Spill6272
just joined
Topic Author
Posts: 7
Joined: Tue May 09, 2023 1:13 am

Issues with the github website.

Thu May 18, 2023 10:43 am

When I try to open the github website in my browser I get a connection timeout message.
So far github is the only website that fails to load.
I can open the website no problem when using a VPN (PIA).
I can ping github from my computer and my router.
The DNS seems to resolve no problem.
Traceroute starts timing out on the 14th hop. The last IP before it fails is 104.44.20.54, which whois says is Microsoft routing peering and DNS.
My config is pretty much the default one that came with the router.
The router is connected to the ISP's ONU on ether 1 via PPPoE.
The actual MTU for the connection shows as 1492.
I have tried altering the size of the MTU; 90 is the largest size I can ping github with. Anything larger results in a timeout.
I didn't have any problems on my previous router.
I don't have any networking experience and am totally at a loss on how to troubleshoot this.
Any help would be greatly appreciated.

# model = RB5009UG+S+
# serial number
/interface bridge
add name=BR1 protocol-mode=none
auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-server lease
add address=192.168.88.254 client-id=1:b4:2e:99:ee:93:f5 mac-address=\
    B4:2E:99:EE:93:F5 server=defconf
add address=192.168.88.253 client-id=1:18:60:24:ee:15:d1 mac-address=\
    18:60:24:EE:15:D1 server=defconf
add address=192.168.88.252 client-id=1:d0:50:99:d2:56:bc mac-address=\
    D0:50:99:D2:56:BC server=defconf
add address=192.168.88.250 mac-address=94:83:C4:1C:4B:E3 server=defconf
add address=192.168.88.249 client-id=1:a6:1:51:c5:f:17 mac-address=\
    A6:01:51:C5:0F:17 server=defconf
add address=192.168.88.251 client-id=1:b0:22:7a:1f:e9:af mac-address=\
    B0:22:7A:1F:E9:AF server=defconf
add address=192.168.88.242 client-id=1:ea:60:69:2b:ec:e6 mac-address=\
    EA:60:69:2B:EC:E6 server=defconf
add address=192.168.88.245 client-id=1:10:e7:c6:ad:a3:45 mac-address=\
    10:E7:C6:AD:A3:45 server=defconf
add address=192.168.88.236 client-id=1:cc:f4:11:51:44:d mac-address=\
    CC:F4:11:51:44:0D server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.253 \
    gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address=192.168.88.0/24
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Asia/Tokyo
/system identity
set name=router
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
baragoon
Member Candidate
Posts: 295
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: Issues with the github website.

Thu May 18, 2023 10:59 am

Try this one
/ip firewall mangle
add action=change-mss chain=postrouting new-mss=clamp-to-pmtu out-interface=pppoe-out1 passthrough=yes protocol=tcp tcp-flags=syn
 
Spill6272
just joined
Topic Author
Posts: 7
Joined: Tue May 09, 2023 1:13 am

Re: Issues with the github website.

Thu May 18, 2023 11:33 am

Thank you for the quick response

Do I need to reboot the router for the rules to take effect?
 
baragoon
Member Candidate
Posts: 295
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: Issues with the github website.

Thu May 18, 2023 1:05 pm

> Do I need to reboot the router for the rules to take effect?

No.
 
Spill6272
just joined
Topic Author
Posts: 7
Joined: Tue May 09, 2023 1:13 am

Re: Issues with the github website.

Sat May 20, 2023 4:52 am

I've added the new mangle rule but the problem with Github persists.

I have a google nest wifi router that I'm using temporarily until I can get something more flexible.
Devices connected to the primary wifi network also can't reach github, but devices connected to the guest network can access github.

Not sure if this information is in any way relevant but thought I might as well mention it.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Issues with the github website.

Wed May 24, 2023 7:23 pm

So you are saying your normal ISP connection is not working for that one website???

I would say stop using github then, it's obviously flawed as every other public website works........
 
Spill6272
just joined
Topic Author
Posts: 7
Joined: Tue May 09, 2023 1:13 am

Re: Issues with the github website.

Tue Jun 06, 2023 2:19 am

The LINE messaging app (popular messaging app in Japan) also only works while using the guest network on the Google nest wifi or PIA VPN.
I can't find any other sites that timeout.

I spoke to my ISP and my PPPoE connection is based on something called V6 connect. The V6 connect website says they use two different protocols, DS-LITE and IPIP, for IPv4 over IPv6.

Again this probably has nothing to do with the problem, but I thought it might be worth mentioning.

I'm at a complete loss on how to proceed from here.
I'm running my servers through a vpn in order to update the containers that are hosted on github.

Any suggestions for troubleshooting would be greatly appreciated.
 
Spill6272
just joined
Topic Author
Posts: 7
Joined: Tue May 09, 2023 1:13 am

Re: Issues with the github website.

Wed Jun 07, 2023 9:47 am

In the end it was an MTU problem after all.
I was looking at the PPPoE interface MTU and not the actual ether 1 MTU.
When I opened the ether 1 interface the MTU was set to 1500.
Changing it to 1492 fixed the issue with github and LINE.
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: Issues with the github website.

Wed Jun 07, 2023 11:09 am

That is not an advisable solution!
IPv6 has a separate MTU setting under IPV6->ND that you can set to 1492. Set the ethernet MTU back to 1500.
You can also experiment with setting the MTU of the PPPoE interface to 1500 and see if that remains after it re-connects.
If so, your ISP supports larger MTU on PPPoE. RouterOS does not try that by default.
 
Spill6272
just joined
Topic Author
Posts: 7
Joined: Tue May 09, 2023 1:13 am

Re: Issues with the github website.

Wed Jun 07, 2023 3:20 pm

I have taken your advice and reset the ether 1 MTU to 1500 and changed the ipv6 MTU to 1492 via the ND interface menu.
The pppoe client Actual MTU is still showing as 1454 and I can't edit the value in winbox.
Some googling has turned up a few Japanese forum posts that say that 1454 is the correct MTU setting for my ISP. Other ISPs in Japan support up to 1500 (Sony's Nuro Hikari Network being one).
The github problem remains fixed though.

When I change the max value of the MTU in the pppoe client interface the Actual MTU shows as 1492 and I can't connect to github. If I set the max MTU to 1454 everything seems to work fine.

Is this solution OK?
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: Issues with the github website.

Wed Jun 07, 2023 3:29 pm

Yes that is OK, the value you should set in the IPv6->ND should be the same as the Actual MTU of your PPPoE interface while the connection is up.
When that can be only 1454 due to the ISP network, that is the correct value to use. Also put it in the Max MTU and Max MRU fields of the PPPoE interface.

In most cases, the PPPoE Max MTU is 1492 (when it is not 1500), that is why that is a number you often see.
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Issues with the github website.

Wed Jun 07, 2023 3:30 pm

> Out of interest, is there any way to change the Actual MTU of the pppoe client?

Not really. It is possible to set max-mtu (and max-mru) on PPPoE-client, but that's only "negotiation input" from client's side (BTW, it is possible to see different values for actual MTU and MRU after PPPoE link establishes; don't know why this happens though). Then client and server have to agree and lowest number is selected as MTU. Actual MTU depends on many factors, e.g. one is MTU of underlying ethernet interface ... PPPoE MTU will always be at least 8 bytes less than underlying ethernet interface MTU due to 8 bytes of PPPoE overhead. And MTU of underlying ethernet device depends both on settings on your local side as well as settings on link peer (e.g. GPON ONT) which user usually can't control. And then there might be additional overheads which further reduce MTU if ISP / infrastructure provider doesn't use jumbo packets on their infrastructure (to cater for additional overheads). So it's quite common to see actual MTU of 1480 bytes on PPPoE link, but as I explained, lower values are possible as well.
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: Issues with the github website.

Wed Jun 07, 2023 3:35 pm

> > Out of interest, is there any way to change the Actual MTU of the pppoe client?
>
> Not really. It is possible to set max-mtu (and max-mru) on PPPoE-client, but that's only "negotiation input" from client's side

In his case it apparently is (he asked on other forums) but in the general case a new PPPoE client in RouterOS will have blank fields for Max MTU and Max MRU, and RouterOS uses a value of 1480 as a default (should be 1492, but maybe that has changed already). It always is worth the try to put 1500 there as many networks will actually allow that, and if they do not, it will automatically be lowered (and shown as Actual MTU).
 
Spill6272
just joined
Topic Author
Posts: 7
Joined: Tue May 09, 2023 1:13 am

Re: Issues with the github website.

Wed Jun 07, 2023 3:50 pm

Maybe I haven't explained myself correctly.

When I first set up the pppoe client it showed an actual MTU of 1492.
This seemed to cause problems with GitHub (packet fragmentation??).
The pppoe client is set up on ether 1.
When I changed the ether 1 MTU to 1492 the pppoe client actual MTU changed to 1454 and the problems with GitHub resolved.
Changing ether 1 MTU back to 1500 didn't affect the actual MTU of the pppoe client, actual MTU remained 1454.
However when I tried setting the pppoe client max MTU to 1500 the actual MTU changed to 1492 and GitHub stopped working again.
Now I have set the max MTU and MRU to 1454 on the pppoe client and everything seems to work.
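
The check this thread converged on, written out as an added example (it is not part of any poster's message and not RouterOS code): binary-search the largest IPv4 packet that crosses the path with Don't Fragment set, then compare it with the MTU the PPPoE interface reports. It assumes a Linux host with iputils `ping`; the function names and the `simulated_path` stand-in are made up for this illustration.

```python
import subprocess
import sys

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header
IP_TCP_OVERHEAD = 40   # 20-byte IPv4 header + 20-byte TCP header, no options


def ping_df(host, packet_size):
    """Send one IPv4 echo of packet_size bytes with DF set (iputils ping assumed)."""
    payload = packet_size - IP_ICMP_OVERHEAD
    cmd = ["ping", "-4", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def find_path_mtu(probe, low=576, high=1500):
    """Largest packet size in [low, high] for which probe(size) succeeds.

    Returns None when even `low` fails, i.e. the target does not answer
    probes at all and this method cannot measure the path.
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2  # round up so the loop always makes progress
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


def report(path_mtu, interface_mtu):
    """Compare the measured path MTU with what the interface claims."""
    return {
        "path_mtu": path_mtu,
        "tcp_mss": path_mtu - IP_TCP_OVERHEAD,        # value an MSS clamp should produce
        "blackhole_risk": interface_mtu > path_mtu,   # full-size packets vanish silently
        "excess_bytes": max(0, interface_mtu - path_mtu),
    }


def simulated_path(true_mtu):
    """Constructed stand-in for a link that silently drops oversized packets."""
    return lambda size: size <= true_mtu


if __name__ == "__main__":
    host = sys.argv[1]
    mtu = find_path_mtu(lambda size: ping_df(host, size))
    # 1492 is the Actual MTU the PPPoE client first showed in this thread.
    print(report(mtu, 1492) if mtu else "no reply even at 576 bytes")
```

With the thread's numbers (interface claiming 1492, ISP path carrying 1454) the report flags a 38-byte excess and an MSS of 1414, which is the situation where small requests succeed and full-size TCP segments time out.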
