Lonecrow
Member Candidate
Topic Author
Posts: 136
Joined: Mon Dec 24, 2007 4:58 am

TCP Sessions timing out on their own way too early

Fri Dec 10, 2010 10:22 pm

I've got a unique problem. I basically am using a PC for a router with RouterOS 4.5 right now. I bridge ether1-4 and use ether5 as my WAN. I am pushing about 60-80mbit right now, nothing fancy, just straight routing.

Everything has worked well but some particular websites don't like the mikrotik and will time out sessions. If I plug my laptop into the dmz outside the mikrotik the web sessions will not time out.

This is for a library system web system that logs you out after 15 mins. But I watch the connection drop in the connection tracking after a few seconds. But it is only for this site and a couple others. So the other side loses its session and assumes you have to log back in. But no other ISP in town has this happen. Only when it is behind this mikrotik. I swear they are dropping me on their side. But according to their tech support it claims this:
--
Q1. Why does the e-Library OPAC system keep showing the message "Session has timed out. Please click OK to start a new OPAC session."?
A: Each OPAC session is set at 15 minutes. The system displays this message after 15 minutes of inactivity. If this message is shown after less than 15 minutes of inactivity, it is because the system switches to a server load balance. For users who connect through a proxy, if a different IP address is used in the same session, the server load balance will not be able to identify the same session based on an IP address. That is when a Session Timeout message appears before it is time for the session to time out. When that happens, contact your network administrator or enter http://webcat1.tpml.edu.tw or http://webcat2.tpml.edu.tw in the address bar of your browser.
--
I do not use a proxy, and I've used a public IP so it is straight routing with only one forward chain rule in the firewall just to see..

Bizarre.. any ideas why it could be doing this?

The conntrack timeouts are all about what they should be according to the manual. I am not doing anything fancy except for some port 25 blocking (the anti spam rules Butch put together)
 
Lonecrow
Member Candidate
Topic Author
Posts: 136
Joined: Mon Dec 24, 2007 4:58 am

Re: TCP Sessions timing out on their own way too early

Fri Dec 10, 2010 10:25 pm

Also, it isn't in Taiwan; this was the only good information I could find that could help with this problem. This is a library web software that is used around the world.

But I've had other issues with other sites like this as well. So it has me pretty confused.
 
Lonecrow
Member Candidate
Topic Author
Posts: 136
Joined: Mon Dec 24, 2007 4:58 am

Re: TCP Sessions timing out on their own way too early

Fri Dec 10, 2010 10:53 pm

So I go over to one of my other routers that is almost identical in every way except is running 4.9 and I don't have this problem. So I guess I better update the firmware.. :)

I'm hesitant about upgrading to RC5 though because I've seen some bugs reported.

I only do some straight routing and anti spam for the most part. I should be safe to go to rc5 for now you think?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: TCP Sessions timing out on their own way too early

Fri Dec 10, 2010 11:31 pm

Depends on your definition of safe, your business requirements, SLAs, and change management procedures.

Where I work putting a release candidate on a production machine is a no-no.
 
Lonecrow
Member Candidate
Topic Author
Posts: 136
Joined: Mon Dec 24, 2007 4:58 am

Re: TCP Sessions timing out on their own way too early

Sat Dec 11, 2010 12:23 am

Yeah. I think so too.. but I think it was because I thought the most recent stable version looks like it's an earlier release than the one I have!!

I just realized they are using a back assward numbering of their versions.
 
Lonecrow
Member Candidate
Topic Author
Posts: 136
Joined: Mon Dec 24, 2007 4:58 am

Re: TCP Sessions timing out on their own way too early

Mon Dec 13, 2010 6:05 pm

This is odd.

I updated to 4.14 and it still times out. Not as often but it still does.

Anyone else want to give it a try with their Mikrotiks?

Go to http://216.138.208.195/uhtbin/cgisirsi/ ... /60/1180/X

Browse around for a good 5-10 mins you will eventually be given this error message.

Session has timed out. Please click OK to start a new OPAC session

And you don't even have to log in to get the timed out session.
 
xxiii
Member Candidate
Posts: 234
Joined: Wed May 31, 2006 12:55 am

Re: TCP Sessions timing out on their own way too early

Tue Dec 14, 2010 1:05 am

I tried it, got the timeout message right at the beginning, started a new session, browsed around fine for 21 minutes, then let it sit for about 12 minutes, then continued browsing around, then went to lunch. After coming back from lunch, the browser was on some home page of the site. There was a frequently updating side-scrolling message at the bottom about someone adding things to a shelf.

So things seemed fine here. It went through an x86 router with 5.0beta4 doing NAT, and then an x86 router with 4.13 and then an x86 router with 4.10.
 
Lonecrow
Member Candidate
Topic Author
Posts: 136
Joined: Mon Dec 24, 2007 4:58 am

Re: TCP Sessions timing out on their own way too early

Tue Dec 14, 2010 4:39 pm

Thanks for trying it out. Which routerOS version were you running?

I can't figure out why it is only this one PC. My other mikrotik router is fine.

Do you have any mangle rules at all? Are you natted?

The only difference between my two routers is one has only 2 ethernet cards running 4.9 so there is no bridge, just a forward rule. The PC I'm having trouble with is running 4.14 with a 4 port routerboard ethernet card that is bridged for the LAN, with the single on board as the WAN. It has static routing and a basic firewall only natting some IPs. But I'm not using natted IPs, I'm using straight public IPs, so it is only using the forward chain..

ugh!
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: TCP Sessions timing out on their own way too early

Tue Dec 14, 2010 4:41 pm

Are you using a WAN link with a small MTU/MSS at the site that has problems?

Have you tried adjusting the MTU and MSS as shown in the wiki FAQ?
 
Lonecrow
Member Candidate
Topic Author
Posts: 136
Joined: Mon Dec 24, 2007 4:58 am

Re: TCP Sessions timing out on their own way too early

Tue Dec 14, 2010 5:38 pm

I've set my LAN and WAN ports MTU from 1500 to 1492 to test and it didn't help. My other mikrotik router is at 1500 and it works fine. So I don't think it's an MTU based issue. I'll have to look up MSS though.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: TCP Sessions timing out on their own way too early

Tue Dec 14, 2010 5:53 pm

That depends on the link - if you have a cable modem at one site and an ADSL link at the other the WAN link MTU and MSS would be different.
 
Lonecrow
Member Candidate
Topic Author
Posts: 136
Joined: Mon Dec 24, 2007 4:58 am

Re: TCP Sessions timing out on their own way too early

Tue Dec 14, 2010 6:07 pm

No I've got straight fiber at both locations.. both can be 1500..
 
Lonecrow
Member Candidate
Topic Author
Posts: 136
Joined: Mon Dec 24, 2007 4:58 am

Re: TCP Sessions timing out on their own way too early

Tue Dec 14, 2010 6:25 pm

fewi wrote: "That depends on the link - if you have a cable modem at one site and an ADSL link at the other the WAN link MTU and MSS would be different."

Isn't there MTU discovery that takes place? If we are large at 1500 and their end is lower, won't the negotiation on size take place?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: TCP Sessions timing out on their own way too early

Tue Dec 14, 2010 6:28 pm

Depends on whether everyone along the path is playing nicely with ICMP. http://www.znep.com/~marcs/mtu/ is an old but OK write up.

But since you have fiber the issue isn't on your end, so there's nothing you can do about it if MTU discovery / MSS is indeed the issue - which it might not be. It was just an idea given that you hadn't described your physical access before.

Though I guess it wouldn't hurt to try this:
http://wiki.mikrotik.com/wiki/Manual:Ro ... _Questions
I cannot surf some sites when I use PPPoE.
Use /ip firewall mangle to change MSS (maximum segment size) 40 bytes less than your connection MTU. For example, if you have encrypted PPPoE link with MTU=1492, set the mangle rule as follows:
 / ip firewall mangle 
 add chain=forward protocol=tcp tcp-flags=syn action=change-mss tcp-mss=!0-1448 new-mss=1448
If you think there's a chance that you're traversing routers that could introduce this problem from the site that is having issues to the destination. Not a permanent fix, but as an experiment.
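
The FAQ rule quoted above only touches the MSS option carried in SYN packets. As an added example (not part of the original post, and not MikroTik's implementation), this Python code applies the same match-and-rewrite logic to a raw TCP segment and patches the checksum incrementally; the function names, the sample SYN and the documentation addresses are constructed for illustration.

```python
import struct

SYN, OPT_EOL, OPT_NOP, OPT_MSS = 0x02, 0, 1, 2

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (one's-complement sum of 16-bit words)."""
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def find_mss(tcp: bytes):
    """Return (offset of the MSS value, MSS) from the TCP options, or None."""
    hdr_len = (tcp[12] >> 4) * 4
    i = 20
    while 20 <= i < hdr_len <= len(tcp) and tcp[i] != OPT_EOL:
        if tcp[i] == OPT_NOP:
            i += 1
            continue
        length = tcp[i + 1] if i + 1 < hdr_len else 0
        if length < 2 or i + length > hdr_len:
            return None  # malformed option list: leave the packet alone
        if tcp[i] == OPT_MSS and length == 4:
            return i + 2, struct.unpack_from("!H", tcp, i + 2)[0]
        i += length
    return None

def clamp_mss(tcp: bytes, limit: int = 1448) -> bytes:
    """Rewrite the MSS of a SYN segment to `limit` when it is larger, fixing the checksum."""
    found = find_mss(tcp) if len(tcp) >= 20 and tcp[13] & SYN else None
    if found is None or found[1] <= limit:  # tcp-mss=!0-1448 does not match
        return tcp
    off = found[0]
    out = bytearray(tcp)
    struct.pack_into("!H", out, off, limit)
    lo, hi = off & ~1, (off + 3) & ~1  # 16-bit aligned words that changed
    inv = lambda b: bytes(x ^ 0xFF for x in b)
    new_hc = checksum(inv(tcp[16:18]) + inv(tcp[lo:hi]) + bytes(out[lo:hi]))  # RFC 1624
    struct.pack_into("!H", out, 16, new_hc)
    return bytes(out)

def sample_syn(mss: int, nop_first: bool = False):
    """Constructed SYN between documentation addresses; returns (pseudo_header, segment)."""
    mss_opt, wscale = struct.pack("!BBH", OPT_MSS, 4, mss), bytes([3, 3, 7])
    opts = bytes([OPT_NOP]) + mss_opt + wscale if nop_first else mss_opt + bytes([OPT_NOP]) + wscale
    seg = struct.pack("!HHIIBBHHH", 50000, 80, 1, 0, 7 << 4, SYN, 65535, 0, 0) + opts
    pseudo = bytes([192, 0, 2, 10, 198, 51, 100, 20]) + struct.pack("!BBH", 0, 6, len(seg))
    return pseudo, seg[:16] + struct.pack("!H", checksum(pseudo + seg)) + seg[18:]
```

A segment whose checksum verifies before clamping still verifies afterwards, including when a leading NOP leaves the MSS value on an odd byte offset.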
 
Lonecrow
Member Candidate
Topic Author
Posts: 136
Joined: Mon Dec 24, 2007 4:58 am

Re: TCP Sessions timing out on their own way too early

Tue Dec 14, 2010 7:27 pm

Yeah I saw that article. I'll give it a try and see if it fixes the issue. It is just odd that I have a second Mikrotik router with an identical setup but does not have this issue.
 
Lonecrow
Member Candidate
Topic Author
Posts: 136
Joined: Mon Dec 24, 2007 4:58 am

Re: TCP Sessions timing out on their own way too early

Tue Dec 14, 2010 7:36 pm

Welp that didn't work either.

I'm starting to think it's the other side that doesn't like our IP range or something. When I plug in outside my router I use a public IP outside the router, and the other router that does work is a completely different subnet.
 
xxiii
Member Candidate
Posts: 234
Joined: Wed May 31, 2006 12:55 am

Re: TCP Sessions timing out on their own way too early

Wed Dec 15, 2010 1:51 am

Lonecrow wrote: "Thanks for trying it out. Which routerOS version were you running?
...
Do you have any mangle rules at all? Are you natted?"

xxiii wrote: "It went through an x86 router with 5.0beta4 doing NAT, and then an x86 router with 4.13 and then an x86 router with 4.10."

Windows Vista PC with private IP -> x86 routeros 5.0beta4 natting private to public -> x86 routeros 4.13 -> x86 routeros 4.10 -> internet

There are no mangle rules, MTU is 1500 all the way from the PC to the internet (meaning: at the point it leaves our AS). After it leaves our AS I'm not sure what happens to it, but I happen to know the next upstream layer-3 router is a high end Cisco.
