Feature #15585
open
It would be nice to have this as a non-custom option, a GUI-based option for users.
Jonathan Lee wrote in #note-1:
It would be nice to have this as a non-custom option, a GUI-based option for users.
You can set MSS clamping in the GUI at System > Advanced > Firewall & NAT under the VPN Packet Processing.
https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#mss-clamping
This should overcome the issues you are having without the need to set custom options. If not, please provide the custom options you are using and whether you are using an OpenVPN server or client on pfSense.
So the users on the forum didn’t need to set custom settings for the OpenVPN configuration export system? The way I understood this was that the device running the client software needed an import file that OpenVPN generates, and this is what was being customized so that the clients are preset to that MTU and MSS. This wouldn’t be handled by the firewall software itself but by the OpenVPN export config file used to import into the devices dialing into the VPN.
Jonathan Lee wrote in #note-3:
So the users on the forum didn’t need to set custom settings for the OpenVPN configuration export system? The way I understood this was that the device running the client software needed an import file that OpenVPN generates, and this is what was being customized so that the clients are preset to that MTU and MSS. This wouldn’t be handled by the firewall software itself but by the OpenVPN export config file used to import into the devices dialing into the VPN.
If you are trying to set it explicitly on the client side, the custom option is needed. However, most issues should be fixed by the setting on the firewall, as it clamps the values across the tunnel and TCP traffic will negotiate based upon that value, which ultimately affects the client connection as well.
- Priority changed from Normal to Low
Christopher Cope wrote in #note-4:
Jonathan Lee wrote in #note-3:
So the users on the forum didn’t need to set custom settings for the OpenVPN configuration export system? The way I understood this was that the device running the client software needed an import file that OpenVPN generates, and this is what was being customized so that the clients are preset to that MTU and MSS. This wouldn’t be handled by the firewall software itself but by the OpenVPN export config file used to import into the devices dialing into the VPN.
If you are trying to set it explicitly on the client side, the custom option is needed. However, most issues should be fixed by the setting on the firewall, as it clamps the values across the tunnel and TCP traffic will negotiate based upon that value, which ultimately affects the client connection as well.
While that sets it globally for all VPN traffic, there are situations where you only want a single client to have MSS clamping present in their client config. Since this is for the OpenVPN Client Export package, I believe we should consider this regardless.
Moving the priority to Low, however, as you can apply mssfix to the client config when you export it in the advanced options.
Thanks for considering this. I was researching this after I was testing the VPN to home NAS connection across the United States and it seemed to be fragmenting. I started to look into this and found that many other users with T-Mobile service also have to set custom options for specific requirements. Again, that took a while to find. I was originally searching in the GUI OpenVPN package and it does not list it. Yes, it is achievable with utilization of manual custom options. Still, everyday pfSense users would not know how to use or set the custom options like this. This would simplify the process if it is listed as an option they can change in the GUI. The forum page has different ways to achieve this. Again, with pfSense having it coded into the GUI, the best method would be utilized as PHP would be the one setting it for users.
While doing some forum research, I found 2 different methods recommended by users that are currently being utilized.
A.
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
Also, one that skips tun-mtu-extra:
tun-mtu 1200;
mssfix 1200;
And one that utilizes the fragment keyword:
fragment 1300;
mssfix 1340;
One is using the fragment keyword and the other is using tun-mtu.
Yes, the numbers would be different; however, the way this is achieved seems to differ among users in which keywords are used.
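As an added illustration (not code from this ticket, from pfSense or from the Client Export package): a small Python checker that takes the three custom-option variants above in the semicolon-separated form the pfSense Custom options field accepts, renders them one directive per line as they would land in an exported .ovpn, and warns about misspelled directives (such as the "missfix" typo) and about MTU/MSS values that contradict each other. The consistency rule it applies (mssfix and fragment should not exceed tun-mtu, and mssfix should not exceed fragment) is an assumption taken from the OpenVPN manual's guidance, not from this thread.

```python
import difflib

# The three custom-option variants quoted in the thread, in the form pfSense's
# "Custom options" field takes them (semicolon-separated; typos corrected).
VARIANTS = {
    "A": "tun-mtu 1500; tun-mtu-extra 32; mssfix 1450",
    "B": "tun-mtu 1200; mssfix 1200",
    "C": "fragment 1300; mssfix 1340",
}
KNOWN = ("tun-mtu", "tun-mtu-extra", "mssfix", "fragment")  # directives understood here
OPENVPN_DEFAULT_TUN_MTU = 1500

def parse_custom_options(text):
    """Split a semicolon-separated custom-options string into {directive: value};
    a directive without a numeric argument (e.g. bare 'mssfix') maps to None."""
    opts = {}
    for chunk in text.split(";"):
        parts = chunk.split()
        if parts:
            opts[parts[0]] = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    return opts

def to_ovpn_lines(opts):
    """Render options one directive per line, as they appear in an exported .ovpn."""
    return [name if value is None else f"{name} {value}" for name, value in opts.items()]

def check_mtu_options(opts):
    """Return human-readable warnings; an empty list means nothing looked inconsistent."""
    warnings = []
    for name in opts:
        if name not in KNOWN:  # OpenVPN rejects a config containing an unrecognized directive
            guess = difflib.get_close_matches(name, KNOWN, n=1)
            hint = f" (did you mean '{guess[0]}'?)" if guess else ""
            warnings.append(f"unknown directive '{name}'{hint}")
    tun_mtu = opts.get("tun-mtu") or OPENVPN_DEFAULT_TUN_MTU
    mssfix, fragment = opts.get("mssfix"), opts.get("fragment")
    # Rule of thumb assumed from the OpenVPN manual: the encapsulated-packet limits
    # mssfix/fragment should not exceed tun-mtu, and mssfix should not exceed
    # fragment, otherwise large TCP segments still get fragmented by OpenVPN.
    for name, value in (("mssfix", mssfix), ("fragment", fragment)):
        if value is not None and value > tun_mtu:
            warnings.append(f"{name} {value} is larger than tun-mtu {tun_mtu}")
    if mssfix is not None and fragment is not None and mssfix > fragment:
        warnings.append(f"mssfix {mssfix} exceeds fragment {fragment}; "
                        "a bare 'mssfix' would default to the fragment value")
    return warnings

if __name__ == "__main__":
    for label, text in VARIANTS.items():
        print(label, check_mtu_options(parse_custom_options(text)) or "ok")
```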