5G Gateway ASK-NCQ1338 Passthrough Not Working Reliably
I'm on router number 3 from Verizon and my reliability issues with IP passthrough have not been solved. I've read others with the same problem and also the firmware update failed issue.
The latest change that I've made involved having the gateway on a different subnet than my LAN. This seems to work but it's too early to tell if the double NAT has its own troubles. I haven't tested performance or all connectivity across my devices.
Does anyone use the double NAT configuration with success?
Regards,
ETCM
I've been using the service in passthrough mode for about a year with no issues. A few days ago, things got wonky. While about 95% of webpages loaded ok, there was some lag at the beginning of the page load and my speed dropped by quite a bit. Some webpages would just not load completely. Through troubleshooting, I narrowed it down to either the Gateway (ASK-NCQ1338) or the network it was attached to. I called support and found out that there had been an update pushed to the gateway on Aug 17, and they said I needed to do a factory reset. I couldn't get into the gateway anymore via the LAN 1 port like I used to, so I couldn't get in to save my settings first. I did a factory reset and had to reconfigure it from scratch, but lo and behold, there is no option for passthrough mode anymore! This is firmware 231451. They've simplified a lot of the advanced options. I can't even see how to change the LAN IP address from the default 192.168.0.* anymore.
I had to scramble and set up my downstream router in the DMZ, but that introduces other issues using my domain name associated with my home. So, beware if you haven't gotten that update yet.
Let me make a correction. The IP Passthrough setting is there, but it's been buried in the advanced settings. However, when I turned it back on after my factory reset, I still have the issues with certain webpages not loading properly. So, I'm limping along with my router in the DMZ of the Verizon gateway until I can hopefully get a resolution.
Hi, did you ever find a resolution to this?
I’ve had this issue twice now. First time I had the issue I had to deal with support for hours and they would literally hang up on me when they couldn’t help and refused to send me a different unit.
It’s definitely a bug in their firmware and Verizon refuses to acknowledge it. I had the router in bridge mode for about a year with no complaints. Suddenly sites started to have issues loading. I noticed the interface looked different and I had to do a factory reset because the config was all messed up.
I’ve been good for about 3 months but just this week the router decided to update again and all the exact same issues came back.
If you log into the router and go to advanced, diagnostics, system logs and firewall logs, you’ll see “block fragment” events. The IPs listed would be to the sites you’re having issues with. I’ve tried messing with packet size and MTU size but that didn’t help. Also, not sure why things are being sent via UDP. Not much I can do other than try to get another unit with older firmware again.
When I first posted this, I was contacted by Verizon support and they said they would escalate it so they could look into the issue. They said it could take a few weeks for a response, but I haven't heard anything. I'm a little crippled here without being able to use passthrough mode.
Thinking about trying T-Mobile if they have the same kind of option with their gateway.
We hear you loud and clear, and we want to get this resolved. We sent a Private Note to further assist you. ~Geo
@vzw_customer_support wrote:
We hear you loud and clear, and we want to get this resolved. We sent a Private Note to further assist you. ~Geo
VZW customer support, were you addressing a particular user on this thread with your response about sending a private message?
I was able to find the right settings. I am using a Ubiquiti edge router er-x. I was able to get everything to work using the following settings:
Changed MTU on WAN Interface to: 1400
Changed mss to: 1360
This fixed all my issues. I have called in many times before, and didn't get very far. They wanted to blame my router at first and I had to prove that it was not. I finally got them to send me a newer gateway that did fix the issue, but it was a new line and I was told, after the previous tech support rep said it could be swapped to my current 5g home line, that it was not able to be done. They told me that I would have to use the new line and lose my current plan and price lock. They did send me a replacement for my current line, but it is the same gateway that has the issue with the ip-passthrough, with the same issue. This drove me to start down the road of trying to fix the issue myself or at least find the issue.
It is terrible that the customers have to troubleshoot the issue and figure out the fix to get the isp's equipment to work correctly again.
You changed the two values on your Ubiquiti?
Yes, I changed the mtu setting on the wan interface and the mss, and set the mss to apply to all interfaces in the firewall settings of the configuration tree. I followed this: https://community.ui.com/questions/EdgeRouter-and-MTU-Setting/54051cd0-38fc-4de9-a499-32af37a851b3
Using the numbers that I found that worked.
Thank you for that information. I changed these settings on my pfsense wan interfaces and it appears to have resolved the issue.
It’s been so horrible dealing with Verizon support. They really don’t care.
@Jake123456 wrote: Thank you for that information. I changed these settings on my pfsense wan interfaces and it appears to have resolved the issue.
It’s been so horrible dealing with Verizon support. They really don’t care.
Did you have to change the mss-clamp as well? I have a dd-wrt based router and I can change the MTU on the WAN interface, but I have no settings for the firewall for mss.
Yes I did. That was actually the part I was missing. I had changed the mtu size before and had no change in behavior. After changing the MSS on my pfsense firewall, the issues went away finally.
This may help you.
https://www.reddit.com/r/openwrt/s/ZuW4ix2bkv
This really looks promising!
Anyone know how to change MSS on ASUSwrt-Merlin? So far Google has not given me a real answer 😞
I've gotten to SSH prompt ... I'm betting I need to use CLI to change MSS?
ASUSwrt-Merlin uses iptables according to its GitHub. tcp-mss can be set using the POSTROUTING Mangle table.
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
Something like this, but you would need to figure out the details according to the networking mechanisms of ASUSwrt-Merlin.
I need to comment: using iptables in 2023 is deprecated. iptables is a legacy netfilter, so continuing to use it might be a security vulnerability. iptables has worse performance than nftables.
If the problem points to the customer-provided downstream router lacking the TCPMSS adjustments required by 5G Home Internet, then the issue should NOT be attributed to NCQs. IP Passthrough, by its name, should only provide L3 connectivity; it should not take care of L4 operations like TCPMSS.
Solely using TCPMSS does not remedy the situation entirely if the issue is coming from IP fragmentation. TCPMSS controls the frame size by limiting the TCP segment length. It does not act on UDP segments. Google primarily uses QUIC over UDP, so these websites might still have degraded performance.
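Added example (not part of any post in this thread): a Python sketch of what a TCPMSS --set-mss rule does to a segment, using the 1400 MTU / 1360 MSS values reported earlier for the ER-X. It rewrites the MSS option only in segments matching SYN,RST SYN and patches the checksum; a UDP datagram carries no MSS option, so there is nothing comparable to rewrite. The function names and the sample segment are constructed for illustration.

```python
import struct

SYN, RST = 0x02, 0x04
IPV4_TCP_OVERHEAD = 40  # 20-byte IPv4 header + 20-byte TCP header

def mss_for_mtu(mtu):
    """Largest TCP payload that fits in one unfragmented IPv4 packet."""
    return mtu - IPV4_TCP_OVERHEAD

def _csum_update(csum, old, new):
    """RFC 1624 incremental checksum update for one changed 16-bit word."""
    total = (~csum & 0xFFFF) + (~old & 0xFFFF) + new
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def clamp_mss(tcp, limit):
    """Return (segment, old_mss, new_mss); old/new are None if nothing matched."""
    if tcp[13] & (SYN | RST) != SYN:        # same match as --tcp-flags SYN,RST SYN
        return tcp, None, None
    end, i = min((tcp[12] >> 4) * 4, len(tcp)), 20  # header length from data offset
    while i < end and tcp[i] != 0:          # kind 0 = end of option list
        if tcp[i] == 1:                     # kind 1 = NOP, a single byte
            i += 1
            continue
        length = tcp[i + 1] if i + 1 < end else 0
        if length < 2 or i + length > end:  # malformed option: leave segment alone
            break
        if tcp[i] == 2 and length == 4:     # kind 2 = MSS, 16-bit value
            old = struct.unpack_from("!H", tcp, i + 2)[0]
            if old <= limit:
                return tcp, old, old
            out = bytearray(tcp)
            struct.pack_into("!H", out, i + 2, limit)
            csum = struct.unpack_from("!H", tcp, 16)[0]
            for off in range((i + 2) & ~1, i + 4, 2):  # aligned words covering the value
                csum = _csum_update(csum, struct.unpack_from("!H", tcp, off)[0],
                                    struct.unpack_from("!H", out, off)[0])
            struct.pack_into("!H", out, 16, csum)
            return bytes(out), old, limit
        i += length
    return tcp, None, None

# Constructed sample: SYN from port 50000 to 443 advertising MSS 1460.
# The checksum 0x1234 is a placeholder, not computed over a real pseudo-header.
SAMPLE_SYN = struct.pack("!HHIIBBHHH", 50000, 443, 1, 0, 0x60, SYN, 65535,
                         0x1234, 0) + bytes([2, 4]) + struct.pack("!H", 1460)

if __name__ == "__main__":
    seg, old, new = clamp_mss(SAMPLE_SYN, mss_for_mtu(1400))
    print(f"MSS {old} -> {new}, checksum {seg[16:18].hex()}")
```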
@Jake123456 wrote: Yes I did. That was actually the part I was missing. I had changed the mtu size before and had no change in behavior. After changing the MSS on my pfsense firewall, the issues went away finally.
This may help you.
https://www.reddit.com/r/openwrt/s/ZuW4ix2bkv
Unfortunately, there is no such setting under dd-wrt.
dd-wrt must have it.
tcp-mss is a built-in feature of iptables and nftables. I bet dd-wrt is using iptables or nftables to do the firewalling.
MTU is set on the interface itself, which should be configured through the ip suite commands.
@Cang_Household wrote: dd-wrt must have it.
tcp-mss is a built-in feature of iptables and nftables. I bet dd-wrt is using iptables or nftables to do the firewalling.
MTU is set on the interface itself, which should be configured through the ip suite commands.
Yes it does use iptables. I was poking around at the cli in the router and I found what looks like the iptables config (.ipt). This is just the very first part of that and the only thing that references MSS:
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
