vyos/vyos-documentation
1
0
Fork 0
mirror of https://github.com/vyos/vyos-documentation.git synced 2025-10-26 08:41:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #332 from currite/mss-clamping

Browse Source 
mss-clamping: remove unnecessary disable commnad, add directives and …
This commit is contained in:
Christian Poessinger 2020-09-17 21:47:55 +02:00 committed by GitHub
commit 0393c23f6e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 34 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
docs/routing/mss-clamp.rst
View File

@ -1,24 +1,36 @@
.. include:: ../_include/need_improvement.txt
.. _routing-mss-clamp: .. _routing-mss-clamp:
TCP-MSS Clamping TCP-MSS Clamping
---------------- ----------------
As Internet wide PMTU discovery rarely works we sometimes need to clamp our TCP As Internet wide PMTU discovery rarely works, we sometimes need to clamp
MSS value to a specific value. Starting with VyOS 1.2 there is a firewall option our TCP MSS value to a specific value. This is a field in the TCP
to clamp your TCP MSS value for IPv4 and IPv6. Options part of a SYN packet. By setting the MSS value, you are telling
the remote side unequivocally 'do not try to send me packets bigger than
this value'.
Clamping can be disabled per interface using the `disable` keyword: Starting with VyOS 1.2 there is a firewall option to clamp your TCP MSS
value for IPv4 and IPv6.
.. code-block:: none
set firewall options interface pppoe0 disable .. note:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting
in 1452 bytes on a 1492 byte MTU.
IPv4 IPv4
^^^^ ^^^^
Clamp outgoing MSS value in a TCP SYN packet to `1452` for `pppoe0` and `1372` .. cfgcmd:: set firewall options interface <interface> adjust-mss <number-of-bytes>
Use this command to set the maximum segment size for IPv4 transit
packets on a specific interface (500-1460 bytes).
Example
"""""""
Clamp outgoing MSS value in a TCP SYN packet to `1452` for `pppoe0` and
`1372`
for your WireGuard `wg02` tunnel. for your WireGuard `wg02` tunnel.
.. code-block:: none .. code-block:: none
@ -29,15 +41,24 @@ for your WireGuard `wg02` tunnel.
IPv6 IPv6
^^^^^ ^^^^^
.. cfgcmd:: set firewall options interface <interface> adjust-mss6 <number-of-bytes>
Use this command to set the maximum segment size for IPv6 transit
packets on a specific interface (1280-1492 bytes).
Example
"""""""
Clamp outgoing MSS value in a TCP SYN packet to `1280` for both `pppoe0` and Clamp outgoing MSS value in a TCP SYN packet to `1280` for both `pppoe0` and
`wg02` interface. `wg02` interface.
To achieve the same for IPv6 please use:
.. code-block:: none .. code-block:: none
set firewall options interface pppoe0 adjust-mss6 '1280' set firewall options interface pppoe0 adjust-mss6 '1280'
set firewall options interface wg02 adjust-mss6 '1280' set firewall options interface wg02 adjust-mss6 '1280'
.. note:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in 1452
bytes on a 1492 byte MTU.
.. hint:: When doing your byte calculations, you might find useful this
`Visual packet size calculator <https://baturin.org/tools/encapcalc/>`_.