Hi,
We are facing problems uploading PDF files to web server using mikrotik and while with other routers it is ok.
We have done tests changing MTU in pppoe and changing different roules like
/ip firewall mangle
add action=change-mss chain=forward new-mss=1400 passthrough=yes
protocol=tcp tcp-flags=syn
It looks like mikrotik stop sending packets to server, we have also try it using 3 different ISP providers but problem remains.
Any sugestions please?
Thank you
Is this the only rule in chain=forward of /ip firewall mangle? If not, show a complete /ip firewall mangle export; if yes, try to reduce the new-mss to even less (1300, 1200). If the path MTU discovery is broken (e.g. because your firewall drops any icmp packets, even those with connection-state=related), the MTU bottleneck may be somewhere else than on the PPPoE so 1400 bytes may not be enough. If that helps, post your complete configuration export (see my automatic signature below for anonymisation hints), so that we could find what breaks the MTU discovery.
This is a complete configuration export , we also tried new-mss less (1300, 1200)
[admin@TEST] > export
/interface bridge
add name=LAN
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC disabled=no frequency=auto mode=ap-bridge ssid=MikroApp
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-eCee disabled=no frequency=auto mode=ap-bridge ssid=MikroApp
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 max-mru=1492 max-mtu=1492 name=pppoe-out1 password=xxx use-peer-dns=yes user=x
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool3 ranges=192.168.11.2-192.168.11.254
/ip dhcp-server
add address-pool=dhcp_pool3 disabled=no interface=LAN lease-time=50m name=dhcp1
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=LAN interface=ether2
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=ether5
add bridge=LAN interface=wlan1
add bridge=LAN interface=wlan2
/ip settings
set icmp-rate-limit=2000
/ip address
add address=192.168.11.1/24 interface=LAN network=192.168.11.0
/ip dhcp-server network
add address=192.168.11.0/24 gateway=192.168.11.1
/ip dns
set allow-remote-requests=yes
/ip firewall mangle
add action=change-mss chain=forward new-mss=1300 passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat
/ip proxy
set cache-on-disk=yes max-cache-size=none
/ip service
set telnet disabled=yes
set www disabled=yes
set ssh disabled=yes
set winbox address=xxxxxxxx
/system clock
set time-zone-name=Europe
/system identity
set name=TEST
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set pppoe-out1 disabled=yes display-time=5s
set LAN disabled=yes display-time=5s
set wlan1 disabled=yes display-time=5s
set wlan2 disabled=yes display-time=5s
set ether1 disabled=yes display-time=5s
set ether2 disabled=yes display-time=5s
set ether3 disabled=yes display-time=5s
set ether4 disabled=yes display-time=5s
set ether5 disabled=yes display-time=5s
/system package update
set channel=long-term
/tool user-manager database
set db-path=flash/user-manager
OK, so no firewall filtering at all, which means no icmp dropped, plus the problem is in upload direction. So the only thing I can imagine is that the mangle rule actually doesn’t do its job - I hazily remember there were times (RouterOS versions, that is) when it reportedly didn’t. Can you double-check that using packet sniffing of traffic to&from the address of the PDF server (ideally to a file and then open the file using Wireshark)? Or, since it is a test Mikrotik anyway, can you first upgrade it to the current long-term (6.45.8****) and check whether the issue still exists?