blob: a4edf1c6c4673f58044d0c3655cdf2ecc6044a96 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
|
.. _routing-mss-clamp:
TCP-MSS Clamping
----------------
As Internet wide PMTU discovery rarely works, we sometimes need to clamp
our TCP MSS value to a specific value. This is a field in the TCP
Options part of a SYN packet. By setting the MSS value, you are telling
the remote side unequivocally 'do not try to send me packets bigger than
this value'.
Starting with VyOS 1.2 there is a firewall option to clamp your TCP MSS
value for IPv4 and IPv6.
.. note:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting
in 1452 bytes on a 1492 byte MTU.
IPv4
^^^^
.. cfgcmd:: set firewall options interface <interface> adjust-mss <number-of-bytes>
Use this command to set the maximum segment size for IPv4 transit
packets on a specific interface (500-1460 bytes).
Example
"""""""
Clamp outgoing MSS value in a TCP SYN packet to `1452` for `pppoe0` and
`1372`
for your WireGuard `wg02` tunnel.
.. code-block:: none
set firewall options interface pppoe0 adjust-mss '1452'
set firewall options interface wg02 adjust-mss '1372'
IPv6
^^^^^
.. cfgcmd:: set firewall options interface <interface> adjust-mss6 <number-of-bytes>
Use this command to set the maximum segment size for IPv6 transit
packets on a specific interface (1280-1492 bytes).
Example
"""""""
Clamp outgoing MSS value in a TCP SYN packet to `1280` for both `pppoe0` and
`wg02` interface.
.. code-block:: none
set firewall options interface pppoe0 adjust-mss6 '1280'
set firewall options interface wg02 adjust-mss6 '1280'
.. hint:: When doing your byte calculations, you might find useful this
`Visual packet size calculator <https://baturin.org/tools/encapcalc/>`_.
|