lvader
just joined
Topic Author
Posts: 11
Joined: Tue Mar 27, 2018 8:10 pm

IPv6, tunnels and TCP MSS

Tue May 23, 2023 6:37 pm

Some time ago I started to notice some strange "tls timeouts" to some sites hosted at AWS or e.g. GitHub when the connection is made over IPv6.
I didn't pay attention to that for a while, as those were rare occasions, but recently got curious and tried to debug.
To my surprise, I noticed that packets over the tunnel are sent with TCP MSS = 1440, even though "clamp-tcp-mss" should be enabled by default on 6to4 interfaces (according to https://help.mikrotik.com/docs/display/ROS/6to4).
Has anyone noticed the same behaviour? Did something get broken in v7.x related to clamp-tcp-mss?
I fixed it, of course, by adding a line to ipv6/mangle, but it looks like the clamp-tcp-mss option on 6to4 interfaces doesn't have any effect in 7.9.x:
/ipv6 firewall mangle add action=change-mss chain=postrouting new-mss=clamp-to-pmtu out-interface=he protocol=tcp tcp-flags=syn
 
mantouboji
newbie
Posts: 40
Joined: Mon Aug 01, 2022 2:21 pm

Re: IPv6, tunnels and TCP MSS

Wed May 24, 2023 12:05 pm

Maybe the chain should use forward?

/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface-list=\
    WAN passthrough=yes protocol=tcp tcp-flags=syn

/ipv6 firewall mangle
add action=change-mss chain=forward comment="fix MTU, make HTTPS happy" \
    new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn

 
lvader
just joined
Topic Author
Posts: 11
Joined: Tue Mar 27, 2018 8:10 pm

Re: IPv6, tunnels and TCP MSS

Wed May 24, 2023 6:18 pm

In that particular case, the chain (forward or postrouting) doesn't matter that much. The post was more about the non-functional parameter clamp-tcp-mss=yes on the 6to4 interface. If it is not something that is not supposed to inject automatic mangle rules, then probably it should be documented somehow?
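
Added example, not part of any post in this thread: a check for the symptom the topic author describes, which reads the MSS option out of an IPv6 TCP SYN and compares it with the largest value the tunnel MTU allows. The 1480-byte tunnel MTU (1500 minus the 20-byte IPv4 header that 6to4 encapsulation adds), the function names and the sample packets are assumptions constructed for the example.

```python
import struct

IPV6_HDR, TCP_HDR = 40, 20  # fixed header sizes in bytes


def build_syn(mss):
    """Constructed sample: IPv6 header plus a TCP SYN carrying one MSS option."""
    tcp = struct.pack("!HHIIBBHHH", 50000, 443, 1, 0, 6 << 4, 0x02, 64800, 0, 0)
    tcp += struct.pack("!BBH", 2, 4, mss)  # option kind 2 (MSS), length 4
    ip6 = struct.pack("!IHBB", 6 << 28, len(tcp), 6, 64) + bytes(32)
    return ip6 + tcp


def syn_mss(packet):
    """Return the MSS option of an IPv6 TCP SYN, or None if there is none."""
    if len(packet) < IPV6_HDR + TCP_HDR or packet[0] >> 4 != 6 or packet[6] != 6:
        return None  # not IPv6/TCP (extension headers are not handled)
    tcp = packet[IPV6_HDR:]
    if not tcp[13] & 0x02:
        return None  # MSS is only negotiated in SYN segments
    opts = tcp[TCP_HDR:(tcp[12] >> 4) * 4]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  # end of option list
            break
        if kind == 1:  # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            break  # malformed option
        if kind == 2 and opts[i + 1] == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return None


def check_clamp(packet, tunnel_mtu):
    """Compare a SYN's MSS with the largest value the tunnel MTU allows."""
    mss = syn_mss(packet)
    if mss is None:
        return None
    limit = tunnel_mtu - IPV6_HDR - TCP_HDR
    return {"mss": mss, "limit": limit, "clamped": mss <= limit}


if __name__ == "__main__":
    for mss in (1440, 1420):  # 1440 is the value reported in the thread
        print(check_clamp(build_syn(mss), 1480))
```

A SYN leaving the tunnel with MSS 1440 fails the check against a 1480-byte MTU, while one rewritten to 1420 passes.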
