MTU and MSS with new internal algorithm

Hello,

Before I upgraded my Mikrotik to the newest version, for an L2TP MTU of 1462 I had 1422 MSS (40 bytes less) in Firewall Mangle and it was fine. After the upgrade, I have 1416 MSS (captured with Wireshark because there are no more Mangle rules for MSS).

Could you please explain why the MSS is different now?

Thanks!

What is the output of:

/interface l2tp-server server print
[admin@MT] > /interface l2tp-server server print 
            enabled: yes
            max-mtu: 1462
            max-mru: 1462
               mrru: disabled
     authentication: chap
  keepalive-timeout: 30
       max-sessions: unlimited
    default-profile: default
          use-ipsec: no
       ipsec-secret: 
    allow-fast-path: no
[admin@MT] >

Also, in the default profile I set “Change TCP MSS” to yes.

Alright, I labbed this up and the default in the latest RC is 1450 for MTU / MRU and I’m seeing an MSS of 1404. This is like yours, 6 bytes lower than I’d expect to see. We may want to move this to the RC thread to get a more accurate explanation. I’m not seeing anything that stands out as to why.

Also, in the previous release, 6.38.5 (before the internal algorithm for MSS was presented), I had different values for MSS on the in-interface and for MSS on the out-interface, but both MTU and MRU had equal values of 1462.

First case:

MTU/MRU: 1450 → MSS-out 1452, MSS-in 1410

Second case:

MTU/MRU: 1462 → MSS-out 1452, MSS-in 1422

As you can see, MSS for the in-interface is OK.

MSS-out values are equal in both cases for different MTU/MRU values and that’s wrong (I had a problem with uploading data to remote servers). It should be MRU - 40B if I’m not wrong.

Solution is to disable Change TCP MSS value and manually add these two rules in Mangle:

/ip firewall mangle
add action=change-mss chain=forward new-mss=1422 out-interface=all-ppp \
    passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1423-65535
add action=change-mss chain=forward in-interface=all-ppp new-mss=1422 \
    passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1423-65535

For now I have no package drops and everything seems to work fine.

In our built-in change-mss implementation, 6 bytes are reserved just in case the connection is MLPPP.

Thanks for letting me know!

If I don’t use MLPPP I should disable Change TCP MSS in profile and manually add those two rules?

If I have equal values for MTU/MRU, does it mean that the MSS value for the in and out interfaces should be equal too?
L2TP Server has MTU/MRU 1462.

First connection shows MSS 1422 when Change TCP MSS is set to no.
Second connection shows MSS 1416 when Change TCP MSS is set to yes.
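
To check which clamp a captured SYN reflects, the following added example (not part of the thread and not MikroTik's code) parses the MSS option out of a raw TCP SYN segment and compares it with MTU - 40 and with the extra 6-byte MLPPP reserve mentioned in the reply above. The function names and the sample SYN segments are constructed for illustration.

```python
import struct

IP_TCP_HEADERS = 40  # IPv4 (20) + TCP (20) headers without options
MLPPP_RESERVE = 6    # extra bytes the built-in change-mss reserves, per the thread

def syn_mss(segment: bytes):
    """Return the MSS option of a raw TCP SYN segment, or None if it has none."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    if not segment[13] & 0x02:
        raise ValueError("not a SYN segment")
    header_len = (segment[12] >> 4) * 4          # data offset is in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    opts, i = segment[20:header_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                             # end of option list
            break
        if kind == 1:                             # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")
        if kind == 2 and opts[i + 1] == 4:        # MSS: kind 2, length 4
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return None

def classify(mss, mtu):
    """Name the clamp that explains an observed MSS for a given tunnel MTU."""
    limit = mtu - IP_TCP_HEADERS
    if mss is None:
        return "no MSS option"
    if mss == limit - MLPPP_RESERVE:
        return "built-in clamp with MLPPP reserve"
    if mss == limit:
        return "MTU-40 clamp"
    return "not clamped to tunnel" if mss > limit else "below both clamps"

def build_syn(mss):
    """Constructed sample SYN: NOP, NOP, SACK-permitted, then the MSS option."""
    opts = b"\x01\x01\x04\x02" + struct.pack("!BBH", 2, 4, mss)
    off_flags = ((20 + len(opts)) // 4) << 12 | 0x02
    return struct.pack("!HHIIHHHH", 40000, 443, 1, 0, off_flags, 64240, 0, 0) + opts

if __name__ == "__main__":
    for mtu, mss in [(1462, 1422), (1462, 1416), (1450, 1404), (1462, 1452)]:
        print(mtu, mss, classify(syn_mss(build_syn(mss)), mtu))
```
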

What to do with the error from the openvpn server on ubuntu?

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1551', remote='link-mtu 1531'