Diffstat (limited to 'docs')

  -rw-r--r--  docs/firewall.rst | 37
  -rw-r--r--  docs/routing.rst  | 42

2 files changed, 71 insertions, 8 deletions
| diff --git a/docs/firewall.rst b/docs/firewall.rst index 8ab4dacf..e14cb19b 100644 --- a/docs/firewall.rst +++ b/docs/firewall.rst @@ -174,5 +174,42 @@ Example Partial Config       }    } +MSS Clamping +------------ + +As Internet wide PMTU discovery rarely works we sometimes need to clamp our TCP +MSS value to a specific value. Starting with VyOS 1.2 there is a firewall option +to clamp your TCP MSS value for IPv4 and IPv6. + +Clamping can be disabled per interface using the `disable` keywork: + +.. code-block:: sh + +  set firewall options interface pppoe0 disable + +IPv4 +---- + +Clamp outgoing MSS value in a TCP SYN packet to `1452` for `pppoe0` and `1372` +for your WireGuard `wg02` tunnel. + +.. code-block:: sh + +  set firewall options interface pppoe0 adjust-mss '1452' +  set firewall options interface wg02 adjust-mss '1372' + +IPv6 +---- + +Clamp outgoing MSS value in a TCP SYN packet to `1280` for both `pppoe0` and +`wg02` interface. + +To achieve the same for IPv6 please use: + +.. code-block:: sh + +  set firewall options interface pppoe0 adjust-mss6 '1280' +  set firewall options interface wg02 adjust-mss6 '1280' +  [https://www.xfinity.com/support/internet/list-of-blocked-ports/ XFinity Blocked Port List] diff --git a/docs/routing.rst b/docs/routing.rst index 43a1d0d9..b4144969 100644 --- a/docs/routing.rst +++ b/docs/routing.rst @@ -281,7 +281,7 @@ display arp table entries  .. code-block:: sh -  show protocols static arp  +  show protocols static arp    Address                  HWtype  HWaddress           Flags Mask            Iface    10.1.1.1                 ether   08:00:27:de:23:2e   C                     eth1 
@@ -331,15 +331,41 @@ we use:    set interfaces ethernet eth1 policy route FILTER-WEB -The route policy functionality in VyOS can also be used to rewrite TCP MSS -using the set policy route <name> rule <rule> `set tcp-mss <value>` directive, -modify DSCP value using `set dscp <value>`, or mark the traffic with an -internal ID using `set mark <value>` for further processing (e.g. QOS) on a -per-rule basis for matching traffic. +MSS Clamping +============ -In addition to 5-tuple matching, additional options such as time-based rules, -are available. See the built-in help for a complete list of options. +As Internet wide PMTU discovery rarely works we sometimes need to clamp our TCP +MSS value to a specific value. Starting with VyOS 1.2 there is a firewall option +to clamp your TCP MSS value for IPv4 and IPv6. +Clamping can be disabled per interface using the `disable` keywork: +.. code-block:: sh + +  set firewall options interface pppoe0 disable + +IPv4 +---- + +Clamp outgoing MSS value in a TCP SYN packet to `1452` for `pppoe0` and `1372` +for your WireGuard `wg02` tunnel. + +.. code-block:: sh + +  set firewall options interface pppoe0 adjust-mss '1452' +  set firewall options interface wg02 adjust-mss '1372' + +IPv6 +---- + +Clamp outgoing MSS value in a TCP SYN packet to `1280` for both `pppoe0` and +`wg02` interface. + +To achieve the same for IPv6 please use: + +.. code-block:: sh + +  set firewall options interface pppoe0 adjust-mss6 '1280' +  set firewall options interface wg02 adjust-mss6 '1280'  .. _ARP: https://en.wikipedia.org/wiki/Address_Resolution_Protocol | 
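Review bot: in the docs/firewall.rst hunk the new `IPv4` and `IPv6` headings use the same `----` underline as `MSS Clamping`, so reStructuredText renders them as siblings of that heading rather than as its subsections; give the two a lower-level adornment (for example `^^^^`), the way the routing.rst copy of the same text already nests them under a `====` heading. Also fix the typo `keywork` (should be `keyword`) and put the literal keyword and values in double backticks (``disable``, ``1452``), since single backticks are interpreted text in reST and do not render as literals. The clamp values `1452`, `1372` and `1280` are given without saying how they relate to the link MTU; one sentence stating that the MSS is the interface MTU minus the IP and TCP header sizes would let readers derive the right value for their own interface instead of copying these. Finally, the IPv6 code block is now immediately followed by the pre-existing MediaWiki-style line `[https://www.xfinity.com/support/internet/list-of-blocked-ports/ XFinity Blocked Port List]`, which is left stranded below the new section; either insert the section above that line or convert the link to reST syntax.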
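Review bot: the first docs/routing.rst hunk (@@ -281,7 +281,7 @@) only strips trailing whitespace from the `show protocols static arp` line and has nothing to do with MSS clamping; it is harmless, but a whitespace-only change like this reads better as its own commit so the MSS documentation change stays self-contained.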
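Review bot: in the second docs/routing.rst hunk (@@ -331,15 +331,41 @@) there is no blank line between `to clamp your TCP MSS value for IPv4 and IPv6.`, `Clamping can be disabled per interface using the `disable` keywork:` and `.. code-block:: sh`, so reST will treat the directive line as a continuation of the paragraph and the `set firewall options interface pppoe0 disable` command will not render as a code block; add the blank lines the firewall.rst copy of this text already has, and fix `keywork` to `keyword` here too. The hunk also deletes the paragraphs describing the policy route `set tcp-mss <value>`, `set dscp <value>` and `set mark <value>` actions and the sentence about time-based rules, and nothing else in this diff documents them, so that coverage is lost; keep those paragraphs, since the per-rule policy route `set tcp-mss` and the per-interface `firewall options ... adjust-mss` added here are two different mechanisms and the text should say which one applies when. Lastly, the MSS Clamping section is added verbatim to both docs/firewall.rst and docs/routing.rst; keeping it in one file and pointing to it with a `:ref:` label from the other avoids two copies drifting apart.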
