Thank you for your reply. It was actually this guide that I based the whole start-from-scratch approach on.
However, after a lot of reading today, I noticed a few things and it seems to be working well now.
- There was a new option introduced sometime in 6.47 (which explains my confusion as to why it used to work before), under IP > IPSec > Mode Configs > Name > Use Responder DNS. By default it’s set to ‘exclusively’. For whatever reason I couldn’t get this to work with my config, and set to this it seemed to knock out DNS resolution. Setting it to ‘no’ was the first step, as that I believe uses the router DNS (I’m aware of DNS leaks but not too concerned about this for me). It would be great to find out how I can use this ‘exclusively’ option for VPN traffic as I have a dedicated VLAN for it, but for now it’s working with the ‘no’ option.
- Actually setting up an MSS clamping rule under IP > Firewall > Mangle:
/ip firewall mangle add action=change-mss chain=forward new-mss=1378 passthrough=yes protocol=tcp src-address-list=vpnaddress tcp-flags=syn tcp-mss=!0-1378
It was a bit of messing about to get to the value that seems to work well for me; just adjusting it up/down slowly each time got me here.
- For some reason one of my devices wasn’t quite working correctly even after all this and I stumbled on a workaround by member sindy: http://forum.mikrotik.com/t/mtu-troubles-using-ikev2-providers-like-nordvpn-work-around/135154/1
After I added
/ip ipsec policy add action=none dst-address=[my address range] src-address=0.0.0.0/0
and moved it to the top of the policy, it started working.
I hope this is of use to someone (maybe even to me if I forget :D)
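The three steps above collected into one RouterOS CLI script, as an added example that is not part of the original post. The mode-config name (nordvpn-modeconf), the address-list entry (192.168.50.0/24 as a constructed VPN VLAN subnet) and the use of place-before=0 to put the bypass policy first are assumptions; the MSS value and list name are the ones from the post.

```routeros
# Step 1: stop the mode-config from forcing the responder's DNS servers
# (the 6.47+ use-responder-dns parameter; default is "exclusively").
# "nordvpn-modeconf" is an assumed name for the existing mode-config entry.
/ip ipsec mode-config set [find name="nordvpn-modeconf"] use-responder-dns=no

# Step 2: address list naming the VLAN whose traffic goes through the tunnel.
# 192.168.50.0/24 is a constructed example subnet, not from the post.
/ip firewall address-list add list=vpnaddress address=192.168.50.0/24 \
    comment="VPN VLAN (constructed example)"

# MSS clamping for TCP SYNs from that list: anything advertising an MSS above
# 1378 is rewritten to 1378 so the encapsulated packets fit the tunnel MTU.
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn \
    src-address-list=vpnaddress tcp-mss=!0-1378 \
    action=change-mss new-mss=1378 passthrough=yes \
    comment="Clamp MSS for VPN VLAN"

# Step 3: the sindy workaround, a bypass policy that is evaluated first.
# Replace [my address range] with the range the post leaves unspecified;
# place-before=0 is an assumed way of moving it to the top of the list.
/ip ipsec policy add action=none src-address=0.0.0.0/0 \
    dst-address=[my address range] place-before=0 \
    comment="Bypass policy (sindy workaround)"
```

Check the result with `/ip ipsec policy print` (the action=none entry should be first) and `/ip firewall mangle print stats` (the change-mss counter should increase as VLAN hosts open new TCP connections).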