I’ve got a client that is running MikroTik firewalls. This is the first time I’ve run into them so I am not that familiar with them.
They have a VPN set up between 2 sites. The users at the remote site run an application on a terminal server at the main site which prints back to a printer at the remote site. Sometimes they can print a document and it will take 5 minutes to print. The print jobs are not huge. The largest I’ve seen was 400k. Even a 100k test page will take over a minute to print.
If I ping the printer from the server I get responses around 30 ms. Nothing else seems slow across the connection. When they print locally to the printer it prints normally. I tried printing from another server at the main site and it was slow from there as well, so it seems to be the connection between the sites.
Could there be something limiting the bandwidth for print traffic across the VPN?
Maybe the printer isn’t getting the PMTU messages? Ethernet MTU is 1500, and the printer is probably 1500, but the tunnel is 1440-1460 usually. If you can change the printer’s MTU to something like 1440, that would be a good test to see if that’s what it is. It might not obey MSS MTU ICMP messages. If this is MikroTik on both ends using 3.x RouterOS, you can set the MRRU on both ends to 1600 and then it will handle the packet splits for you (less efficient than using the right MTU in the first place).
I contacted someone on-site and they tried telnetting to the printer, but it does not have telnet open. He was able to access the http site on the printer, but those settings were not listed there. This must be a lower end printer that does not give you access to change the MTU size.
Where do I go in Winbox to change the MTU size on the VPN?
On the PPP profile you probably need ‘change tcp mss’. If that doesn’t work, turn it off, and manually enter the rules into the mangle chain - some older versions of RouterOS are broken when it comes to the dynamic MSS rules.
Which version of RouterOS are you running?
If on 3.x, you can enable MRRU on the server and client and make them both 1600, and that might also fix it (tradeoff: you are splitting packets now instead of telling the client to decrease MTU size so packets fit).
I’m a newbie on the MikroTik, so I’m not familiar with this interface at all. I may need step by step instructions for some of this. The window title says Winbox v3.30 on x86, so I’m guessing that’s the version you’re looking for.
I found if I click on PPP in the menu, then go to the Profiles tab, I’ve got Default and Default-Encryption. I double click on Default and there is an option for Change TCP MSS. It is currently set to Yes. Is this the correct place?
So, you’re saying that since it’s not working on Yes, to change it to No and set up rules in a mangle chain? That’s where you’re losing me.
Also, in your mangle chain, are you seeing the dynamically added ‘change mss’ rules when there is a PPP connected? You should. Look at that rule and post it here; maybe we can see if it’s not correct.
Also, I wonder something … those dynamic rules get placed at the end of the forward chain automatically. If you have QoS and packet marking rules, and you don’t passthru, I assume these are no longer being run?
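The manual mangle rules discussed in the replies above could look like the following. This is an added example, not a configuration posted by anyone in the thread. It assumes a tunnel interface named vpn-to-remote (a placeholder) and a tunnel MTU of 1440, which gives an MSS of 1400 after subtracting 40 bytes of IPv4 and TCP headers.

```routeros
# Added example. "vpn-to-remote" is a placeholder for the real tunnel interface;
# 1400 is an assumed value (tunnel MTU 1440 minus 20 bytes IPv4 and 20 bytes TCP).
/ip firewall mangle

# Rewrite the MSS option on TCP SYNs going into the tunnel, but only when the
# advertised MSS is larger than what fits (tcp-mss=1401-65535).
add chain=forward out-interface=vpn-to-remote protocol=tcp tcp-flags=syn \
    tcp-mss=1401-65535 action=change-mss new-mss=1400 passthrough=yes \
    comment="clamp MSS into VPN"

# Same clamp for SYNs arriving from the tunnel, so both directions of a
# connection negotiate a segment size that fits.
add chain=forward in-interface=vpn-to-remote protocol=tcp tcp-flags=syn \
    tcp-mss=1401-65535 action=change-mss new-mss=1400 passthrough=yes \
    comment="clamp MSS from VPN"

# List the chain to confirm where the rules landed relative to other rules.
print
```

A packet stops traversing the mangle chain at the first matching rule with passthrough=no, so these rules need to sit above any such marking rule to take effect.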
I had this problem before and solved it for one of my clients, who uses an accounting system over a 20 km VPN. The trick is to ask your software developer to have the client software request the data from the server and print it locally on the client, rather than printing between server and client across the VPN.