I have VyOS router with ipsec tunnel(s) and vlan(s) and I have problem with forwarding bigger packets (well-know mtu/tcp-mss problem).
I need to setup tcp-mss option for connections incoming from ipsec tunnel and outgoing to vlan.
I tried that:
set policy route mss rule 5 protocol 'tcp' set policy route mss rule 5 set tcp-mss '1366' set policy route mss rule 5 tcp flags 'SYN' set interfaces ethernet eth0 vif 10 policy route 'mss'
It works, but only in opossite direction (vlan -> ipsec). I checked iptables rules and found that:
Chain VYATTA_FW_IN_HOOK (1 references) pkts bytes target prot opt in out source destination 273K 501M mss all -- eth0.10 * 0.0.0.0/0 0.0.0.0/0
I checked manually added iptable rules: similar with “-o eth0.10” instead of “-i eth0.10” works, rule added to filter/FORWARD chain also works.
How to configure that using standard VyOS CLI? I cannot attach route policy to vti, I cannot setup tcp-mss in access-list policy.
I know solution with raw iptables call from /config/scripts/vyatta-postconfig-bootup.script - but it’s ugly hack, another file to backup, invisible in “show conf” - I don’t want to use it.