Adjust-mss not working on trunks?

Hi,

I have 2 sites and a VyOS router running on VMware ESXi on each side. The task was to connect the local networks on both sides. I connected the 2 sites with a GRE-Bridge over an IPsec tunnel. The tunnel is working fine. When I bridge the tunnel and eth1, through which untagged traffic goes, adjust-mss is working fine and sites load fine. But when I connect eth1 to a trunk port with a dozen VLANs inside, adjust-mss is not working.

Is this the correct behavior?

@Serj1988 Can you provide a network map with IP addressing and the configuration of each router?

show configuration commands

Of course you can replace addresses and other private information.
This is so I can reproduce it in a test lab.

@Viacheslav
The config is almost the same on both sides (only the public IPs differ). Routemap is very simple:

S>* Y.Y.Y.Y/32 [1/0] via GW of , eth0, 1d05h20m
C>* Z.Z.Z.Z/28 is directly connected, eth0, 1d05h20m

firewall {
   all-ping enable
   broadcast-ping disable
   config-trap disable
   ipv6-receive-redirects disable
   ipv6-src-route disable
   ip-src-route disable
   log-martians enable
   options {
       interface br0 {
           adjust-mss 1356
       }
   }
   receive-redirects disable
   send-redirects enable
   source-validation disable
   syn-cookies enable
   twa-hazards-protection disable
}
interfaces {
   bridge br0 {
       member {
           interface eth1 {
           }
           interface tun0 {
           }
       }
   }
   ethernet eth0 {
       address dhcp
       hw-id 00:0c:29:fc:15:21
   }
   ethernet eth1 {
       hw-id 00:0c:29:fc:15:7a
   }
   loopback lo {
   }
   tunnel tun0 {
       encapsulation gre-bridge
       local-ip X.X.X.X
       remote-ip Y.Y.Y.Y
   }
}
protocols {
   static {
   }
}
service {
   ssh {
   }
}
system {
   config-management {
       commit-revisions 100
   }
   console {
       device ttyS0 {
           speed 115200
       }
   }
   host-name vyos
   login {
       user vyos {
           authentication {
               encrypted-password ****************
               plaintext-password ****************
           }
       }
   }
   ntp {
       server server1 {
       }
       server server2 {
       }
       server server3 {
       }
   }
   syslog {
       global {
           facility all {
               level info
           }
           facility protocols {
               level debug
           }
       }
   }
}
vpn {
   ipsec {
       esp-group remoteTest {
           compression disable
           lifetime 1800
           mode tunnel
           pfs enable
           proposal 1 {
               encryption aes256
               hash sha256
           }
       }
       ike-group remoteTest {
           close-action none
           ikev2-reauth no
           key-exchange ikev1
           lifetime 3600
           proposal 1 {
               dh-group 2
               encryption aes256
               hash sha256
           }
       }
       ipsec-interfaces {
           interface eth0
       }
       site-to-site {
           peer Y.Y.Y.Y {
               authentication {
                   mode pre-shared-secret
                   pre-shared-secret ****************
               }
               connection-type initiate
               default-esp-group remoteTest
               ike-group remoteTest
               ikev2-reauth inherit
               local-address X.X.X.X
               tunnel 0 {
                   allow-nat-networks disable
                   allow-public-networks disable
                   protocol gre
               }
           }
       }
   }
}

In my understanding, iptables by default works with untagged packets, thus it won't filter anything I or the VyOS scripts put there.

http://ebtables.netfilter.org/documentation/bridge-nf.html

Enabled 802.1Q tag support for iptables:

echo 1 > /proc/sys/net/bridge/bridge-nf-filter-vlan-tagged

Now everything is working fine.

Added to /config/scripts/vyos-postconfig-boot.script

/usr/bin/echo 1 > /proc/sys/net/bridge/bridge-nf-filter-vlan-tagged

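To make the point of the previous post concrete, here is an added example (not code from the thread, from VyOS, or from the kernel): a small user-space model of a bridge filter that clamps the MSS of TCP SYNs, run once as a filter that only parses untagged Ethernet frames and once as one that also looks past an 802.1Q tag. With an untagged frame both variants rewrite the MSS; with a tagged frame the untagged-only variant never even finds the IP header, so the SYN leaves the bridge with the original MSS, which is the symptom reported on the trunk port. The `vlan_aware` flag stands in for `bridge-nf-filter-vlan-tagged`; the frames, MAC and IP addresses are constructed here, and 1356 is the adjust-mss value from the posted config.

```python
"""Added example (not from the thread or VyOS): why a filter that only parses
untagged frames never clamps the MSS of 802.1Q-tagged TCP SYNs crossing a
bridge.  All frames and addresses below are constructed for the demo."""
import struct
from typing import Dict, Optional, Tuple

ETH_LEN, VLAN_TAG_LEN = 14, 4
ETHERTYPE_IPV4, ETHERTYPE_8021Q = 0x0800, 0x8100
TCP_OPT_MSS, IPPROTO_TCP = 2, 6

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum (used for both the IPv4 and TCP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_syn(mss: int, vlan_id: Optional[int]) -> bytes:
    """Constructed Ethernet [+ 802.1Q tag] + IPv4 + TCP SYN carrying an MSS option."""
    src, dst = bytes([192, 168, 10, 5]), bytes([192, 168, 20, 7])  # assumed addresses
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    tcp += struct.pack("!BBH", TCP_OPT_MSS, 4, mss)                # data offset = 6 words
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("000c29000001") + bytes.fromhex("000c29000002")  # assumed MACs
    if vlan_id is not None:
        eth += struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)     # TCI with PCP 0, DEI 0
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp

def ip_offset(frame: bytes, vlan_aware: bool) -> Optional[int]:
    """Offset of the IPv4 header, or None when this filter does not look past a VLAN tag
    (vlan_aware=False models bridge-nf-filter-vlan-tagged=0: tagged frames skip the rules)."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == ETHERTYPE_IPV4:
        return ETH_LEN
    if ethertype == ETHERTYPE_8021Q and vlan_aware:
        if struct.unpack_from("!H", frame, ETH_LEN + 2)[0] == ETHERTYPE_IPV4:
            return ETH_LEN + VLAN_TAG_LEN
    return None

def tcp_bounds(frame: bytes, ip_off: int) -> Tuple[int, int, int]:
    """(tcp_off, tcp_len, end of TCP options) for the segment behind the IPv4 header at ip_off."""
    ihl = (frame[ip_off] & 0x0F) * 4
    tcp_off = ip_off + ihl
    tcp_len = struct.unpack_from("!H", frame, ip_off + 2)[0] - ihl
    return tcp_off, tcp_len, tcp_off + (frame[tcp_off + 12] >> 4) * 4

def tcp_checksum(frame: bytes, ip_off: int) -> int:
    """Checksum over the TCP pseudo-header plus the segment exactly as it sits in the frame."""
    tcp_off, tcp_len, _ = tcp_bounds(frame, ip_off)
    pseudo = frame[ip_off + 12:ip_off + 20] + struct.pack("!BBH", 0, IPPROTO_TCP, tcp_len)
    return inet_checksum(pseudo + frame[tcp_off:tcp_off + tcp_len])

def mss_option_offset(frame: bytes, ip_off: int) -> Optional[int]:
    """Walk the TCP options; return the offset of the 2-byte MSS value, if present."""
    tcp_off, _, opts_end = tcp_bounds(frame, ip_off)
    i = tcp_off + 20
    while i < opts_end and frame[i] != 0:      # kind 0 = end of option list
        if frame[i] == 1:                      # kind 1 = NOP padding
            i += 1
            continue
        if frame[i] == TCP_OPT_MSS and frame[i + 1] == 4:
            return i + 2
        i += frame[i + 1]
    return None

def clamp_mss(frame: bytes, clamp_to: int, vlan_aware: bool) -> Tuple[bytes, bool]:
    """Lower a SYN's MSS option to clamp_to and fix the TCP checksum, the way a
    TCPMSS --set-mss rule would once netfilter actually sees the packet."""
    ip_off = ip_offset(frame, vlan_aware)
    if ip_off is None or frame[ip_off + 9] != IPPROTO_TCP:
        return frame, False
    tcp_off, _, _ = tcp_bounds(frame, ip_off)
    if not frame[tcp_off + 13] & 0x02:         # only SYN segments carry MSS
        return frame, False
    mss_off = mss_option_offset(frame, ip_off)
    if mss_off is None or struct.unpack_from("!H", frame, mss_off)[0] <= clamp_to:
        return frame, False
    buf = bytearray(frame)
    struct.pack_into("!H", buf, mss_off, clamp_to)
    buf[tcp_off + 16:tcp_off + 18] = b"\x00\x00"   # checksum field is zero while recomputing
    struct.pack_into("!H", buf, tcp_off + 16, tcp_checksum(bytes(buf), ip_off))
    return bytes(buf), True

def read_mss(frame: bytes) -> Optional[int]:
    """VLAN-aware reader: the MSS the far end of the tunnel would see."""
    ip_off = ip_offset(frame, vlan_aware=True)
    off = mss_option_offset(frame, ip_off) if ip_off is not None else None
    return struct.unpack_from("!H", frame, off)[0] if off is not None else None

def tcp_checksum_ok(frame: bytes) -> bool:
    """With a correct checksum in place, the sum over pseudo-header + segment is 0."""
    return tcp_checksum(frame, ip_offset(frame, vlan_aware=True)) == 0

def demo() -> Dict[Tuple[str, bool], Tuple[Optional[int], bool, bool]]:
    """(frame kind, vlan_aware) -> (MSS seen by the peer, rewritten?, checksum valid?)."""
    results = {}
    for label, vid in (("untagged", None), ("vlan100", 100)):
        frame = build_syn(1460, vid)
        for vlan_aware in (False, True):
            out, changed = clamp_mss(frame, 1356, vlan_aware)
            results[(label, vlan_aware)] = (read_mss(out), changed, tcp_checksum_ok(out))
    return results
```

Running `demo()` gives `(1356, True, True)` for every combination except `("vlan100", False)`, which returns `(1460, False, True)`: the tagged SYN passes through untouched with its original MSS, exactly because the filter stopped at the 0x8100 ethertype and never reached the TCP options. Setting the sysctl is what turns the real kernel from the `False` row into the `True` row.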

You could also add

set system sysctl custom net.bridge.bridge-nf-filter-vlan-tagged value 1

if you want to keep that setting readable in your config (and more portable for the future).

