russkey
just joined
Topic Author
Posts: 16
Joined: Sun Aug 17, 2014 2:42 am

In-network websites unreachable

Mon Apr 13, 2015 3:12 am

I have a pretty convoluted system set up. There are a bunch of separate mikrotiks connected to a central one with EoIP tunnels. I have things bridged and working between them, they all think they are on one single network. Works great, various network protocols fly around the system with ease.

There is one odd-ball router that is in an awkward position, though. It is sitting behind a non-bridging, dynamic IP'd modem. This router has to use L2TP to reach that primary mikrotik, through the intermediate modem network. That mostly works. I have pings going from one side of the link to the other. Everybody can ping everybody else. I can even SSH from within that strange network into my core and related networks and back.

However, when I try to access a web service on the core network from the odd-ball section using the internal IP, it fails. Says it can't reach it. I have no problems accessing the same web service if I dstnat its port to the outside of the network, but that is not ideal.

What would cause pings and SSH sessions to work, but HTTP/HTTPS requests to fail? Can't seem to find the issue. I have my firewall drop rules logging things, but nothing shows up.
 
russkey
just joined
Topic Author
Posts: 16
Joined: Sun Aug 17, 2014 2:42 am

Re: In-network websites unreachable

Tue Apr 14, 2015 3:22 am

A distilled version of the question:

What would cause an L2TP tunneled, and bridged to bridge-local, network connection to successfully ping and SSH things in the core network, but fail to access :80 or :443 websites in the core network? Where should I be looking for a problem?
 
russkey
just joined
Topic Author
Posts: 16
Joined: Sun Aug 17, 2014 2:42 am

Re: In-network websites unreachable

Tue Apr 14, 2015 5:16 pm

After some more testing it seems that all cross-bridged-link web requests fail. Ping and SSH go through the bridged links (EoIP and L2TP) successfully, but HTTP and HTTPS web requests fail. What might be causing this?
 
lambert
Long time Member
Posts: 533
Joined: Fri Jul 23, 2010 1:09 am

Re: In-network websites unreachable

Wed Apr 15, 2015 7:59 am

It might be MTU issues. Do large pings work? Does SSH hang when you move a lot of data through the connection?
 
russkey
just joined
Topic Author
Posts: 16
Joined: Sun Aug 17, 2014 2:42 am

Re: In-network websites unreachable

Wed Apr 15, 2015 1:33 pm

It might be MTU issues. Do large pings work? Does SSH hang when you move a lot of data through the connection?
The largest pings I can get across are 1400 bytes. And I have seen the SSH connection hang when doing a "log print follow". So that definitely sounds like the problem! How would I fix it, though? Shouldn't the connection break up large packets into fragments automatically?
 
lambert
Long time Member
Posts: 533
Joined: Fri Jul 23, 2010 1:09 am

Re: In-network websites unreachable

Wed Apr 15, 2015 3:23 pm

That depends on the specifics of what RouterOS version and how you configured everything.
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: In-network websites unreachable

Wed Apr 15, 2015 4:48 pm

The largest pings I can get across are 1400 bytes. And I have seen the SSH connection hang when doing a "log print follow". So that definitely sounds like the problem! How would I fix it, though? Shouldn't the connection break up large packets into fragments automatically?
If the application sets the DF (don't fragment) flag in the IP header, then the device may not fragment the packet, but instead should send an ICMP message informing the sender that the packet was discarded, by whom, and what the MTU of the next hop is.

I think most applications use DF bit because they want to use path mtu discovery.
Networks that discard all ICMP break this.
Your best bet is to use the clamp MSS feature.

In IPv6 - there is no fragmentation allowed ever, so definitely make sure your networks can either use PMTU discovery or else you can clamp the MSS yourself.

In your case, though, it seems that the server on the far end is the one with broken PMTU.
Poorly-configured load balancers at data centers will break pmtu discovery....
 
nje431
newbie
Posts: 41
Joined: Tue Sep 10, 2013 5:17 pm

Re: In-network websites unreachable

Wed Apr 15, 2015 4:53 pm

Your system sounds similar to ours in a lot of ways. Same problem we originally had when adding an L2TP link as well.

With the later ROS versions, you can let the router set the MTU by using the auto MTU feature on ALL interfaces except the bridge interface (more on that in a bit). To use auto MTU, simply "roll up" the box where you would normally set the MTU manually. On the bridge MTU, at least on 6.21, which we are using, using auto MTU breaks things. I have that set to 1500 on ours, which works smoothly.

Cheers
 
russkey
just joined
Topic Author
Posts: 16
Joined: Sun Aug 17, 2014 2:42 am

Re: In-network websites unreachable

Thu Apr 16, 2015 3:29 am

Your system sounds similar to ours in a lot of ways. Same problem we originally had when adding an L2TP link as well.

With the later ROS versions, you can let the router set the MTU by using the auto MTU feature on ALL interfaces except the bridge interface (more on that in a bit). To use auto MTU, simply "roll up" the box where you would normally set the MTU manually. On the bridge MTU, at least on 6.21, which we are using, using auto MTU breaks things. I have that set to 1500 on ours, which works smoothly.

Cheers
So we are running 6.27 here. I've set the MTU on all of the l2tp, physical, and bridges to 1400. Now huge pings are successfully going from the remote router to the core router and back. But they don't make it through the core router on to the other entities in the core. If there's a mismatch between the l2tp and the bridge MTU, it can't even get to the core router.

Not quite sure what you mean by roll up the box. What is the command line equivalent?

EDIT: enabling MRRU on the L2TP link seems to also break the large packet handling on the router-router connection.

EDIT2: I think I found the solution! Setting the max-mtu and max-mru on the L2TP link to something higher than all the other MTUs (1500 vs 1400) now allows huge pings and web requests to flow through the L2TP link successfully. This solution was found by trial and error.

Could somebody please explain what is actually happening here?
 
nje431
newbie
Posts: 41
Joined: Tue Sep 10, 2013 5:17 pm

Re: In-network websites unreachable

Thu Apr 16, 2015 4:11 am

Glad you got it working. For reference, "roll up the box" refers to the Winbox interface, and clicking the area to the right of the MTU field to close the field. I'm not a CLI expert, so I don't know the specific command.

Cheers
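For the CLI side of what this thread arrived at, here is an added example (not posted by anyone in the thread): the explicit 1400-byte MTUs on the physical, EoIP and bridge legs, the L2TP link's max-mtu/max-mru raised above them to 1500 as in EDIT2, an MSS clamp so TCP sessions (HTTP/HTTPS) stop depending on PMTU discovery across the tunnels, and a DF-flagged ping to verify. The interface names ether1, eoip-core, l2tp-core and bridge-local and the ping target 192.168.88.1 are assumed.

```routeros
# Added example, not from the thread. Interface names and the address are assumed.

# 1. Explicit MTUs on the non-L2TP legs (the 1400 that worked in the thread).
/interface ethernet set [find name=ether1] mtu=1400
/interface eoip set [find name=eoip-core] mtu=1400
/interface bridge set [find name=bridge-local] mtu=1400

# 2. L2TP link: max-mtu/max-mru higher than every other MTU (1500 vs 1400).
/interface l2tp-client set [find name=l2tp-core] max-mtu=1500 max-mru=1500

# 3. MSS clamp for TCP SYNs crossing the router: 1400 - 20 (IP) - 20 (TCP) = 1360.
#    Only SYNs advertising a larger MSS are rewritten; everything else passes untouched.
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn \
    tcp-mss=1361-65535 action=change-mss new-mss=1360 passthrough=yes \
    comment="clamp MSS so HTTP/HTTPS never need PMTU discovery over the tunnels"

# Bridged (layer-2) traffic between the tunnels and bridge-local only reaches the
# ip firewall mangle chain when the bridge is told to hand it to the IP firewall.
/interface bridge settings set use-ip-firewall=yes

# 4. Verify: a DF-flagged ping of the full MTU must get through; a 1500-byte one
#    should now be answered with an ICMP "fragmentation needed" instead of silence.
/ping 192.168.88.1 size=1400 do-not-fragment count=3
/ping 192.168.88.1 size=1500 do-not-fragment count=3
```

If the 1400-byte DF ping still fails between the core router and hosts behind it, the mismatch is on a hop past the core router, which matches the symptom in the thread before the L2TP max-mtu/max-mru change.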
