Hello,
I have a behavior of my router that I do not understand. All sites work fine except for some websites.
For example, duckduckgo.com (52.142.124.215) is inaccessible via my router.
I tested without going through this router, that is to say I connect my laptop directly to the cable, and it works perfectly.
I looked at the DNS resolution; it's OK.
I didn't see any route that could redirect to a bad route.
I ran a traceroute and something seems strange.
The first capture is a direct connection from my laptop and it's OK.
The second capture is via MikroTik.
Something is strange for me in my traceroute (mtr). Look at the last line: it doesn't seem to go all the way. Do I have a limit on the number of hops?
I do not understand what could give me this problem, and moreover most of the sites work well.
I don't know how to troubleshoot.
Via MikroTik:
laptop → MikroTik (192.168.88.1) → tunnel (WireGuard) (10.254.0.1) → VPS (WireGuard server) (141.95.1.220) → internet
Direct:
laptop() → tunnel (WireGuard) (10.254.0.2) → VPS (WireGuard server) (141.95.1.220) → internet
I have the same issue with netflix.com; the common point is the number of lines returned by the "mtr" command (my traceroute), which is more than 20 lines.
Is it a hop limitation?
Hi,
It was a network encapsulation problem on the WireGuard tunnel on the MikroTik. First of all, I am not a network specialist.
For my troubleshooting, I did a tcpdump on my server, router, and laptop with a successful test and a failed test. I compared the results. I saw a strange thing: on some lines I found "unreachable - need to frag (mtu 1420)". I searched the internet and found out that it was an MTU problem with WireGuard. I tried to change the MTU value on my interface; nothing changed. So I kept searching and read the documentation about TCPMSS (Maximum Segment Size). I understood my problem. In my case it was a broken PMTUD, so I had to decrease the MSS of the packets that pass through the VPN link. This solved my problem.
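The troubleshooting sequence in the post above (spot the ICMP "need to frag" notices in a tcpdump, derive the tunnel's path MTU, then clamp TCP MSS so PMTUD no longer matters) can be turned into a small script. This is an added example, not code from the thread or from MikroTik. The capture lines are constructed to mimic tcpdump's ICMP output, the interface name `wireguard1` is a placeholder, and the generated rule uses the RouterOS `change-mss` mangle action; the MSS arithmetic assumes no IP or TCP options.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# tcpdump prints an ICMP "fragmentation needed" message (type 3, code 4) as
# "... unreachable - need to frag (mtu N), length L". Capture the advertised MTU.
NEED_FRAG_RE = re.compile(r"need to frag \(mtu (\d+)\)")

# Fixed header sizes used to turn an MTU into a TCP MSS (no options assumed).
IPV4_TCP_OVERHEAD = 20 + 20  # IPv4 header + TCP header
IPV6_TCP_OVERHEAD = 40 + 20  # IPv6 header + TCP header

# WireGuard's default interface MTU (1500 minus its encapsulation overhead);
# the value that showed up in the thread's capture.
WIREGUARD_DEFAULT_MTU = 1420


def frag_needed_mtus(lines: Iterable[str]) -> List[int]:
    """Return the MTU advertised by every 'need to frag' line, in capture order."""
    found = []
    for line in lines:
        match = NEED_FRAG_RE.search(line)
        if match:
            found.append(int(match.group(1)))
    return found


def mss_for_mtu(mtu: int, ipv6: bool = False) -> int:
    """Largest TCP segment that fits into one packet of the given MTU."""
    return mtu - (IPV6_TCP_OVERHEAD if ipv6 else IPV4_TCP_OVERHEAD)


@dataclass
class MssRecommendation:
    path_mtu: int   # smallest MTU seen in the capture
    mss_v4: int     # MSS to clamp to for IPv4 flows
    mss_v6: int     # MSS to clamp to for IPv6 flows
    rule: str       # RouterOS mangle rule implementing the IPv4 clamp


def recommend_mss_clamp(capture_lines: Iterable[str],
                        tunnel_interface: str = "wireguard1") -> Optional[MssRecommendation]:
    """Derive an MSS clamp from the ICMP notices in a capture; None if there are none."""
    mtus = frag_needed_mtus(capture_lines)
    if not mtus:
        return None
    path_mtu = min(mtus)  # the tightest link on the path dictates the clamp
    mss4 = mss_for_mtu(path_mtu)
    mss6 = mss_for_mtu(path_mtu, ipv6=True)
    # Rewrite the MSS option on SYNs leaving through the tunnel. Interface name is a placeholder.
    rule = (
        f"/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn "
        f"out-interface={tunnel_interface} action=change-mss new-mss={mss4} "
        f'passthrough=yes comment="clamp MSS for path MTU {path_mtu}"'
    )
    return MssRecommendation(path_mtu, mss4, mss6, rule)


# Constructed sample capture: one ordinary SYN plus two ICMP "need to frag" notices
# of the kind the poster found in the failed test.
CONSTRUCTED_CAPTURE = [
    "12:00:01.000100 IP 192.168.88.10.51234 > 52.142.124.215.443: Flags [S], seq 1, win 64240, options [mss 1460], length 0",
    "12:00:01.020300 IP 10.254.0.1 > 192.168.88.10: ICMP 52.142.124.215 unreachable - need to frag (mtu 1420), length 556",
    "12:00:02.030400 IP 10.254.0.1 > 192.168.88.10: ICMP 52.142.124.215 unreachable - need to frag (mtu 1420), length 556",
]

if __name__ == "__main__":
    rec = recommend_mss_clamp(CONSTRUCTED_CAPTURE)
    if rec is None:
        print("no 'need to frag' notices in capture; MTU is probably not the issue")
    else:
        print(f"path MTU {rec.path_mtu}: clamp MSS to {rec.mss_v4} (IPv4) / {rec.mss_v6} (IPv6)")
        print(rec.rule)
```

The important detail is that the script keys on the ICMP notice itself: as long as those messages reach the endpoint, PMTUD works and nothing needs clamping. The clamp is the fix for the case in the thread, where the notice is generated but the far side never adapts, so large segments are silently dropped and only sites whose responses exceed the tunnel MTU break. RouterOS also accepts `new-mss=clamp-to-pmtu`, which derives the value from the outgoing interface MTU instead of a fixed number.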
Interesting. I had issues with folks using my ISP WAN through WireGuard where they logged onto a site on the web, but then the site sent them to another place for a different level of authentication and the MTU was buggering things up.
I solved this by playing with the MTU until the issue was resolved. For me it was setting an MTU of 1500 on both WireGuard interfaces (vice the default 1420).