SSL not working with NAT

Hi All,

I'm having a strange issue with one of our RouterBoard RB750s.

For some reason, when a user visits an SSL website, it just seems to sit there and think about it and not work.

I have everything set up correctly: masquerade, routes.

I don't use any hotspots or web proxy, and only have 3 firewall rules (accept input, accept forward, accept output).

I don't have this issue with our other 750s or cloud routers, only this one device.

Is the device faulty?
I've tried factory resets, still the same.
Downgrading packages, still the same.

I'm just completely out of ideas.

Regards

Simon

Hello and welcome.

In my experience, odd SSL issues like this are really difficult to troubleshoot. However, I have seen, on more than 5 different routers, that the MTU can cause this.

Make sure that you have a 1500 MTU on the whole network: clients, switches, your router LAN/bridge, and your WAN. Twice now, I have set up an EoIP link and added it to my LAN bridge, not paying attention to the EoIP MTU. With a single port having a lower MTU (1492 in my case) it caused the whole bridge to lower to 1492. This caused websites to work just fine with HTTP, but killed about 75% of HTTPS sites.

I hope this gives you something to work with.

Hi,
Thanks for the suggestion.
I have just tried updating the PPPoE link to 1500 but it made no difference :(
and sadly the MikroTik won't let me take it any higher than 1500.
The Ethernet port is already set to 1600, and the other Ethernet ports are set to 1598.
Any other ideas?
Simon

Okay, if your WAN is PPPoE, try lowering all MTUs to 1492, including your clients.

Are you blocking ICMP outbound?

As has been mentioned, you have an MTU issue. It's probably preferable to leave general Ethernet interfaces at 1500. I assume your PPPoE connection is controlled by an ISP; if so, no amount of changing the local MTU will fix things. The reason is that MTU changes must be made on all interfaces in the same L2 domain to be effective. Your best bet is to adjust the MSS to match your PPPoE connection MTU minus 40 bytes. Many of the tunnel types in ROS have a check box called "clamp MSS" to do this automatically. PPPoE interfaces are supposed to do this automatically as well. You may want to check the profile applied to the PPPoE interface and make sure Change TCP MSS isn't set to no.

These two links explain it a bit better than I just did.

http://forum.mikrotik.com/t/inconsistent-access-to-internet/25894/1

http://blog.ipspace.net/2013/01/tcp-mss-clamping-what-is-it-and-why-do.html
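The MSS clamping the reply above describes, as an added Python example that is not from this thread or from RouterOS: it reads the MSS option out of a constructed TCP SYN and lowers it to the link MTU minus 40 bytes, which is what the PPPoE profile's Change TCP MSS setting does on the router. Function names and the sample segment are assumptions made for this example.

```python
import struct
# Constructed sample (not a real capture): a bare TCP SYN header, no IP header,
# with options MSS=1460, NOP, NOP, SACK-permitted. Ports and seq are arbitrary.
SAMPLE_SYN = struct.pack(
    "!HHIIBBHHH",
    40000, 443,           # source port, destination port
    0x11223344, 0,        # sequence number, acknowledgement number
    (7 << 4), 0x02,       # data offset = 7 words (28 bytes), flags = SYN
    65535, 0, 0,          # window, checksum (left zero here), urgent pointer
) + bytes([2, 4, 0x05, 0xB4, 1, 1, 4, 2])

def expected_mss(link_mtu: int) -> int:
    """Largest MSS a link can carry: MTU minus 20-byte IP and 20-byte TCP headers."""
    return link_mtu - 40

def _iter_options(segment: bytes):
    """Yield (offset, kind, length) for each multi-byte TCP option in the header."""
    hdr_len = (segment[12] >> 4) * 4
    i = 20
    while i < hdr_len:
        kind = segment[i]
        if kind == 0:                     # End of option list
            return
        if kind == 1:                     # NOP is a single byte
            i += 1
            continue
        length = segment[i + 1]
        if length < 2 or i + length > hdr_len:
            raise ValueError("malformed TCP option")
        yield i, kind, length
        i += length

def read_mss(segment: bytes):
    """Return the advertised MSS, or None if the segment carries no MSS option."""
    for off, kind, length in _iter_options(segment):
        if kind == 2 and length == 4:
            return struct.unpack_from("!H", segment, off + 2)[0]
    return None

def clamp_mss(segment: bytes, link_mtu: int) -> bytes:
    """SYN/SYN-ACK copy with MSS lowered to link_mtu - 40 when larger. The checksum
    is not recomputed: that needs the IP pseudo-header, absent from a bare TCP header."""
    if not segment[13] & 0x02:            # only SYN segments carry MSS
        return segment
    limit = expected_mss(link_mtu)
    out = bytearray(segment)
    for off, kind, length in _iter_options(segment):
        if kind == 2 and length == 4 and struct.unpack_from("!H", segment, off + 2)[0] > limit:
            struct.pack_into("!H", out, off + 2, limit)
    return bytes(out)
```

With a 1492-byte PPPoE MTU the 1460 MSS in the sample SYN is rewritten to 1452; with a 1500-byte link it is left untouched.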

Hi All,

Wonderful news, I fixed the issue :)

It appears I had Change TCP MSS set to Default, and once I set this to YES, the connections started to work correctly :)

So my guess is the MikroTik had got itself confused over the Default and NO options of the PPPoE profile?

Thanks for all the suggestions and help though, I felt completely lost!

Regards

Simon