I switched from OpenWrt to Mikrotik some time ago. I need to route some traffic through a WireGuard tunnel. I used this article to set up the tunnel, and at first glance it worked well. Of course I used the default MTU (1420) for the tunnel, and you have probably already deduced what happened: the notorious MSS discovery issue. Most sites worked well, but some opened too slowly or didn't work at all.
Luckily it is a known issue, and in OpenWrt, for example, there is a special option for it, mtu_fix, that just fixes it (I'm not sure what it does under the hood, but I've never experienced such a problem on my OpenWrt devices). Most guides for VPNs with a non-default MTU on OpenWrt explicitly suggest setting this option.
But despite being a well-known issue, a solution for Mikrotik devices is really hard to find! More importantly, the problem isn't even mentioned in the guides!
It took me several hours to find a solution on third-party resources:
/ip firewall mangle add chain=forward action=change-mss new-mss=clamp-to-pmtu passthrough=no tcp-flags=syn protocol=tcp out-interface=wg-iface
/ip firewall mangle add chain=forward action=change-mss new-mss=clamp-to-pmtu passthrough=no tcp-flags=syn protocol=tcp in-interface=wg-iface
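As an added illustration (not from the original post and not MikroTik code), here is a small Python model of what the change-mss/clamp-to-pmtu rules above do to a TCP SYN: parse the MSS option and lower it to what a 1420-byte tunnel MTU can actually carry. The sample SYN is constructed inline; the TCP checksum is not recomputed here.

```python
"""Model of what a change-mss / clamp-to-pmtu mangle rule does to a TCP SYN.

Added example, not from the original post. It walks the TCP options of a
SYN segment and, if the MSS option announces more than the tunnel path MTU
minus the IP+TCP header overhead, rewrites the option in place.
The TCP checksum is deliberately left alone; a real router recomputes it.
"""
import struct
from typing import Optional, Tuple

MSS_KIND, NOP_KIND, EOL_KIND = 2, 1, 0


def max_mss_for_mtu(mtu: int, ipv6: bool = False) -> int:
    """Largest MSS the path can carry: MTU minus IPv4 (20) or IPv6 (40) plus TCP (20) headers."""
    return mtu - (60 if ipv6 else 40)


def clamp_syn_mss(tcp_segment: bytes, path_mtu: int, ipv6: bool = False) -> Tuple[bytes, Optional[int]]:
    """Return (possibly rewritten segment, MSS value found in the SYN or None)."""
    data_offset = (tcp_segment[12] >> 4) * 4  # TCP header length in bytes
    flags = tcp_segment[13]
    if not flags & 0x02:  # only SYN segments carry an MSS option
        return tcp_segment, None
    limit = max_mss_for_mtu(path_mtu, ipv6)
    seg = bytearray(tcp_segment)
    i = 20  # options start after the fixed 20-byte header
    while i < data_offset:
        kind = seg[i]
        if kind == EOL_KIND:
            break
        if kind == NOP_KIND:
            i += 1
            continue
        length = seg[i + 1]
        if kind == MSS_KIND and length == 4:
            mss = struct.unpack_from("!H", seg, i + 2)[0]
            if mss > limit:
                struct.pack_into("!H", seg, i + 2, limit)  # clamp to the path MTU
            return bytes(seg), mss
        i += length
    return bytes(seg), None


def build_syn(mss: int) -> bytes:
    """Construct a minimal SYN (20-byte header + 4-byte MSS option) as sample input."""
    # src port, dst port, seq, ack, data offset (6 words), flags (SYN), window, checksum, urgent
    header = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    return header + struct.pack("!BBH", MSS_KIND, 4, mss)
```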
I just wondered how it's possible that such a well-known problem isn't mentioned in the official documentation, and why the solution on Mikrotik is so ill-favored.