GRE MTU/MSS issues (VyOS only)

GRE with VyOS:
interfaces {
    ethernet eth0 {
        address 107.189.28.218/24
        hw-id 00:16:97:55:ea:46
    }
    loopback lo {
    }
    tunnel tun0 {
        address 10.7.0.1/30
        encapsulation gre
        ip {
            ospf {
                network point-to-point
            }
        }
        mtu 1476
        remote xxx
        source-address xxx
    }
}

The other end is a Mikrotik router with config:
1 R name="GRE" mtu=1476 actual-mtu=1476
    local-address=xxx
    remote-address=xxx keepalive=10s,10
    dscp=inherit clamp-tcp-mss=yes dont-fragment=inherit
    allow-fast-path=yes

Traffic going through here is having massive issues with SSL and loading content/pages. If I switch out my VyOS router with another Mikrotik, it works just fine with the same settings.

What am I missing?

You may need to try using MSS clamping on the VyOS side of the tunnel as well.

https://docs.vyos.io/en/latest/configuration/interfaces/tunnel.html#cfgcmd-set-interfaces-tunnel-interface-ip-adjust-mss-mss-clamp-mss-to-pmtu

Which I have also. Same outcome sadly.

What you're running into certainly sounds like an MTU issue. Have you tried seeing what MTU can get through the tunnel without fragmentation? You can do so from a Linux host using "ping 23.136.232.33 -c 10 -M do -s 1446" and adjust the size until it works.


How about trying mtu=1400 or mtu=1300?

On both ends of the GRE tunnel or only VyOS? :slight_smile:

Set MTU and MSS on both sides, please.

Hello.
I’ve tried 1476 and 1452 on both sides as mtu and mss.

I will try 1400 and 1300. Not sure if it makes a difference. Will let you know :slight_smile:

root@raspberrypi:~# ping xxx -c 10 -M do -s 1452
PING xxxxx 1452(1480) bytes of data.
From 107.189.28.218 icmp_seq=1 Frag needed and DF set (mtu = 1476)
ping: local error: message too long, mtu=1476
ping: local error: message too long, mtu=1476
ping: local error: message too long, mtu=1476

Something like 1400 works. So I set MTU on both sides to that with the same value for mss and clamping enabled. Same error.

Maybe I am doing something wrong. Could someone give me the commands I need for the above config to set the correct MTU and MSS value?

vyos@vyos# set firewall options interface tun0 adjust-mss 1476
[edit]
vyos@vyos# set interfaces tunnel tun0 mtu 1476
I’ve done this on both ends. Same outcome.

I’ve tried 1452, 1400, 1300, etc, and nothing works :frowning:
Is there another way I can troubleshoot?

Your MSS is too high if your MTU is set to 1476. Try setting it around 1446 or 1436.

Maybe you can try using Wireshark to debug this issue if you still want to build a tunnel with GRE over ips. Otherwise you can build a WireGuard tunnel instead of GRE, since WireGuard will be faster than a GRE tunnel.

While WireGuard does offer great performance for an encrypted tunnel, many NICs offer offloading for GRE, which will generally allow it to perform better. They also mentioned they are using a Mikrotik on one end, and while RouterOS7 does support WireGuard, the CPUs in most of the Mikrotik devices are too weak to handle lots of traffic over WireGuard. But that may not be an issue depending on their use case.

WireGuard is the fastest VPN I have ever known! In every scenario, I replaced other VPN solutions with WireGuard VPN. Trust me, you will love VyOS and WireGuard VPN.

The MSS value equals MTU-40; for example, if you set mtu=1400, then the MSS will be 1400-40=1360.

WireGuard also needs the right MTU and MSS values set. That will make your tunnel faster.

I will test that! I think the Mikrotik UI handles this for me.

For WireGuard, that's what I'm testing right now on a second router.

Both have also been tested now, with the exact same outcome. :frowning:

It’s the tun0 interface I have to change the settings of, and not eth0. Correct?

Got it up via Wireguard. Works perfectly :-)!

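The manual "adjust the size until it works" ping probe and the MTU-40 rule from the thread, automated as an added example (not code posted by anyone in the thread). It assumes Linux iputils ping, IPv4, and no TCP options; the function names and the PROBE override hook are hypothetical.

```sh
#!/bin/sh
# Added example: bisect for the largest DF-flagged ICMP payload that gets a
# reply, then derive the path MTU and the TCP MSS to clamp to.
IP4_HDR=20; ICMP_HDR=8; TCP_HDR=20

# One probe: succeeds only if a don't-fragment echo of this payload is answered.
probe() { ping -c 1 -W 1 -M do -s "$2" "$1" >/dev/null 2>&1; }
# Hypothetical hook: point PROBE at another function to test without a network.
PROBE=${PROBE:-probe}

# largest_payload HOST [LO] [HI]: print the largest payload size that passes.
largest_payload() {
    lp_host=$1; lp_lo=${2:-0}; lp_hi=${3:-1472}
    # If even the smallest probe fails, the problem is reachability, not MTU.
    "$PROBE" "$lp_host" "$lp_lo" || return 1
    while [ "$lp_lo" -lt "$lp_hi" ]; do
        lp_mid=$(( (lp_lo + lp_hi + 1) / 2 ))
        if "$PROBE" "$lp_host" "$lp_mid"; then
            lp_lo=$lp_mid               # fits: search larger sizes
        else
            lp_hi=$(( lp_mid - 1 ))     # dropped or rejected: search smaller
        fi
    done
    echo "$lp_lo"
}

# ICMP payload -> IP packet size (what ping prints in parentheses).
path_mtu() { echo $(( $1 + IP4_HDR + ICMP_HDR )); }
# Interface or path MTU -> TCP MSS (IPv4 header + TCP header = 40 bytes).
tcp_mss() { echo $(( $1 - IP4_HDR - TCP_HDR )); }

# Read ping output on stdin and print the MTU from the first
# "Frag needed and DF set (mtu = N)" error, if a router sent one.
reported_mtu() {
    sed -n 's/.*Frag needed and DF set (mtu = \([0-9]*\)).*/\1/p' | head -n 1
}

# Usage: sh pmtu.sh <host-on-the-far-side-of-the-tunnel>
if [ "$#" -ge 1 ]; then
    payload=$(largest_payload "$1") || { echo "no reply at minimum size" >&2; exit 1; }
    mtu=$(path_mtu "$payload")
    echo "largest payload: $payload  path MTU: $mtu  clamp MSS to: $(tcp_mss "$mtu")"
fi
```

A probe that times out silently, rather than returning a "Frag needed" error, counts as a failure here too, so the bisection still converges when ICMP errors are filtered somewhere on the path.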