diff options
Diffstat (limited to 'docs/routing')
-rw-r--r-- | docs/routing/index.rst | 1 | ||||
-rw-r--r-- | docs/routing/mss-clamp.rst | 39 |
2 files changed, 40 insertions, 0 deletions
diff --git a/docs/routing/index.rst b/docs/routing/index.rst index cdf313ac..2f183c70 100644 --- a/docs/routing/index.rst +++ b/docs/routing/index.rst @@ -17,4 +17,5 @@ BGP). pbr rip static + mss-clamp diff --git a/docs/routing/mss-clamp.rst b/docs/routing/mss-clamp.rst new file mode 100644 index 00000000..3ec1a025 --- /dev/null +++ b/docs/routing/mss-clamp.rst @@ -0,0 +1,39 @@ +.. _routing-mss-clamp: + +MSS Clamping +------------ + +As Internet wide PMTU discovery rarely works we sometimes need to clamp our TCP +MSS value to a specific value. Starting with VyOS 1.2 there is a firewall option +to clamp your TCP MSS value for IPv4 and IPv6. + +Clamping can be disabled per interface using the `disable` keywork: + +.. code-block:: sh + + set firewall options interface pppoe0 disable + +IPv4 +^^^^ + +Clamp outgoing MSS value in a TCP SYN packet to `1452` for `pppoe0` and `1372` +for your WireGuard `wg02` tunnel. + +.. code-block:: sh + + set firewall options interface pppoe0 adjust-mss '1452' + set firewall options interface wg02 adjust-mss '1372' + +IPv6 +^^^^^ + +Clamp outgoing MSS value in a TCP SYN packet to `1280` for both `pppoe0` and +`wg02` interface. + +To achieve the same for IPv6 please use: + +.. code-block:: sh + + set firewall options interface pppoe0 adjust-mss6 '1280' + set firewall options interface wg02 adjust-mss6 '1280' + |