LuizMeier
Member Candidate
Topic Author
Posts: 104
Joined: Tue Sep 25, 2012 11:57 pm
Location: Curitiba, PR - Brasil

TCP Clamp or clamp-to-pmtu

Mon Dec 26, 2016 7:37 pm

Hello!

We have a structure of about 50 sites connected to our HQ. Every branch office has 2 tunnels: one EoIP running over the ISP's MPLS and an L2TP tunnel for redundancy in case of problems with MPLS.
We also have an OSPF environment running in this layout with no problems. All sites have a RB 2011.

The thing is that since some days ago we began to have some problems loading HTTPS websites. This is caused by our Firewall, since we started to check the packets via flow-based and not proxy anymore.
We've done some tests and discovered that we could go around the problem by adjusting our MTU. After some research, I've seen that MikroTik allows me to change the MTU automatically via the flag "Clamp TCP MSS" in the interface itself or via a Mangle rule through the clamp-to-pmtu action.

I would like your help to understand the concept of both of them, and whether I need to use both together or just one of them. If I understood it correctly, the TCP Clamp MSS flags the SYN packet and puts the MTU of the interface with the value I want. Period.
The clamp-to-pmtu relies on MTU discovery, which is ICMP-based and not as reliable nowadays as it was in the past.

Any light would be appreciated.

Thanks in advance.
 
LuizMeier

Re: TCP Clamp or clamp-to-pmtu

Thu Dec 29, 2016 3:58 pm

I'm starting with EoIP. MikroTik's documentation says I should set the L3 MTU in the EoIP interface to 1500. I did it and added the rule to clamp to pmtu via mangle.

I'm seeing, in the beginning of the conversation, the hosts saying they will use an MSS of 1460, which seems pretty good counting 40 bytes for the TCP and IP headers. Where are the 42 bytes of EoIP's overhead going? I'm assuming the MSS should be MTU - 42 (EoIP overhead) - 40 (TCP and IP overheads).

Just in case: using the Clamp TCP MSS flag in the EoIP tunnel, it stays the same, 1460. Once I have L2TP (which doesn't have this flag) and EoIP, I prefer to adjust MSS via mangle for organization.

Is this right? I would like to use MSS and MTU to get the best out of the network. Below is my mangle rule. With this configuration all the packets with the SYN flag passing through my EoIP tunnel get the MSS changed to 1418. Should it be higher?
MTUPath says my MSS should be 1472.

Thanks in advance.
/ip firewall mangle
add action=change-mss chain=forward in-interface=eoip-barigui new-mss=1418 protocol=tcp \
    tcp-flags=syn
add action=change-mss chain=forward new-mss=1418 out-interface=eoip-barigui protocol=tcp \
    tcp-flags=syn
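
What an MSS rewrite on a SYN, as discussed in this thread, does to the packet, shown as an added example that is not part of the original posts and is not RouterOS's own implementation. The function names, the constructed sample SYN and the lower-only policy are assumptions; 1418 is the new-mss value from the mangle rule above.

```python
import struct

def fold(s):  # fold carries into 16 bits, then take the one's complement
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def inet_checksum(data):
    """Full RFC 1071 checksum, used to build and verify the sample segment."""
    data += b"\x00" * (len(data) % 2)
    return fold(sum(struct.unpack("!%dH" % (len(data) // 2), data)))

def fixup(csum, old, new):
    """RFC 1624 incremental checksum update for one changed 16-bit word."""
    return fold((~csum & 0xFFFF) + (~old & 0xFFFF) + new)

def clamp_syn_mss(tcp, new_mss):
    """Lower the MSS option of a SYN; returns (segment, old_mss, changed)."""
    seg = bytearray(tcp)
    hdr_len = (seg[12] >> 4) * 4 if len(seg) >= 20 else 0
    if not 20 <= hdr_len <= len(seg) or not seg[13] & 0x02:
        return tcp, None, False              # MSS is only carried on SYN segments
    i = 20
    while i < hdr_len and seg[i] != 0:       # option kind 0 ends the list
        if seg[i] == 1:                      # NOP padding is a single byte
            i += 1
            continue
        if i + 1 >= hdr_len or seg[i + 1] < 2 or i + seg[i + 1] > hdr_len:
            break                            # malformed option: leave segment alone
        if seg[i] == 2 and seg[i + 1] == 4:  # MSS option: kind 2, length 4
            old = struct.unpack_from("!H", seg, i + 2)[0]
            if old <= new_mss:               # assumed policy: never raise the MSS
                return tcp, old, False
            lo, hi = (i + 2) & ~1, (i + 5) & ~1   # aligned words covering the value
            before = struct.unpack_from("!%dH" % ((hi - lo) // 2), seg, lo)
            struct.pack_into("!H", seg, i + 2, new_mss)
            after = struct.unpack_from("!%dH" % ((hi - lo) // 2), seg, lo)
            csum = struct.unpack_from("!H", seg, 16)[0]
            for o, n in zip(before, after):
                csum = fixup(csum, o, n)
            struct.pack_into("!H", seg, 16, csum)
            return bytes(seg), old, True
        i += seg[i + 1]
    return tcp, None, False

# Constructed sample: SYN 10.0.0.2:40000 -> 10.0.1.2:443 advertising MSS 1460.
PSEUDO = bytes([10, 0, 0, 2, 10, 0, 1, 2, 0, 6, 0, 24])
_hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x60, 0x02, 64240, 0, 0) + b"\x02\x04\x05\xb4"
SAMPLE_SYN = _hdr[:16] + struct.pack("!H", inet_checksum(PSEUDO + _hdr)) + _hdr[18:]
```

The rewrite happens on the device that forwards the SYN, so a capture taken on the sending host still shows the value the host advertised, while a capture on the far side of the forwarding device shows the rewritten one.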
