summaryrefslogtreecommitdiff
path: root/docs/routing
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2019-06-20 12:32:08 +0200
committerChristian Poessinger <christian@poessinger.com>2019-06-20 12:47:56 +0200
commite6e0bf738df27e4b3a1640e8e17602d7624eb819 (patch)
tree71e99ba10ea2396bc618b72c347e0a3dafe06b2c /docs/routing
parent41d2d62e6948f0978f09b7350b1897168efec9f2 (diff)
downloadvyos-documentation-e6e0bf738df27e4b3a1640e8e17602d7624eb819.tar.gz
vyos-documentation-e6e0bf738df27e4b3a1640e8e17602d7624eb819.zip
mss: move chapter from firewall to routing
Diffstat (limited to 'docs/routing')
-rw-r--r--docs/routing/index.rst1
-rw-r--r--docs/routing/mss-clamp.rst39
2 files changed, 40 insertions, 0 deletions
diff --git a/docs/routing/index.rst b/docs/routing/index.rst
index cdf313ac..2f183c70 100644
--- a/docs/routing/index.rst
+++ b/docs/routing/index.rst
@@ -17,4 +17,5 @@ BGP).
pbr
rip
static
+ mss-clamp
diff --git a/docs/routing/mss-clamp.rst b/docs/routing/mss-clamp.rst
new file mode 100644
index 00000000..3ec1a025
--- /dev/null
+++ b/docs/routing/mss-clamp.rst
@@ -0,0 +1,39 @@
+.. _routing-mss-clamp:
+
+MSS Clamping
+------------
+
+As Internet wide PMTU discovery rarely works we sometimes need to clamp our TCP
+MSS value to a specific value. Starting with VyOS 1.2 there is a firewall option
+to clamp your TCP MSS value for IPv4 and IPv6.
+
+Clamping can be disabled per interface using the `disable` keywork:
+
+.. code-block:: sh
+
+ set firewall options interface pppoe0 disable
+
+IPv4
+^^^^
+
+Clamp outgoing MSS value in a TCP SYN packet to `1452` for `pppoe0` and `1372`
+for your WireGuard `wg02` tunnel.
+
+.. code-block:: sh
+
+ set firewall options interface pppoe0 adjust-mss '1452'
+ set firewall options interface wg02 adjust-mss '1372'
+
+IPv6
+^^^^^
+
+Clamp outgoing MSS value in a TCP SYN packet to `1280` for both `pppoe0` and
+`wg02` interface.
+
+To achieve the same for IPv6 please use:
+
+.. code-block:: sh
+
+ set firewall options interface pppoe0 adjust-mss6 '1280'
+ set firewall options interface wg02 adjust-mss6 '1280'
+