author | Christian Poessinger <christian@poessinger.com> | 2020-09-17 21:47:55 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-09-17 21:47:55 +0200 |
commit | 0393c23f6e150315896a8bce49b4a15e406125fc (patch) | |
tree | 53abd773eb3d37ed70b6110f40383f3229d126ee /docs/routing/mss-clamp.rst | |
parent | a537134a550dab407fffbd7ed1082dca4a4120ae (diff) | |
parent | 96f91545fa05efedd7bfdc7a4dfceffb69362ff7 (diff) | |
download | vyos-documentation-0393c23f6e150315896a8bce49b4a15e406125fc.tar.gz vyos-documentation-0393c23f6e150315896a8bce49b4a15e406125fc.zip |
Merge pull request #332 from currite/mss-clamping
mss-clamping: remove unnecessary disable command, add directives and …
Diffstat (limited to 'docs/routing/mss-clamp.rst')
-rw-r--r-- | docs/routing/mss-clamp.rst | 47 |
1 files changed, 34 insertions, 13 deletions
diff --git a/docs/routing/mss-clamp.rst b/docs/routing/mss-clamp.rst index 923b1338..a4edf1c6 100644 --- a/docs/routing/mss-clamp.rst +++ b/docs/routing/mss-clamp.rst @@ -1,24 +1,36 @@ -.. include:: ../_include/need_improvement.txt - .. _routing-mss-clamp: TCP-MSS Clamping ---------------- -As Internet wide PMTU discovery rarely works we sometimes need to clamp our TCP -MSS value to a specific value. Starting with VyOS 1.2 there is a firewall option -to clamp your TCP MSS value for IPv4 and IPv6. +As Internet wide PMTU discovery rarely works, we sometimes need to clamp +our TCP MSS value to a specific value. This is a field in the TCP +Options part of a SYN packet. By setting the MSS value, you are telling +the remote side unequivocally 'do not try to send me packets bigger than +this value'. -Clamping can be disabled per interface using the `disable` keyword: +Starting with VyOS 1.2 there is a firewall option to clamp your TCP MSS +value for IPv4 and IPv6. -.. code-block:: none - set firewall options interface pppoe0 disable +.. note:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting + in 1452 bytes on a 1492 byte MTU. + IPv4 ^^^^ -Clamp outgoing MSS value in a TCP SYN packet to `1452` for `pppoe0` and `1372` +.. cfgcmd:: set firewall options interface <interface> adjust-mss <number-of-bytes> + + Use this command to set the maximum segment size for IPv4 transit + packets on a specific interface (500-1460 bytes). + + +Example +""""""" + +Clamp outgoing MSS value in a TCP SYN packet to `1452` for `pppoe0` and +`1372` for your WireGuard `wg02` tunnel. .. code-block:: none 
@@ -29,15 +41,24 @@ for your WireGuard `wg02` tunnel. IPv6 ^^^^^ +.. cfgcmd:: set firewall options interface <interface> adjust-mss6 <number-of-bytes> + + Use this command to set the maximum segment size for IPv6 transit + packets on a specific interface (1280-1492 bytes). + + +Example +""""""" + Clamp outgoing MSS value in a TCP SYN packet to `1280` for both `pppoe0` and `wg02` interface. -To achieve the same for IPv6 please use: - .. code-block:: none set firewall options interface pppoe0 adjust-mss6 '1280' set firewall options interface wg02 adjust-mss6 '1280' -.. note:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in 1452 - bytes on a 1492 byte MTU. + + +.. hint:: When doing your byte calculations, you might find useful this + `Visual packet size calculator <https://baturin.org/tools/encapcalc/>`_. |
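Review bot: In the first hunk (@@ -1,24 +1,36 @@), the relocated note "MSS value = MTU - 20 (IP header) - 20 (TCP header)" now sits above the IPv4 heading and so reads as applying to both address families, but the arithmetic is IPv4-only: the fixed IPv6 header is 40 bytes, so the IPv6 equivalent is MTU - 40 - 20. Either keep the note under the IPv4 section or extend it with the IPv6 case, otherwise a reader will derive an adjust-mss6 value that is 20 bytes too large for the link. Separately, the hunk drops the `set firewall options interface pppoe0 disable` example with no replacement text; if the keyword no longer exists, a short sentence saying that clamping is only active on interfaces where adjust-mss is set would make the removal self-explanatory.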
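Review bot: In the second hunk (@@ -29,15 +41,24 @@), the range given for adjust-mss6, "(1280-1492 bytes)", does not line up with the IPv4 range of 500-1460 in the hunk above: 1460 is 1500 - 40, while an IPv6 MSS of 1492 would need a link MTU of 1552, and the figures 1280 and 1492 look like MTU values rather than MSS values. Please confirm the bounds against what the CLI actually accepts and state whether they are segment sizes or MTUs. The example also clamps to 1280 without saying how that number was chosen, so a line of explanation there would help. Minor wording point in the closing hint: "you might find useful this" reads better as "you might find this `Visual packet size calculator` useful".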