chrisk

Cannot pass over 1370 MTU via L2TP/IPSec tunnel

Thu Apr 13, 2023 10:52 am

Hi everyone. I was wondering if there is any way I can pass 1700-byte packets over the L2TP/IPsec tunnel. I can pass over 1700 to other networks but not to this one. Ether5 is the uplink to the WISP's LHG. Currently the maximum size I can pass through the tunnel is 1370, but I can pass 1490 outside the tunnel. From the fixed fiber ISP I can pass 1700 without issue (I even tried 2000 and it worked).


WISP Configuration (uplink to WISP LHG)
# apr/13/2023 10:19:23 by RouterOS 6.48.6
# software id = 6FBK-EBKY
#
# model = RB952Ui-5ac2nD
# serial number = 71A*****
#
# Review notes (comment lines only; no configuration below is altered).
# The input chain in /ip firewall filter accepts connection-state=new from any
# interface, so every service this router listens on is reachable from the
# ether5 uplink unless the service itself restricts source addresses.
/interface l2tp-server
add name=l2tp-ad***** user=ad*****
/interface bridge
add name=br-wlan
add name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=\
    "Uplink to Airtel Net"
# max-mru/max-mtu=1370 is the limit the thread is about; the fixed-fibre client
# uses 1700 and the HQ server 1730 for the same tunnel.
/interface l2tp-client
add connect-to=ns1.ck****.com disabled=no max-mru=1370 max-mtu=1370 name=\
    l2tp-to-bbone0 use-ipsec=yes user=ad****
/interface eoip
add disabled=yes local-address=10.2.1.153 mac-address=02:EB:39:4F:10:36 mtu=\
    1500 name=eoip_to_HQ remote-address=10.2.1.152 tunnel-id=17
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=profile1 supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n country=\
    no_country_set disabled=no distance=indoors frequency=auto \
    frequency-mode=manual-txpower mode=ap-bridge scan-list=2412,2437,2462 \
    security-profile=profile1 ssid=HOME-WIFI station-roaming=enabled \
    wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-n/ac channel-width=\
    20/40mhz-XX country=no_country_set disabled=no distance=indoors \
    frequency=auto frequency-mode=manual-txpower mode=ap-bridge scan-list=\
    5180,5200,5220 security-profile=profile1 ssid=HOME-WIFI station-roaming=\
    enabled wireless-protocol=802.11 wps-mode=disabled
# enc-algorithm offers 3des next to aes-256. 3des is a legacy cipher; the other
# two exports list aes-256 only, so it should be safe to drop here as well
# (confirm the peer's profile before changing it).
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256,3des \
    hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=L2TP ranges=10.3.1.2-10.3.1.254
add name=dhcp_pool_wlan ranges=192.153.50.10-192.153.50.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge lease-time=2h \
    name=defconf
add address-pool=dhcp_pool_wlan disabled=no interface=br-wlan lease-time=2h \
    name=wlan_dhcp
# change-tcp-mss=yes clamps TCP MSS for sessions using this (server-side)
# profile; use-encryption=yes presumably requires PPP-layer encryption as well.
/ppp profile
add change-tcp-mss=yes local-address=10.3.1.1 name=L2TP remote-address=L2TP \
    use-encryption=yes
# addresses=::/0 lets any source query this community, and the input chain does
# not block it, so SNMP is reachable from the uplink. The other two routers
# restrict their community to a monitoring host/subnet (10.2.1.1/32,
# 172.168.188.0/29).
/snmp community
set [ find default=yes ] disabled=yes
add addresses=::/0 name=7******
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge interface=ether1
add bridge=br-wlan interface=wlan1
add bridge=br-wlan interface=wlan2
# discover-interface-list=all sends neighbor-discovery announcements on ether5
# as well as on the LAN bridges.
/ip neighbor discovery-settings
set discover-interface-list=all
# use-ipsec is absent (the export omits defaults), so this server also accepts
# plain L2TP; the fixed-fibre router sets use-ipsec=yes and the HQ server
# use-ipsec=required. With enabled=yes and an input chain that accepts new
# connections, UDP 1701 is reachable on the uplink.
/interface l2tp-server server
set default-profile=L2TP enabled=yes max-mru=1700 max-mtu=1700 \
    one-session-per-host=yes
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.1.2/24 interface=ether5 network=192.168.1.0
add address=192.153.50.1/24 interface=br-wlan network=192.153.50.0
/ip dhcp-client
add disabled=no interface=ether5 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.153.50.0/24 gateway=192.153.50.1
add address=192.168.88.0/24 gateway=192.168.88.1
# allow-remote-requests=yes with no input-chain restriction means the router
# answers DNS for anything upstream of ether5 as well as for the LANs; the
# port-53 redirects under /ip firewall nat additionally steer forwarded DNS here.
/ip dns
set allow-remote-requests=yes servers=10.0.0.1,1.1.1.1,8.8.8.8
# The accept rules are commented as "good connection states" but also match new,
# so input accepts the first packet of any connection from any interface and
# only invalid is dropped. Usual hardening: accept established,related; accept
# new only from the LAN bridges (plus the tunnel ports needed on ether5); drop
# the rest. The fixed-fibre and HQ exports use the same pattern.
/ip firewall filter
add action=accept chain=forward comment=\
    "Allow forward good connection states" connection-state=\
    established,related,new
add action=accept chain=input comment="Allow incoming good connection states" \
    connection-state=established,related,new
add action=drop chain=forward comment="Drop forward invalid connection state" \
    connection-state=invalid
add action=drop chain=input comment="Drop input invalid connection state" \
    connection-state=invalid
# The dst-nat rules for tcp 90 and 11111 have no in-interface or dst-address
# match, so they also rewrite traffic arriving from the LAN bridges. They target
# 10.3.1.2, the fixed remote-address of the /ppp secret below.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether5
add action=dst-nat chain=dstnat dst-port=90 protocol=tcp to-addresses=\
    10.3.1.2
add action=dst-nat chain=dstnat dst-port=11111 protocol=tcp to-addresses=\
    10.3.1.2
add action=redirect chain=dstnat dst-port=53 protocol=tcp to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=udp to-ports=53
/ip route
add distance=1 dst-address=10.2.1.152/32 gateway=l2tp-to-bbone0
add distance=1 dst-address=192.153.10.0/30 gateway=l2tp-ad*****
# Only www, api and api-ssl are disabled; telnet, ftp, ssh and winbox keep their
# defaults with no address restriction. The other two exports disable telnet and
# restrict the remaining services to management subnets.
/ip service
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=ad*****l2tp profile=L2TP remote-address=10.3.1.2 service=l2tp
/snmp
set contact=admin@c******.com enabled=yes trap-community=\
    7t******* trap-version=2
/system clock
set time-zone-name=Asia/Nicosia
/system identity
set name=adu-1.PA-8820POLIS.ck****.com
/system ntp client
set enabled=yes primary-ntp=213.7.231.xx
# protected-routerboot=enabled locks the boot loader against reset/Netinstall
# access; reformat-hold-button=5s is the documented way back in, so keep that
# value recorded with the device.
/system routerboard settings
set auto-upgrade=yes protected-routerboot=enabled reformat-hold-button=5s
# RoMON is enabled and the export shows no per-port restriction or secret, so it
# is presumably answering on every interface including ether5 — confirm under
# /tool romon port.
/tool romon
set enabled=yes


Fixed Fiber configuration (uplink to ISP cpe)
# apr/13/2023 10:39:19 by RouterOS 6.49.7
# software id = B8BE-SCNF
#
# model = RB941-2nD
# serial number = D1*****
#
# Review notes (comment lines only; no configuration below is altered).
# The input chain accepts connection-state=new from any interface; exposure of
# management is limited by the address lists under /ip service, but DNS has no
# such restriction.
/interface ethernet
set [ find default-name=ether1 ] comment="Uplink from PTCPE" loop-protect=on
set [ find default-name=ether2 ] comment=CCTV loop-protect=on
set [ find default-name=ether3 ] disabled=yes loop-protect=on
set [ find default-name=ether4 ] disabled=yes loop-protect=on
/interface l2tp-client
add connect-to=213.7.231.xx disabled=no max-mru=1700 max-mtu=1700 name=\
    l2tp-to-bbone0 use-ipsec=yes user=ad****
# wifi-profile allows tkip for both group and unicast ciphers. TKIP is deprecated
# and weakens WPA2; aes-ccm alone is the usual choice. The WISP router's
# profile1 is wpa2-psk and does not list tkip.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk group-ciphers=tkip,aes-ccm mode=\
    dynamic-keys name=wifi-profile supplicant-identity="" unicast-ciphers=\
    tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country="united states" \
    disabled=no frequency=auto mode=ap-bridge security-profile=wifi-profile \
    ssid=CHOME-AP wps-mode=disabled
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048
/ip pool
add name=dhcp_pool_wlan ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool_wlan disabled=no interface=wlan1 lease-time=2h \
    name=dhcp-wlan
/snmp community
set [ find default=yes ] disabled=yes
add addresses=10.2.1.1/32 name=nnd******
# use-ipsec=yes is set but enabled=yes is not, so this L2TP server is off. Per
# RouterOS semantics use-ipsec=yes still admits non-IPsec sessions; the HQ
# server uses use-ipsec=required, which does not — confirm before enabling.
/interface l2tp-server server
set default-profile=L2TP max-mru=1700 max-mtu=1700 use-ipsec=yes
/ip address
add address=192.168.2.10/24 interface=ether1 network=192.168.2.0
add address=192.150.20.1/30 interface=ether2 network=192.150.20.0
add address=192.168.10.1/24 interface=wlan1 network=192.168.10.0
add address=172.168.88.1/24 interface=ether2 network=172.168.88.0
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
# allow-remote-requests=yes and an input chain that accepts new connections:
# the router answers DNS for anything reaching ether1 (192.168.2.0/24 behind the
# CPE) as well as for the wlan1 clients.
/ip dns
set allow-remote-requests=yes servers=10.0.0.1,1.1.1.1,1.0.0.1
/ip firewall address-list
add address=192.100.30.2 list=l2tp-to-bbhq
# The accept rules match new as well as established/related, so input accepts
# the first packet of any connection from any interface and only invalid is
# dropped; the address lists on /ip service are what keep management off the
# uplink here.
/ip firewall filter
add action=accept chain=forward comment=\
    "Allow forward good connection states" connection-state=\
    established,related,new
add action=accept chain=input comment="Allow incoming good connection states" \
    connection-state=established,related,new
add action=drop chain=forward comment="Drop forward invalid connection state" \
    connection-state=invalid
add action=drop chain=input comment="Drop input invalid connection state" \
    connection-state=invalid
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
    n02tobbhq passthrough=yes src-address-list=l2tp-to-bbhq
# The masquerade over l2tp-to-bbone0 (ipsec-policy=out,none) is disabled. The
# dst-nat rules for tcp 40011/40080 forward to the CCTV unit 192.150.20.2 with
# no in-interface or dst-address match.
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes ipsec-policy=out,none \
    out-interface=l2tp-to-bbone0
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=40011 protocol=tcp to-addresses=\
    192.150.20.2
add action=dst-nat chain=dstnat dst-port=40080 protocol=tcp to-addresses=\
    192.150.20.2
add action=redirect chain=dstnat dst-port=53 protocol=tcp to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=udp to-ports=53
/ip route
add disabled=yes distance=1 gateway=10.2.1.1 routing-mark=n02tobbhq
add disabled=yes distance=2 routing-mark=n02tobbhq type=unreachable
add distance=1 gateway=192.168.2.1
# Management is limited to 213.7.231.xx, 172.168.88.0/24 and 10.2.1.1/32 and
# telnet is off. ftp is a cleartext protocol; disable it unless it is needed.
/ip service
set telnet disabled=yes
set ftp address=213.7.231.xx/32,172.168.88.0/24,10.2.1.1/32
set www address=213.7.231.xx/32,172.168.88.0/24,10.2.1.1/32
set ssh address=213.7.231.xx/32,172.168.88.0/24,10.2.1.1/32
set api disabled=yes
set winbox address=213.7.231.xx/32,172.168.88.0/24,10.2.1.1/32
set api-ssl disabled=yes
/ppp profile
add change-tcp-mss=yes local-address=10.10.1.1 name=L2TP remote-address=*2 \
    use-encryption=yes
/ppp secret
add disabled=yes name=adu1hqck*****com profile=L2TP service=l2tp
/snmp
set contact=admin@c*****.com enabled=yes trap-community=\
    nn***** trap-target=213.7.231.xx trap-version=2
/system clock
set time-zone-name=Asia/Nicosia
/system identity
set name=adu-1.PA-8010ANDGER7.ck*****.com
/system ntp client
set enabled=yes primary-ntp=213.7.231.xx secondary-ntp=213.7.231.xx
# Mail submission on 587 with start-tls=yes; the account password is not shown
# in this export.
/tool e-mail
set address=mail.ck*****.com from=r1@ck*****.com port=587 start-tls=yes \
    user=r1@ck*****.com
# E-mails on up/down of the CCTV host 192.100.30.2, polled every 10m, so
# outages shorter than the interval can be missed. The scripts embed the
# recipient address; keep that in mind when sharing exports.
/tool netwatch
add down-script="tool e-mail send to=ch****@hotmail.com subject=adu-1.\
    PA-8010ANDGER7.ck*****.com start-tls=yes body=CCTV_on_ether2_of_adu-1.P\
    A-8010ANDGER7.ck*****.com_is_UNREACHABLE." host=192.100.30.2 interval=\
    10m up-script="tool e-mail send to=ch****@hotmail.com subject=adu-\
    1.PA-8010ANDGER7.ck*****.com start-tls=yes body=CCTV_on_ether2_of_adu-1\
    .PA-8010ANDGER7.ck*****.com_is_UP."


Server configuration over Fixed Fiber (Uplink to bridged ISP cpe)
# apr/13/2023 10:48:20 by RouterOS 7.8
# software id = GID6-7H3W
#
# model = RB5009UG+S+
# serial number = HE*****
#
# Review notes (comment lines only; no configuration below is altered).
# This router terminates the L2TP/IPsec, OpenVPN and WireGuard tunnels on
# pppoe-ctfiber. Its input chain accepts connection-state=new from any
# interface and the port-scanner rules are disabled, so exposure is governed by
# the address lists under /ip service and by the dst-nat rules below.
# ether1 mtu/l2mtu=1550 leaves room for PPPoE overhead, presumably so the
# pppoe-ctfiber session can run a full 1500-byte MTU — confirm the CPE link
# accepts frames of that size.
/interface ethernet
set [ find default-name=ether1 ] comment="Uplink to CTCPE" l2mtu=1550 mtu=\
    1550
set [ find default-name=ether2 ] comment=\
    "Downlink to adu-2.hq.ck*****.com" loop-protect=on
set [ find default-name=ether3 ] comment="Downlink to AP-1" loop-protect=on
set [ find default-name=ether4 ] comment=CCTV loop-protect=on
set [ find default-name=ether5 ] comment=sw-8p loop-protect=on
set [ find default-name=ether6 ] disabled=yes loop-protect=on
set [ find default-name=ether7 ] disabled=yes loop-protect=on
set [ find default-name=ether8 ] comment=Failover disabled=yes loop-protect=\
    on
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface ovpn-server
add name=ovpn-ck user=ch****
/interface l2tp-server
add name=l2tp-adu-1.PA-8010ANDGER7 user=ad****
add name=l2tp-adu-1.PA-8820POLIS user=ad****
add name=l2tp-adu-2.hq user=ad****
add name=l2tp-ad**** user=ad****
add disabled=yes name=l2tp-ad**** user=ad****
add name=l2tp-hb535 user=ad****
/interface pppoe-client
add disabled=no interface=ether1 name=pppoe-ctfiber user=user
/interface wireguard
add listen-port=13231 name=wg-server
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
set [ find default=yes ] name=L2TP
# dpd-interval=disable-dpd turns dead peer detection off, so a vanished peer's
# SA lingers until its lifetime expires; acceptable for static peers but it
# slows failure detection.
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 dpd-interval=disable-dpd \
    enc-algorithm=aes-256 hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048
/ip pool
add name=OVPN-Pool ranges=10.1.1.2-10.1.1.254
add name=L2TP-Pool ranges=10.2.1.2-10.2.1.100
add name=ether3_pool ranges=192.168.20.2-192.168.20.254
add name=ether2_pool ranges=192.168.10.2-192.168.10.254
add name=ether5_pool ranges=192.168.40.2-192.168.40.6
add name=vlan30 ranges=192.100.30.2
add name=dhcp_pool6 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=ether3_pool interface=ether3 lease-time=2h name=ether3_dhcp
add address-pool=ether5_pool interface=ether5 lease-time=2h name=ether5_dhcp
# The L2TP profile here sets neither change-tcp-mss nor use-encryption, unlike
# the L2TP profiles on the two client routers (change-tcp-mss=yes,
# use-encryption=yes); MSS clamping for the server side therefore depends on
# the builtin default, which is relevant to the MTU question in the thread.
/ppp profile
set *0 change-tcp-mss=default
add local-address=10.1.1.1 name=OVPN remote-address=OVPN-Pool use-ipv6=\
    default
add local-address=10.2.1.1 name=L2TP remote-address=L2TP-Pool
set *FFFFFFFE change-tcp-mss=default use-encryption=default
/queue simple
add max-limit=52M/205M name=ether3_200/50 target=ether3
/snmp community
set [ find default=yes ] disabled=yes
add addresses=172.168.188.0/29 name=d*****
/system logging action
add email-start-tls=yes email-to=ch******@hotmail.com name=email \
    target=email
/ipv6 settings
set disable-ipv6=yes
# use-ipsec=required: only IPsec-protected L2TP sessions are accepted, the
# strictest of the three exports (the WISP router does not set use-ipsec at
# all). max-mtu/max-mru=1730 is the server-side counterpart of the clients'
# 1700 and 1370.
/interface l2tp-server server
set default-profile=L2TP enabled=yes max-mru=1730 max-mtu=1730 \
    one-session-per-host=yes use-ipsec=required
# The cipher list still offers blowfish128 and the CBC modes; trim it to the
# aes-*-gcm entries once every client supports them.
# require-client-certificate=yes is the right setting here.
/interface ovpn-server server
set certificate=OVPN-SERVER cipher="blowfish128,aes128-cbc,aes192-cbc,aes256-c\
    bc,aes128-gcm,aes192-gcm,aes256-gcm" default-profile=OVPN enabled=yes \
    port=61194 protocol=udp redirect-gateway=def1 require-client-certificate=\
    yes
# WireGuard peers are pinned to a single /32 each; public keys are masked in
# the export.
/interface wireguard peers
add allowed-address=10.1.2.2/32 interface=wg-server persistent-keepalive=25s \
    public-key="u5*********="
add allowed-address=10.1.2.3/32 interface=wg-server persistent-keepalive=25s \
    public-key="3hu*************="
/ip address
add address=192.168.20.1/24 comment=DHCP interface=ether3 network=\
    192.168.20.0
add address=172.168.188.1/29 comment=Fasttrack interface=ether2 network=\
    172.168.188.0
add address=192.168.8.250/24 comment=Failover interface=ether8 network=\
    192.168.8.0
add address=192.100.30.1/30 comment=CCTV interface=ether4 network=\
    192.100.30.0
add address=192.168.40.1/29 comment=DHCP interface=ether5 network=\
    192.168.40.0
add address=10.1.2.1/24 interface=wg-server network=10.1.2.0
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=1.1.1.1 gateway=192.168.20.1
add address=192.168.40.0/29 dns-server=1.1.1.1 gateway=192.168.40.1
/ip dns
set allow-remote-requests=yes servers=10.0.0.1,1.1.1.1,8.8.8.8
/ip dns static
add address=213.7.231.xx name=ns1monitoring.ck*****.com
add address=38.242.199.97 name=ns2monitoring.ck*****.com
add address=38.242.199.97 name=mail.ck*****.com
add address=172.168.188.1 name=bbone0.ck*****.com
add address=10.2.1.150 name=adu-1.PA-8010ANDGER7.ck*****.com
add address=10.2.1.151 name=adu-1.PA-8820POLIS.ck*****.com
add address=192.100.30.2 name=cctv.ck*****.com
# Rule 1's comment says 172.168.188.0/30 but src-address is 172.168.188.0/29
# (the ether2 subnet); the comment is stale. Fasttracked flows bypass the rest
# of the filter and mangle chains, which may be why toggling fasttrack changed
# the tunnel MTU behaviour reported in the thread. The accept rules match new
# as well as established/related, so input accepts any first packet from any
# interface. The "Port Scanner Block" entries are all disabled=yes; while they
# are off the "Ports Scanner Attacks" list is never populated, and the two
# accept rules in front of the drop exempt 172.168.188.0/24 and 10.100.1.0/24
# once enabled.
/ip firewall filter
add action=fasttrack-connection chain=forward comment=\
    "Allow fasttrack on 172.168.188.0/30" hw-offload=yes src-address=\
    172.168.188.0/29
add action=accept chain=forward comment=\
    "Allow forward good connection states" connection-state=\
    established,related,new
add action=accept chain=input comment="Allow incoming good connection states" \
    connection-state=established,related,new
add action=drop chain=forward comment="Drop forward invalid connection state" \
    connection-state=invalid
add action=drop chain=input comment="Drop input invalid connection state" \
    connection-state=invalid
add action=accept chain=input comment="Port Scanner Block" disabled=yes \
    protocol=tcp src-address=172.168.188.0/24
add action=accept chain=input disabled=yes protocol=tcp src-address=\
    10.100.1.0/24
add action=add-src-to-address-list address-list="Ports Scanner Attacks" \
    address-list-timeout=1d chain=input disabled=yes dst-port=\
    62222,60080,60090 protocol=tcp
add action=drop chain=input disabled=yes dst-port=62222,60080,60090 protocol=\
    tcp src-address-list="Ports Scanner Attacks"
# The change-mss clamp (new-mss=1700 for SYNs whose MSS is outside 0-1700) is
# disabled.
/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=1700 passthrough=yes \
    protocol=tcp tcp-flags=syn tcp-mss=!0-1700
# The "DCOS" rule forwards tcp 1-40000 on 213.7.231.xx to 172.168.188.3, and
# the forward chain accepts new connections, so that host is reachable from the
# internet on every TCP port below 40000 (plus UDP 53/1194/123/7). The
# management ports under /ip service (60021, 60080, 60090, 62222) sit above
# that range, presumably on purpose. The CCTV forwards for 65000/65090 have no
# dst-address or in-interface match.
/ip firewall nat
add action=masquerade chain=srcnat src-address=172.168.188.0/29
add action=masquerade chain=srcnat src-address=192.168.20.0/24
add action=masquerade chain=srcnat src-address=192.100.30.0/30
add action=masquerade chain=srcnat src-address=192.168.40.0/29
add action=masquerade chain=srcnat src-address=192.168.8.0/24
add action=masquerade chain=srcnat src-address=10.1.1.0/24
add action=masquerade chain=srcnat src-address=10.1.2.0/24
add action=masquerade chain=srcnat src-address=10.2.1.0/24
add action=dst-nat chain=dstnat comment=DCOS dst-address=213.7.231.xx \
    dst-port=1-40000 protocol=tcp to-addresses=172.168.188.3 to-ports=1-40000
add action=dst-nat chain=dstnat dst-address=213.7.231.xx dst-port=53 \
    protocol=udp to-addresses=172.168.188.3 to-ports=53
add action=dst-nat chain=dstnat dst-address=213.7.231.xx dst-port=1194 \
    protocol=udp to-addresses=172.168.188.3 to-ports=1194
add action=dst-nat chain=dstnat dst-address=213.7.231.xx dst-port=123 \
    protocol=udp to-addresses=172.168.188.3 to-ports=123
add action=dst-nat chain=dstnat comment=WoL dst-address=213.7.231.xx \
    dst-port=7 protocol=udp to-addresses=172.168.188.3 to-ports=7
add action=dst-nat chain=dstnat comment=CCTV dst-port=65000 protocol=tcp \
    to-addresses=192.100.30.2
add action=dst-nat chain=dstnat dst-port=65090 protocol=tcp to-addresses=\
    192.100.30.2
add action=redirect chain=dstnat comment="DNS Server" dst-port=53 protocol=\
    tcp to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=udp to-ports=53
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=pppoe-ctfiber routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=10.3.1.1/32 gateway=l2tp-ad**** \
    routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=10.3.1.2/32 gateway=l2tp-ad**** \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.153.10.0/30 gateway=\
    l2tp-ad**** pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.150.20.0/30 gateway=\
    l2tp-adu-1.PA-8010ANDGER7 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no dst-address=192.152.30.0/30 gateway=l2tp-adu-2.hq \
    routing-table=main suppress-hw-offload=no
# telnet and www are disabled; the remaining services are limited to
# 172.168.188.0/24 and the OVPN/WireGuard pools on non-default ports. ftp
# (60021) is still a cleartext protocol.
/ip service
set telnet disabled=yes
set ftp address=172.168.188.0/24,10.1.1.0/24,10.1.2.0/24 port=60021
set www address=172.168.188.0/24,10.1.1.0/24,10.1.2.0/24 disabled=yes port=\
    60080
set ssh address=172.168.188.0/24,10.1.1.0/24,10.1.2.0/24 port=62222
set api disabled=yes
set winbox address=172.168.188.0/24,10.1.1.0/24,10.1.2.0/24 port=60090
set api-ssl disabled=yes
/ppp secret
add name=ch**** profile=OVPN service=ovpn
add name=ad**** profile=L2TP service=l2tp
add disabled=yes name=ad**** profile=L2TP service=l2tp
add name=ad**** profile=L2TP remote-address=10.2.1.150 service=l2tp
add name=ad**** profile=L2TP remote-address=10.2.1.151 service=l2tp
add name=ad**** profile=L2TP remote-address=10.2.1.152 service=l2tp
add name=ad**** profile=L2TP remote-address=10.2.1.153 service=l2tp
/snmp
set contact=ch******@hotmail.com enabled=yes location=HQ \
    trap-community=d***** trap-version=2
/system clock
set time-zone-name=Asia/Nicosia
/system identity
set name=bbone0.ck*****.com
# critical and firewall topics go to e-mail; interface is disabled. No filter
# rule in this export sets log=yes, so the firewall topic will stay quiet
# unless rules are changed.
/system logging
add action=email topics=critical
add action=email disabled=yes topics=interface
add action=email topics=firewall
/system ntp client
set enabled=yes
/system ntp client servers
add address=213.7.231.xx
add address=172.168.188.3
/tool e-mail
set address=mail.ck*****.com from=r1@ck*****.com port=587 tls=starttls \
    user=r1@ck*****.com
/tool graphing interface
add interface=ether1
add interface=ether2
add interface=ether3
add interface=ether4
add interface=pppoe-ctfiber
/tool graphing resource
add
# Both netwatch entries are disabled. The first toggles ether5 (commented
# sw-8p), not ether8 (commented Failover) — confirm which interface is intended
# before re-enabling it.
/tool netwatch
add disabled=yes down-script="interface set ether5 disable=no" host=\
    213.7.231.xx interval=1s type=simple up-script=\
    "interface set ether5 disable=yes"
add disabled=yes down-script="tool e-mail send to=ch******@hotmail.com s\
    ubject=Uplink_from_CPE_DOWN start-tls=yes body=Uplink_from_CPE_is_DOWN" \
    host=213.7.231.xx interval=10s type=simple up-script="tool e-mail send to=\
    ch******@hotmail.com subject=Uplink_from_CPE_UP start-tls=yes body=U\
    plink_from_CPE_is_UP"
Last edited by chrisk on Thu Apr 13, 2023 9:42 pm, edited 1 time in total.
 
chrisk

Re: Cannot pass over 1370 MTU via L2TP/IPSec tunnel

Thu Apr 13, 2023 1:30 pm

Ping results


ping 10.2.1.1 src-address=10.2.1.153 do-not-fragment size=1450
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0                                                         packet too large and cannot be fragmented
    0 10.2.1.153                                576  64 0ms   fragmentation needed and DF set
    1                                                         packet too large and cannot be fragmented
    1 10.2.1.153                                576  64 0ms   fragmentation needed and DF set
    sent=2 received=0 packet-loss=100%

ping 1.1.1.1 src-address=192.168.88.1 do-not-fragment size=1490
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 1.1.1.1                                  1490  57 71ms
    1 1.1.1.1                                  1490  57 38ms
    sent=2 received=2 packet-loss=0% min-rtt=38ms avg-rtt=54ms max-rtt=71ms
 
tdw

Re: Cannot pass over 1370 MTU via L2TP/IPSec tunnel

Thu Apr 13, 2023 2:00 pm

Likely the provider is blocking fragmented packets. If the maximum MTU on the WAN link is 1490 (rather an odd figure), I would expect the maximum for a L2TP/IPsec tunnel with AES and SHA256 to be 1388 before fragmentation occurs.
 
chrisk

Re: Cannot pass over 1370 MTU via L2TP/IPSec tunnel

Thu Apr 13, 2023 3:09 pm

Likely the provider is blocking fragmented packets. If the maximum MTU on the WAN link is 1490 (rather an odd figure), I would expect the maximum for a L2TP/IPsec tunnel with AES and SHA256 to be 1388 before fragmentation occurs.
It seems that the WISP does support fragmented packets.


ping 10.2.1.1 src-address=10.2.1.153 size=2000
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 10.2.1.1                                 2000  64 125ms
    1 10.2.1.1                                 2000  64 110ms
    2 10.2.1.1                                 2000  64 172ms
    3 10.2.1.1                                 2000  64 137ms
    sent=4 received=4 packet-loss=0% min-rtt=110ms avg-rtt=136ms max-rtt=172ms
 
chrisk

Re: Cannot pass over 1370 MTU via L2TP/IPSec tunnel

Thu Apr 13, 2023 3:28 pm

Correcting the ping test. It seems you are right; I should contact the WISP, right?

ping 1.1.1.1 src-address=192.168.88.1 size=1600
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 1.1.1.1                                                 timeout
    1 1.1.1.1                                                 timeout
    sent=2 received=0 packet-loss=100%
 
tdw

Re: Cannot pass over 1370 MTU via L2TP/IPSec tunnel

Thu Apr 13, 2023 4:13 pm

Yes.

The performance of fragmented packets across the internet is often worse than non-fragmented. For TCP adjusting the tunnel MTUs and using MSS clamping so each packet contains the maximum possible payload plus protocol and tunnel overheads to fit in the final MTU whilst avoiding fragmentation is the optimal solution. For payload data which cannot be shrunk, e.g. EoIP, it is better to handle fragments inside the tunnel (so tunnel MTU + overheads <= WAN MTU) rather than outside. With bad MTU settings you could actually end up with fragmentation both inside and outside the tunnel generating three WAN packets for each payload packet.
 
chrisk

Re: Cannot pass over 1370 MTU via L2TP/IPSec tunnel

Thu Apr 13, 2023 4:22 pm

Thanks again for your prompt reply and help @tdw. I appreciate your time!
 
chrisk

Re: Cannot pass over 1370 MTU via L2TP/IPSec tunnel

Thu Apr 13, 2023 6:51 pm

I just noticed that the server side also does not fragment packets; could this be related? The other fixed fiber client's ISP supports fragmentation.
bbone0.ckrcontrol.com] > ping 1.1.1.1 size=1600
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 1.1.1.1                                                      timeout
    1 1.1.1.1                                                      timeout
    sent=2 received=0 packet-loss=100%
 
chrisk

Re: Cannot pass over 1370 MTU via L2TP/IPSec tunnel

Thu Apr 13, 2023 7:03 pm

I just noticed that the server side also does not fragment packets; could this be related? The other fixed fiber client's ISP supports fragmentation.
bbone0.ckrcontrol.com] > ping 1.1.1.1 size=1600
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 1.1.1.1                                                      timeout
    1 1.1.1.1                                                      timeout
    sent=2 received=0 packet-loss=100%
I contacted the server-side ISP and they claim they do not block fragmented packets. It must be something in my configuration then? Any advice, please?
 
chrisk

Re: Cannot pass over 1370 MTU via L2TP/IPSec tunnel

Thu Apr 13, 2023 7:22 pm

After disabling and re-enabling fasttrack on the server side, it seems to be working. Any idea why that happens?


ping 10.2.1.1 src-address=10.2.1.153 size=1700 do-not-fragment
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 10.2.1.1                                 1700  64 27ms
    1 10.2.1.1                                 1700  64 24ms
    2 10.2.1.1                                 1700  64 25ms
    sent=3 received=3 packet-loss=0% min-rtt=24ms avg-rtt=25ms max-rtt=27ms

ping 10.2.1.153 src-address=10.2.1.1 do-not-fragment size=1700
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 10.2.1.153                               1700  64 48ms622us
    1 10.2.1.153                               1700  64 53ms978us
    2 10.2.1.153                               1700  64 36ms355us
    sent=3 received=3 packet-loss=0% min-rtt=36ms355us avg-rtt=46ms318us max-rtt=53ms978us
