darksideofthemoon
just joined
Topic Author
Posts: 3
Joined: Tue Oct 17, 2006 11:14 am

Ipsec over PPPoE problem

Tue Oct 17, 2006 11:38 am

Hello,
I have a problem with an IPsec tunnel that a client, behind a MikroTik wireless area, builds with an Internet host.

Here the scenario:

(client) --- (Ric522 pppoe-client) --- (RB532a pppoe-server) --- (internet)

The VPN goes up and the client can ping the VPN server and can establish a telnet connection with a host inside the VPN network, but some other protocols don't work... for example Windows "Remote Desktop" or a webmail over the HTTPS protocol.

If I disable the PPPoE client and manually set the IP address, gateway and all the other stuff on the Ric522, everything works perfectly... so I think that the problem is in the PPPoE tunnel...

The firmware of both MT routers is 2.9.30.

Any ideas?
Does anyone have the same problem?

Greetings.
 
fatonk
Member
Posts: 439
Joined: Tue Feb 22, 2005 11:06 am
Location: Mitrovica/Kosova

Tue Oct 17, 2006 11:42 am

I think you have a problem with fragmentation (MSS/MTU); try tweaking the MSS and MTU. It works without PPPoE because with PPPoE you have a lower MTU, while without PPPoE the MTU is 1500 bytes.

Regards.

Faton
 
darksideofthemoon
just joined
Topic Author
Posts: 3
Joined: Tue Oct 17, 2006 11:14 am

Tue Oct 17, 2006 4:17 pm

Thanks for the reply,

Until now I've never modified MSS/MTU... any hints? Where must I change it? On the RIC522 (client side) or on the RB532a (server side)?
And... on which interface? On the PPPoE server maybe?

/interface pppoe-server server print
[...]
max-mru=1480 max-mtu=1480
[...]

Greetings
 
airstream
Member Candidate
Posts: 188
Joined: Fri Feb 03, 2006 6:33 am
Location: New Zealand

Tue Oct 17, 2006 10:33 pm

Hi there. Indeed, it sounds like the MTU size. Change it to something smaller than the standard PPPoE size, then test the connection against sites that won't work if your MTU is wrong. One site I know of is Hotmail.com: if you click to log in and your MTU is off, the login screen will never show, it will just hang in the browser. Good for testing.
Keep tryin', it's bound to work!!
-----
ROOT@COSMOS> Reality.sys corrupted -- Reboot Universe (Y/N)?
>_
 
fatonk
Member
Posts: 439
Joined: Tue Feb 22, 2005 11:06 am
Location: Mitrovica/Kosova

Wed Oct 18, 2006 9:17 am

You can configure it like this:

ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=1440

ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn,ack action=change-mss new-mss=1440


regards

Faton.
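
Added example, not part of any post in this thread: a Python calculation of how much TCP payload still fits once a packet is wrapped in IPsec ESP and carried over the 1480-byte PPPoE link shown above. It assumes IPv4, ESP tunnel mode, a CBC cipher and a 96-bit HMAC, none of which the thread states; all function and constant names are illustrative.

```python
"""TCP MSS that fits inside ESP tunnel mode over a PPPoE link (added example).

Assumptions, not stated in the thread: IPv4, ESP tunnel mode, CBC cipher,
96-bit HMAC (12-byte ICV). All names here are illustrative.
"""

IPV4_HDR = 20
TCP_HDR = 20
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad-length + next-header bytes
NATT_UDP = 8       # UDP header added when NAT traversal is in use

# cipher -> (block size, IV size) in bytes
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}


def esp_packet_size(inner_len, cipher="3des-cbc", icv=12, nat_t=False):
    """On-the-wire size of an inner IP packet after ESP tunnel encapsulation."""
    block, iv = CIPHERS[cipher]
    padded = -(-(inner_len + ESP_TRAILER) // block) * block  # round up to block
    return IPV4_HDR + (NATT_UDP if nat_t else 0) + ESP_HDR + iv + padded + icv


def max_inner_packet(link_mtu, cipher="3des-cbc", icv=12, nat_t=False):
    """Largest inner IP packet whose ESP form still fits in link_mtu."""
    block, iv = CIPHERS[cipher]
    room = link_mtu - IPV4_HDR - (NATT_UDP if nat_t else 0) - ESP_HDR - iv - icv
    if room < block:
        raise ValueError("link MTU too small for ESP")
    return (room // block) * block - ESP_TRAILER


def tcp_mss(ip_mtu):
    """MSS for a TCP segment in an IPv4 packet of ip_mtu bytes (no options)."""
    return ip_mtu - IPV4_HDR - TCP_HDR


def report(link_mtu):
    """Return {label: mss} for plain and ESP-tunnelled TCP over link_mtu."""
    rows = {"plain": tcp_mss(link_mtu)}
    for cipher in CIPHERS:
        for nat_t in (False, True):
            label = cipher + ("+nat-t" if nat_t else "")
            rows[label] = tcp_mss(max_inner_packet(link_mtu, cipher, nat_t=nat_t))
    return rows


if __name__ == "__main__":
    for label, mss in report(1480).items():  # 1480 = max-mtu shown in the thread
        print(f"{label:16} MSS {mss}")
```

For the 1480-byte link this gives 1440 for plain TCP and 1366 to 1390 for TCP carried inside ESP, depending on cipher and NAT traversal. A change-mss rule can only rewrite SYNs it sees in cleartext, so for TCP carried inside the tunnel the lower figure has to be applied at a point where the traffic is unencrypted.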
