
I cannot surf some sites when I use PPPoE

Posted: Mon Sep 26, 2005 11:34 pm
by nIce Cream
I cannot surf some sites when I use PPPoE.

Use '/ip firewall mangle' to change MSS (maximum segment size) to a value 40 bytes less than your connection MTU. For example, if you have an encrypted PPPoE link with MTU=1492, set the mangle rule as follows:

/ip firewall mangle add protocol=tcp tcp-options=syn-only action=passthrough tcp-mss=1448
How to set this up on MT 2.9?
Thanks a lot!

solution is here

Posted: Tue Sep 27, 2005 7:39 am
by piwi3910
OK, I had the same problem.
Here in Belgium the MTU should be set to 1494, with the MSS at -40, so that would be 1454...
I even tried the 1448 number as MSS.

But the only way I got a stable link with PPPoE was by using these values:
mtu 1480 mss 1440

If I use these, all sites work...
Don't ask me why, I have no idea...
If I connect with a PC, the MTU 1494 works, but with my MT router in between I never got higher than 1480.

Posted: Tue Sep 27, 2005 1:20 pm
by nIce Cream
Change MSS

It is a well-known fact that VPN links have smaller packet size due to encapsulation overhead. A large packet with MSS that exceeds the MSS of the VPN link should be fragmented prior to sending it via that kind of connection. However, if the packet has DF flag set, it cannot be fragmented and should be discarded. On links that have broken path MTU discovery (PMTUD) it may lead to a number of problems, including problems with FTP and HTTP data transfer and e-mail services.

In case of link with broken PMTUD, a decrease of the MSS of the packets coming through the VPN link solves the problem. The following example demonstrates how to decrease the MSS value via mangle:

[admin@MikroTik] > /ip firewall mangle add out-interface=pppoe-out action=change-mss \
\.. new-mss=1300 chain=forward
[admin@MikroTik] > /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward out-interface=pppoe-out action=change-mss new-mss=1300
[admin@MikroTik] >
Problem is, I don't know how to set mangle to change MSS with these instructions (found here http://www.mikrotik.com/docs/ros/2.9/ip/mangle ). On 2.8, there was no problem setting it.

When I try to enter the command described above, I get this error:
[admin@netalfa] > ip firewall mangle add out-interface=Panline action=change-mss \
\... new-mss=1448 chain=forward
tcp mss change works only on tcp syn packets
Thanks for your help.

Posted: Tue Sep 27, 2005 2:14 pm
by Eugene
tcp mss change works only on tcp syn packets
Seems to be fairly self-explanatory, but ...
ip firewall mangle add out-interface=ether1 action=change-mss new-mss=1448 chain=forward protocol=tcp tcp-flags=syn

Posted: Tue Sep 27, 2005 2:21 pm
by nIce Cream
Thanks man :)
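
Why the rule needs the SYN match: the MSS option is carried only in SYN and SYN-ACK segments, so that is the only place a clamp can act. The Python sketch below is an added illustration, not part of the thread and not MikroTik's implementation; `clamp_mss`, `_fix_checksum`, `SAMPLE_SYN` and the starting MSS of 1460 are constructed for the example, and the choice never to raise an MSS is an assumption of the example.

```python
import struct

SYN = 0x02  # SYN bit in the TCP flags byte

def _fix_checksum(hc: int, old: bytes, new: bytes) -> int:
    """RFC 1624 incremental update: HC' = ~(~HC + ~m + m') per 16-bit word."""
    s = ~hc & 0xFFFF
    for k in range(0, len(old), 2):
        m, m_new = struct.unpack_from("!H", old, k)[0], struct.unpack_from("!H", new, k)[0]
        s += (~m & 0xFFFF) + m_new
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def clamp_mss(tcp: bytes, new_mss: int) -> bytes:
    """Lower the MSS option of a SYN segment to new_mss; return anything else unchanged."""
    if len(tcp) < 20 or not tcp[13] & SYN:
        return tcp                          # the MSS option only appears on SYN / SYN-ACK
    hdr_len = (tcp[12] >> 4) * 4            # data offset is counted in 32-bit words
    if hdr_len < 20 or hdr_len > len(tcp):
        return tcp                          # malformed header: leave it alone
    i = 20                                  # options follow the fixed 20-byte header
    while i < hdr_len:
        kind = tcp[i]
        if kind == 0:                       # End of Option List
            break
        if kind == 1:                       # NOP is a single byte
            i += 1
            continue
        if i + 1 >= hdr_len or tcp[i + 1] < 2 or i + tcp[i + 1] > hdr_len:
            break                           # truncated or malformed option
        if kind == 2 and tcp[i + 1] == 4:   # MSS: kind=2, len=4, 16-bit value
            old_mss = struct.unpack_from("!H", tcp, i + 2)[0]
            if old_mss <= new_mss:
                break                       # this example only ever lowers the value
            out = bytearray(tcp)
            struct.pack_into("!H", out, i + 2, new_mss)
            a, b = (i + 2) & ~1, (i + 5) & ~1   # 16-bit aligned span covering the change
            hc = struct.unpack_from("!H", tcp, 16)[0]
            struct.pack_into("!H", out, 16, _fix_checksum(hc, tcp[a:b], bytes(out[a:b])))
            return bytes(out)
        i += tcp[i + 1]
    return tcp

# Constructed sample: SYN header, data offset 6 words, MSS 1460, checksum field is a placeholder
SAMPLE_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, SYN, 65535, 0, 0) \
             + bytes([2, 4]) + struct.pack("!H", 1460)
```

The checksum is patched incrementally, so the function needs only the TCP header and not the IP addresses from the pseudo-header.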