MSS-Clamping: move from routing to firewall chapter

2025-11-02 20:02:05 +01:00 · 2019-04-21 21:03:40 +02:00 · 2019-04-21 21:03:40 +02:00 · b7059fb391
commit b7059fb391
parent db9afbc174
2 changed files with 71 additions and 8 deletions
--- a/docs/firewall.rst
+++ b/docs/firewall.rst
@ -174,5 +174,42 @@ Example Partial Config
     }
  }

+MSS Clamping
+------------
+
+As Internet wide PMTU discovery rarely works we sometimes need to clamp our TCP
+MSS value to a specific value. Starting with VyOS 1.2 there is a firewall option
+to clamp your TCP MSS value for IPv4 and IPv6.
+
+Clamping can be disabled per interface using the `disable` keywork:
+
+.. code-block:: sh
+
+  set firewall options interface pppoe0 disable
+
+IPv4
+----
+
+Clamp outgoing MSS value in a TCP SYN packet to `1452` for `pppoe0` and `1372`
+for your WireGuard `wg02` tunnel.
+
+.. code-block:: sh
+
+  set firewall options interface pppoe0 adjust-mss '1452'
+  set firewall options interface wg02 adjust-mss '1372'
+
+IPv6
+----
+
+Clamp outgoing MSS value in a TCP SYN packet to `1280` for both `pppoe0` and
+`wg02` interface.
+
+To achieve the same for IPv6 please use:
+
+.. code-block:: sh
+
+  set firewall options interface pppoe0 adjust-mss6 '1280'
+  set firewall options interface wg02 adjust-mss6 '1280'
+
 [https://www.xfinity.com/support/internet/list-of-blocked-ports/ XFinity Blocked Port List]

--- a/docs/routing.rst
+++ b/docs/routing.rst
@ -281,7 +281,7 @@ display arp table entries

 .. code-block:: sh

-  show protocols static arp 
+  show protocols static arp

  Address                  HWtype  HWaddress           Flags Mask            Iface
  10.1.1.1                 ether   08:00:27:de:23:2e   C                     eth1
@ -331,15 +331,41 @@ we use:

  set interfaces ethernet eth1 policy route FILTER-WEB

-The route policy functionality in VyOS can also be used to rewrite TCP MSS
-using the set policy route <name> rule <rule> `set tcp-mss <value>` directive,
-modify DSCP value using `set dscp <value>`, or mark the traffic with an
-internal ID using `set mark <value>` for further processing (e.g. QOS) on a
-per-rule basis for matching traffic.
+MSS Clamping
+============

-In addition to 5-tuple matching, additional options such as time-based rules,
-are available. See the built-in help for a complete list of options.
+As Internet wide PMTU discovery rarely works we sometimes need to clamp our TCP
+MSS value to a specific value. Starting with VyOS 1.2 there is a firewall option
+to clamp your TCP MSS value for IPv4 and IPv6.

+Clamping can be disabled per interface using the `disable` keywork:

+.. code-block:: sh
+
+  set firewall options interface pppoe0 disable
+
+IPv4
+----
+
+Clamp outgoing MSS value in a TCP SYN packet to `1452` for `pppoe0` and `1372`
+for your WireGuard `wg02` tunnel.
+
+.. code-block:: sh
+
+  set firewall options interface pppoe0 adjust-mss '1452'
+  set firewall options interface wg02 adjust-mss '1372'
+
+IPv6
+----
+
+Clamp outgoing MSS value in a TCP SYN packet to `1280` for both `pppoe0` and
+`wg02` interface.
+
+To achieve the same for IPv6 please use:
+
+.. code-block:: sh
+
+  set firewall options interface pppoe0 adjust-mss6 '1280'
+  set firewall options interface wg02 adjust-mss6 '1280'

 .. _ARP: https://en.wikipedia.org/wiki/Address_Resolution_Protocol