Problems with MSS-Clamping after changes made by ISP

Hello and thanks in advance for your help. Several weeks have already passed since I have problems with MTU and MSS. More precisely, my provider started filtering ICMP messages from the Path MTU and thus, the speeds are chaotic. From the maximum of 500 Mbps I dropped to 25 Mbps download and maximum upload, that is, 500 Mbps. From what I found out from the support offered by the ISP, I have to set the following values:
Mtu: 1492 (pppoe interface). With MSS-Clamping used on WAN zone there are no changes in internet speeds. I tested the connection directly on my PC and I have the full 500 Mbps values.
Mss clamp ipv4: 1452 (pppoe interface)
Mss clamp ipv6: 1432 (pppoe interface). But, I only found the MSS-Clamping option in the firewall (LuCI) and not the option to set certain numbers, so how can I set the value of 1452 (v4), respectively 1432 (v6) to MSS Clamp in OpenWRT? They are not offering support for other routers than the ones offered by them, the routers offered by them already received FW updates with the new values, this is what I found out on some forums.
Firmware Version OpenWrt 22.03.2 r19803-9a599fee93 / LuCI openwrt-22.03 branch git-22.288.45147-96ec0cd

If that is true I would raise that as an issue with the ISP, critical ICMP packets are not supposed to be filtered away by over-eager firewalls.

Anyway, before nftables-based firewall4 you could use something like:

# special rules to allow MSS clamping for in and outbound traffic
# use ip6tables -t mangle -S ; iptables -t mangle -S to check
forced_MSS=1220 # 300, 536, 1280-60
# the following does work under TOS5 as of 20220618
# affects UPLOAD transfers
#iptables -t mangle -A FORWARD -i pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "custom: Zone wan ingress MTU fixing" -j TCPMSS --set-mss ${forced_MSS}
#ip6tables -t mangle -A FORWARD -i pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "custom6: Zone wan ingress  MTU fixing" -j TCPMSS --set-mss ${forced_MSS}

# affects DOWNLOAD transfers
ingress_forced_MSS=${forced_MSS}
#iptables -t mangle -A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "custom: Zone wan egress2 MTU fixing" -j TCPMSS --set-mss ${ingress_forced_MSS}
#ip6tables -t mangle -A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "custom6: Zone wan egress2 MTU fixing" -j TCPMSS --set-mss ${ingress_forced_MSS}

You would need to adjust the values independently for IPv4 and IPv6, I went for a common value, as my use-case was to reduce the MSS to something tiny like 216 byte and then the 20 byte difference between IPv4 and IPv6 headers does not matter.

To manually set MSS-clamping values, I had placed these commands inside /etc/firewall.user but that was under old iptables-based firewall3. That file stopped existing/working with fw4, and I have not yet bothered to figure out how to achieve the same with nftables.

1 Like
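
An added example, not part of the original posts: one way to get fixed per-family clamp values under nftables-based firewall4, which includes /etc/nftables.d/*.nft inside its "table inet fw4". The script prints such a fragment for pppoe-wan with MTU 1492 (giving the 1452/1432 values from the question); the chain name custom_mss_clamp and the target file name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): print an nftables fragment that clamps
# TCP MSS to fixed, per-family values on a PPPoE WAN interface.
# Assumed use: sh gen.sh > /etc/nftables.d/20-mss-clamp.nft (hypothetical
# file name), then "fw4 reload".

# MSS = MTU - IP header - TCP header (20+20 for IPv4, 40+20 for IPv6).
mss_for_mtu() {    # usage: mss_for_mtu <mtu> <4|6>
    case "$1" in ''|*[!0-9]*) return 1 ;; esac   # reject non-numeric MTU
    case "$2" in
        4) echo $(( $1 - 40 )) ;;
        6) echo $(( $1 - 60 )) ;;
        *) return 1 ;;
    esac
}

# One rule: rewrite the MSS option on SYN / SYN-ACK packets, but only when
# the advertised value is above the clamp (a smaller MSS is never raised).
clamp_rule() {     # usage: clamp_rule <iifname|oifname> <dev> <ipv4|ipv6> <mss>
    printf '    %s "%s" meta nfproto %s tcp flags & (syn | rst) == syn ' \
        "$1" "$2" "$3"
    printf 'tcp option maxseg size %s-65535 tcp option maxseg size set %s\n' \
        "$(( $4 + 1 ))" "$4"
}

gen_fragment() {   # usage: gen_fragment <dev> <mtu>
    mss4=$(mss_for_mtu "$2" 4) || return 1
    mss6=$(mss_for_mtu "$2" 6) || return 1
    echo 'chain custom_mss_clamp {   # hypothetical chain name'
    echo '    type filter hook forward priority mangle; policy accept;'
    # iifname: SYNs arriving from WAN (affects upload);
    # oifname: SYNs leaving via WAN (affects download).
    for dir in iifname oifname; do
        clamp_rule "$dir" "$1" ipv4 "$mss4"
        clamp_rule "$dir" "$1" ipv6 "$mss6"
    done
    echo '}'
}

# Interface name and MTU as given in the thread.
gen_fragment pppoe-wan 1492
```
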

If I am connecting using an old ASUS router I get this message spammed in the logs every 5 minutes: "TCPMSS: unknown or invalid path-MTU". I've been in touch with someone that worked in the past for this ISP and still has some "connections" with them and he told me that they started applying ICMP filtering, I am talking about the ISP RCS&RDS | DIGI in Romania.
Besides that, the ISP is testing the RFC4638 implementation, meaning MTU 1500 on PPPoE and 1508 on Ethernet.
Some ping results from one user on another forum with the same ISP:

Pinging google.com [216.58.214.238] with 1472 bytes of data:
Reply from 216.58.214.238: bytes=68 (sent 1472) time=22ms TTL=56
Reply from 216.58.214.238: bytes=68 (sent 1472) time=21ms TTL=56
Reply from 216.58.214.238: bytes=68 (sent 1472) time=21ms TTL=56
Reply from 216.58.214.238: bytes=68 (sent 1472) time=21ms TTL=56

I still cannot use 1500 MTU PPPoE yet, perhaps it is not implemented yet in my area.

As I said contact them, filtering essential ICMP messages is surely not what they intend to do, so convince them that some ICMP messages need to be passed onto their end-users. Path-MTU discovery is somewhat important...

Interesting as I also have digi and don't have any of these issues...

  • You set WAN MTU to 1508
  • You set PPPoE to MTU 1500

You never noted if you did this before testing. The rest of your network should be 1500 by default.

1 Like

Just tested this and seems to be working (as I'm typing this over that pppoe 1508 mtu)

1 Like

Tested with PPPoE 1500 and WAN 1508, some websites not loading, including ISP hosted ones (digi.ro / digi24.ro). Speeds are the same, 25-30 Mbps download limit, upload at maximum speed. Directly on laptop, PPPoE, speeds are good, 430 download and 500 upload.

What about lowering those to, let's say, 1400 (1408)?

I was called today by a network engineer from the ISP, he told me to set MTU 1500 on PPPoE and 1508 on WAN with MSS-Clamping disabled in the firewall, now it works in the parameters. In the end it was something due to some modified ISP configurations in their servers, but thank you for the advice!
Fortunately, after several phone calls to them, I got through to the people from the call center who recommended me to reinstall Windows, I reached the engineers, who solved the problem.

1 Like
