patoberli
just joined
Topic Author
Posts: 11
Joined: Sat Jul 02, 2022 12:29 pm

MTU / fragmentation problem

Fri Sep 16, 2022 10:20 pm

Hello All

I'm running two sites, my home, which has a Ubiquiti ER-X as router and VPN gateway, plus my external site (ES), which is running a Mikrotik router with RouterOS 7.5. The ES is doing an L2TP connection to my home which works. I had various issues with data transfers, but solved them with two mangle rules that reduce the MSS. The tunnel has an MTU of 1400 based upon the interface information on the Mikrotik.
The mangle rule is lowering this to 1320 and this seems to work for servers attached to the Mikrotik.
What doesn't work is https or Winbox access from my home through the tunnel to the Mikrotik itself. I think the mangle rule doesn't apply to "input" traffic to the Mikrotik and only to traffic through its "forward" queue.
Any ideas how I could access my Mikrotik interface through the VPN?
I have made various tests as you can see in the code. SSH access does work, until I do a command that utilizes a larger MSS, like /ip/firewall/connection/print, which will kill the SSH session.

Here some prints of the rules:
[admin@MikroTik] > /ip/firewall/filter/print 
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

 5    chain=input action=accept src-address-list=allowed_to_router 

 6    chain=input action=accept protocol=tcp dst-port=443,22,80 log=no log-prefix="" 

 7    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 

 8    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 9    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

10    chain=input action=accept protocol=tcp fragment=yes 

11    chain=forward action=accept protocol=tcp fragment=yes 

12    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related 

13    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

14    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

15    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN 

16    chain=forward action=accept protocol=tcp src-address=192.168.1.0/24 dst-address=192.168.88.0/24 dst-port=443 log=no 
      log-prefix="" 

17 X  chain=forward action=accept src-address=192.168.88.0/24 dst-address=192.168.1.0/24 log=no log-prefix="" 

[admin@MikroTik] > /ip/firewall/mangle/print 
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting action=passthrough 

 1  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 2  D ;;; special dummy rule to show fasttrack counters
      chain=postrouting action=passthrough 

 3    chain=forward action=change-mss new-mss=1320 passthrough=yes tcp-flags=syn protocol=tcp in-interface=l2tp-out-ubnt log=no 
      log-prefix="" 

 4    chain=forward action=change-mss new-mss=1320 passthrough=yes tcp-flags=syn protocol=tcp out-interface=l2tp-out-ubnt log=no 
      log-prefix="" 
[admin@MikroTik] > 
The home network is 192.168.1.0/24 and the ES protected network 192.168.88.0/24.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: MTU / fragmentation problem

Fri Sep 16, 2022 11:20 pm

Traffic to/from Mikrotik itself doesn't pass through chain forward - it passes through chains input and output. So place the action=change-mss rules also to these chains in mangle and you'll be good.
 
patoberli
just joined
Topic Author
Posts: 11
Joined: Sat Jul 02, 2022 12:29 pm

Re: MTU / fragmentation problem

Sat Sep 17, 2022 1:18 am

Thanks Sindy for your reply.
This sadly doesn't work, as I'm not permitted to add a rule to the input queue:
[admin@MikroTik] > /ip/firewall/mangle/add chain=input action=change-mss new-mss=1320 passthrough=yes tcp-flags=syn protocol=tcp in-interface=l2tp-out-ubnt log=no log-prefix=" 
failure: tcp mss clamping not possible in prerouting and input chains
[admin@MikroTik] > 
 
fragtion
Member Candidate
Posts: 257
Joined: Fri Nov 13, 2009 10:08 pm
Location: Johannesburg, South Africa

Re: MTU / fragmentation problem

Sat Sep 17, 2022 1:42 am

Well this is interesting.. /subscribed
I normally overcome MTU limitations using gre/eoip layer (and vxlan looks pretty interesting too) but that seems a bit overkill of a solution for this case
 
patoberli
just joined
Topic Author
Posts: 11
Joined: Sat Jul 02, 2022 12:29 pm

Re: MTU / fragmentation problem

Mon Sep 19, 2022 7:02 pm

I decided to make a small drawing.
20220919_Network_Design_Home.png
Sadly I haven't yet found a solution to access the Mikrotik through my home network via the L2TP tunnel.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: MTU / fragmentation problem

Mon Sep 19, 2022 8:32 pm

Sorry for misleading you regarding change-mss in chain input in mangle, these workarounds are normally not necessary so I am not fluent in them.

Having said that, what should normally work is Path MTU Discovery (PMTUD). A router that gets a packet too large to fit into the MTU of the outbound interface and with the Do Not Fragment bit set drops that packet and sends the sender an ICMP message "fragmentation needed, MTU xyz"; the sender then sends a smaller packet (with less data from the payload buffer) that fits.

You've said there is a problem with large packets in the Mikrotik -> PC direction, i.e. that SSH works until Mikrotik sends a large amount of data. The Mikrotik itself routes the packet via the L2TP interface straight away, so it knows its MTU in advance, i.e. the routing process on the Mikrotik itself should not need to send the "fragmentation needed" message to the SSH server daemon running on the same Mikrotik.

At the EdgeRouter end, I would expect the MTU of the (W)LAN to be higher than the one of the L2TP tunnel, so there should also be no need to send back "fragmentation needed".

These lead me to a conclusion that the MTU of the L2TP tunnel negotiated between the EdgeRouter and the Mikrotik is too large, and as a consequence, the L2TP transport packets get fragmented (in case of L2TP, the DF bit is not inherited from the payload packets to the transport packets). Unfortunately, too many paths through internet drop non-first fragments of packets.

So try to set max-mtu and max-mru in the /interface l2tp-client settings to 1300 and see whether it helps. If it does, you can go further - if the EdgeRouter supports MLPPP, you can activate it at both ends so that the payload packets would get sliced into multiple transport ones at MLPPP level, if it doesn't, you can iteratively find the highest value of max-mtu and max-mru that works.
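The reasoning in the post above (PMTUD shrinking a DF packet hop by hop, versus L2TP transport packets that are silently fragmented because DF is not inherited) can be modelled in a few lines. The following is an added example, not code from the thread or from MikroTik; the L2TP/PPP header sizes and the 1400-byte path MTU are assumed values chosen to make the fragmentation visible.

```python
"""Added example (not from the thread): model the two mechanisms the post
describes. Header sizes and path MTUs are assumed/constructed values."""

IP_HDR = 20
UDP_HDR = 8
L2TP_HDR = 6   # assumed: L2TPv2 data header without optional fields
PPP_HDR = 2    # assumed: PPP protocol field
TUNNEL_OVERHEAD = IP_HDR + UDP_HDR + L2TP_HDR + PPP_HDR  # 36 bytes


def transport_size(payload_mtu):
    """Outer IP packet size when a full-size inner packet is tunnelled."""
    return payload_mtu + TUNNEL_OVERHEAD


def transport_fragments(payload_mtu, path_mtu):
    """How many IPv4 fragments the outer L2TP/UDP packet becomes on a path
    with path_mtu. The outer packet has DF clear, so it is fragmented rather
    than rejected; every fragment but the last carries a multiple of 8 bytes."""
    outer = transport_size(payload_mtu)
    if outer <= path_mtu:
        return 1
    per_fragment = (path_mtu - IP_HDR) // 8 * 8
    data = outer - IP_HDR
    return -(-data // per_fragment)  # ceiling division


def max_payload_mtu(path_mtu):
    """Largest tunnel MTU (max-mtu/max-mru) that avoids transport fragmentation."""
    return path_mtu - TUNNEL_OVERHEAD


def pmtud(send_size, hop_mtus):
    """Simulate PMTUD for a DF packet of send_size crossing hops with the given
    MTUs. The first hop too small for the packet answers with an ICMP
    'fragmentation needed' carrying its MTU and the sender retries with that
    size. Returns (final packet size, list of ICMP messages seen)."""
    size = send_size
    icmp = []
    while True:
        for mtu in hop_mtus:
            if size > mtu:
                icmp.append(("fragmentation needed", mtu))
                size = mtu
                break
        else:
            return size, icmp


if __name__ == "__main__":
    # Constructed scenario: something on the WAN path only carries 1400 bytes.
    path = 1400
    for tunnel_mtu in (1400, 1300):
        print(f"tunnel MTU {tunnel_mtu}: outer {transport_size(tunnel_mtu)} bytes, "
              f"{transport_fragments(tunnel_mtu, path)} fragment(s) on a {path}-byte path")
    print("largest tunnel MTU without fragmentation:", max_payload_mtu(path))
    print("PMTUD over hops [1500, 1400, 1500]:", pmtud(1500, [1500, 1400, 1500]))
```

With the assumed overhead, a 1400-byte tunnel MTU produces a 1436-byte outer packet that splits into two fragments on a 1400-byte path, and a 1300-byte tunnel MTU fits in one; that is the difference the post's max-mtu/max-mru suggestion relies on. PMTUD, by contrast, never produces a fragment: the sender is told the limiting MTU and resends smaller.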
 
patoberli
just joined
Topic Author
Posts: 11
Joined: Sat Jul 02, 2022 12:29 pm

Re: MTU / fragmentation problem

Mon Oct 10, 2022 6:48 pm

Hi @sindy
I finally found time to troubleshoot this more. By lowering the Max MTU and MRU to 1300 I can now finally access the Mikrotik through the VPN tunnel! :)
Thanks a lot. I didn't invest more time to increase the size, because I rarely transfer large files.

One detail though, I still have the Mangle rules active, setting the MSS to 1320. Would you suggest disabling them or lowering them to 1300 or even lower?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: MTU / fragmentation problem  [SOLVED]

Wed Oct 12, 2022 1:53 pm

I would suggest disabling and later removing them, as they currently do nothing useful anyway. The PMTUD must be working, otherwise lowering the max-mtu and max-mru would not have helped, and the way they look now, your change-mss rules set the MSS value to 1320 no matter what it was, which is also not a good idea - something along the path may have lowered it even more.
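The two points made across this thread about MSS clamping (the original post's change-mss rules, and the remark above that they overwrite the MSS even when something on the path already lowered it) come down to how the MSS option in a TCP SYN is rewritten. The following added example, which is not from the thread or from RouterOS, builds a constructed SYN segment and shows an unconditional rewrite next to a clamp that only ever lowers the value.

```python
"""Added example (not from the thread): parse and rewrite the MSS option of a
TCP SYN, comparing an unconditional set with a lower-only clamp.
The SYN segment is constructed inline, not captured traffic."""
import struct

OPT_END, OPT_NOP, OPT_MSS = 0, 1, 2
FLAG_SYN = 0x02


def build_syn(mss, src_port=40000, dst_port=22):
    """Constructed TCP SYN header (no IP header, checksum left zero) with one
    MSS option. Data offset is 6 words: 20-byte header + 4-byte option."""
    options = struct.pack("!BBH", OPT_MSS, 4, mss)
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH",
                         src_port, dst_port,   # ports
                         0, 0,                 # seq, ack
                         data_offset << 4,     # data offset + reserved
                         FLAG_SYN,             # flags
                         65535, 0, 0)          # window, checksum, urgent
    return header + options


def _option_walk(segment):
    """Yield (index, kind, length) for each option in the TCP header."""
    end = (segment[12] >> 4) * 4
    i = 20
    while i < end:
        kind = segment[i]
        if kind == OPT_END:
            return
        if kind == OPT_NOP:
            i += 1
            continue
        length = segment[i + 1]
        yield i, kind, length
        i += length


def read_mss(segment):
    """Return the MSS option value, or None if the segment carries none."""
    for i, kind, length in _option_walk(segment):
        if kind == OPT_MSS and length == 4:
            return struct.unpack("!H", segment[i + 2:i + 4])[0]
    return None


def clamp_mss(segment, new_mss, unconditional=False):
    """Rewrite the MSS option of a SYN. unconditional=True mirrors a rule that
    sets the MSS regardless of its current value; the default only lowers it,
    so a smaller MSS already set upstream is preserved."""
    if not segment[13] & FLAG_SYN:
        return segment  # MSS is only negotiated on SYN segments
    out = bytearray(segment)
    for i, kind, length in _option_walk(out):
        if kind == OPT_MSS and length == 4:
            current = struct.unpack("!H", out[i + 2:i + 4])[0]
            target = new_mss if unconditional else min(current, new_mss)
            out[i + 2:i + 4] = struct.pack("!H", target)
            break
    return bytes(out)


def mss_for_mtu(mtu, ip_header=20, tcp_header=20):
    """Largest IPv4 MSS that fits an MTU with no TCP options in flight."""
    return mtu - ip_header - tcp_header


if __name__ == "__main__":
    syn = build_syn(1460)
    print("original MSS:", read_mss(syn))
    print("lower-only clamp to 1320:", read_mss(clamp_mss(syn, 1320)))
    already_small = build_syn(1200)
    print("lower-only clamp keeps 1200:", read_mss(clamp_mss(already_small, 1320)))
    print("unconditional set raises to 1320:",
          read_mss(clamp_mss(already_small, 1320, unconditional=True)))
    print("MSS matching a 1300-byte tunnel MTU:", mss_for_mtu(1300))
```

The lower-only variant is the behaviour to want from any clamp on a tunnel edge: it can never undo a reduction that a hop closer to the peer already applied. The last line also shows why the thread's 1320 value was comfortably inside the 1400-byte tunnel (1400 - 40 = 1360) and still fits a 1300-byte one only if lowered to 1260 or below.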
