For now only one computer is assigned to the VPN tunnel.
I have an All-in-1 subscription with the Dutch provider Ziggo.
All works well, except…
When I load a page from this provider, the hyperlinks do not work. The mouse arrow won’t change into a hand.
Also I cannot send/receive e-mail messages. Somehow it hangs somewhere.
When I de-assign the computer and go directly to the same provider page the hyperlinks work. The mouse arrow changes directly into a hand when I hover over the hyperlink buttons… and I can successfully send/receive e-mails.
I also have installed the iOS NordVPN app on my iPhone and have no issues at all.
Tests with different Mangle Rules have no positive effect at all.
The rules I have tried that are not working are disabled and left in just for reference.
/ip firewall mangle
add action=change-mss chain=forward comment="MSS 1374 for IKEv2 Rx, could be lower in your case (default 1460, safe value 1280)" ipsec-policy=in,ipsec new-mss=1374 passthrough=yes protocol=tcp tcp-flags=syn
add action=mark-connection chain=prerouting comment=!53 new-connection-mark=NordVPN passthrough=no port=!53 protocol=udp src-address-list=NordVPN dst-address-list=!geen-vpn
add action=mark-connection chain=prerouting comment=!53,995,993,587 new-connection-mark=NordVPN passthrough=no port=!53,995,993,587 protocol=tcp src-address-list=NordVPN dst-address-list=!geen-vpn
add action=mark-packet chain=postrouting comment="- mark VoIP DSCP 46 - RTP packets" dscp=46 new-packet-mark=voip-rtp passthrough=no
add action=mark-packet chain=postrouting comment="- mark VoIP DSCP 26 - SIP packets" dscp=26 new-packet-mark=voip-sip passthrough=no
The first line only handles IPsec traffic coming in and changes the MSS for that specific traffic. Other MSS/PMTUD lines can all be disabled. You don’t have to worry about ports and addresses because your two lines below first have to trigger IPsec before the first line changes the MTU of the returning traffic. RouterOS is not catching the returning traffic correctly and adapting the MTU, so it has to be done manually.
It took me a long time to find this, and Mikrotik put me on the track to this by mentioning the 1460 MTU after looking at the capture files I sent them. All the other MSS/PMTUD is handled by RouterOS. You had it already, but at the bottom, which could explain the passthrough=yes.
At the end of both connection-mark lines you find dst-address-list=!geen-vpn, which is the address list of sites not working through VPN; the list is composed by you manually.
You can test if you have the correct MTU by surfing to www.antary.de and seeing if the page loads without any delays, or use Wireshark.
Update:
I first had to adapt my DNS resolver to be able to visit www.ziggo.nl and found that it does a CNAME to footprint.net. I can only find that footprint.net is from Level3, so it is for now on the CNAME blocklist with me. The page loads fine (through NordVPN) and I can click anything, so it must be the MTU; try the safe value of 1280 and see if that works. If yes, then work your way up in steps.
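To see why the clamped MSS has to be lower than the usual 1460 of a 1500-byte link, it helps to add up what IKEv2/IPsec wraps around each TCP segment before it leaves the WAN. The following is an added example, not code from this thread or from MikroTik: it models the standard ESP layout (RFC 4303) with optional UDP encapsulation for NAT-T (RFC 3948) and computes the largest MSS whose full-size segment still fits in the outer MTU. The cipher parameters (IV length, block alignment, ICV length) are assumptions; adjust them to the proposal your NordVPN client actually negotiated.

```python
"""Largest TCP MSS that fits inside an ESP (IKEv2/IPsec) tunnel.

Added example for the MSS-clamping discussion above; not MikroTik code.
Overhead follows RFC 4303 ESP and RFC 3948 UDP encapsulation. The
proposals below are assumptions: match them to your negotiated SA.
"""
from dataclasses import dataclass

IPV4_HEADER = 20
TCP_HEADER = 20
UDP_HEADER = 8       # NAT-T (UDP/4500) encapsulation, RFC 3948
ESP_HEADER = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspProposal:
    name: str
    iv_len: int       # explicit IV bytes carried in the ESP payload
    block_size: int   # payload + trailer is padded to a multiple of this
    icv_len: int      # integrity check value (truncated MAC / AEAD tag)


# Assumed proposals: AES-CBC with HMAC-SHA256-128, and AES-GCM-128 (8-byte IV, 16-byte tag).
AES_CBC_SHA256 = EspProposal("aes-cbc + hmac-sha256-128", iv_len=16, block_size=16, icv_len=16)
AES_GCM_128 = EspProposal("aes-gcm-128", iv_len=8, block_size=4, icv_len=16)


def esp_padding(inner_len: int, proposal: EspProposal) -> int:
    """Padding ESP adds so (inner packet + trailer) aligns to the cipher block size."""
    return (-(inner_len + ESP_TRAILER)) % proposal.block_size


def outer_packet_size(mss: int, proposal: EspProposal, nat_t: bool = True) -> int:
    """Size on the wire of a full-size TCP segment after ESP (and NAT-T) encapsulation."""
    inner = IPV4_HEADER + TCP_HEADER + mss
    pad = esp_padding(inner, proposal)
    esp = ESP_HEADER + proposal.iv_len + inner + pad + ESP_TRAILER + proposal.icv_len
    return IPV4_HEADER + (UDP_HEADER if nat_t else 0) + esp


def fits(mss: int, outer_mtu: int, proposal: EspProposal, nat_t: bool = True) -> bool:
    """True if a segment with this MSS never needs fragmentation on the outer link."""
    return outer_packet_size(mss, proposal, nat_t) <= outer_mtu


def max_mss(outer_mtu: int, proposal: EspProposal, nat_t: bool = True) -> int:
    """Largest MSS that fits; walks down from the plain-Ethernet value of MTU-40.

    Encapsulated size is non-decreasing in the MSS, so the first value that
    fits while walking down is the maximum.
    """
    mss = outer_mtu - IPV4_HEADER - TCP_HEADER
    while mss > 0 and not fits(mss, outer_mtu, proposal, nat_t):
        mss -= 1
    return mss


if __name__ == "__main__":
    for prop in (AES_CBC_SHA256, AES_GCM_128):
        print(f"{prop.name:28s} max MSS on a 1500-byte WAN with NAT-T: {max_mss(1500, prop)}")
    # The thread's value of 1374 fits comfortably; the Ethernet default of 1460 does not.
    print("1374 fits:", fits(1374, 1500, AES_CBC_SHA256), " 1460 fits:", fits(1460, 1500, AES_CBC_SHA256))
```

The useful check here is `fits(new_mss, wan_mtu, proposal)`: if it returns False for the value in your change-mss rule, the router is still emitting outer packets that exceed the WAN MTU, which is exactly the silent-hang symptom described above when PMTUD is not getting through.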
Thank you very much for your reply, the explanation and examples. I appreciate this.
I don’t know what has changed, but just before I merged your Mangle Rules examples with mine, I re-checked if the Ziggo pages would load without delay and other issues and what do you think… no issues at all.
For all security and to wipe out any ifs and buts I rebooted the router.
Despite things working now I will use your recommendations.
For now I will do more tests and will let you know the results.
Till now we only tackled TCP packets by setting a fixed MTU size for those packets. Sindy found the better solution than that by adding a line to /ip ipsec policy.
When using this solution you can do away with the MSS line in mangle, and the client will finally receive the packet telling it to lower the MTU.
This line moved above the dynamic lines in /ip ipsec policy, and now my sniffer line gives Destination unreachable (Fragmentation needed). Never been so pleased to read the word unreachable before.
This is the line to add to /ip ipsec policy. Replace 192.168.88.0/24 with your own local IP range if you are using a different range:
Thank you and Sindy of course very much for the better solution.
I have removed the mangle rule:
add action=change-mss chain=forward comment="MSS 1374 for IKEv2 Rx, could be lower in your case (default 1460, safe value 1280)" ipsec-policy=in,ipsec new-mss=1374 passthrough=yes protocol=tcp tcp-flags=syn
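The “Destination unreachable (Fragmentation needed)” packet mentioned above is what makes path MTU discovery work: an ICMPv4 type 3, code 4 message whose next-hop MTU field (RFC 1191) tells the sender how small its packets must be, with the first bytes of the dropped packet quoted after it. As an added example (not code from this thread, and not RouterOS), here is a small Python builder and parser for that message over a constructed sample, so you can check what the client should be seeing on the sniffer and what MSS follows from the advertised MTU. The addresses and sizes in the sample are made up.

```python
"""Build and parse an ICMPv4 'fragmentation needed' (type 3, code 4) message.

Added example for the PMTUD discussion above; not RouterOS or MikroTik code.
Layout per RFC 792 with the next-hop MTU field of RFC 1191. Sample values
(addresses, sizes) are constructed for illustration.
"""
import struct

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu: int, quoted_packet: bytes) -> bytes:
    """ICMP header (type, code, checksum, unused, next-hop MTU) + quoted IP header and 8 bytes."""
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + quoted_packet
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_frag_needed(msg: bytes):
    """Return the advertised MTU and details of the dropped packet, or None if not a valid frag-needed."""
    if len(msg) < 8 + 20:            # ICMP header plus at least the quoted IPv4 header
        return None
    icmp_type, icmp_code, _csum, _unused, next_hop_mtu = struct.unpack("!BBHHH", msg[:8])
    if icmp_type != ICMP_DEST_UNREACH or icmp_code != ICMP_FRAG_NEEDED:
        return None
    if inet_checksum(msg) != 0:      # a valid message checksums to zero over its whole length
        return None
    quoted = msg[8:]
    if quoted[0] >> 4 != 4:          # quoted packet must be IPv4
        return None
    return {
        "next_hop_mtu": next_hop_mtu,
        "orig_src": ".".join(map(str, quoted[12:16])),
        "orig_dst": ".".join(map(str, quoted[16:20])),
        "orig_proto": quoted[9],
        "orig_total_len": struct.unpack("!H", quoted[2:4])[0],
        "df_set": bool(quoted[6] & 0x40),   # DF is bit 1 of the flags byte
    }


def tcp_mss_for_mtu(mtu: int) -> int:
    """MSS a TCP sender derives from a path MTU: minus IPv4 and TCP headers (no options)."""
    return mtu - 20 - 20


def sample_quoted_packet() -> bytes:
    """Constructed IPv4 header (DF set, TCP, 1500 bytes) + first 8 bytes of TCP, as quoted by ICMP."""
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,     # IP checksum left 0: not validated here
        bytes([192, 168, 88, 10]), bytes([203, 0, 113, 5]),
    )
    tcp_first_8 = struct.pack("!HHI", 51000, 443, 1)  # src port, dst port, seq
    return ip_header + tcp_first_8


if __name__ == "__main__":
    msg = build_frag_needed(1414, sample_quoted_packet())
    info = parse_frag_needed(msg)
    print(info)
    print("MSS the sender should fall back to:", tcp_mss_for_mtu(info["next_hop_mtu"]))
```

Two things worth noting when reading such a message on a capture: the checksum check matters because a corrupted or forged frag-needed message would otherwise push a sender to an arbitrarily small MTU, and the quoted header lets the receiving host match the message to the connection that actually triggered it. If the sniffer shows the message but the client keeps sending full-size segments, a firewall between them is still dropping ICMP type 3 code 4.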
BTW: I don’t think this is a Mikrotik issue, but can you log in to your Disney+ account… if you have one?
Now I can reach Disney+ but can’t log in. I have tried 8 different NL servers.
After login I get this message: “Service niet beschikbaar. Disney+ is niet beschikbaar op jouw locatie” (Service not available. Disney+ is not available in your location)
Can you log in? Which NL server do you use?
I am using satellite, so no need for that stuff. Mostly you need to set up a client on your device, not the router, to use those services. And of course you have support from NordVPN on this.
I searched by stepping on some ducks and they gave me this link: