MSS-Clamping: move from routing to firewall chapter

1 files changed, 37 insertions, 0 deletions

diff --git a/docs/firewall.rst b/docs/firewall.rst
index 8ab4dacf..e14cb19b 100644
--- a/docs/firewall.rst
+++ b/docs/firewall.rst
@@ -174,5 +174,42 @@ Example Partial Config
      }
   }
 
+MSS Clamping
+------------
+
+As Internet wide PMTU discovery rarely works we sometimes need to clamp our TCP
+MSS value to a specific value. Starting with VyOS 1.2 there is a firewall option
+to clamp your TCP MSS value for IPv4 and IPv6.
+
+Clamping can be disabled per interface using the `disable` keywork:
+
+.. code-block:: sh
+
+  set firewall options interface pppoe0 disable
+
+IPv4
+----
+
+Clamp outgoing MSS value in a TCP SYN packet to `1452` for `pppoe0` and `1372`
+for your WireGuard `wg02` tunnel.
+
+.. code-block:: sh
+
+  set firewall options interface pppoe0 adjust-mss '1452'
+  set firewall options interface wg02 adjust-mss '1372'
+
+IPv6
+----
+
+Clamp outgoing MSS value in a TCP SYN packet to `1280` for both `pppoe0` and
+`wg02` interface.
+
+To achieve the same for IPv6 please use:
+
+.. code-block:: sh
+
+  set firewall options interface pppoe0 adjust-mss6 '1280'
+  set firewall options interface wg02 adjust-mss6 '1280'
+
 [https://www.xfinity.com/support/internet/list-of-blocked-ports/ XFinity Blocked Port List]