
Better support for tcp-mss
Closed, Duplicate | Public | ENHANCEMENT


I have a VyOS-1.1.7 router with ipsec tunnel(s) and vlan(s), and I have a problem with forwarding bigger packets (the well-known mtu/tcp-mss problem).

I need to set up the tcp-mss option for connections incoming from the ipsec tunnel and outgoing to the vlan.

I tried this:

set policy route mss rule 5 protocol 'tcp'
set policy route mss rule 5 set tcp-mss '1366'
set policy route mss rule 5 tcp flags 'SYN'
set interfaces ethernet eth0 vif 10 policy route 'mss'

It works, but only in one direction (vlan -> ipsec). I checked the iptables rules and found this:

Chain VYATTA_FW_IN_HOOK (1 references)
pkts bytes target     prot opt in     out     source               destination         
273K  501M mss        all  --  eth0.10 *  

I checked manually added iptables rules: a similar rule with "-o eth0.10" instead of "-i eth0.10" works, and a rule added to the filter/FORWARD chain also works.

It is impossible to add a policy to a vti interface, and it is impossible to add a policy to an ethernet/vlan interface for outgoing traffic.
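The one-directional hook the report describes, as an added example (not from this task or from VyOS itself): a small Python check that parses an iptables chain listing like the one above, reports which direction of eth0.10 the mss policy chain covers, and builds the equivalent manual mangle-table TCPMSS rules for both directions. The listing is a constructed sample modelled on the report, and the function and chain names are assumptions.

```python
# Constructed sample of `iptables -L VYATTA_FW_IN_HOOK -v -n` output,
# modelled on the listing in the report (not captured from a real router).
SAMPLE_LISTING = """Chain VYATTA_FW_IN_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination
 273K  501M mss        all  --  eth0.10 *       0.0.0.0/0            0.0.0.0/0
"""


def parse_hooks(listing):
    """Return [(target, in_if, out_if)] for each rule line of a verbose chain listing."""
    rules = []
    for line in listing.splitlines():
        parts = line.split()
        # Skip the chain header, the column header and blank lines.
        if len(parts) < 7 or parts[0] in ("Chain", "pkts"):
            continue
        _pkts, _bytes, target, _prot, _opt, in_if, out_if = parts[:7]
        rules.append((target, in_if, out_if))
    return rules


def mss_coverage(listing, policy="mss", iface="eth0.10"):
    """Report whether the policy chain is hooked on traffic entering and/or leaving iface.

    The report shows the policy hooked with in=eth0.10 and out=*, so only packets
    entering from the VLAN are clamped; replies leaving towards the VLAN are not.
    """
    coverage = {"in": False, "out": False}
    for target, in_if, out_if in parse_hooks(listing):
        if target != policy:
            continue
        if in_if == iface:
            coverage["in"] = True
        if out_if == iface:
            coverage["out"] = True
    return coverage


def clamp_rules(iface, mss, chain="FORWARD"):
    """Manual iptables TCPMSS rules covering both directions (the workaround the report tested)."""
    template = ("iptables -t mangle -A {chain} {direction} {iface} -p tcp "
                "--tcp-flags SYN,RST SYN -j TCPMSS --set-mss {mss}")
    return [template.format(chain=chain, direction=d, iface=iface, mss=mss)
            for d in ("-i", "-o")]


if __name__ == "__main__":
    print(mss_coverage(SAMPLE_LISTING))
    print("\n".join(clamp_rules("eth0.10", 1366)))
```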


Difficulty level
Easy (less than an hour)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Improvement (missing useful functionality)

Event Timeline

syncer added a project: VyOS 1.2 Crux.
syncer added a subscriber: syncer.

We may want to extend this

syncer added a subscriber: c-po.
syncer changed the subtype of this task from "Task" to "Enhancement". Oct 20 2018, 4:49 AM

Would also like to see this available for Wireguard interfaces as I'm hitting this when using PBR/NATing.

If we are planning a firewall overhaul, the old design issues should not get in the way. It's planned for 1.3 though.

dmbaturin set Why the issue appeared? to Will be filled on close.
erkin set Is it a breaking change? to Unspecified (possibly destroys the router). Sep 1 2021, 10:56 AM
erkin set Issue type to Improvement (missing useful functionality).