how to set the DF bit to 0


#1

I’m running through a GRE tunnel and have the common issue that the client PCs are setting the DF bit to 1. Is there a route policy or other feature that I can use to set this bit to 0, so that I can have the client PCs browse through the GRE tunnel? I can do this with a policy route on a Cisco router but have not been able to find this feature within VyOS. Can someone tell me if this is possible?
Thanks


#2

First of all, start by configuring a proper MTU value on the tunnel interfaces.
I don’t know if we can alter the DF bit, but a better solution is to prevent packets from getting that big, avoiding fragmentation.
This can be done by using mss-clamp with a value (at least) 40 bytes lower than the MTU.
AFAIK, applying it to the tunnel interface won’t work; you can apply it to the LAN interface(s) on both sites, selectively lowering the MSS value only for remote destinations.

set policy route POL_ETH0_IN rule 10 description 'MSS-CLAMPforVPN'
set policy route POL_ETH0_IN rule 10 destination group network-group REMOTE_NETWORKS
set policy route POL_ETH0_IN rule 10 protocol 'tcp'
set policy route POL_ETH0_IN rule 10 set tcp-mss '1358'
set policy route POL_ETH0_IN rule 10 tcp flags 'SYN'
set interfaces ethernet eth0 policy route 'POL_ETH0_IN'
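
An added example, not part of the posts above and not VyOS code: a Python sketch of what MSS clamping does to a TCP SYN, using the 1358 value from the rule in post #2. The function names, the constructed sample packet and the "only lower, never raise" behaviour are assumptions of this example; the DF bit is left untouched, since the smaller MSS is what keeps segments under the tunnel MTU.

```python
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_checksum(ip: bytes, tcp: bytes) -> int:
    """Checksum over the pseudo-header (src, dst, proto 6, length) plus the segment."""
    return checksum(ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)

def mss_offset(tcp: bytes):
    """Offset of the MSS value inside a TCP header, or None if the option is absent."""
    i, end = 20, min((tcp[12] >> 4) * 4, len(tcp))
    while i + 1 < end and tcp[i] != 0:          # kind 0 ends the option list
        if tcp[i] == 1:                          # NOP is a single byte
            i += 1
            continue
        if tcp[i] == 2 and tcp[i + 1] == 4 and i + 4 <= end:
            return i + 2
        if tcp[i + 1] < 2:                       # malformed length, stop parsing
            return None
        i += tcp[i + 1]
    return None

def clamp_mss(packet: bytes, limit: int) -> bytes:
    """Lower the MSS option of an IPv4 TCP SYN to `limit`; anything else passes unchanged."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or packet[9] != 6 or not packet[ihl + 13] & 0x02:
        return packet
    tcp, off = bytearray(packet[ihl:]), mss_offset(packet[ihl:])
    if off is None or struct.unpack_from("!H", tcp, off)[0] <= limit:
        return packet
    struct.pack_into("!H", tcp, off, limit)
    tcp[16:18] = b"\x00\x00"                     # zero the checksum field before recomputing
    struct.pack_into("!H", tcp, 16, tcp_checksum(packet[:ihl], bytes(tcp)))
    return packet[:ihl] + bytes(tcp)

def build_syn(mss: int) -> bytes:
    """Constructed sample: IPv4 SYN with DF set, documentation-range addresses."""
    opts = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01\x04\x02"   # MSS, NOP, NOP, SACK-permitted
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 7 << 4, 0x02, 64240, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp[:16] + struct.pack("!H", tcp_checksum(ip, tcp)) + tcp[18:]
```

Calling `clamp_mss(build_syn(1460), 1358)` returns the same SYN with the MSS option rewritten to 1358 and a valid TCP checksum.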