http works sometimes, https usually does not connect

Q: Ok, I couldn’t open http or https web pages over the router on various devices when in operation, but it allowed ping.

Even after defaulting it and netinstalling it, no difference.

It didn’t matter if it was via its proxy or direct, it wouldn’t behave, thus why I spent two hours trying to establish where the bizarre behaviour was coming from.


A: That behaviour is usually an MTU issue. The solution is to clamp the maximum segment size on the PPPoE output interface. Here is an example:

/ip firewall mangle add protocol=tcp tcp-flags=syn action=change-mss \
      new-mss=<mss> chain=forward out-interface=<out-interface>
 
You need to change the value of <out-interface> to the output interface of your router (e.g. pppoe-out1, or ether1, etc.) and the value of <mss> to match the maximum MTU size possible for that link.

This problem happens when normal MTU discovery is broken over the ISP's customer network. You can discover the maximum packet size possible by using the ping command with do-not-fragment set, varying the frame size higher and lower until you find the largest packet size that will traverse the network unfragmented. See the example below, which uses this method to discover that the maximum packet size for this network is 1472 bytes:
 
C:\Users\mike>ping duxtel.com -f -l 1500
 
Pinging duxtel.com [203.21.77.17] with 1500 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
 
Ping statistics for 203.21.77.17:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
Control-C
^C
C:\Users\mike>ping duxtel.com -f -l 1400
 
Pinging duxtel.com [203.21.77.17] with 1400 bytes of data:
Reply from 203.21.77.17: bytes=1400 time=6ms TTL=126
Reply from 203.21.77.17: bytes=1400 time=9ms TTL=126
Reply from 203.21.77.17: bytes=1400 time=7ms TTL=126
 
Ping statistics for 203.21.77.17:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 6ms, Maximum = 9ms, Average = 7ms
Control-C
^C
C:\Users\mike>ping duxtel.com -f -l 1450
 
Pinging duxtel.com [203.21.77.17] with 1450 bytes of data:
Reply from 203.21.77.17: bytes=1450 time=7ms TTL=126
Reply from 203.21.77.17: bytes=1450 time=10ms TTL=126
Reply from 203.21.77.17: bytes=1450 time=11ms TTL=126
 
Ping statistics for 203.21.77.17:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 7ms, Maximum = 11ms, Average = 9ms
Control-C
^C
C:\Users\mike>ping duxtel.com -f -l 1475
 
Pinging duxtel.com [203.21.77.17] with 1475 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
 
Ping statistics for 203.21.77.17:
    Packets: Sent = 3, Received = 0, Lost = 3 (100% loss),
Control-C
^C
C:\Users\mike>ping duxtel.com -f -l 1465
 
Pinging duxtel.com [203.21.77.17] with 1465 bytes of data:
Reply from 203.21.77.17: bytes=1465 time=6ms TTL=126
Reply from 203.21.77.17: bytes=1465 time=15ms TTL=126
 
Ping statistics for 203.21.77.17:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 6ms, Maximum = 15ms, Average = 10ms
Control-C
^C
C:\Users\mike>ping duxtel.com -f -l 1470
 
Pinging duxtel.com [203.21.77.17] with 1470 bytes of data:
Reply from 203.21.77.17: bytes=1470 time=12ms TTL=126
Reply from 203.21.77.17: bytes=1470 time=19ms TTL=126
 
Ping statistics for 203.21.77.17:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 12ms, Maximum = 19ms, Average = 15ms
Control-C
^C
C:\Users\mike>ping duxtel.com -f -l 1472
 
Pinging duxtel.com [203.21.77.17] with 1472 bytes of data:
Reply from 203.21.77.17: bytes=1472 time=14ms TTL=126
Reply from 203.21.77.17: bytes=1472 time=25ms TTL=126
 
Ping statistics for 203.21.77.17:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 14ms, Maximum = 25ms, Average = 19ms
Control-C
^C
C:\Users\mike>ping duxtel.com -f -l 1473
 
Pinging duxtel.com [203.21.77.17] with 1473 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
 
Ping statistics for 203.21.77.17:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
Control-C
^C
C:\Users\mike>
 

Hope it helps - questions are welcome!
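
The probing procedure above can be turned into a number for new-mss automatically. The following is an added example, not part of the original answer: it parses a Windows `ping -f -l` transcript, finds the largest payload that passed with DF set, and fills in the mangle rule. It assumes IPv4 and TCP headers without options (payload + 28 = path MTU, path MTU - 40 = MSS); the function names and the sample transcript are constructed for illustration.

```python
import re

# Assumed header sizes: IPv4 without options, ICMP echo, TCP without options.
IPV4_HDR, ICMP_HDR, TCP_HDR = 20, 8, 20

# Constructed sample in the format of Windows `ping -f -l <size>` output.
SAMPLE = """\
Pinging example.net [192.0.2.10] with 1400 bytes of data:
Reply from 192.0.2.10: bytes=1400 time=6ms TTL=126
Pinging example.net [192.0.2.10] with 1472 bytes of data:
Reply from 192.0.2.10: bytes=1472 time=14ms TTL=126
Pinging example.net [192.0.2.10] with 1473 bytes of data:
Packet needs to be fragmented but DF set.
"""

def parse_df_ping(transcript):
    """Map each probed payload size to 'ok', 'frag-needed' or 'no-reply'."""
    results, size = {}, None
    for line in map(str.strip, transcript.splitlines()):
        m = re.match(r"Pinging .+ with (\d+) bytes of data", line)
        if m:
            size = int(m.group(1))
            results[size] = "no-reply"  # until a reply or an ICMP error is seen
        elif size is not None and line.startswith("Reply from") and f"bytes={size} " in line:
            results[size] = "ok"
        elif size is not None and "needs to be fragmented" in line and results[size] != "ok":
            results[size] = "frag-needed"
    return results

def largest_payload(results):
    """Return (largest passing payload, True if payload + 1 was probed and failed)."""
    passed = [s for s, r in results.items() if r == "ok"]
    if not passed:
        raise ValueError("no probe got a reply")
    best = max(passed)
    if any(s < best for s, r in results.items() if r != "ok"):
        raise ValueError("a smaller probe failed; results are unreliable")
    return best, (best + 1) in results

def mss_clamp(payload, out_interface):
    """Derive path MTU and TCP MSS, then fill in the mangle rule from the answer."""
    mtu = payload + IPV4_HDR + ICMP_HDR
    mss = mtu - IPV4_HDR - TCP_HDR
    rule = ("/ip firewall mangle add protocol=tcp tcp-flags=syn action=change-mss "
            f"new-mss={mss} chain=forward out-interface={out_interface}")
    return mtu, mss, rule

if __name__ == "__main__":
    print(*mss_clamp(largest_payload(parse_df_ping(SAMPLE))[0], "pppoe-out1"), sep="\n")
```

A size that shows `no-reply` (Request timed out) while smaller sizes reply is what broken MTU discovery looks like from the client: the packet is dropped and no ICMP error comes back.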