With VLAN I need to manually set MSS. Why?

Started by soko, January 23, 2021, 02:38:17 PM

January 23, 2021, 02:38:17 PM Last Edit: January 23, 2021, 02:42:37 PM by soko
Hi guys,

It took me days to figure this out, but I'm also curious whether one of you has a hypothesis or can even explain this to me. I usually very much like to understand why something is happening :)

First, my - I admit - a little exotic network configuration:

  • Switch-GBit-Eth-Port (tagged VLAN 1 + 99) <=> Win10 with Realtek NIC
  • With the Realtek Diagnostic Tool I installed 2 separate VLAN NICs in Win10: one for VLAN1, one for VLAN99. So everything that uses one of the two NICs gets the corresponding VLAN ID.
  • OPNsense runs in a VM (VMWare) with two virtual NICs. VIRT1 is bridged to NIC-VLAN1, VIRT2 to NIC-VLAN99.
  • In OPNsense, VIRT1/VLAN1 is LAN and VIRT2/VLAN99 is WAN.

So far so good and everything worked perfectly... at the first glance at least.

From a LAN PC I was able to:

  • Resolve DNS names
  • Ping (ICMP) into the internet via IP or DNS name

But no internet page (in a browser) was working, not even the one I was able to ping successfully.

Once I changed Interfaces->WAN to MTU=1500 and MSS=1456, everything worked perfectly.

So I somehow have to manually accommodate the 4 bytes of VLAN tagging. Just changing the MTU to a smaller number (even 1000) didn't help.

Now, for someone who knows a lot about these things: I'm happy to learn and also have the following questions:

  • Why do I have to do this only on the WAN interface and not on LAN?
  • Why am I still able to browse to the OPNsense website from a LAN PC if the issue seems to be somewhere between the OPNsense and the switch port?
  • Or in other words: Why does this issue only occur on internet TCP traffic and not local TCP traffic?

Thanks in advance
Soko
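Added example (not from soko's post): the segment-size arithmetic behind the MTU=1500 / MSS=1456 setting described above. It assumes a 20-byte IPv4 header, a 20-byte TCP header without options and a 4-byte 802.1Q tag, and uses a constructed "effective" IP MTU of 1496 for a path that cannot carry the extra tag bytes; it shows why small packets (DNS replies, pings) get through while full-size TCP segments do not until the MSS absorbs the tag.

```python
# Constructed header sizes (assumptions, not values from the post).
IPV4_HDR = 20   # IPv4 header without options
TCP_HDR = 20    # TCP header without options
DOT1Q_TAG = 4   # 802.1Q VLAN tag added to the Ethernet frame


def max_mss(ip_mtu: int, extra_overhead: int = 0) -> int:
    """Largest TCP payload per segment that fits an IP MTU once
    `extra_overhead` bytes (e.g. a VLAN tag the path cannot absorb)
    are subtracted. max_mss(1500) == 1460; max_mss(1500, 4) == 1456."""
    return ip_mtu - IPV4_HDR - TCP_HDR - extra_overhead


def segment_fits(payload: int, effective_ip_mtu: int) -> bool:
    """True if a TCP segment carrying `payload` bytes fits the effective MTU."""
    return payload + IPV4_HDR + TCP_HDR <= effective_ip_mtu


def simulate(mss: int, effective_ip_mtu: int, payload_sizes) -> dict:
    """For each application payload size, split it into TCP segments of at
    most `mss` bytes and report whether every segment is forwarded.
    Any oversized segment is dropped outright, modelling the post's
    symptom (no fragmentation or PMTUD rescued the full-size segments)."""
    results = {}
    for size in payload_sizes:
        segments = [min(mss, size - off) for off in range(0, size, mss)] or [0]
        results[size] = all(segment_fits(s, effective_ip_mtu) for s in segments)
    return results


if __name__ == "__main__":
    # Constructed path: WAN reports MTU 1500, but the 4-byte tag must come
    # out of the IP packet, so only 1496 bytes of IP packet actually pass.
    effective = 1500 - DOT1Q_TAG
    sizes = [60, 1460, 4000]  # DNS-reply-sized, one full segment, a web page
    print("default MSS 1460:", simulate(max_mss(1500), effective, sizes))
    print("clamped MSS 1456:", simulate(max_mss(1500, DOT1Q_TAG), effective, sizes))
```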