
 
karliek1
just joined
Topic Author
Posts: 5
Joined: Fri Apr 28, 2017 5:48 pm

EOIP Tunnel on LTE not forwarding HTTP

Fri Apr 28, 2017 6:00 pm

Good day
I have a curious problem. I have a MikroTik RB411U connected to an ADSL line and an EoIP tunnel running across to our company premises some 1000 km away. This worked, as there are only 2 PCs and one printer in the office. I have now moved this MikroTik over to a Fritzbox 6840 LTE, so in essence only the Fritzbox model has changed (the ADSL has a Fritzbox 7272). My problem is that everything works, as they can connect to the network, authenticate and print, but here is the catch: they cannot scan documents to email, and I cannot connect from the office to the printer web interface. I can telnet and SSH to the printer, just not the web interface. They can print through our print server to that same printer, but scanning stopped working. All these functions worked on the normal ADSL line. Both sides have a static IP, and for testing purposes I have disabled the Fritzbox firewall (exposed host). The other side is a metrolan directly connected to the MikroTik.

Any suggestions as to what can block this traffic? Users at the other side can browse through our EoIP tunnel to the proxy server, so it is not port 80 that is blocked. All I can think of is that something on the Ricoh all-in-one is too old.
 
idlemind
Forum Guru
Posts: 1101
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: EOIP Tunnel on LTE not forwarding HTTP

Fri Apr 28, 2017 10:21 pm

Are you encrypting the EoIP tunnel by chance?
 
karliek1
just joined
Topic Author
Posts: 5
Joined: Fri Apr 28, 2017 5:48 pm

Re: EOIP Tunnel on LTE not forwarding HTTP

Tue May 02, 2017 9:58 am

Hi
No, I have removed the encryption totally. The only difference is that we have moved over from ADSL to LTE; the working MikroTiks have been moved over and the tunnel IPs have changed, that is it.

It must be something on the LTE network; my question is that it should not affect a tunnel inside TCP/IP.

Regards
 
idlemind
Forum Guru
Posts: 1101
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: EOIP Tunnel on LTE not forwarding HTTP

Tue May 02, 2017 10:12 am

> Hi
> No, I have removed the encryption totally. The only difference is that we have moved over from ADSL to LTE; the working MikroTiks have been moved over and the tunnel IPs have changed, that is it.
>
> It must be something on the LTE network; my question is that it should not affect a tunnel inside TCP/IP.
>
> Regards

It shouldn't. I guess I wouldn't be surprised. Was it doing this when encryption was turned on? Are you able to browse over the EoIP tunnel from a system that doesn't use a proxy server? Are you using the MikroTik proxy server? Could it be disabled to test access?
 
karliek1
just joined
Topic Author
Posts: 5
Joined: Fri Apr 28, 2017 5:48 pm

Re: EOIP Tunnel on LTE not forwarding HTTP

Tue May 02, 2017 10:19 am

Everything is the same. On the ADSL I can connect to the printer HTTP port, and it can print and scan. When I move the same MikroTik over to the LTE and change the tunnel IP on both sides, printing still works but HTTP and scanning stop working, so the only things that change are the 2x tunnel IPs on both sides and the Fritzbox, as the 7272 model cannot do LTE. I am going to change to an IPIP tunnel with routing to see if the problem is still there.
 
idlemind
Forum Guru
Posts: 1101
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: EOIP Tunnel on LTE not forwarding HTTP

Tue May 02, 2017 10:21 am

If you don't need to stretch layer 2 between both locations I'd definitely recommend IPIP or GRE.
 
karliek1
just joined
Topic Author
Posts: 5
Joined: Fri Apr 28, 2017 5:48 pm

Re: EOIP Tunnel on LTE not forwarding HTTP

Tue May 02, 2017 10:24 am

The only reason I did it was because it involved only 2x PCs and one printer, not much traffic. But I will try the GRE / IPIP route and see. I just thought that nothing can interfere with the EoIP tunnel, as it is encapsulated and immune to external factors.
 
p3rad0x
Long time Member
Posts: 603
Joined: Fri Sep 18, 2015 5:42 pm
Location: South Africa

Re: EOIP Tunnel on LTE not forwarding HTTP

Wed May 03, 2017 5:39 pm

I think you are having some kind of MTU issue maybe. Are HTTPS sites working properly?

You can try and add a mangle rule to change the TCP MSS for all connections to 1448 or something like that.
There you go then you touched something ;-) : it only takes a change in wind direction to screw with your nat :-)
 
karliek1
just joined
Topic Author
Posts: 5
Joined: Fri Apr 28, 2017 5:48 pm

Re: EOIP Tunnel on LTE not forwarding HTTP

Wed May 03, 2017 5:48 pm

I have played around with the MTU and used various settings but still no luck. Ideally, what must the MTU be, 1530 or 1500?
 
idlemind
Forum Guru
Posts: 1101
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: EOIP Tunnel on LTE not forwarding HTTP

Wed May 03, 2017 7:23 pm

MTU can be a tricky item. First you need to determine your starting point. If you are traversing the Internet or just using default settings on an Ethernet network it is likely 1500.

Typically your L2 MTU will be 1514 or slightly larger. This is commonly a separate value from your layer 3 MTU. In Cisco land the ip mtu command sets the layer 3 MTU and adjusts the layer 2 MTU appropriately.

A quick list to get us started

Ethernet = 14 bytes
Plain GRE = 4 bytes (no key or sequence numbering, each item would add 4 bytes for 8 and 12 respectively)
IPv4 Header = 20 bytes
IPv6 Header = 40 bytes

IPSec gets a lot more tricky. Each option adjusts the size of the header. By and large my recommendation for an IPSec setup (tunnel or transport mode) using IPv4 outside and inside of it will be 1400 bytes. It's a catch all that should work for all configurations that have a base MTU of 1500 bytes.

https://cway.cisco.com/tools/ipsec-overhead-calc/ This is an excellent tool from Cisco for calculating MTU values; in particular, it dives into MTU values for various kinds of IPSec settings. Its access is restricted. I'm not sure which level exactly, but as a Cisco partner I have access.

http://baturin.org/tools/encapcalc/ A free MTU tool but it doesn't include IPSec information.

Ok, let's specifically dive into tunneling and how these headers stack up.

MikroTik GRE MTU
[Attached image: MikroTik-Forums_MTU-Lets-Play_GRE_1.png]
Looking at the above packet we see the anatomy of how it was built. We see the Ethernet header outside of all of our layer 3+ headers. We see the outside IPv4 header (20 bytes), a GRE header without any keys or sequencing (4 bytes), another IPv4 header (20 bytes) representing the inside IPv4 information and lastly the data which in this case is an ICMP packet. So in total we add 4 + 20 which equals 24. The largest we can set MTU for this connection if we have a base layer 3 MTU of 1500 is 1474. We don't count the outermost IPv4 header.

MikroTik EoIP MTU
[Attached image: MikroTik-Forums_MTU-Lets-Play_EoIP_1.png]
You'll see that this packet looks very similar. The exception is that an Ethernet header is squashed in between the GRE and inside IPv4 header adding an additional 14 bytes of overhead. This time the calculation is 4 + 14 + 20 which equals 38. The largest we can set MTU for this connection if we have a base layer 3 MTU of 1500 is 1462.
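
The arithmetic from the post above applied to the EoIP tunnel in this thread, as an added example that is not part of the original posts: it takes the header sizes and the 4 + 14 + 20 sum from the post, then checks which TCP segments of a constructed traffic sample would exceed the resulting tunnel MTU at different MSS values. The 20-byte TCP header, the 1460 starting MSS and the sample write sizes are assumptions.

```python
# Added example: MTU/MSS arithmetic for the EoIP tunnel discussed in this thread.
# Header sizes are the ones listed in the post; other values are labelled.

HEADER_BYTES = {"ethernet": 14, "gre": 4, "ipv4": 20, "ipv6": 40}
TCP_HEADER = 20  # assumption: TCP header without options

# EoIP overhead as summed in the post: 4 + 14 + 20 = 38 bytes.
EOIP_OVERHEAD = ("gre", "ethernet", "ipv4")

# Constructed sample traffic (application write sizes in bytes).
INTERACTIVE = [1, 1, 48, 120]  # keystroke-sized writes, telnet/SSH style
BULK = [6000]                  # one large write, web page or scan upload


def tunnel_mtu(base_mtu, overhead=EOIP_OVERHEAD):
    """Largest layer 3 packet the tunnel carries without fragmentation."""
    return base_mtu - sum(HEADER_BYTES[name] for name in overhead)


def max_mss(mtu, inner="ipv4"):
    """Largest TCP payload whose IP packet still fits in `mtu`."""
    return mtu - HEADER_BYTES[inner] - TCP_HEADER


def segments(write_sizes, mss):
    """Split application writes into TCP segments of at most `mss` bytes."""
    out = []
    for size in write_sizes:
        full, rest = divmod(size, mss)
        out += [mss] * full + ([rest] if rest else [])
    return out


def oversize(write_sizes, mss, mtu, inner="ipv4"):
    """Segments that would need fragmentation (or be dropped) in the tunnel."""
    limit = max_mss(mtu, inner)
    return [s for s in segments(write_sizes, mss) if s > limit]


def report(base_mtu=1500, mss_values=(1460, 1448)):
    """Rows of (mss, oversize interactive segments, oversize bulk segments).
    1460 is the assumed MSS on a 1500-byte link; 1448 is the value
    suggested in the thread; the last row is the computed limit."""
    mtu = tunnel_mtu(base_mtu)
    rows = [(mss, len(oversize(INTERACTIVE, mss, mtu)),
             len(oversize(BULK, mss, mtu)))
            for mss in (*mss_values, max_mss(mtu))]
    return mtu, rows


if __name__ == "__main__":
    mtu, rows = report()
    print(f"EoIP tunnel MTU: {mtu}")
    for mss, small, bulk in rows:
        print(f"MSS {mss}: interactive oversize={small}, bulk oversize={bulk}")
```

Small interactive segments fit at every MSS, while bulk transfers produce oversize segments until the MSS is at or below the computed limit; pass a lower `base_mtu` to model a path whose MTU is below 1500.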