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1411-65535

Actually, the problem is a bit more involved. As @Amm0 said, locally originated traffic goes through output.

When the mss is changed, it instructs the other side that you’re willing to receive a lower max size of packet. It presumably obeys this.

For your router to send lower than max size packets, it has to receive a packet with the mss adjusted, which would inform it that the other side is only willing to accept smaller packets. MSS is not symmetric!

For this to happen, currently the other side has to have an output change-mss rule as well.

The other solution would of course be for Mikrotik to allow clamping mss in input or prerouting. Actually iptables and all other router manufacturers allow this. I wrote about this to support, but they somehow fail to see how/why this would be useful when you only control one side of a tunnel.
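Added example, not code from any poster in this thread: a small Python model of the handshake described in the post above, showing which direction an output-only change-mss rule actually limits. The function names are hypothetical, the packets are constructed, and 1460 is an assumed starting MSS for hosts on a 1500-byte MTU.

```python
import struct

SYN, ACK, MSS_KIND = 0x02, 0x10, 2

def build_segment(mss, flags=SYN):
    """Constructed 24-byte TCP header with one MSS option (checksum left 0)."""
    fixed = struct.pack("!HHIIBBHHH", 40000, 2000, 1, 0, 6 << 4, flags, 65535, 0, 0)
    return fixed + struct.pack("!BBH", MSS_KIND, 4, mss)

def read_mss(segment):
    """Walk the TCP options; return (offset of MSS value, MSS) or None."""
    end = min((segment[12] >> 4) * 4, len(segment))
    i = 20
    while i + 1 < end:
        kind, length = segment[i], segment[i + 1]
        if kind == 0:                        # end of option list
            break
        if kind == 1:                        # NOP padding, one byte
            i += 1
            continue
        if length < 2 or i + length > end:   # malformed option
            break
        if kind == MSS_KIND and length == 4:
            return i + 2, struct.unpack_from("!H", segment, i + 2)[0]
        i += length
    return None

def change_mss(segment, new_mss=1410, lo=1411, hi=65535):
    """Model of the thread's rule: tcp-flags=syn tcp-mss=1411-65535 new-mss=1410.
    Rewrites the option only; a real clamp also has to fix the TCP checksum."""
    found = read_mss(segment)
    if not segment[13] & SYN or found is None or not lo <= found[1] <= hi:
        return segment
    out = bytearray(segment)
    struct.pack_into("!H", out, found[0], new_mss)
    return bytes(out)

def send_limits(a_mss, b_mss, a_clamps_output, b_clamps_output):
    """A opens a connection to B. Returns (largest segment A sends, largest B sends)."""
    syn, synack = build_segment(a_mss, SYN), build_segment(b_mss, SYN | ACK)
    if a_clamps_output:
        syn = change_mss(syn)
    if b_clamps_output:
        synack = change_mss(synack)
    # Each sender is bound by the MSS it received, not the one it advertised.
    return min(read_mss(synack)[1], a_mss), min(read_mss(syn)[1], b_mss)

if __name__ == "__main__":
    print(send_limits(1460, 1460, True, False))  # 1460 = assumed MSS; only A clamps
    print(send_limits(1460, 1460, True, True))   # both ends clamp on output
```

With only A clamping on output, B is held to 1410 while A may still send 1460-byte segments; both directions drop to 1410 only when B clamps its own output as well.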

My understanding is that when I change the MSS on an output SYN packet, that instructs the other side receiving that SYN to set the MSS to that number. However, the other side is sending the oversized packets (I’m running receive-only Btest from the client that has the mangle rules I pasted above / collecting logs on input from the same).

Sorry, I spoke too soon.

I’ve also noticed in the past that there is some strange behavior (bug?) regarding this specifically with btest. I never took the time to properly hunt it down.

No worries, thanks for the replies