OPNsense Forum
Archive => 21.1 Legacy Series => Topic started by: olest on March 30, 2021, 09:47:50 am
-
Hi,
I have had a few new sites where I need to set MSS=1400 on LAN interface to get traffic through IPSEC tunnels.
Is that a "normal" problem?
-
I think it is, if one of your IPSEC Endpoints is using a MTU less than default 1500 and PMTU-Discovery is broken between endpoints. In all tunnels with one endpoint on our Hetzner servers I have to use MSS=1300 as they are running with MTU 1400 due to Hetzner Virtual Switch VLANs.
-
On opnsense router what metrics/counters indicate that my vpn tunnel speed problem happens because of MTU / fragmentation?
-
In my experience MTU problems mostly manifest not as speed problems, but connections with larger packet sizes stalling. For example ping goes through, ssh hangs once you type 'ls' in a directory with many files :)
-
How about high amount of fragmentation due to tunnel MTU smaller than endpoint MTU, and the constant fragmentation/re-assembly that can kill throughput?
-
I set a Firewall normalisation rule for my IPSEC interface and set all traffic to Max MSS 1350 for that interface. That resolved it for my IPSEC tunnel to Azure (gleaned from their documentation).
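The MSS values quoted in this thread (1300 for an MTU 1400 endpoint, 1350 for Azure, 1400 on LAN) all come from the same arithmetic: the outer IPsec packet must fit the smallest MTU on the path. The script below is an added example, not code from any poster or from OPNsense; the cipher suites, IV/ICV lengths and block sizes are assumptions chosen to be realistic, so check them against your own tunnel's proposal.

```python
"""Largest TCP MSS that fits an IPv4 IPsec ESP tunnel-mode packet without
fragmenting the outer packet. Constructed example; suite parameters below
are assumptions for illustration, not values read from OPNsense."""
from dataclasses import dataclass

IPV4_HDR = 20      # outer and inner IPv4 header, no options
TCP_HDR = 20       # TCP header without options (MSS = payload beyond this)
UDP_HDR = 8        # only present with NAT-T encapsulation (UDP/4500)
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)

@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int      # explicit IV bytes following the ESP header
    icv_len: int     # integrity check value appended after the trailer
    block: int       # alignment of (inner packet + padding + trailer)

# Assumed suites used as constructed inputs
AES_CBC_SHA1 = EspSuite("AES-CBC + HMAC-SHA1-96", iv_len=16, icv_len=12, block=16)
AES_GCM_128 = EspSuite("AES-GCM-128", iv_len=8, icv_len=16, block=4)

def esp_packet_size(mss: int, suite: EspSuite, nat_t: bool = False) -> int:
    """On-the-wire size of one ESP packet carrying a full-size TCP segment."""
    inner = IPV4_HDR + TCP_HDR + mss                # original (inner) packet
    body = inner + ESP_TRAILER
    padded = -(-body // suite.block) * suite.block   # round up to block size
    outer = IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + suite.iv_len
    return outer + padded + suite.icv_len

def max_mss(outer_mtu: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Largest MSS whose ESP packet still fits the outer MTU. Packet size is
    monotonic in mss, so walk down from the naive (no-IPsec) bound."""
    mss = outer_mtu - IPV4_HDR - TCP_HDR
    while mss > 0 and esp_packet_size(mss, suite, nat_t) > outer_mtu:
        mss -= 1
    return mss

if __name__ == "__main__":
    for mtu in (1500, 1400):          # 1400 = the Hetzner case from the thread
        for suite in (AES_CBC_SHA1, AES_GCM_128):
            for nat_t in (False, True):
                print(f"MTU {mtu} {suite.name:24} NAT-T={nat_t!s:5} "
                      f"-> max MSS {max_mss(mtu, suite, nat_t)}")
```

A clamp a little below the computed value (as the posters do) leaves headroom for TCP options and for hops whose MTU you cannot see from the firewall.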
-
@Aergan: that "firewall normalisation" sounds plain chinese to me. What did you do exactly, any step-by-step guide to follow?