dada
Member Candidate
Topic Author
Posts: 245
Joined: Tue Feb 21, 2006 1:44 pm

Firewall and fragmented packets problem

Mon Sep 10, 2007 6:07 pm

I have discovered a strange issue with oversized packets - some services which use UDP transport sometimes (rather rarely) don't work properly in some cases. Especially VPN connections (not initiated nor terminated on MikroTik - just going through an MT box in router mode) were sometimes not able to work. The strange thing is that most of the time the problem doesn't appear (i.e. discovering the source of the problem was not easy at all).

All our MikroTik boxes on the clients' side run simple firewall rules (to stop SSH scanners and to allow only IPs assigned to the client(s)). We use no connection tracking, etc. After the firewall is stopped, the MikroTik starts to respond to ping packets larger than the MTU and VPNs are working too.

So it looks like the MikroTik kernel is not reassembling fragments prior to checking the packet against firewall rules. Is there any real reason for it (limited memory??)? I think 2.9.xx ROS is based on the 2.4 Linux kernel, which should reassemble fragments before it sends them to firewalling rules...

There are thousands of MT boxes in our network, all with similar firewall settings. Some of the boxes do reply on ping with large packets, some of them don't (and it is not dependent on RouterBoard type nor ROS version - there are boxes with identical hardware and ROS which behave differently. Sometimes it may happen that the same box after a reboot will behave differently...). It looks like a problem with the packet defragmentation code or so....

Should I really use connection tracking (I don't like it - it is CPU expensive) to solve the problem?
 
changeip
Forum Guru
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Re: Firewall and fragmented packets problem

Mon Sep 10, 2007 7:24 pm

Yes, fragmented packets cannot be used with the firewall without connection tracking. Seems dumb really, it should just route them no matter what, even if they are frag'd. Maybe you can create a rule that uses the fragment checkbox and allow them? I haven't really experimented enough to know that.

Sam
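Added example (not from the thread, not RouterOS code) illustrating why dada's port-based rules behave as described without connection tracking and what changeip's "allow fragments" rule changes: an oversized UDP datagram is split per RFC 791, only the first fragment carries the UDP header, so a stateless "accept udp dst-port X, else drop" rule accepts the first piece and drops the rest, while a filter that sees the reassembled datagram (what connection tracking provides) or a separate rule accepting non-first fragments lets the whole datagram through. The 1500-byte MTU, the 10.0.0.x addresses, UDP port 500 and the 2000-byte payload are all constructed; the fragment semantics (offset > 0 means no transport header) come from RFC 791, not from any specific RouterOS behaviour.

```python
import socket
import struct

IP_HDR_FMT = "!BBHHHBBH4s4s"   # IPv4 header without options
IP_HDR_LEN = 20
UDP_HDR_LEN = 8
PROTO_UDP = 17
MF_FLAG = 0x2000               # "more fragments" bit in the flags/fragment-offset field
MTU = 1500                     # assumed link MTU (constructed)


def build_udp_datagram(src, dst, sport, dport, payload, ident=0x1234):
    """Build a complete IPv4/UDP datagram (checksums left zero; not needed here)."""
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(payload), 0) + payload
    ip = struct.pack(IP_HDR_FMT, 0x45, 0, IP_HDR_LEN + len(udp), ident, 0, 64,
                     PROTO_UDP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


def parse(pkt):
    """Return the IPv4 fields a firewall rule can look at, plus the bytes after the IP header."""
    (_, _, _, ident, flags_off, _, proto, _, src, dst) = struct.unpack(IP_HDR_FMT, pkt[:IP_HDR_LEN])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
            "ident": ident, "mf": bool(flags_off & MF_FLAG),
            "offset": (flags_off & 0x1FFF) * 8, "data": pkt[IP_HDR_LEN:]}


def fragment(datagram, mtu=MTU):
    """Split a datagram the way a router does when it exceeds the MTU (RFC 791)."""
    fields = list(struct.unpack(IP_HDR_FMT, datagram[:IP_HDR_LEN]))
    payload = datagram[IP_HDR_LEN:]
    step = (mtu - IP_HDR_LEN) // 8 * 8     # every fragment but the last carries a multiple of 8 bytes
    frags = []
    for off in range(0, len(payload), step):
        chunk = payload[off:off + step]
        more = off + len(chunk) < len(payload)
        fields[2] = IP_HDR_LEN + len(chunk)                  # total length of this fragment
        fields[4] = (MF_FLAG if more else 0) | (off // 8)    # flags + offset in 8-byte units
        frags.append(struct.pack(IP_HDR_FMT, *fields) + chunk)
    return frags


def reassemble(frags):
    """Glue the fragments of one datagram back together; None while pieces are missing."""
    parts = sorted((parse(f) for f in frags), key=lambda p: p["offset"])
    data = b""
    for p in parts:
        if p["offset"] != len(data):
            return None                   # gap: a fragment was lost or has not arrived yet
        data += p["data"]
    if parts[-1]["mf"]:
        return None                       # the last fragment has not arrived
    fields = list(struct.unpack(IP_HDR_FMT, frags[0][:IP_HDR_LEN]))
    fields[2], fields[4] = IP_HDR_LEN + len(data), 0
    return struct.pack(IP_HDR_FMT, *fields) + data


def port_rule(pkt, allowed_dport, accept_fragments=False):
    """One 'accept udp dst-port X, else drop' rule evaluated on a single packet.

    Only the first fragment contains the UDP header; a later fragment (offset > 0)
    has no port to match, so a stateless port rule falls through to drop unless a
    separate rule accepts fragments (modelled here by accept_fragments=True).
    """
    p = parse(pkt)
    if p["offset"] > 0:
        return "accept" if accept_fragments else "drop"
    if p["proto"] != PROTO_UDP or len(p["data"]) < UDP_HDR_LEN:
        return "drop"
    _, dport = struct.unpack("!HH", p["data"][:4])
    return "accept" if dport == allowed_dport else "drop"


def demo(payload_len=2000, dport=500):
    """Compare the three filter positions on one oversized UDP datagram (constructed input)."""
    dg = build_udp_datagram("10.0.0.2", "10.0.0.1", 500, dport, b"A" * payload_len)
    frags = fragment(dg)
    return {
        "fragments": len(frags),
        "stateless": [port_rule(f, dport) for f in frags],
        "with_fragment_accept": [port_rule(f, dport, accept_fragments=True) for f in frags],
        "after_reassembly": port_rule(reassemble(frags), dport),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the stateless rule returning accept for the first fragment and drop for the second, which is the "VPN works most of the time" symptom: small datagrams never fragment and pass, only the oversized ones lose their tail. Accepting fragments unconditionally restores the traffic but means any non-first fragment passes the port check, which is the trade-off of that rule; reassembling first (what connection tracking gives the filter) keeps the port check intact.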
