MTU/MRU problem with WAN interface (with VLAN)

IT_Field_Support  Posts: 97  Ally Member
edited April 2021 in Security
Hi everyone,

I am facing a weird problem.
We changed the ISP on one of our USG40W units running v4.38.
This new ISP connects its clients with an Ethernet connection (WAN port) with a VLAN inside.
Since this modification, we are facing issues with MTU/MRU on this WAN link.
The trunk is enabled (failover) on this router with the OPT port.

Here is the configuration of the WAN port:
DHCP 0.0.0.0/0.0.0.0
egress/ingress set
MTU 1500
IGMP disabled
Connectivity Check disabled

Here is the configuration of the VLAN port:
VLAN 700
Interface type: external
Static IP 197.xxx.xx.x41 (public IP)
egress/ingress set
MTU 1500
IGMP disabled
Connectivity Check enabled (ICMP 1.1.1.1 and 8.8.8.8)



This new WAN link is almost working; the problem is that the MTU cannot go higher than 1440 (and it sometimes even changes, last time I was able to ping up to 1470).
And the MRU cannot go higher than 100!

I'm stuck finding a solution on this one.

If we replace the Zyxel router with a router from another brand, the link works well and there are no problems with MTU/MRU, but with the Zyxel we are stuck.

Any idea?

Thanks a lot in advance for your help,
Jordan.
Accepted Solution

  • IT_Field_Support  Posts: 97  Ally Member
    Answer ✓
    Hi,

    Thanks again for your answer,
    I think we found what the problem was, and in fact there was no problem with the MTU at all; that was a bad track.

    I have noticed that all of our Zyxel routers don't reply to pings larger than 100 bytes, and the ADP was responsible for this. When you turn off the ADP in the security policy, you can ping with an MTU higher than 100.

    Thanks a lot for your help,
    Have a nice day,
    Jordan.

All Replies

  • PeterUK  Posts: 2,651  Guru Member

    VLAN 700 base port is wan1? And you SNAT the LAN1?

    Does your ISP require a VLAN? Could you test with a VLAN switch to tag incoming VLAN and untag the port to wan1 and see what happens.


  • Zyxel_Stanley  Posts: 1,361  Zyxel Employee
    edited June 2020

    Hi @IT_Field_Support

    Can you test the MTU size between your PC and the destination server first?

    Path MTU tool: https://www.iea-software.com/products/mtupath/

    e.g.
    C:\>mtupath.exe www.google.com
    MTU path scan to www.google.com (216.58.200.228), ttl=64, limit=48
    # 16 processing - best MSS 1472 (estimated MTU 1500) [pPPPPpPppPpppppp]
    # 01 nearest minimum MTU on local interface
          #1 MSS IN RANGE     1 <==  1471 ==>  1472
          #2 MSS EXCEEDED  1473 <== 14911 ==> 16384

    Default MTU of USG is 1500.

    There are many routers between your PC and the destination server.

    If any node in the whole path doesn't allow an MTU size over 1500, then packets will be dropped by that router.

    After you got “estimated MTU”, you can change MTU size on your VLAN interface.


  • IT_Field_Support  Posts: 97  Ally Member
    edited June 2020
    Hi everyone,

    Thanks a lot for your replies,

    PeterUK said:

    VLAN 700 base port is wan1? And you SNAT the LAN1?

    Does your ISP require a VLAN? Could you test with a VLAN switch to tag incoming VLAN and untag the port to wan1 and see what happens.


    Yes the ISP requires a VLAN.
    I cannot test with a switch between the devices, I sadly do not have physical access to our zyxel router.

    Zyxel_Stanley said:

    Hi @IT_Field_Support

    Can you test the MTU size between your PC and the destination server first?

    Path MTU tool: https://www.iea-software.com/products/mtupath/

    e.g.
    C:\>mtupath.exe www.google.com
    MTU path scan to www.google.com (216.58.200.228), ttl=64, limit=48
    # 16 processing - best MSS 1472 (estimated MTU 1500) [pPPPPpPppPpppppp]
    # 01 nearest minimum MTU on local interface
          #1 MSS IN RANGE     1 <==  1471 ==>  1472
          #2 MSS EXCEEDED  1473 <== 14911 ==> 16384

    Default MTU of USG is 1500.

    There are many routers between your PC and the destination server.

    If any node in the whole path doesn't allow an MTU size over 1500, then packets will be dropped by that router.

    After you got “estimated MTU”, you can change MTU size on your VLAN interface.


    So I did an MTUpath from the faulty Zyxel to google.ch; here are the results:

    C:\>mtupath.exe google.ch

    MTU path scan to google.ch (172.217.170.3), ttl=64, limit=48
    # 16 processing - best MSS 1472 (estimated MTU 1500) [pPPPPpPppPpppppp]
    # 01 nearest minimum MTU on local interface

            #1 MSS IN RANGE     1 <==  1471 ==>  1472
            #2 MSS EXCEEDED  1473 <== 14911 ==> 16384


    And here are the results from the outside to the public IP of the Zyxel:

    D:\>mtupath.exe 197.2XX.XXX.XXX

    MTU path scan to 197.2XX.XXX.XXX, ttl=64, limit=48
    # 16 processing - best MSS 100 (estimated MTU 128) [p********pp***pp]


            #1 MSS IN RANGE     1 <==    99 ==>   100
            #2 SCAN TIMEOUT   101 <== 16283 ==> 16384

    [WARNING] Minimum IPv4 Internet MTU of 576 was not reached
    [WARNING] Possible PMTU blackhole in route to peer



    Cheers,
    Jordan.


  • Zyxel_Stanley  Posts: 1,361  Zyxel Employee

    Hi @IT_Field_Support  

    The pathMTU tool can only find the maximum MTU that can pass to the destination server along the whole path.

    You can also use traceroute to find all of the hops to the destination, and test pathMTU again to find the router which doesn't allow a larger MTU.

    C:\>tracert -d 8.8.8.8

    Usually the routers are maintained by the service provider, so the only way is to report this situation to your service provider.

    According to your situation, what's the server address and service port that doesn't work in your environment?
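The two mtupath runs above end differently: the outbound scan stops with "MSS EXCEEDED" (a router answered the oversized probe), while the inbound scan against the USG's public IP stops with "SCAN TIMEOUT" and a blackhole warning (the probes simply vanished). That distinction is what separates a real path MTU limit from a device that filters large ICMP echo requests, which is what the accepted answer eventually found. The following is an added example, not code from the thread or from Zyxel: a Python model of the mtupath binary search that classifies the limit by the outcome of the first failing size. The two "paths" are constructed stand-ins (a real probe needs raw sockets and a live network), the 100-byte cap mirrors the figure reported in the thread, and 203.0.113.1 is a documentation address used only to render the manual ping commands.

```python
"""Added example (not from the thread or Zyxel): a path-MTU probe model that
separates a genuine MTU limit from an ICMP size filter such as the ADP
behaviour reported above.

Real probes need raw sockets and a network; here the "paths" are constructed
stand-ins that return the outcome a DF-flagged echo request would get.
"""
from dataclasses import dataclass
from typing import Callable, Optional

IPV4_HEADER = 20
ICMP_HEADER = 8
OVERHEAD = IPV4_HEADER + ICMP_HEADER   # 28 bytes: payload 1472 -> MTU 1500, as mtupath reports
MIN_IPV4_MTU = 576                     # the minimum mtupath warns about

# Outcomes a single probe can produce.
REPLY = "reply"              # echo reply: this size fits end to end
FRAG_NEEDED = "frag_needed"  # ICMP type 3 code 4 from a router: a real MTU limit
TIMEOUT = "timeout"          # silence: blackhole, or something eating the probe

Path = Callable[[int], str]  # ICMP payload size -> outcome


def router_limited_path(path_mtu: int) -> Path:
    """Constructed path: the narrowest link has `path_mtu`, and its router answers
    oversized DF packets with fragmentation-needed (the well-behaved case)."""
    def probe(payload: int) -> str:
        return REPLY if payload + OVERHEAD <= path_mtu else FRAG_NEEDED
    return probe


def icmp_size_filtered_path(path_mtu: int, max_icmp_payload: int) -> Path:
    """Constructed path: full-size links, but the destination silently drops echo
    requests whose payload exceeds `max_icmp_payload` (what the thread attributes to ADP)."""
    def probe(payload: int) -> str:
        if payload + OVERHEAD > path_mtu:
            return FRAG_NEEDED
        return REPLY if payload <= max_icmp_payload else TIMEOUT
    return probe


@dataclass
class ProbeResult:
    best_payload: int          # largest payload that got a reply (mtupath's "best MSS")
    estimated_mtu: int         # best_payload + 28
    ceiling: Optional[str]     # outcome of the smallest probe that failed
    below_min_ipv4: bool       # True when the estimate is under 576
    verdict: str


def probe_path(path: Path, lo: int = 1, hi: int = 16384) -> ProbeResult:
    """Binary-search the largest payload that is echoed, as mtupath does, and
    classify the limit by what the first failing size returned."""
    best, ceiling = 0, None
    while lo <= hi:
        mid = (lo + hi) // 2
        outcome = path(mid)
        if outcome == REPLY:
            best, lo = mid, mid + 1
        else:
            ceiling, hi = outcome, mid - 1   # ends as the outcome at best + 1
    mtu = best + OVERHEAD
    if ceiling == FRAG_NEEDED:
        verdict = "path MTU limit: a router reported fragmentation needed"
    elif ceiling == TIMEOUT:
        verdict = "blackhole or size filter: larger probes vanish without an ICMP error"
    else:
        verdict = "no limit found in the probed range"
    return ProbeResult(best, mtu, ceiling, mtu < MIN_IPV4_MTU, verdict)


def manual_probe_commands(host: str, payload: int) -> dict:
    """Commands to reproduce one probe by hand with DF set; both flags take the
    ICMP payload size, so 1472 tests a 1500-byte frame."""
    return {
        "windows": f"ping -f -l {payload} {host}",
        "linux": f"ping -M do -s {payload} -c 1 {host}",
    }


if __name__ == "__main__":
    print(probe_path(router_limited_path(1500)))          # 1472 / 1500, frag_needed
    print(probe_path(icmp_size_filtered_path(1500, 100)))  # 100 / 128, timeout
    print(manual_probe_commands("203.0.113.1", 1472))
```

Run against the filtered path, the search reproduces the inbound result from the thread (best payload 100, estimated MTU 128, flagged as below the 576-byte minimum) and reports a timeout ceiling rather than a fragmentation-needed one; that is the signal to suspect a filter on the destination before blaming the carrier's routers.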

  • Zyxel_Stanley  Posts: 1,361  Zyxel Employee
    Hi @IT_Field_Support
    It's good to hear you found the reason for it. :+1:
