winbox trouble only over one ISP

Hi folks,

We manage many Mikrotik Routers for many customers. We access them remotely over the internet using winbox, ssh and webmin. In some cases we also access them via winbox over an IPIP/IPSEC tunnel.

Here is my problem, when I use winbox over my ISP called JTL the winbox session will login and open, but all winbox windows are empty, then approx 60 seconds pass and the session disconnects. All sessions using ssh and webmin work flawlessly.

When I use winbox over my second ISP (Zuku) there are no problems at all.

What type of traffic does winbox generate (packet size etc) so that I can work with my ISP to allow this traffic? It used to work when using that ISP.

On my end I have disabled ALL firewall filters on our RB1000.

Any thoughts much appreciated.

Best,
Alex

Try pinging with 1500 bytes. That will tell you if you are having an MTU problem with that particular ISP.

Hi,

Many thanks for your reply. My pings:

ping 8.8.8.8 -l 1452

Pinging 8.8.8.8 with 1452 bytes of data:
Reply from 8.8.8.8: bytes=64 (sent 1452) time=151ms TTL=44

So the largest I can send is 1452; anything larger won't work. It's a PPPoE dial-up passive fibre optic ISP link. Mikrotik makes two dynamic change-mss rules with a value of 1440.

What does all this mean?

Alex

Pinging through the other ISP gives me a maximum size of 1472, and winbox is working with that.

Also I notice for the link which does not work with winbox, when I use winbox with that link but through an IPSEC Tunnel winbox works fine.

Alex

It means that the ISPs between you and the end point have not all accounted for the loss of MTU in the path. Try adding this code to your router and see if it resolves the problem. If not, we can look at some other causes.

/ip firewall mangle
# clamp the MSS of every forwarded TCP SYN whose MSS is above 1300 down to 1300
add chain=forward protocol=tcp tcp-flags=syn action=change-mss tcp-mss=!0-1300 new-mss=1300
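An added worked example, not code from the thread or from MikroTik, that puts numbers to the two suggestions above (the 1500-byte ping test and the change-mss clamp). It converts the largest ping payload that gets a reply into a path MTU, derives the TCP MSS that matches it, and reports whether a given change-mss value is actually lower than what the path already allows. For the 1452-byte result the computed MSS is 1440, the same value as the dynamic change-mss rules Alex mentions. The `find_max_payload` helper is a generic binary search over any probe; `ping_probe` is an illustration that shells out to the platform ping with don't-fragment set (`-f -l` on Windows, `-M do -s` on Linux), and `simulated_probe` is a constructed stand-in so the search can be exercised without a network.

```python
"""Path MTU / MSS arithmetic for the ping-size test discussed in the thread.
Added example; the constants are standard IPv4/ICMP/TCP header sizes."""
import platform
import subprocess
from typing import Callable, Optional

IPV4_HEADER = 20   # IPv4 header without options
ICMP_HEADER = 8    # ICMP echo request/reply header
TCP_HEADER = 20    # TCP header without options
ETHERNET_MTU = 1500


def path_mtu_from_ping(max_payload: int) -> int:
    """Largest `ping -l N` (Windows) / `ping -s N` (Linux) payload that got a
    reply -> path MTU, by adding the IP and ICMP headers back on."""
    return max_payload + IPV4_HEADER + ICMP_HEADER


def largest_ping_payload(mtu: int) -> int:
    """Inverse: the biggest ICMP payload a path with this MTU carries unfragmented."""
    return mtu - IPV4_HEADER - ICMP_HEADER


def mss_for_mtu(mtu: int) -> int:
    """TCP MSS that lets one full segment fit in one packet on this path."""
    return mtu - IPV4_HEADER - TCP_HEADER


def analyze(max_payload: int, clamp_mss: Optional[int] = None) -> dict:
    """Summarise what a ping-size result says about the path, and whether a
    change-mss rule at clamp_mss would change anything on it."""
    mtu = path_mtu_from_ping(max_payload)
    result = {
        "path_mtu": mtu,
        "mtu_reduced": mtu < ETHERNET_MTU,
        "lost_bytes": ETHERNET_MTU - mtu,
        "mss_to_match": mss_for_mtu(mtu),
    }
    if clamp_mss is not None:
        # A clamp only has an effect if it is below the MSS the path already allows.
        result["clamp_applies"] = clamp_mss < mss_for_mtu(mtu)
    return result


def find_max_payload(probe: Callable[[int], bool], lo: int = 0,
                     hi: int = largest_ping_payload(ETHERNET_MTU)) -> int:
    """Binary-search the largest payload for which probe(size) is True.
    probe must be monotonic: succeeds up to the limit, fails above it."""
    if not probe(lo):
        raise ValueError("even the smallest probe failed; check reachability first")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def ping_probe(host: str, size: int, timeout_s: int = 2) -> bool:
    """Send one don't-fragment ping with `size` payload bytes and report whether a
    reply came back. Uses the platform ping; meant for interactive use."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(size), "-w", str(timeout_s * 1000), host]
    else:
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(size), "-W", str(timeout_s), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for ping_probe: a path that drops any packet over path_mtu."""
    return lambda size: size + IPV4_HEADER + ICMP_HEADER <= path_mtu


if __name__ == "__main__":
    # Values quoted in the thread: 1452 over the failing ISP, 1472 over the working one.
    print(analyze(1452, clamp_mss=1300))
    print(analyze(1472))
    print(find_max_payload(simulated_probe(1480)))
```

Run it as-is to see the arithmetic for the thread's two results; to probe a real path, pass `lambda s: ping_probe("203.0.113.1", s)` (placeholder address) to `find_max_payload`.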

Thanks again for your help.

Here is the output of my mangle rules:

 /ip firewall mangle> pr detail 
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=forward action=change-mss new-mss=1300 passthrough=yes tcp-flags=syn protocol=tcp tcp-mss=!0-1300 
[admin@MikroTik] /ip firewall mangle>

Don't ask me why Mikrotik doesn't display the dynamic rules there. It should, shouldn't it? Should I file a bug for that? Screenshot attached.

The change you suggest has made no difference to ping size and also the Winbox session still does not work.

What other suggestions do you have?

Best,
Alex

My system:

RB493G RouterOS 6.15
RB-Mangle-Rules.png

Hi Alex,
Yes, the dynamic rules should be displayed; that is probably a bug. Can you run a packet capture of it while it is failing? That will probably give the best clues as to what is going on. Will you also post your configs from both routers?