Mikrotik is blocking few sites
Good afternoon. Please help with the following question. It costs Mikrotik hap lite. The provider provides Internet via PPOE. About half of the sites open normally, but some sites when trying to open through a browser do not receive a response to the sync packet. At the same time, if you make a ping to the same site, then everything goes through. The same sites cannot be opened from a phone or another computer through a browser. Through Chrome or other browser with VPN enabled, sites are opening smoothly. I tried to connect the cable from the provider directly - everything works fine. I also tried installing the old Dlink - everything was ok too. Please tell me what could be causing this problem. There is no restrictions at all (firewall, blacklist or others)
Re: Mikrotik is blocking few sites
Use /ip firewall mangle to change MSS (maximum segment size) 40 bytes less than your connection MTU. For example, if you have encrypted PPPoE link with MTU=1492, set the mangle rule as follows:
/ ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn action=change-mss tcp-mss=!0-1448 new-mss=1448
/ ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn action=change-mss tcp-mss=!0-1448 new-mss=1448
-
-
JohnTRIVOLTA
Member
- Posts: 404
- Joined:
- Location: BG/Sofia
Re: Mikrotik is blocking few sites
Or add this rule:
/ip fi m add chain=forward protocol=tcp connection-state=new tcp-flags=syn action=change-mss new-mss=clamp-to-pmtu
/ip fi m add chain=forward protocol=tcp connection-state=new tcp-flags=syn action=change-mss new-mss=clamp-to-pmtu
Re: Mikrotik is blocking few sites
MTU was set to 1500 by default, I selected 1460, 1430, 1380, 1300, 1280. Now I set it to 1360, the videos began to open better, but not ideally. Websites still blocked. Model Mikrotik CCR1036-8G-2S, Problem with opening websites, YouTube videos do not play, videos on Instagram do not play, pictures are not always displayed on website pages. We tried to change mangle but did not succeed
-
-
JohnTRIVOLTA
Member
- Posts: 404
- Joined:
- Location: BG/Sofia
Re: Mikrotik is blocking few sites
Just try my ruleMTU was set to 1500 by default, I selected 1460, 1430, 1380, 1300, 1280. Now I set it to 1360, the videos began to open better, but not ideally. Websites still blocked. Model Mikrotik CCR1036-8G-2S, Problem with opening websites, YouTube videos do not play, videos on Instagram do not play, pictures are not always displayed on website pages. We tried to change mangle but did not succeed
-
-
wispmikrotik
Member Candidate
- Posts: 144
- Joined:
Re: Mikrotik is blocking few sites
Hi,
There is talk of adjusting the TCP MSS to avoid some path with the PMTUD broken (possible icmpv4 block).
MSS != MTU.
Leave the MTU on the ethernet interface = 1500.
Regards,
There is talk of adjusting the TCP MSS to avoid some path with the PMTUD broken (possible icmpv4 block).
MSS != MTU.
Leave the MTU on the ethernet interface = 1500.
Regards,
Re: Mikrotik is blocking few sites
When using PMTU you only want look at the returning packets and outgoing are not of interest. So I filter on the interface. Using an interface list settable in the second tab of interfaces.
You can add to the WireGuard interface other interfaces that you want check if there are replies from outside that you have to use smaller packets.
Code: Select all
;;; WireGuard PMTU in
chain=forward action=change-mss new-mss=clamp-to-pmtu passthrough=yes tcp-flags=syn protocol=tcp in-interface-list=PMTU-IN tcp-mss=!0-1232Code: Select all
/interface/list
add name=WireGuard
add include=WireGuard name=PMTU-IN
add interface=VPN-1 list=WireGuard
add interface=VPN-2 list=WireGuard
add interface=VPN-3 list=WireGuard