How to configure tcp-mss with ipsec and vlan

Hi,

I have a VyOS router with IPsec tunnel(s) and VLAN(s), and I have a problem with forwarding bigger packets (the well-known MTU/TCP MSS problem).

I need to set up the tcp-mss option for connections coming in from the IPsec tunnel and going out to the VLAN.

I tried this:

set policy route mss rule 5 protocol 'tcp'
set policy route mss rule 5 set tcp-mss '1366'
set policy route mss rule 5 tcp flags 'SYN'
set interfaces ethernet eth0 vif 10 policy route 'mss'

It works, but only in the opposite direction (VLAN -> IPsec). I checked the iptables rules and found this:

Chain VYATTA_FW_IN_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 273K  501M mss        all  --  eth0.10 *       0.0.0.0/0            0.0.0.0/0

I checked manually added iptables rules: a similar one with “-o eth0.10” instead of “-i eth0.10” works, and a rule added to the filter/FORWARD chain also works.

How do I configure that using the standard VyOS CLI? I cannot attach a route policy to a vti, and I cannot set tcp-mss in an access-list policy.

I know the solution with a raw iptables call from /config/scripts/vyatta-postconfig-bootup.script, but it’s an ugly hack: another file to back up, invisible in “show conf”. I don’t want to use it.

Best regards,
Kiełek

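The diagnostic step in the post (reading the hook chain to see which direction the policy-route chain is attached in) can be automated. The following is an added example, not code from the original post or from VyOS: it parses the output of `iptables -t mangle -L -v -n` and reports, for a given jump target, which interfaces it is attached to as ingress (the `in` column, i.e. `-i`) and egress (the `out` column, i.e. `-o`). The sample listing is constructed: it reproduces the single ingress hook shown in the post and adds a hypothetical egress hook (chain `VYATTA_FW_OUT_HOOK`, target `mss_out`, interface `eth1`) so that both directions are exercised.

```python
"""Report in which direction(s) a policy-route chain is hooked in iptables.

Added example, not part of the original post. Input is the text of
`iptables -t mangle -L -v -n`, whose rule rows have the columns
  pkts bytes target prot opt in out source destination
An interface that is not matched is shown as "*" in the in/out column.
"""
import re
from collections import defaultdict

# Constructed sample: the ingress hook from the post plus a hypothetical
# egress hook (VYATTA_FW_OUT_HOOK / mss_out / eth1) that is NOT on the page.
SAMPLE_LISTING = """\
Chain VYATTA_FW_IN_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination
 273K  501M mss        all  --  eth0.10 *       0.0.0.0/0            0.0.0.0/0

Chain VYATTA_FW_OUT_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 mss_out    all  --  *       eth1    0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) ")


def parse_hooks(listing):
    """Return {target: {"in": {ifaces}, "out": {ifaces}}} over every rule row."""
    hooks = defaultdict(lambda: {"in": set(), "out": set()})
    in_chain = False
    for line in listing.splitlines():
        if CHAIN_RE.match(line):
            in_chain = True          # "Chain NAME (...)" header
            continue
        if not line.strip():
            in_chain = False         # blank line ends the chain's rule list
            continue
        if not in_chain or line.lstrip().startswith("pkts"):
            continue                 # column header row
        cols = line.split()
        if len(cols) < 9:
            continue                 # not a rule row we understand
        target, iface_in, iface_out = cols[2], cols[5], cols[6]
        if iface_in != "*":
            hooks[target]["in"].add(iface_in)
        if iface_out != "*":
            hooks[target]["out"].add(iface_out)
    return hooks


def clamp_directions(listing, target, iface):
    """Directions ({"in"}, {"out"}, both or empty) in which `target` is hooked on `iface`."""
    h = parse_hooks(listing).get(target, {"in": set(), "out": set()})
    dirs = set()
    if iface in h["in"]:
        dirs.add("in")
    if iface in h["out"]:
        dirs.add("out")
    return dirs


if __name__ == "__main__":
    # The chain from the post: attached as ingress on eth0.10 only, which is
    # why the clamp acts on VLAN -> IPsec traffic and not the reverse.
    for target, iface in (("mss", "eth0.10"), ("mss_out", "eth1"), ("mss", "vti0")):
        print(target, iface, sorted(clamp_directions(SAMPLE_LISTING, target, iface)))
```

An empty result for the interface the return traffic leaves through (or enters on, for the vti) is the symptom described in the post: the SYN of a flow arriving from the tunnel never traverses a chain carrying the TCPMSS target.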

No one?