How to configure tcp-mss with ipsec and vlan



I have VyOS router with ipsec tunnel(s) and vlan(s) and I have problem with forwarding bigger packets (well-know mtu/tcp-mss problem).

I need to setup tcp-mss option for connections incoming from ipsec tunnel and outgoing to vlan.

I tried that:

set policy route mss rule 5 protocol 'tcp'
set policy route mss rule 5 set tcp-mss '1366'
set policy route mss rule 5 tcp flags 'SYN'
set interfaces ethernet eth0 vif 10 policy route 'mss'

It works, but only in opossite direction (vlan -> ipsec). I checked iptables rules and found that:

Chain VYATTA_FW_IN_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 273K  501M mss        all  --  eth0.10 *  

I checked manually added iptable rules: similar with “-o eth0.10” instead of “-i eth0.10” works, rule added to filter/FORWARD chain also works.

How to configure that using standard VyOS CLI? I cannot attach route policy to vti, I cannot setup tcp-mss in access-list policy.

I know solution with raw iptables call from /config/scripts/vyatta-postconfig-bootup.script - but it’s ugly hack, another file to backup, invisible in “show conf” - I don’t want to use it.

Best regards,


No one?