Page MenuHomeVyOS Platform
Create Task
Maniphest T50

Better support for tcp-mss
Closed, DuplicatePublicENHANCEMENT
Actions

Description

I have VyOS-1.1.7 router with ipsec tunnel(s) and vlan(s) and I have problem with forwarding bigger packets (well-known mtu/tcp-mss problem).

I need to setup tcp-mss option for connections incoming from ipsec tunnel and outgoing to vlan.

I tried that:

set policy route mss rule 5 protocol 'tcp'
set policy route mss rule 5 set tcp-mss '1366'
set policy route mss rule 5 tcp flags 'SYN'
set interfaces ethernet eth0 vif 10 policy route 'mss'

It works, but only in one direction (vlan -> ipsec). I checked iptables rules and found that:

Chain VYATTA_FW_IN_HOOK (1 references)
pkts bytes target     prot opt in     out     source               destination         
273K  501M mss        all  --  eth0.10 *       0.0.0.0/0            0.0.0.0/0

I checked manually added iptable rules: similar with "-o eth0.10" instead of "-i eth0.10" works, rule added to filter/FORWARD chain also works.

It is impossible to add policy to vti interface, it is impossible to add policy for ethernet/vlan interface for outgoing traffic.

Details

Version
1.1.7
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

Kielek created this task.Apr 20 2016, 9:37 AM
syncer assigned this task to c-po.Jun 10 2018, 4:27 AM
syncer added a project: VyOS 1.2 Crux.
syncer subscribed.

We may want to extend this

pasik subscribed.Oct 1 2018, 9:51 AM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc4); removed VyOS 1.2 Crux.Oct 13 2018, 10:09 AM
syncer reassigned this task from c-po to dmbaturin.Oct 20 2018, 4:33 AM
syncer added a subscriber: c-po.
syncer changed the subtype of this task from "Task" to "Enhancement".Oct 20 2018, 4:49 AM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc5); removed VyOS 1.2 Crux (VyOS 1.2.0-rc4).Oct 24 2018, 4:40 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc6); removed VyOS 1.2 Crux (VyOS 1.2.0-rc5).Oct 29 2018, 6:16 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc7); removed VyOS 1.2 Crux (VyOS 1.2.0-rc6).Nov 6 2018, 12:57 AM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc8); removed VyOS 1.2 Crux (VyOS 1.2.0-rc7).Nov 13 2018, 3:48 AM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc9); removed VyOS 1.2 Crux (VyOS 1.2.0-rc8).Nov 20 2018, 12:44 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc10); removed VyOS 1.2 Crux (VyOS 1.2.0-rc9).Nov 27 2018, 12:03 AM
trystan subscribed.Nov 30 2018, 6:19 PM

Would also like to see this available for Wireguard interfaces as I'm hitting this when using PBR/NATing.

syncer edited projects, added VyOS 1.2 Crux ( VyOS 1.2.0-rc11); removed VyOS 1.2 Crux (VyOS 1.2.0-rc10).Dec 5 2018, 11:58 PM
dmbaturin added a comment.Dec 16 2018, 4:45 PM

If we are planning firewall overhaul, the old design issues should not get in the way. It's planned for 1.3 though

dmbaturin edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux ( VyOS 1.2.0-rc11).Dec 16 2018, 4:45 PM
dmbaturin edited a custom field.
c-po closed this task as a duplicate of T314: Unable to apply MSS Clamp with VyOS configuration.Apr 23 2019, 10:47 AM
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.Nov 12 2019, 9:19 PM
erkin set Is it a breaking change? to Unspecified (possibly destroys the router).Sep 1 2021, 10:56 AM
erkin set Issue type to improvement.
dmbaturin edited projects, added VyOS 1.3 Equuleus (1.3.0-epa1); removed VyOS 1.3 Equuleus.Sep 10 2021, 5:56 AM
dmbaturin set Issue type to Feature (new functionality).Fri, Nov 8, 10:50 AM