summaryrefslogtreecommitdiff
path: root/docs/configuration/firewall/index.rst
diff options
context:
space:
mode:
authorrebortg <github@ghlr.de>2020-11-30 20:53:36 +0100
committerrebortg <github@ghlr.de>2020-11-30 20:53:36 +0100
commit8943fc9f877cbee3301a8261ddd27b4b1f15f174 (patch)
treebb09c5f41a7683dc361517c2bde346eea36cda24 /docs/configuration/firewall/index.rst
parente33e1268f944be445b5a771df0e97e913487512f (diff)
downloadvyos-documentation-8943fc9f877cbee3301a8261ddd27b4b1f15f174.tar.gz
vyos-documentation-8943fc9f877cbee3301a8261ddd27b4b1f15f174.zip
arrange services and protocols
Diffstat (limited to 'docs/configuration/firewall/index.rst')
-rw-r--r--docs/configuration/firewall/index.rst65
1 files changed, 65 insertions, 0 deletions
diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst
index d9a3ebe3..2615774f 100644
--- a/docs/configuration/firewall/index.rst
+++ b/docs/configuration/firewall/index.rst
@@ -766,3 +766,68 @@ Example Partial Config
}
}
}
+
+
+.. _routing-mss-clamp:
+
+################
+TCP-MSS Clamping
+################
+
+As Internet wide PMTU discovery rarely works, we sometimes need to clamp
+our TCP MSS value to a specific value. This is a field in the TCP
+Options part of a SYN packet. By setting the MSS value, you are telling
+the remote side unequivocally 'do not try to send me packets bigger than
+this value'.
+
+Starting with VyOS 1.2 there is a firewall option to clamp your TCP MSS
+value for IPv4 and IPv6.
+
+
+.. note:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting
+ in 1452 bytes on a 1492 byte MTU.
+
+
+IPv4
+====
+
+.. cfgcmd:: set firewall options interface <interface> adjust-mss <number-of-bytes>
+
+ Use this command to set the maximum segment size for IPv4 transit
+ packets on a specific interface (500-1460 bytes).
+
+Example
+-------
+
+Clamp outgoing MSS value in a TCP SYN packet to `1452` for `pppoe0` and
+`1372`
+for your WireGuard `wg02` tunnel.
+
+.. code-block:: none
+
+ set firewall options interface pppoe0 adjust-mss '1452'
+ set firewall options interface wg02 adjust-mss '1372'
+
+IPv6
+====
+
+.. cfgcmd:: set firewall options interface <interface> adjust-mss6 <number-of-bytes>
+
+ Use this command to set the maximum segment size for IPv6 transit
+ packets on a specific interface (1280-1492 bytes).
+
+Example
+-------
+
+Clamp outgoing MSS value in a TCP SYN packet to `1280` for both `pppoe0` and
+`wg02` interface.
+
+.. code-block:: none
+
+ set firewall options interface pppoe0 adjust-mss6 '1280'
+ set firewall options interface wg02 adjust-mss6 '1280'
+
+
+
+.. hint:: When doing your byte calculations, you might find useful this
+ `Visual packet size calculator <https://baturin.org/tools/encapcalc/>`_.