VPN - MTU - Change MSS - Wiki

Hi,

The official MikroTik wiki talks about this rule:

/ip firewall mangle 
add out-interface=pppoe-out protocol=tcp tcp-flags=syn action=change-mss new-mss=1300 chain=forward tcp-mss=1301-65535

1-) Where do these values come from new-mss=1300?
2-) Are they generic values, or can they be adjusted to each router?
3-) How have these values been calculated?

A simple scenario:

RB850gx2 - Client # <----------> # CHR - Server L2TP+IPsec

Rule #1:

/ip firewall mangle 
add out-interface=all-ppp protocol=tcp tcp-flags=syn action=change-mss new-mss=1300 chain=forward tcp-mss=1301-65535

Result #1:
120Mb/12Mb (that's the contracted speed)
Rule #2:

/ip firewall mangle 
add out-interface=all-ppp protocol=tcp tcp-flags=syn action=change-mss new-mss=1450 chain=forward tcp-mss=1451-65535

Result #2:
45Mb/12Mb

In rule #2, the value 1450 is the value calculated from a ping from a Windows machine, which indicates that there is no fragmentation.

wispmikrotik> ping -f -l 1450 8.8.8.8

Edit:

Rule #3: (clamp-mtu)

/ip firewall mangle 
add protocol=tcp tcp-flags=syn action=change-mss new-mss=clamp-to-pmtu chain=forward

Result #3:
32Mb/9Mb

Regards.

The Windows ping command sets the ICMP payload to 1450 bytes; you would need to add 28 bytes (IP and ICMP headers) to get the MikroTik command line equivalent (1478 bytes).

Run ‘/ppp active print’ and ensure that your sessions are actually using IPSec. We use a maximum MTU of 1379:
1500 bytes

  • 40 for L2TP
  • 73 for IPSec (this varies due to padding, provided for the worst)
  • 8 for some users originating via PPPoE home internet

Sample:

/interface l2tp-server server
set authentication=mschap2 enabled=yes ipsec-secret=*** max-mru=1379 max-mtu=1379 use-ipsec=required

PS: Cisco also strongly recommends tuning the MTU to avoid packets having to be fragmented on routers, which increases CPU utilisation and affects throughput.

!!! MTU is not the same as MSS !!!

If the max possible MTU is 1450, then the MSS is less than that; see illustration below.
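The arithmetic behind the three replies above (Windows ping payload to on-wire MTU, the 1379-byte L2TP/IPsec tunnel MTU, and the MSS that actually fits inside it), as an added worked example that is not part of the thread. It assumes IPv4 without options and a TCP header without options (20 + 20 = 40 bytes); the per-layer overheads are the ones quoted in the thread.

```python
# Added example: MTU/MSS arithmetic for the L2TP+IPsec scenario in this thread.
# Assumption: plain IPv4 (20-byte header) and TCP without options (20 bytes).
IPV4_HEADER = 20
ICMP_HEADER = 8
TCP_HEADER = 20

# Per-layer overheads in bytes, as quoted in the thread (IPsec is the worst case
# given there; it varies with padding).
OVERHEADS = {"pppoe": 8, "l2tp": 40, "ipsec": 73}


def mtu_from_windows_ping(payload: int) -> int:
    """`ping -f -l N` on Windows sends N bytes of ICMP payload; the IP packet
    that must survive unfragmented is N + 28 bytes (IP + ICMP headers)."""
    return payload + IPV4_HEADER + ICMP_HEADER


def tunnel_mtu(path_mtu: int, layers) -> int:
    """MTU left for the inner packet after subtracting each encapsulation layer."""
    return path_mtu - sum(OVERHEADS[layer] for layer in layers)


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP segment payload that fits in one packet of the given MTU."""
    return mtu - IPV4_HEADER - TCP_HEADER


def mss_fits(mss: int, mtu: int) -> bool:
    """True if a segment of `mss` bytes plus IP/TCP headers never exceeds `mtu`."""
    return mss + IPV4_HEADER + TCP_HEADER <= mtu


def mss_clamp_rule(mss: int, out_interface: str = "all-ppp") -> str:
    """Render the mangle rule in the form the thread uses: clamp only SYNs that
    advertise an MSS larger than the one we can carry."""
    return (
        "/ip firewall mangle add chain=forward "
        f"out-interface={out_interface} protocol=tcp tcp-flags=syn "
        f"tcp-mss={mss + 1}-65535 action=change-mss new-mss={mss}"
    )


if __name__ == "__main__":
    wire = mtu_from_windows_ping(1450)          # 1478, as the first reply says
    inner = tunnel_mtu(1500, ["l2tp", "ipsec", "pppoe"])  # 1379, second reply
    print(f"on-wire MTU {wire}, tunnel MTU {inner}, MSS {mss_for_mtu(inner)}")
    print("MSS 1450 fits MTU 1478?", mss_fits(1450, wire))  # False
    print(mss_clamp_rule(mss_for_mtu(inner)))
```

Run it to see why a new-mss equal to the probed MTU does not fit: 1450 + 40 bytes of headers exceeds the 1478-byte path, whereas 1300 leaves headroom.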