strange problem on RouterOs

piatthi · March 18, 2010, 4:53pm

i have 2 subnet going to the Internet throught routeros.

one subnet use pppoe to connect and other use standart connection ( ethernet).

all is OK for subnet using pppoe service.

but other subnet ( not pppoe) have problem, there is some web site they are unable to open while still open other web site.

NB: the 2 subnets are masquerade/NAT to the same public IP and use same DNS. so there is no problem of DNS, blacklist or IP source.

thanks so much for your help.

Chupaka · March 18, 2010, 11:09pm

MUT problem? try

/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn tcp-mss=1361-65535 action=change-mss new-mss=1360

piatthi · March 19, 2010, 7:13am

thanks guru for reply.

but i want to know why i should use MSS = 1360 ?

on the ethernet default MTU = 1500, on the PPPoE default MTU = 1480

thanks for explanation

janisk · March 19, 2010, 9:03am

you can try to use ping command with size and do-not-fragment set to find exact value that can be passed through the link.

piatthi · March 19, 2010, 9:26am

OK thanks so much for your help,

now problem is solved, i just change MSS as you suggested

Chupaka · March 19, 2010, 2:09pm

you can play with the value =)

Rockyboa · March 19, 2010, 2:38pm

I have a similar problem. on two sites. using a IpSEC VPN connection. One DSL PPoE and one Broadband connection.

On the site using PPoE, should I change the MTU to 1492 on the WAN and PPoE interface or just the PPoE?
As soon as I lower one site the packets get framented to a least value when I try to ping the other site, I guess I need to use something silmilar to the MSS value but more specific to my IPSec tunnel.

fewi · March 19, 2010, 2:46pm

The overhead on IPsec varies based on the exact specs of the tunnel - transport mode doesn’t add an additional IP header, tunnel mode does (20 bytes). AH adds a 24 byte header, ESP adds between 24 to 40 bytes (header, variable IV, variable trailer). Data within the packet may be padded according to the block size of the used cipher and HMAC, this will depend on the specific packet but should max out at 4 bytes, so assume that. Implement the same size on both ends.

Rockyboa · March 19, 2010, 3:34pm

TY for this fast reply,

On the PPPoE side do I modify both the PPPoE client value and WAN value. Also should I lowered the MRU to the same value of the MTU? I guess to find the optimal value, to find the biggest not frag packet using the ping -l size -f?

Again thank you

Martin

fewi · March 19, 2010, 3:37pm

Modify it on the interface the traffic would be sourced behind, otherwise too large a packet makes it in and gets fragmented at the next outbound interface.

Yes, change the MRU to match the MTU.

Yes, you can determine the value via non-fragmented pings, and you can look at your tunnel specs and from that list determine what the maximum overhead could be and start testing in the neighborhood of that value.

Rockyboa · March 19, 2010, 3:49pm

Ok great. Would modify both of my wan interface to the max !frag packets. Leaving my PPPoE interface to 1492. And both MRU / MTU. So I should not need to modify some MSS?

Will try this and get back.

TY again.

Martin