
Mikrotik is blocking few sites

Posted: Fri Dec 08, 2023 7:42 am
by ADDHOTEL
Good afternoon. Please help with the following question. It costs Mikrotik hap lite. The provider provides Internet via PPPoE. About half of the sites open normally, but some sites, when trying to open them through a browser, do not receive a response to the SYN packet. At the same time, if you ping the same site, everything goes through. The same sites cannot be opened from a phone or another computer through a browser. Through Chrome or another browser with VPN enabled, the sites open smoothly. I tried to connect the cable from the provider directly - everything works fine. I also tried installing the old Dlink - everything was OK too. Please tell me what could be causing this problem. There are no restrictions at all (firewall, blacklist or others).

Re: Mikrotik is blocking few sites

Posted: Fri Dec 08, 2023 8:29 am
by normis
Use /ip firewall mangle to change MSS (maximum segment size) 40 bytes less than your connection MTU. For example, if you have encrypted PPPoE link with MTU=1492, set the mangle rule as follows:

/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn action=change-mss tcp-mss=!0-1448 new-mss=1448

Re: Mikrotik is blocking few sites

Posted: Fri Dec 08, 2023 9:27 am
by JohnTRIVOLTA
Or add this rule:
/ip firewall mangle add chain=forward protocol=tcp connection-state=new tcp-flags=syn action=change-mss new-mss=clamp-to-pmtu

Re: Mikrotik is blocking few sites

Posted: Fri Dec 08, 2023 9:49 am
by ADDHOTEL
MTU was set to 1500 by default; I selected 1460, 1430, 1380, 1300, 1280. Now I have set it to 1360, and the videos began to open better, but not ideally. Websites are still blocked. Model: Mikrotik CCR1036-8G-2S. Problems: websites do not open, YouTube videos do not play, videos on Instagram do not play, pictures are not always displayed on web pages. We tried to change the mangle rule but did not succeed.

Re: Mikrotik is blocking few sites

Posted: Fri Dec 08, 2023 12:48 pm
by JohnTRIVOLTA
> MTU was set to 1500 by default; I selected 1460, 1430, 1380, 1300, 1280. Now I have set it to 1360, and the videos began to open better, but not ideally. Websites are still blocked. Model: Mikrotik CCR1036-8G-2S. Problems: websites do not open, YouTube videos do not play, videos on Instagram do not play, pictures are not always displayed on web pages. We tried to change the mangle rule but did not succeed.

Just try my rule ;)

Re: Mikrotik is blocking few sites

Posted: Fri Dec 08, 2023 1:10 pm
by ADDHOTEL
Will try

Re: Mikrotik is blocking few sites

Posted: Fri Dec 08, 2023 1:19 pm
by wispmikrotik
Hi,

This is about adjusting the TCP MSS to avoid paths where PMTUD is broken (possibly an ICMPv4 block).

MSS != MTU.

Leave the MTU on the ethernet interface = 1500.

Regards,

Re: Mikrotik is blocking few sites

Posted: Tue Dec 12, 2023 6:11 am
by ADDHOTEL
Thanks to all for help

Re: Mikrotik is blocking few sites

Posted: Tue Dec 12, 2023 12:37 pm
by msatter
When using PMTU you only want to look at the returning packets; the outgoing ones are not of interest. So I filter on the interface, using an interface list (settable in the second tab of Interfaces).

/ip firewall mangle
add chain=forward action=change-mss new-mss=clamp-to-pmtu passthrough=yes tcp-flags=syn protocol=tcp in-interface-list=PMTU-IN tcp-mss=!0-1232 comment="WireGuard PMTU in"

/interface/list
add name=WireGuard
add include=WireGuard name=PMTU-IN
/interface/list/member
add interface=VPN-1 list=WireGuard
add interface=VPN-2 list=WireGuard
add interface=VPN-3 list=WireGuard

You can add to the WireGuard interface list other interfaces that you want to check for replies from outside that force you to use smaller packets.
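As an added illustration (not code from any poster in this thread) of what the change-mss rules above do on the wire: the Python below builds a constructed TCP SYN, finds the MSS option and rewrites it only when the advertised MSS exceeds the cap, then repairs the TCP checksum, which is what tcp-flags=syn tcp-mss=!0-1448 new-mss=1448 expresses. The cap is derived the way normis describes (link MTU minus 40 bytes of IPv4+TCP headers); the IP addresses, ports and option layout are constructed sample values.

```python
import struct

def mss_for_mtu(link_mtu: int) -> int:
    """MSS to clamp to for a link MTU: 40 bytes less (IPv4 20 + TCP 20 headers)."""
    return link_mtu - 40

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Ones-complement checksum over the IPv4 pseudo-header plus the segment.
    Returns 0 when run over a segment whose checksum field is already correct."""
    data = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_syn(src_ip: bytes, dst_ip: bytes, mss: int) -> bytes:
    """Constructed SYN: 20-byte header plus MSS, NOP and window-scale options."""
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01" + struct.pack("!BBB", 3, 3, 7)
    header = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 7 << 4, 0x02, 65535, 0, 0)
    seg = bytearray(header + options)
    struct.pack_into("!H", seg, 16, tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)

def clamp_mss(src_ip: bytes, dst_ip: bytes, segment: bytes, max_mss: int):
    """Return (segment, mss_found); rewrite MSS and checksum only on a SYN whose
    MSS exceeds max_mss, mirroring tcp-flags=syn tcp-mss=!0-N new-mss=N."""
    if not segment[13] & 0x02:           # MSS option is only valid on SYN
        return segment, None
    data_offset = (segment[12] >> 4) * 4
    seg, i = bytearray(segment), 20      # options start after the fixed header
    while i + 1 < data_offset:           # need both kind and length bytes
        kind = seg[i]
        if kind == 0:                    # end of option list
            break
        if kind == 1:                    # NOP padding
            i += 1
            continue
        if kind == 2 and seg[i + 1] == 4:    # MSS: kind 2, length 4, value
            mss = struct.unpack_from("!H", seg, i + 2)[0]
            if mss <= max_mss:
                return segment, mss      # inside 0-N: the rule does not match
            struct.pack_into("!H", seg, i + 2, max_mss)
            struct.pack_into("!H", seg, 16, 0)
            struct.pack_into("!H", seg, 16, tcp_checksum(src_ip, dst_ip, bytes(seg)))
            return bytes(seg), mss
        i += max(seg[i + 1], 2)          # skip option; guard malformed length
    return segment, None
```

A SYN advertising 1460 (the usual value behind a 1500-byte Ethernet MTU) is rewritten to 1452 for a 1492-byte PPPoE link, while a SYN already at or below the cap and any non-SYN segment pass through untouched.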