Some strange problem

I have a problem with my MikroTik network.
The LAN is connected to Mikrotik1. Mikrotik1 has two routes to the global network: Mikrotik2 and Mikrotik3.
When I want to open sites from the LAN, I have a problem: some sites (like google or yandex) work, but many others (like 2ip and ping.eu) do not work; the connection is established but the page does not load. Traceroute and ping work for all resources. I tried disabling all firewall rules, but it did not fix the problem.
[attached image: mkt-scheme.png]
This problem came in when I wiped all MikroTik configuration, updated to 6.42.3 and made a new configuration with the described scheme.
I remembered the “Path MTU Discovery Black Hole” problem and tried adding “change mss” rules on the ISP interfaces of Mikrotik2 and Mikrotik3, and the problem was fixed. I removed these rules and added a “change mss” rule on the ‘wan’ interfaces of Mikrotik1, and the problem was fixed too. But… I have been using this ISP for the last 3 years and have not had a problem like this before. And I think that I made a stupid mistake and did not notice it. Maybe anyone can give advice, or anyone has encountered a similar problem and knows the solution.

P.S. I’m bad at spelling in English, but if you know Russian, the transliterated version is there.

That is a very strange setup.
Do you have access to all the mikrotiks?

That is a very strange setup.
Mikrotik1 has one more connection with another ISP; it’s the main channel. The other two (over Mikrotik2 and Mikrotik3) are reserves.

Do you have access to all the mikrotiks?
Yes

I tried to reproduce the scheme with another mkt (without a real ISP) and it works fine. I think the problem is with my PBR rules; I’ll try to reconfigure them.

Well then you are a configuration master and way beyond my level of knowledge!
If you want to post your config I don’t mind looking at the rules to see if there is an obvious error, but I have no clue about path MTU or black holes or MSS rules, sorry.

Are you blocking ICMP from internet?

There are certain ICMP types/codes that are needed for Path MTU Discovery to work properly between hosts, i.e. (ICMP) Fragmentation Needed (Type 3, Code 4).

Are you blocking ICMP from internet?

No. And I tried disabling all filter rules on all MikroTiks in the scheme; it did not give any result.

Might be DNS related?

Can you place the config of all MikroTik routers here? Use export hide-sensitive in Terminal.

Also a screenshot of the error message you get when trying to access the web site/page can help.

Might be DNS related?

No, DNS resolving is OK.

Can you place the config of all MikroTik routers here? Use export hide-sensitive in Terminal.

Sorry, but I can’t. It’s a working enterprise scheme and I described only a piece of the configuration.

Also a screenshot of the error message you get when trying to access the web site/page can help.

The browser tries to connect for several minutes and shows a timeout error.

I’ll try to downgrade to 6.41.* firmware after working hours and check.

I have changed the MTU to 1400 on the Mkt1<->Mkt2 and Mkt1<->Mkt3 interfaces, and the problem is gone. But I think it’s a bad solution.

I’m bad at creating accounts in yet another forum, so although I’m fluent in Russian, I answer here (btw, to me, the word “translit” has the specific meaning of writing Russian words using the Latin alphabet :wink: ).

The MTU discovery issue may actually not be an issue of 'Tiks 1, 2, 3. To find out, I’d recommend that you find the IP address of one of the affected remote servers, sniff on all three 'Tiks for traffic to/from that address and for all ICMP traffic (so filter-operator-between-entries must be set to or), and then change the MTU on 'Tik 1’s interfaces back to 1500 and try to open a page on that server.

What you should see would be that the TCP session gets established, and the first large packet (bigger than 1400 bytes) from the client to the server leaves via one of 'Tik 2, 'Tik 3 towards the remote server and is never ACKed; instead, an ICMP packet saying “fragmentation needed” should arrive in response. If it doesn’t, the issue is outside your 'Tik network; if it does, you have to find out where it disappears on its way to the client and why.
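The two things the replies above tell you to look for in the capture are the MSS advertised in the client's SYN and an ICMP "Fragmentation Needed" (type 3, code 4) coming back with the next-hop MTU in it. The following is an added example, not code from the original thread or from MikroTik: a small stand-alone parser that classifies raw IPv4 packets into those two categories, pulls out the relevant fields, and reports whether the capture shows a PMTUD black hole (large segment sent, no frag-needed seen) or a working PMTUD exchange. The addresses, ports and packet bytes are constructed here for the example; the checksum fields are left zero because nothing on the wire is being validated. The last helper computes the MSS a "change mss" rule would need for a given MTU (MTU minus 20 bytes IPv4 header minus 20 bytes TCP header), which is why an MTU of 1400 corresponds to an MSS of 1360.

```python
import struct

IPPROTO_ICMP = 1
IPPROTO_TCP = 6


def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) for a raw IPv4 packet (no link-layer header)."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return proto, src, dst, pkt[ihl:]


def tcp_syn_mss(tcp):
    """If the segment is a SYN, return its MSS option value (None if absent or not a SYN)."""
    if not tcp[13] & 0x02:          # SYN flag not set
        return None
    data_off = (tcp[12] >> 4) * 4   # header length in bytes, options follow byte 20
    opts = tcp[20:data_off]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:               # End of option list
            break
        if kind == 1:               # NOP, single byte
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4:   # MSS option: kind 2, length 4, 16-bit value
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None


def frag_needed(icmp):
    """If the ICMP message is type 3 code 4, return (next_hop_mtu, original_dst, original_dport)."""
    if icmp[0] != 3 or icmp[1] != 4:
        return None
    mtu = struct.unpack("!H", icmp[6:8])[0]          # RFC 1191 next-hop MTU field
    proto, _src, dst, l4 = parse_ipv4(icmp[8:])      # quoted original IP header + 8 bytes of L4
    dport = struct.unpack("!H", l4[2:4])[0] if proto == IPPROTO_TCP else None
    return mtu, dst, dport


def mss_for_mtu(mtu):
    """MSS a change-mss rule should clamp to so a full segment fits in this MTU (IPv4, no options)."""
    return mtu - 20 - 20


def diagnose(packets, large_threshold=1400):
    """Walk a list of raw IPv4 packets and summarise the PMTUD evidence they contain."""
    report = {"syn_mss": None, "large_segments": 0, "frag_needed": []}
    for pkt in packets:
        proto, _src, _dst, payload = parse_ipv4(pkt)
        if proto == IPPROTO_TCP:
            mss = tcp_syn_mss(payload)
            if mss is not None:
                report["syn_mss"] = mss
            elif len(pkt) > large_threshold:
                report["large_segments"] += 1
        elif proto == IPPROTO_ICMP:
            fn = frag_needed(payload)
            if fn is not None:
                report["frag_needed"].append(fn)
    if report["large_segments"] and not report["frag_needed"]:
        report["verdict"] = "black hole: large segments sent, no ICMP frag-needed seen"
    elif report["frag_needed"]:
        report["verdict"] = "pmtud working: frag-needed received"
    else:
        report["verdict"] = "inconclusive"
    return report


# --- constructed sample packets (TEST-NET addresses, not real traffic) ---
CLIENT, SERVER = "192.0.2.10", "203.0.113.10"


def build_ipv4(proto, src, dst, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return hdr + payload


def build_tcp(sport, dport, flags, options=b"", data=b""):
    data_off = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, data_off << 4, flags, 65535, 0, 0) + options + data


SYN = build_ipv4(IPPROTO_TCP, CLIENT, SERVER, build_tcp(40000, 80, 0x02, b"\x02\x04" + struct.pack("!H", 1460)))
BIG = build_ipv4(IPPROTO_TCP, CLIENT, SERVER, build_tcp(40000, 80, 0x18, data=b"A" * 1440))
FRAG_NEEDED = build_ipv4(IPPROTO_ICMP, "198.51.100.1", CLIENT,
                         struct.pack("!BBHHH", 3, 4, 0, 0, 1400) + BIG[:28])  # quotes IP hdr + 8 bytes TCP
```

Running `diagnose([SYN, BIG])` reproduces the situation in the thread (a 1460-byte MSS, a full-size segment, and no frag-needed reply), while `diagnose([SYN, BIG, FRAG_NEEDED])` shows what a healthy PMTUD exchange looks like, with the next-hop MTU of 1400 addressed to port 80 on the server.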

is never ACKed; instead, an ICMP packet saying “fragmentation needed”

The connection is established, and I do not receive “fragmentation needed”…
And when I look at the traffic dump, I see the HTML page, but the browser does not show it.

It sounds quite insane… If you cannot publish the capture file, does the complete page code occupy more than one packet, and are all the packets carrying the page code acknowledged in opposite direction?

UPDATE:
On mkt1 I had a br interface with eth2 (172.17.0.1/24) and two EoIP connections. Now I have removed this bridge and reconfigured the IP on eth2… and it works fine without changing the MTU and MSS…