
Way to Internet via EoIP is broken for MTU issue?

Posted: Fri Jul 07, 2017 10:15 am
by upower3
Frankly I'm still sure it is my own misunderstanding of MTU along the path, but looks like I need some magic spell to fix it, so I decided to ask:

I have two MT routers in different locations (no direct link between, only via WAN), and we migrate from one location to another. We'd like to keep the same LAN addresses in new location, too. The idea was to create virtual L2 link between routers so we can share the same LAN subnet in both LANs, then move devices from one location to another one by one.

So I set up an EoIP link between these routers (for simplicity let's say there is no IPSec, just an EoIP as a pure L2 link). As intended, I added these eoip-tunnels to bridges on both routers (LAN IPs are on these bridges, and in both locations we use the IPs from the same LAN subnets), after that hosts behind the first router were able to see the second router and hosts behind it (at least pings went ok).

But when I try to set up the default gateway for a host at the first location to the IP of the router at the second location (so the default gateway ends up behind the eoip tunnel) it won't work. I tried to set a mangle rule for the eoip tunnel to change MTU but got an error that I have to set up that rule on the master interface, which is the bridge, which is not what I want.

MTU of WAN link is 1500, MTU of eoip tunnel is 1458. Where should I add the rule to fix the issue?

Re: Way to Internet via EoIP is broken for MTU issue?

Posted: Fri Jul 07, 2017 1:29 pm
by andriys
> Where should I add the rule to fix the issue?

I don't think this is easily doable.

I would simply set MTU of your EoIP tunnel to 1500 and make sure the fragmentation is allowed. That of course (potentially) means some performance penalties, but we are talking about a temporary setup anyways, right?

Re: Way to Internet via EoIP is broken for MTU issue?

Posted: Fri Jul 07, 2017 3:05 pm
by upower3
> I would simply set MTU of your EoIP tunnel to 1500 and make sure the fragmentation is allowed. That of course (potentially) means some performance penalties, but we are talking about a temporary setup anyways, right?

Have done this, no luck: eoip MTU is 1500, "Dont fragment" set to "no", "Clamp TCP MSS" is checked, allow fast path is unchecked (all this is on both sides), but web sites still won't open via this link.

Maybe I should play with "Clamp"?
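
The MTU figures quoted in the posts above (1500 on the WAN, 1458 on the tunnel, and the suggestion to run the tunnel at 1500 with fragmentation allowed), worked through as an added example that is not part of any poster's message. It assumes plain EoIP over IPv4 with no IPsec or VLAN tags, i.e. 42 bytes of overhead (20 outer IPv4 + 8 GRE + 14 inner Ethernet); the function names are illustrative.

```python
# Added illustration: EoIP framing arithmetic for the numbers quoted in this thread.
# Header sizes are assumptions for plain EoIP over IPv4 (no IPsec, no VLAN tags).

OUTER_IPV4 = 20   # outer IPv4 header, no options
GRE = 8           # GRE header used by EoIP
INNER_ETH = 14    # Ethernet header of the bridged frame carried in the tunnel
EOIP_OVERHEAD = OUTER_IPV4 + GRE + INNER_ETH   # 42 bytes
TCP_IPV4_HEADERS = 40  # inner IPv4 (20) + TCP (20), no options


def tunnel_mtu(wan_mtu):
    """Largest inner IP packet that fits in one unfragmented outer packet."""
    return wan_mtu - EOIP_OVERHEAD


def clamped_mss(inner_mtu):
    """TCP MSS that keeps a full-size segment within inner_mtu."""
    return inner_mtu - TCP_IPV4_HEADERS


def outer_fragments(inner_packet, wan_mtu):
    """Sizes of the outer IPv4 packets sent on the WAN for one inner IP packet."""
    payload = inner_packet + INNER_ETH + GRE       # bytes carried by the outer IP header
    max_payload = wan_mtu - OUTER_IPV4
    per_frag = max_payload // 8 * 8                # non-final fragments carry a multiple of 8
    sizes = []
    while payload > max_payload:
        sizes.append(OUTER_IPV4 + per_frag)
        payload -= per_frag
    sizes.append(OUTER_IPV4 + payload)
    return sizes


if __name__ == "__main__":
    wan = 1500
    print("tunnel MTU without fragmentation:", tunnel_mtu(wan))
    print("MSS that fits that tunnel MTU:", clamped_mss(tunnel_mtu(wan)))
    for inner in (1458, 1500):
        print(f"inner packet {inner} -> outer packets {outer_fragments(inner, wan)}")
```

With the tunnel MTU raised to 1500, every full-size inner packet leaves the router as two outer packets, which is the performance penalty mentioned in the reply above.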

Re: Way to Internet via EoIP is broken for MTU issue?

Posted: Sat Jul 08, 2017 9:20 am
by troffasky
You're going to have to give more detailed diagnostic information than "web sites still won't open" if you want a useful response. What troubleshooting have you tried and what was the outcome?

Re: Way to Internet via EoIP is broken for MTU issue?

Posted: Sat Jul 08, 2017 7:23 pm
by upower3
> You're going to have to give more detailed diagnostic information than "web sites still won't open" if you want a useful response. What troubleshooting have you tried and what was the outcome?

I did some tests and I saw packets arrived broken.
But as a result, it looks like all issues were introduced with FastTrack. Before I disabled fasttrack rules on the firewall I was able to see that changes made by me won't actually change anything in traffic.

My idea was this: as I mark a connection as fasttrack, all following processing will be done until the connection ends without any chance to change anything. So even when I change the tunnel MTU etc., in fact it won't affect the connection.

Sounds silly but as I disabled fasttrack the problem went away.

Re: Way to Internet via EoIP is broken for MTU issue?

Posted: Tue Jul 11, 2017 5:32 am
by mducharme
> > You're going to have to give more detailed diagnostic information than "web sites still won't open" if you want a useful response. What troubleshooting have you tried and what was the outcome?
>
> I did some tests and I saw packets arrived broken.
> But as a result, it looks like all issues were introduced with FastTrack. Before I disabled fasttrack rules on the firewall I was able to see that changes made by me won't actually change anything in traffic.
>
> My idea was this: as I mark a connection as fasttrack, all following processing will be done until the connection ends without any chance to change anything. So even when I change the tunnel MTU etc., in fact it won't affect the connection.
>
> Sounds silly but as I disabled fasttrack the problem went away.

My recent tests, and previous posts from Mikrotik support, suggest to me that the normal behaviour of EoIP is that you can't get 1500 true MTU if the tunnel is layer 2 bridged on both ends instead of routed?

EDIT: Ignore what I said above. I'm glad I found this thread, yes it does actually work. I apparently misunderstood an old post from two years ago, thinking it wouldn't; it was a problem with my configuration when I tested it.