From Personal Wiki

Design and Architecture

Network lifecycle

Spanning tree

STP Difference
STP Listening state
STP Comparison

Network lessons
Hello BPDU

Network lessons discussion
Timers (good explanation)

Detect rogue router/NAT

  • TTL - packets with different TTL values coming from one host
  • Routing protocol updates - RIP/OSPF
  • High port numbers
  • Many open connections/ports
  • TCP header - different window sizes, MSS
  • Different SYN packet size
  • ICMP, CDP, LLDP disabled towards the router
  • DF bit
  • OS fingerprinting (TTL, DF, TCP window, SYN size)
  • HTTP cookies + HTTP headers (OS, version, ...)

Good explanation of Tunnel and Transport mode usage

How the headers look is obvious, as is the kind of security they offer.

AH does not support NAT in either transport or tunnel mode, because the IP header is changed and the ICV is computed over the original IP header (transport mode) and also over the new one (tunnel mode).

ESP supports NAT only in tunnel mode; in transport mode I am not sure why. Probably in tunnel mode the hash is computed over the inner IP header, while in transport mode there is only one IP header, so if NAT changes it and the hash is computed over it, the integrity check fails.

Transport mode is usually used when another tunnel is used, e.g. GRE/L2TP, but NAT must not be used. It is also used inside an intra network. Probably not true, because L2TP/IPsec uses ESP transport mode also with NAT/PAT, but NAT-T must be used.

MAX MSS/MTU Tunnel Mode

Values in italics can vary according to the cipher and hash. Probably using AES-GCM would lead to not using the ICV field.

ESP Overhead for AES-256(CBC) with SHA256:

  1. New IP Header   20B
  2. ESP SPI          4B
  3. ESP SEQ          4B
  4. ESP IV          16B - AES-128/192/256 has a 128-bit block: 128/8 = 16
  5. ESP Padding     15B - 16B block, worst case 16-1 = 15 bytes of padding
  6. Padding length   1B
  7. Next header      1B
  8. ICV             16B - hash truncated to half: SHA256 128/8 = 16; exception HMAC-SHA1-96: 96/8 = 12

OVERHEAD            77B

Standard MTU (Ethernet) - 1500B

MSS = 1500 - 20(IP) - 20(TCP) - 77 = 1383B

With NAT-T, which should be used when NAT is present (so, I think, every time), subtract another 8B

MSS = 1375B (NAT-T)

MSS = 1367B (PPPoE), because the MTU is 1492B instead of 1500B

RFC 6071

RFC 2406

TODO: ADD picture [3]

L2TP over IPsec has even more overhead; the calculation is based on the IPsec numbers from the previous section.

MSS starts at 1383 + 20 = 1403 because ESP runs in transport mode, so no new IP header is added by ESP; L2TP adds it instead, which is counted below.

Additional L2TP/IPsec overhead on top of ESP transport mode (AES-256(CBC) with SHA256 from above):

  1. IP Header (New outer)   20B
  2. UDP Header (NAT-T)       8B
  3. UDP Header (L2TP)        8B
  4. L2TP Header             16B
  5. PPP Header               4B

OVERHEAD                     56B

MSS = 1403-56 = 1347

MSS = 1339 (PPPoE)

MTU = 1339 + 40(IP+TCP) = 1379 (according to the picture), applied on the L2TP interface

MikroTik L2TP/IPsec - IPsec is probably used in transport mode
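Added example (not the wiki's own code): a small Python calculator that reproduces the tunnel-mode numbers above (77B overhead, MSS 1383/1375/1367) and the L2TP/IPsec numbers (MSS 1347/1339, interface MTU 1379) from the header sizes this page counts, using the worst-case padding of block size minus one. Function names and constants are mine; the 16B L2TP and 4B PPP header sizes are taken from the list above, and HMAC-SHA1-96 (12B ICV) is included as the exception the ICV line mentions.

```python
# Added example (not from the wiki): worst-case ESP overhead and TCP MSS
# calculator reproducing the numbers above for ESP tunnel/transport mode,
# NAT-T, PPPoE and L2TP/IPsec. Header sizes are the ones this page counts.
IP_HDR, TCP_HDR, UDP_HDR = 20, 20, 8     # IPv4/TCP without options, UDP
NAT_T_UDP = 8                            # UDP/4500 encapsulation (RFC 3948)
L2TP_HDR, PPP_HDR = 16, 4                # as counted in the L2TP list above
ESP_SPI, ESP_SEQ, ESP_TRAILER = 4, 4, 2  # trailer = pad length + next header


def esp_overhead(iv_len=16, block_size=16, icv_len=16, tunnel=True, nat_t=False):
    """Worst-case bytes ESP adds to one packet (RFC 4303 layout).
    Padding is block_size - 1 (payload one byte over a block boundary).
    Defaults model AES-CBC with HMAC-SHA-256-128; icv_len=12 gives SHA1-96."""
    overhead = ESP_SPI + ESP_SEQ + iv_len + (block_size - 1) + ESP_TRAILER + icv_len
    if tunnel:
        overhead += IP_HDR       # tunnel mode adds a new outer IP header
    if nat_t:
        overhead += NAT_T_UDP    # NAT-T wraps ESP in UDP
    return overhead

def tcp_mss(link_mtu=1500, extra=0, **esp):
    """Largest TCP payload that still fits the link MTU after encapsulation."""
    return link_mtu - IP_HDR - TCP_HDR - esp_overhead(**esp) - extra

def l2tp_ipsec_mss(link_mtu=1500, nat_t=True, **esp):
    """L2TP/IPsec: ESP transport mode plus outer IP, NAT-T UDP, UDP/L2TP/PPP."""
    extra = IP_HDR + UDP_HDR + L2TP_HDR + PPP_HDR
    return tcp_mss(link_mtu, extra=extra, tunnel=False, nat_t=nat_t, **esp)

def interface_mtu(mss):
    """MTU to set on the tunnel interface for a given TCP MSS (MSS + IP + TCP)."""
    return mss + IP_HDR + TCP_HDR

def ping_payload(mtu):
    """'ping -s' size that probes exactly `mtu` with DF set (20B IP + 8B ICMP)."""
    return mtu - 28


if __name__ == "__main__":
    print("ESP tunnel overhead:", esp_overhead())                               # 77
    print("MSS plain/NAT-T/PPPoE+NAT-T:", tcp_mss(), tcp_mss(nat_t=True),
          tcp_mss(link_mtu=1492, nat_t=True))                                  # 1383 1375 1367
    print("L2TP/IPsec MSS, PPPoE MSS, iface MTU:", l2tp_ipsec_mss(),
          l2tp_ipsec_mss(1492), interface_mtu(l2tp_ipsec_mss(1492)))           # 1347 1339 1379
    print("ping -s for MTU 1406:", ping_payload(1406))                         # 1378
```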

MTU Discover

Option "-M do" means do not fragment: if the packet is too big it is not sent and a notification is shown in the terminal. Option "-s $((1406 - 28))": 1406 is the real MTU, as the ICMP (8B) + IP (20B) headers are added automatically.

 ping -M do -s $((1406 - 28)) <destination>


Supernet calculator:

IP Calculator:

IP addressing summary:


ACK PSH to router IP

Sometimes a drop of traffic leaving PPPoE with a private IP address as the destination can be seen in the FW rules. It is probably connected with a timed-out connection, where Google servers try to reach the client. In MikroTik the traffic goes from the PPPoE interface to the PPPoE interface with a private destination IP; a Google IP sends a TCP (ACK, PSH) to my router. Does anyone know why?


  • iperf - reverse mode means sending from server to client. Sometimes the window must be enlarged, and sometimes in Linux one property must be set on the interface to allow full speed. The default port is 5201; check the firewall and also the local device firewall, antimalware software can block it too. Multiple streams can boost speed.
iperf3 -s
iperf3 -c <server> -R -P 4
  • SMB
  • FTP
  • WGET - is sometimes better and reflects real speeds more closely. To overcome the disk bottleneck, do not use an HDD; use a randomly generated file (from /dev/urandom into /tmp/file) read from SSD, serve it with apache/nginx and write the download to /dev/null, then real speeds will be captured.


  • CPU
  • Network interface
  • Network transit device e.g. firewall
  • QoS
  • HDD