I have a lab with L3VPN between two CHR 7.4.1.
Client 1 - (vrf A) CHR 1 (vrf main) - internet - (vrf main) CHR 2 (vrf A) - Client 2
Everything works fine except TCP. When I test throughput with iperf3, I get less than 1mb, but on UDP it's about 300mb.
Some investigation showed that the problem is only with TCP and MPLS. If I write static routes between vrfA and main, iperf3 shows 300mb as expected.
If I run iperf with the flag "set-mss 500" I see 2 types of packets: small (500+) and doubled (1000+). The first type of packet passes via the tunnel fine, but if the packet length is more than the MSS on the session between clients, I see drops on GRE TX. At the same time I'm able to throw ICMP/UDP packets of more than 1000 bytes without any problems.
All features like fasttrack are disabled, and the firewall doesn't contain any rules.
[admin@MikroTik] > /ip/firewall/export
/ip firewall mangle
add action=change-mss chain=forward new-mss=1300 out-interface=nr_gre_1_1-3_2 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1301-65000
[admin@MikroTik] >
[admin@MikroTik] > /ip/address/print
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS NETWORK INTERFACE
0 192.168.19.31/23 192.168.18.0 ether1
1 192.168.16.180/23 192.168.16.0 ether2
2 172.19.0.1/32 172.19.0.1 nr_dummy_vrf
3 172.18.11.21/32 172.18.11.21 nr_loop_1_1-2_1
4 10.11.32.1/24 10.11.32.0 nr_gre_1_1-3_2
5 172.18.11.32/32 172.18.11.32 nr_loop_1_1-3_2
[admin@MikroTik] > /ip/vrf/print
Flags: X - disabled; * - builtin
0 name="transit" interfaces=ether2,nr_dummy_vrf
1 * name="main" interfaces=all
[admin@MikroTik] > /interface/gre/print
Flags: X - disabled; R - running
0 R name="nr_gre_1_1-3_2" mtu=auto actual-mtu=1434 local-address=192.168.19.31 remote-address=212.x.x.x keepalive=2s,8 dscp=inherit
clamp-tcp-mss=yes dont-fragment=inherit ipsec-secret="password" allow-fast-path=no
[admin@MikroTik] > /routing/bgp/export
# aug/16/2022 16:38:14 by RouterOS 7.4.1
# software id =
#
/routing bgp connection
add address-families=ip,vpnv4 as=65001 disabled=no hold-time=4s keepalive-time=1s local.address=172.18.11.32 .role=ebgp multihop=yes name=nr_bgp_1_1-3_2 \
output.filter-chain=med_primary .redistribute=static remote.address=172.18.32.11 .as=65002 router-id=nr_id
/routing bgp vpn
add export-route-targets=1:1 import-route-targets=1:1 label-allocation-policy=per-vrf route-distinguisher=1:1 vrf=transit
[admin@MikroTik] > /mpls/export
# aug/16/2022 16:38:24 by RouterOS 7.4.1
# software id =
#
/mpls interface
add disabled=no interface=ether1
add disabled=no interface=nr_gre_1_1-3_2
/mpls ldp
add lsr-id=172.19.0.1 transport-addresses=172.19.0.1
/mpls ldp interface
add accept-dynamic-neighbors=yes hello-interval=1s hold-time=4s interface=ether1 transport-addresses=172.18.11.21
add accept-dynamic-neighbors=yes hello-interval=1s hold-time=4s interface=nr_gre_1_1-3_2 transport-addresses=172.18.11.32
I've tried playing with MSS and with the tunnel type, but without success.
Also, bttest between the CHRs shows me the expected 300mb, so the problem happens only with transit traffic.