If you are struggling to view websites, especially sites such as banks or the .gov websites, then check how your Mikrotik connects to the internet.
There are a few things to check but the most likely issues are:
- a firewall rule blocking ICMP on the inside of the Mikrotik.
ICMP is needed for some web sites and you should pass it outbound, and potentially from any part of the network internally.
If you do need to block ICMP then be very careful if you are using PPPoE. The MTU discovery protocol relies on ICMP, so blocking the traffic will mean the MTU drifts and websites stop working.
Instead, have a look at firewall rules to block SYN attacks or to block traffic from frequent connections. We have a post on our knowledgebase about this.
- a poor MTU size setting on the router for the PPPoE interface.
Remember that the PPPoE interface is a virtual interface and becomes active as you authenticate against the ISP.
The traffic is sent from the Mikrotik to the ISP via your physical WAN port (normally Eth1). This is wired and has an MTU of 1500.
The virtual interface for the PPPoE connection has a lower MTU because PPPoE consumes some of the packet, making the actual MTU for PPPoE more like 1396.
Most ISPs work to the internet standard “RFC4638” and there is no problem. Occasionally, however, the Mikrotik needs an extra mangle firewall rule added to force the PPPoE connection to follow the MTU size advertised by the ISP.
Wikipedia explanation of MTU size discovery.
If you think this is the issue then run the command:
/ip firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
This forces the Mikrotik to clamp the TCP maximum segment size (MSS) of new connections so that packets fit the MTU size detected from the ISP.
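The two checks above can be run against a saved router config. This is an added example, not part of the original article or any Mikrotik tooling: a Python audit of RouterOS /export text that flags a blanket ICMP drop and a PPPoE client with no MSS clamp. The sample configs, the function names and the icmp-options=3:4 ("fragmentation needed") accept rule are constructed for illustration.

```python
import re
import shlex

def parse_export(text):
    """Return [(menu, {param: value})] for every 'add' line of a RouterOS export."""
    rules, menu = [], None
    # Long export lines are wrapped with a trailing backslash; join them first.
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            tokens = shlex.split(line[4:])  # keeps comment="two words" together
            rules.append((menu, dict(t.split("=", 1) for t in tokens if "=" in t)))
    return rules

def audit(text):
    """Flag the two misconfigurations described in the article."""
    rules, findings = parse_export(text), []
    pmtud_ok = set()  # chains that already accepted 'fragmentation needed'
    for menu, p in rules:
        if menu != "/ip firewall filter" or p.get("protocol") != "icmp":
            continue
        if p.get("disabled") == "yes":
            continue
        chain, action = p.get("chain"), p.get("action")
        if action == "accept" and p.get("icmp-options") in (None, "3:4"):
            pmtud_ok.add(chain)
        elif action in ("drop", "reject") and "icmp-options" not in p \
                and chain not in pmtud_ok:
            findings.append(f"{chain}: all ICMP blocked, MTU discovery will fail")
    uses_pppoe = any(m == "/interface pppoe-client" for m, _ in rules)
    clamped = any(m == "/ip firewall mangle" and p.get("action") == "change-mss"
                  and p.get("new-mss") == "clamp-to-pmtu" for m, p in rules)
    if uses_pppoe and not clamped:
        findings.append("pppoe-client present but no change-mss clamp-to-pmtu rule")
    return findings

# Constructed sample exports (not taken from a real router).
PPPOE = "/interface pppoe-client\nadd name=pppoe-out1 interface=ether1 user=example\n"
WEAK = PPPOE + ('/ip firewall filter\n'
                'add action=drop chain=forward protocol=icmp comment="block ping"\n')
FIXED = PPPOE + ('/ip firewall filter\n'
                 'add action=accept chain=forward protocol=icmp icmp-options=3:4\n'
                 'add action=drop chain=forward protocol=icmp\n'
                 '/ip firewall mangle\n'
                 'add action=change-mss chain=forward new-mss=clamp-to-pmtu '
                 'passthrough=yes protocol=tcp tcp-flags=syn\n')

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, audit(cfg) or "no findings")
```

Order matters in the audit because RouterOS evaluates filter rules top to bottom, so an accept placed after the drop would not count.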