halacs
Frequent Visitor
Topic Author
Posts: 80
Joined: Thu Jul 06, 2017 5:45 pm
Location: Hungary

EoIP Tunnel Clamp TCP MSS

Sun Feb 07, 2021 2:31 pm

Hi,

I have an EoIP tunnel between a Mikrotik RB4011iGS+RM and a Mikrotik CCR1009-7G-1C-1S+PC device.

There is a "Clamp TCP MSS" option at the EOIP settings page in winbox. Even if I set it, I also have to add another "change MSS" (with 1250 MSS) rule under Firewall/Mangle to have properly working TCP connections via the EOIP tunnel.

Based on the documentation, I thought "Clamp TCP MSS" would be enough to turn on at the EOIP settings but this is not the case.
What do you think, can it happen this is a bug in RouterOS?

I would like to have small MSS (1250) only in the tunnel not for all the network.
I started to work on this as I found my tunnel too slow: I expected near to 1Gbps but it is just cca 100 Mbps. I tested it with samba file copy, apache http/https get request and scp copy. All with 20-25GB big file.

Thanks & br,
Halacs
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Tue Feb 09, 2021 10:40 pm

Clamp mss in EoIP will only clamp it based on tunnel mtu size, it doesn't know what the mss size is end to end
Last edited by CZFan on Wed Feb 10, 2021 11:01 am, edited 1 time in total.
 
halacs
Frequent Visitor
Topic Author
Posts: 80
Joined: Thu Jul 06, 2017 5:45 pm
Location: Hungary

Tue Feb 09, 2021 11:35 pm

I have set 1300 MTU on the EoIP tunnel. Additional rule set MSS to 1250.

Reason behind 1300/1250 MTU is a PPPoE internet connection with VLAN tagged LAN plus a NAT in front of the tunnel because of the dynamic public IP.

Am I right that, in this case, if MTU of the tunnel would be set to 1250 then I could remove the extra rule?
 
nichky
Forum Guru
Posts: 1124
Joined: Tue Jun 23, 2015 2:35 pm

Wed Feb 10, 2021 1:59 am

@CZFan

And what does Clamp mss in EoIP do?
 
tdw
Forum Guru
Posts: 1556
Joined: Sat May 05, 2018 11:55 am

Wed Feb 10, 2021 3:42 am

> I have set 1300 MTU on the EoIP tunnel. Additional rule set MSS to 1250.

Be aware that if you add an EoIP interface with an MTU<1500 to a bridge it will impact any traffic between local bridge ports too, usually breaking things.
 
halacs
Frequent Visitor
Topic Author
Posts: 80
Joined: Thu Jul 06, 2017 5:45 pm
Location: Hungary

Wed Feb 10, 2021 9:13 am

> Be aware that if you add an EoIP interface with an MTU<1500 to a bridge it will impact any traffic between local bridge ports too, usually breaking things.

Yeah, actually there is a warning in the documentation: MTU should be 1500 in the EOIP tunnel. If I set it to auto it gets somewhere between 1500 and my 1300. If I set it to 1500 manually it doesn't work.
If the tunnel would have 1500 MTU, the tunnel should do fragmentation because of the PPPoE internet connection.
My LAN bridge is set to 1500 MTU manually. Can it cause a problem?
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Wed Feb 10, 2021 12:43 pm

> @CZFan
>
> And what does Clamp mss in EoIP do?

Not sure if I understand the question correctly, but:

OP did not mention EoIP tunnel MTU size in OP, so with that, if the tunnel MTU was set at 1500, then the "Clamp TCP MSS" in EoIP config will clamp the MSS at 1460, which might not be low enough.

@OP:
You can specify out interface as the tunnel interface in the mangle rule which will then only change the MSS for traffic going out the tunnel, i.e.
/ip firewall mangle
add action=change-mss chain=forward new-mss=1250 out-interface=eoip-tunnel1 passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1251-65535
 
halacs
Frequent Visitor
Topic Author
Posts: 80
Joined: Thu Jul 06, 2017 5:45 pm
Location: Hungary

Wed Feb 10, 2021 3:53 pm

I can't set out interface to the tunnel:
"in/out-interface matcher not possible when interface (eoip-tunnel-xxx) is slave - use master instead (bridge1)"

On bridge1 I have vlan tags also and I use it so far in the mangle rule as out interface.
 
bobatkins
just joined
Posts: 13
Joined: Fri Sep 25, 2015 11:58 pm
Location: Los Angeles, CA

Wed Nov 23, 2022 11:15 pm

The Clamp tcp mss option has NEVER worked in RouterOS - period!! :-x

I have always had to create a special mangle rule to solve the problem which affects SSL websites randomly since they cannot renegotiate TCP MSS. The websites that fail are usually the sites that block ICMP which prevents path discovery.

Unbelievable how many years (>10) this has been a problem and that nobody at Mikrotik has fixed it yet and yes - all the way up to the most current version of RouterOS.
 
anav
Forum Guru
Posts: 14520
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Wed Nov 23, 2022 11:46 pm

I know that in wireguard this can work to deal with MTU issues.
new-mss=clamp-to-pmtu !

Also one can use L2TP within wireguard and deal with MTU issues by adjusting MRRU
 
halacs
Frequent Visitor
Topic Author
Posts: 80
Joined: Thu Jul 06, 2017 5:45 pm
Location: Hungary

Thu Nov 24, 2022 9:04 am

> I know that in wireguard this can work to deal with MTU issues.
> new-mss=clamp-to-pmtu !
>
> Also one can use L2TP within wireguard and deal with MTU issues by adjusting MRRU

Is wireguard a Mikrotik RouterOS feature? I haven't heard about it so far.
 
accarda
Member Candidate
Posts: 171
Joined: Fri Apr 05, 2019 4:06 pm
Location: Italy

Thu Nov 24, 2022 9:53 am

You can read about wireguard here https://help.mikrotik.com/docs/display/ROS/WireGuard which requires Ros v7.x
 
sup5
Member
Posts: 355
Joined: Sat Jul 10, 2010 12:37 am

Thu Nov 24, 2022 12:31 pm

> The Clamp tcp mss option has NEVER worked in RouterOS - period!! :-x

It works for me. I did several packet captures, which confirm that it works.
But it has constraints:
TCP-MSS-clamping will only work with untagged native IPv4 traffic passing through the EoIP interface. As soon as it is encapsulated (802.1q, 802.1ad or PPPoE) it won't work and you have to manually set up mangle rules.
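
The constraint sup5 reports, and CZFan's 1500 → 1460 figure, can be reproduced on captured SYN frames. This is an added example, not part of any post and not RouterOS code: it compares a clamper that only recognises untagged IPv4 with one that skips 802.1Q/802.1ad tags (PPPoE is not modelled). The frames are constructed, and the function names, addresses, ports and the MTU − 40 rule (IPv4 and TCP headers without options) are assumptions of the example.

```python
import struct

ETH_IPV4 = 0x0800
VLAN_TPIDS = (0x8100, 0x88A8)          # 802.1Q and 802.1ad tag identifiers

def build_syn(mss, vlans=()):
    """Constructed Ethernet/IPv4/TCP SYN with one MSS option (checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, 0x02, 64240, 0, 0)
    tcp += struct.pack("!BBH", 2, 4, mss)             # option kind 2, length 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    tags = b"".join(struct.pack("!HH", 0x8100, vid) for vid in vlans)
    return bytes(12) + tags + struct.pack("!H", ETH_IPV4) + ip + tcp

def syn_mss(frame, follow_vlan_tags=True):
    """Return the MSS option of an IPv4 TCP SYN, or None if this parser sees none."""
    off = 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    while follow_vlan_tags and ethertype in VLAN_TPIDS:
        off += 4                                      # skip TPID + TCI
        (ethertype,) = struct.unpack_from("!H", frame, off)
    if ethertype != ETH_IPV4:
        return None                                   # tagged or non-IPv4 frame
    ip = off + 2
    tcp = ip + (frame[ip] & 0x0F) * 4
    if frame[ip + 9] != 6 or not frame[tcp + 13] & 0x02:
        return None                                   # not TCP, or not a SYN
    i, end = tcp + 20, tcp + (frame[tcp + 12] >> 4) * 4
    while i < end and frame[i] != 0:                  # 0 = end of option list
        if frame[i] == 1:                             # 1 = NOP, single byte
            i += 1
            continue
        if i + 1 >= end or frame[i + 1] < 2:
            return None                               # malformed option
        if frame[i] == 2 and frame[i + 1] == 4:
            return struct.unpack_from("!H", frame, i + 2)[0]
        i += frame[i + 1]
    return None

def mss_after_clamp(frame, tunnel_mtu, follow_vlan_tags):
    """MSS the peer receives from a clamper that parses frames as syn_mss() does."""
    seen = syn_mss(frame, follow_vlan_tags)
    if seen is None:                                  # clamper did not recognise it
        return syn_mss(frame)                         # option passes through as sent
    return min(seen, tunnel_mtu - 40)                 # 20 B IPv4 + 20 B TCP headers
```

With a 1300 MTU the untagged SYN comes out at 1260, while the same SYN inside VLAN 10 keeps 1460 unless the tag is skipped, which is the case a mangle rule has to cover.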
 
pe1chl
Forum Guru
Posts: 9030
Joined: Mon Jun 08, 2015 12:09 pm

Thu Nov 24, 2022 12:36 pm

> The Clamp tcp mss option has NEVER worked in RouterOS - period!! :-x
>
> I have always had to create a special mangle rule to solve the problem which affects SSL websites randomly since they cannot renegotiate TCP MSS. The websites that fail are usually the sites that block ICMP which prevents path discovery.
>
> Unbelievable how many years (>10) this has been a problem and that nobody at Mikrotik has fixed it yet and yes - all the way up to the most current version of RouterOS.

Note that any problem you attempt to fix using TCP MSS clamping is actually caused by an error somewhere else.
Usually the error is that people "drop all ICMP" in their firewall, after advice from clueless "experts" like Steve Gibson.
ICMP plays a crucial role in the internet, in this case as part of path MTU detection, and dropping it will break things.
Clamping TCP MSS works as a workaround for these issues, but it is better when the root problem is solved. Fix the firewalls.
 
halacs
Frequent Visitor
Topic Author
Posts: 80
Joined: Thu Jul 06, 2017 5:45 pm
Location: Hungary

Thu Nov 24, 2022 9:22 pm

> But it has constraints:
> TCP-MSS-clamping will only work with untagged native IPv4 traffic passing through the EoIP interface. As soon as it is encapsulated (802.1q, 802.1ad or PPPoE) it won't work and you have to manually set up mangle rules.

Ah gotcha! :)
So this is the reason why TCP-MSS-clamping was not working in my EoIP tunnel: I have a VLAN trunk inside my EoIP tunnel. I have several separated VLANs in my network. I had to set up a mangle rule manually for this purpose which works well.

I guess, from this point of view, it doesn't matter I have a PPPoE connection toward my ISP outside of my EoIP tunnel. It influences only the MTU inside and outside of the EoIP tunnel.

What's the case with IPv6 traffic?
 
chechito
Forum Guru
Posts: 2552
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Thu Nov 24, 2022 9:28 pm

topic with dropper details, like a course by fascicles
 
anav
Forum Guru
Posts: 14520
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Thu Nov 24, 2022 11:12 pm

No idea what that means, but looking at that avatar I think the OP's problem is nourishment, it's screaming I am Hungary!
