Terrible slow performance through IPsec

Good morning

I thought this deserves its own thread now, as I was able to set up an IPsec tunnel to the intranet replacing the individual IPsec clients on my hosts.

I can ping hosts in the intranet, but when I want to access an HTTPS web page it either won’t load or loads very slowly…
In Firefox I see that it hangs at “TLS handshake” for a long time.

In the forum here I found this rule to add to /ip firewall mangle:

chain=forward action=change-mss new-mss=1280 passthrough=yes tcp-flags=syn protocol=tcp dst-address-list=intranet in-interface-list=LAN tcp-mss=!0-1280 log=no log-prefix=""

But to no joy… accessing the same page through the host’s IPsec client is just fine…


thanks in advance
richard

Have you disabled fasttrack for IPsec? Could you share your configuration (/export hide-sensitive)?

Kuul..that was really it :slight_smile:

Read it once before, but was focused on MTU size… used this firewall rule to replace the original fasttrack:

/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related connection-mark=!ipsec

So I guess I can remove the mangle rules for setting MSS?

When I had these HTTPS freezes as well, I also blamed fasttrack first, but disabling it didn’t help.

Still, my fasttrack rule looks like this just in case:

chain=forward action=fasttrack-connection connection-state=established,related connection-mark=no-mark log=no log-prefix=""

The problem was that ICMP “fragmentation needed” packets generated on the MikroTik had the source IP of the tunnel’s endpoint, got encrypted with IPsec according to the policy and were sent over the tunnel instead of being routed directly into my LAN.

So as I said in the other thread, try moving the policy up.

Or is it already running fine? I didn’t get it very well :slight_smile:

Well, it runs better… seems to be different when using different devices to connect to…

Maybe I have to upgrade my live firewall to the same OS level as my test firewall…

Really weird…

Getting SFTP download speeds of around 0.4 MBit/s from the intranet…

A second IPsec tunnel for Amazon Prime is much better… can run 3 simultaneous videos through it now…

Changed the fasttrack rule so it only accepts “no-mark” packets… this should include all non-IPsec tunnels…

Now even weirder (o;

Getting now also much better performance from the office…

Can it be it takes a while for the firewall rules to be active?

Maybe it is an MTU / MSS problem.

Check this topic:

http://forum.mikrotik.com/t/mtu-mss-problem-on-ipsec-tunnel/59747/1

I have a mangle rule in place to set the MTU to 1280 for all traffic going to the intranet…

For Amazon I don’t have one in place, as the video stream doesn’t have to go through an IPsec tunnel…


So in the end there are 3 IPsec tunnels in place (including a site-to-site VPN).
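A complete version of the rule set discussed in this thread (connection marking for IPsec, a fasttrack rule that skips it, and MSS clamping), added here as an example and not taken from any of the posts above. It assumes an address list named intranet and a connection mark named ipsec, matching the rules quoted earlier, and uses the ipsec-policy matcher to identify tunnel traffic:

```routeros
# Added example: keep IPsec traffic out of fasttrack and clamp MSS into the tunnel.
# Assumed names: address list "intranet", connection mark "ipsec".
/ip firewall mangle
# Mark connections whose packets are matched by an IPsec policy (encrypted on
# the way out, decrypted on the way in). These rules must sit above any
# fasttrack rule so the mark is set on the first packet of the connection.
add chain=forward action=mark-connection new-connection-mark=ipsec \
    ipsec-policy=out,ipsec connection-mark=no-mark passthrough=yes \
    comment="outbound via IPsec"
add chain=forward action=mark-connection new-connection-mark=ipsec \
    ipsec-policy=in,ipsec connection-mark=no-mark passthrough=yes \
    comment="inbound via IPsec"
# Clamp the MSS of SYNs in both directions so TCP segments fit inside the ESP
# overhead without depending on ICMP "fragmentation needed" reaching the host.
add chain=forward action=change-mss new-mss=1280 tcp-flags=syn protocol=tcp \
    dst-address-list=intranet tcp-mss=!0-1280 passthrough=yes
add chain=forward action=change-mss new-mss=1280 tcp-flags=syn protocol=tcp \
    src-address-list=intranet tcp-mss=!0-1280 passthrough=yes

/ip firewall filter
# Fasttracked packets bypass the rest of the firewall and the IPsec policy
# check, which is what stalls the tunnel traffic; only fasttrack connections
# that did not get the ipsec mark.
add chain=forward action=fasttrack-connection \
    connection-state=established,related connection-mark=!ipsec
add chain=forward action=accept connection-state=established,related
```

Verify with /ip firewall connection print where connection-mark=ipsec: tunnel flows should carry the mark and no F (fasttracked) flag.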