i have 2 subnet going to the Internet throught routeros.

one subnet use pppoe to connect and other use standart connection ( ethernet).

all is OK for subnet using pppoe service.

but other subnet ( not pppoe) have problem, there is some web site they are unable to open while still open other web site.


NB: the 2 subnets are masquerade/NAT to the same public IP and use same DNS. so there is no problem of DNS, blacklist or IP source.



thanks so much for your help.

MUT problem? try

thanks guru for reply.

but i want to know why i should use MSS = 1360 ?

on the ethernet default MTU = 1500, on the PPPoE default MTU = 1480

thanks for explanation

you can try to use ping command with size and do-not-fragment set to find exact value that can be passed through the link.

OK thanks so much for your help,


now problem is solved, i just change MSS as you suggested

but i want to know why i should use MSS = 1360 ?

on the ethernet default MTU = 1500, on the PPPoE default MTU = 1480

you can play with the value =)

I have a similar problem. on two sites. using a IpSEC VPN connection. One DSL PPoE and one Broadband connection.

1) On the site using PPoE, should I change the MTU to 1492 on the WAN and PPoE interface or just the PPoE?
2) As soon as I lower one site the packets get framented to a least value when I try to ping the other site, I guess I need to use something silmilar to the MSS value but more specific to my IPSec tunnel.

The overhead on IPsec varies based on the exact specs of the tunnel - transport mode doesn't add an additional IP header, tunnel mode does (20 bytes). AH adds a 24 byte header, ESP adds between 24 to 40 bytes (header, variable IV, variable trailer). Data within the packet may be padded according to the block size of the used cipher and HMAC, this will depend on the specific packet but should max out at 4 bytes, so assume that. Implement the same size on both ends.

TY for this fast reply,

On the PPPoE side do I modify both the PPPoE client value and WAN value. Also should I lowered the MRU to the same value of the MTU? I guess to find the optimal value, to find the biggest not frag packet using the ping -l size -f?

Again thank you

Martin

Modify it on the interface the traffic would be sourced behind, otherwise too large a packet makes it in and gets fragmented at the next outbound interface.

Yes, change the MRU to match the MTU.

Yes, you can determine the value via non-fragmented pings, and you can look at your tunnel specs and from that list determine what the maximum overhead could be and start testing in the neighborhood of that value.

Ok great. Would modify both of my wan interface to the max !frag packets. Leaving my PPPoE interface to 1492. And both MRU / MTU. So I should not need to modify some MSS?

Will try this and get back.

TY again.

Martin