Allied Telesis AT-WR4500 Network Router User Manual


 
210 AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers
RouterOS v3 Configuration and User Guide
Change MSS
It is a well-known fact that VPN links carry smaller packets because of encapsulation overhead. A large
packet with an MSS that exceeds the MSS of the VPN link has to be fragmented before it is sent over that
kind of connection. However, if the packet has the DF flag set, it cannot be fragmented and has to be
discarded. On links with broken path MTU discovery (PMTUD) this can lead to a number of
problems, including problems with FTP and HTTP data transfer and e-mail services.
On a link with broken PMTUD, decreasing the MSS of the packets that pass through the VPN link
solves the problem. The following example demonstrates how to decrease the MSS value via mangle:
[admin@AT-WR4562] > /ip firewall mangle add out-interface=pppoe-out \
\... protocol=tcp tcp-flags=syn action=change-mss new-mss=1300 chain=forward
[admin@AT-WR4562] > /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward out-interface=pppoe-out protocol=tcp tcp-flags=syn
action=change-mss new-mss=1300
[admin@AT-WR4562] >
9.3 Packet Flow
Document revision: 2.7 (Mon Jun 05 12:04:15 GMT 2006)
Applies to: V2.9
9.3.1 General Information
Summary
This manual describes the order in which an IP packet traverses various internal facilities of the router
and some general information regarding packet handling, common IP protocols and protocol options.
Specifications
Packages required: system
License required: Level3
Submenu level: /ip firewall
Standards and Technologies: IP
Hardware usage: Increases with NAT, mangle and filter rules count
Related Topics
IP Addresses and ARP
Routes, Equal Cost Multipath Routing, Policy Routing
NAT
Mangle
Filter
9.3.2 Packet Flow
Description
RouterOS is designed to be easy to operate in various aspects, including the IP firewall. Therefore regular
firewall policies can be created and deployed without knowledge of how packets are
processed in the router. For example, if all that is required is NATing internal clients to a public address,
the following command can be issued (assuming the interface to the Internet is named Public):
/ip firewall nat add action=masquerade out-interface=Public chain=srcnat
Regular packet filtering, bandwidth management or packet marking can be configured with ease in a similar
manner. However, a more complicated configuration can be deployed only with a good understanding
of the underlying processes in the router.