We have a bunch of GRE tunnels, and have these rules in VyOS to clamp the MSS:
set firewall options interface tun1000002 adjust-mss '1422'
set firewall options interface tun1000003 adjust-mss '1422'
set firewall options interface tun1000004 adjust-mss '1422'
set firewall options interface tun1000005 adjust-mss '1422'
set firewall options interface tun1000006 adjust-mss '1422'
set firewall options interface tun1000007 adjust-mss '1422'
set firewall options interface tun1000008 adjust-mss '1422'
set firewall options interface tun1000009 adjust-mss '1422'
Unfortunately, they don't seem to work. This is the output of iptables -S:
vyos@vyos:~$ iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N VYATTA_PRE_FW_IN_HOOK
-N VYATTA_PRE_FW_FWD_HOOK
-N VYATTA_PRE_FW_OUT_HOOK
-N VYATTA_POST_FW_IN_HOOK
-N VYATTA_POST_FW_FWD_HOOK
-N VYATTA_POST_FW_OUT_HOOK
-N VYATTA_FW_OUT_HOOK
-N VYATTA_FW_IN_HOOK
-N VYATTA_FW_LOCAL_HOOK
-N WAN-OUT
-A INPUT -j VYATTA_PRE_FW_IN_HOOK
-A INPUT -j VYATTA_FW_LOCAL_HOOK
-A INPUT -j VYATTA_POST_FW_IN_HOOK
-A FORWARD -j VYATTA_PRE_FW_FWD_HOOK
-A FORWARD -j VYATTA_FW_IN_HOOK
-A FORWARD -j VYATTA_FW_OUT_HOOK
-A FORWARD -j VYATTA_POST_FW_FWD_HOOK
-A OUTPUT -j VYATTA_PRE_FW_OUT_HOOK
-A OUTPUT -j VYATTA_POST_FW_OUT_HOOK
-A VYATTA_PRE_FW_IN_HOOK -j RETURN
-A VYATTA_PRE_FW_FWD_HOOK -j RETURN
-A VYATTA_PRE_FW_OUT_HOOK -j RETURN
-A VYATTA_POST_FW_IN_HOOK -j ACCEPT
-A VYATTA_POST_FW_FWD_HOOK -j ACCEPT
-A VYATTA_POST_FW_OUT_HOOK -j ACCEPT
-A VYATTA_FW_OUT_HOOK -o eth1 -j WAN-OUT
iptables v1.8.2 (nf_tables): Can’t open socket to ipset.
However, running this command manually seems to work just fine:
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1400
I'm not sure if I'm using it incorrectly, or if it's an actual problem.
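The post's symptom is a ruleset with no TCPMSS rule for any of the tunnels, which is only visible by reading `iptables -S` by hand. The following is an added example, not code from the post or from VyOS: a small POSIX shell check that parses `iptables -S` output for a TCPMSS rule scoped to a given interface (the same shape as the manual `-j TCPMSS --set-mss` rule the post shows working), reports the clamp value it finds, and computes the MSS implied by a tunnel MTU (MTU minus 20 bytes IPv4 header minus 20 bytes TCP header). The sample ruleset embedded below is constructed, and `check_live` assumes `iptables` is on PATH and readable by the caller.

```shell
# Added example, not from the original post: verify that an MSS clamp rule
# is actually present in the live ruleset for a tunnel interface.

# Constructed sample of `iptables -S` output: modelled on the post, but with
# one TCPMSS rule added for tun1000002 so both outcomes can be exercised.
SAMPLE_RULES='-P FORWARD ACCEPT
-N VYATTA_FW_OUT_HOOK
-A FORWARD -j VYATTA_FW_OUT_HOOK
-A VYATTA_FW_OUT_HOOK -o eth1 -j WAN-OUT
-A FORWARD -o tun1000002 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1422'

# has_mss_clamp RULES IFACE
# Prints "yes" if RULES contains a TCPMSS rule matched on IFACE (-i or -o),
# "no" otherwise. A clamp that is not bound to the interface is ignored on
# purpose: the point is to confirm the per-tunnel setting landed.
has_mss_clamp() {
    rules=$1
    iface=$2
    if printf '%s\n' "$rules" | grep -Eq -- "-[io] $iface .*-j TCPMSS"; then
        echo yes
    else
        echo no
    fi
}

# clamp_value RULES IFACE
# Prints the --set-mss value of the first TCPMSS rule bound to IFACE,
# or nothing if there is none.
clamp_value() {
    printf '%s\n' "$1" \
        | grep -E -- "-[io] $2 .*-j TCPMSS" \
        | sed -n 's/.*--set-mss \([0-9]*\).*/\1/p' \
        | head -n 1
}

# mss_for_mtu MTU
# MSS a clamp should use for a given tunnel MTU: subtract the IPv4 and TCP
# headers (20 bytes each). E.g. a 1476-byte GRE-over-IPv4 tunnel MTU gives 1436.
mss_for_mtu() {
    echo $(($1 - 40))
}

# check_live IFACE
# Same check against the running kernel ruleset (assumes iptables is on PATH).
check_live() {
    has_mss_clamp "$(iptables -S 2>/dev/null)" "$1"
}

# Walk the sample ruleset for the tunnels named in the post.
for tun in tun1000002 tun1000003; do
    if [ "$(has_mss_clamp "$SAMPLE_RULES" "$tun")" = yes ]; then
        echo "$tun: clamp present, set-mss $(clamp_value "$SAMPLE_RULES" "$tun")"
    else
        echo "$tun: NO clamp rule found"
    fi
done
```

To use it against a router, source the file and run `check_live tun1000002` for each tunnel; "no" across the board is exactly the state the post's `iptables -S` output shows, and a value from `clamp_value` that differs from `mss_for_mtu <tunnel MTU>` points at a mis-sized clamp rather than a missing one.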