MSS Clamping / Possible Issue or I'm doing something incorrect

Hello.

I’m having a bit of a problem understanding MSS Clamping on VyOS. It’s working fine, but I’m a little bit puzzled as to why I have to do it this certain way.

I have three interfaces on my VyOS installation: two internal interfaces running standard Ethernet, MTU 1500. I’ve then got one external interface running PPPoE, MTU 1492 (MSS 1452). I’m running “VyOS 1.2-rolling-201908271639”.

I have the following policy route;

    set policy route MSS description 'TCP MSS Clamping for PPPoE'
    set policy route MSS rule 5 protocol 'tcp'
    set policy route MSS rule 5 set tcp-mss '1452'
    set policy route MSS rule 5 tcp flags 'SYN'

If I set this policy on the PPPoE interface using the following command;

    set interfaces ethernet eth1 pppoe 0 policy route 'MSS'

Doing this will result in outbound SYN packets leaving VyOS with an MSS of 1460 (too-high) thus causing slow internet browsing, etc.

If I set this policy on the INSIDE interface using the following command;

    set interfaces ethernet eth2 policy route 'MSS'

Doing this will result in outbound SYN packets leaving VyOS with an MSS of 1452 (correct size), thus - all-ok.

Now my question is: why am I required to set this on inside interfaces? My understanding is that this should be set on outside interfaces to set outbound SYN packets to the correct MSS. For example, I could have multiple tunnel interfaces which all require different MSS clamping options - however, with what I’m doing at the moment, I’d be required to set the lowest MSS on all inside interfaces.

Hope this makes sense, hopefully I’m just doing something wrong - or my understanding of where you set MSS Clamping is incorrect.

Regards,
Oliver.

Hello, Oliver!
When you work with policy or firewall, you always deal with incoming traffic. So, when you configure like this:

    set interfaces ethernet eth2 policy route 'MSS'

Then all traffic which comes into the eth2 interface will be processed with the MSS policy.

If you don’t need to process all the traffic from the interface, make the rule more accurate. For example, by using the destination option.
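To make the two points above concrete (Oliver's observation that the SYN leaves with 1460 when the policy sits on the PPPoE interface, and the reply's explanation that a policy route is evaluated on the interface a packet arrives on), here is an added Python model. It is not VyOS code and not part of this thread: it builds a constructed TCP SYN carrying an MSS option, implements the MSS rewrite that `set tcp-mss` performs, and wraps it in a toy router (`PolicyRouter`, a name chosen here) whose policies only apply on ingress. The interface names `eth2`/`pppoe0` and the MTU values 1500/1492 are taken from the thread; ports and sequence numbers are made up, and the checksum is not recomputed.

```python
import struct

# IPv4 header (20 bytes) + TCP header (20 bytes), no options: what an MSS must leave room for
IPV4_TCP_OVERHEAD = 40
TCP_FLAG_SYN = 0x02
TCP_OPT_END = 0
TCP_OPT_NOP = 1
TCP_OPT_MSS = 2


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits in one packet on a link with this MTU (IPv4)."""
    return mtu - IPV4_TCP_OVERHEAD


def build_syn(src_port: int, dst_port: int, mss: int) -> bytes:
    """Constructed TCP SYN segment (20-byte header + 4-byte MSS option), no IP header."""
    data_offset_words = 6  # 24 bytes of header incl. options = 6 32-bit words
    header = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port,
        0,                       # sequence number (constructed)
        0,                       # acknowledgement number
        data_offset_words << 4,  # data offset lives in the upper nibble
        TCP_FLAG_SYN,
        65535,                   # window
        0,                       # checksum (not computed in this model)
        0,                       # urgent pointer
    )
    return header + struct.pack("!BBH", TCP_OPT_MSS, 4, mss)


def _mss_option_offset(segment: bytes):
    """Byte offset of the MSS option value inside the segment, or None if absent."""
    header_len = (segment[12] >> 4) * 4
    i = 20
    while i < header_len:
        kind = segment[i]
        if kind == TCP_OPT_END:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        length = segment[i + 1]
        if length < 2:
            break  # malformed option length; stop rather than loop forever
        if kind == TCP_OPT_MSS and length == 4:
            return i + 2
        i += length
    return None


def read_mss(segment: bytes):
    """MSS advertised in the segment's options, or None if there is no MSS option."""
    off = _mss_option_offset(segment)
    if off is None:
        return None
    return struct.unpack("!H", segment[off:off + 2])[0]


def clamp_mss(segment: bytes, limit: int) -> bytes:
    """What 'set tcp-mss' does: rewrite the MSS option of a SYN downwards to limit."""
    if not segment[13] & TCP_FLAG_SYN:
        return segment  # only SYNs carry/negotiate MSS
    off = _mss_option_offset(segment)
    if off is None:
        return segment
    current = struct.unpack("!H", segment[off:off + 2])[0]
    if current <= limit:
        return segment  # already small enough; clamping never raises the MSS
    # A real kernel also fixes the TCP checksum here; this model keeps it at 0.
    return segment[:off] + struct.pack("!H", limit) + segment[off + 2:]


class PolicyRouter:
    """Toy model of VyOS 'policy route': a policy attached to an interface is
    evaluated for packets ARRIVING on that interface, never for packets leaving it."""

    def __init__(self):
        self.ingress_policy = {}  # interface name -> MSS limit

    def attach(self, iface: str, mss_limit: int):
        self.ingress_policy[iface] = mss_limit

    def forward(self, ingress: str, egress: str, segment: bytes) -> bytes:
        limit = self.ingress_policy.get(ingress)
        if limit is not None:
            segment = clamp_mss(segment, limit)
        return segment  # this is what leaves via `egress`


def outbound_syn_mss(policy_iface: str) -> int:
    """MSS seen on the PPPoE side for a LAN client's SYN, given where the policy is attached."""
    router = PolicyRouter()
    router.attach(policy_iface, mss_for_mtu(1492))   # 1452, as in the thread
    syn = build_syn(40000, 443, mss_for_mtu(1500))   # LAN host advertises 1460
    sent = router.forward(ingress="eth2", egress="pppoe0", segment=syn)
    return read_mss(sent)


if __name__ == "__main__":
    for iface in ("pppoe0", "eth2"):
        print(f"policy on {iface}: SYN leaves pppoe0 with MSS {outbound_syn_mss(iface)}")
```

Running it shows the thread's result: with the policy on `pppoe0` the LAN-originated SYN is never matched (it arrived on `eth2`) and leaves with 1460; with the policy on `eth2` it leaves with 1452. The model only covers LAN-to-WAN SYNs; SYNs arriving from the PPPoE side would be matched by a policy on `pppoe0`.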

I think the VYOS team should come out with a robust TCP MSS clamping recommendation.

After reading the above comments and also the VYOS knowledgebase on TCP MSS clamping for PPPOE connections: https://support.vyos.io/en/kb/articles/pppoe-sub-interfaces-2#comments

I see that both of these point the user to setting the TCP MSS clamping on the LAN interface, whereas the actual clamping should take place on the WAN interface.

There is another option referred to by a Ubiquiti thread: https://community.ui.com/questions/TCP-MTU-MSS-values-for-PPPoE/6218d940-a69e-40a3-93ba-12d5ab8c3455 and this uses the firewall option to set the TCP MSS clamping. It turns out that VYOS also has this option, and using this method allows the user to set the TCP MSS clamping on the pppoe interface itself (WAN).

    set firewall options interface pppoe0 adjust-mss 1452

On a side note, it is also possible to assign a policy route to the pppoe0 interface itself, but this does not give the correct clamping in VYOS.