TCP MSS clamping in PROPER way (incoming and outgoing traffic)
Dear list members,

I am using PPPoE over GPON (FTTH) in Turkiye, HATAY. Provider is NetInternet Datacenter, Denizli, TR. We have a written conversation with Turk Telecom to increase MTU from 1492 to 1500 as we use Mikrotik CCR that supports 1508 bytes (baby), 9kb and 10kb jumbo frames. I am running a non-commercial R&D network for myself. They responded negatively to their reseller (the datacenter). They do not provide DHCP over GPON (IPoE) or DotX.

Why would I request that (1500 bytes MTU) while there is TCP MSS clamping?! Unfortunately I have come to the understanding that enabling Mikrotik's TCP MSS Clamping PPP profile in addition to the IPv4+IPv6 clamp-to-pmtu rule does not work in both ways.

How did I find that? I added a filter rule with LOG action for packet size > 1492 and/or for TCP packets > 1452 MSS. There were lots of packets bypassing clamping.

After that, I added the following rules, and email loads and page loads are much FASTER, without any renegotiations.

/ipv6 firewall mangle
add action=change-mss chain=postrouting new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=output new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=postrouting new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn,!syn
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn,!syn
add action=change-mss chain=output new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn,!syn
add action=change-mss chain=postrouting new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn,ack
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn,ack
add action=change-mss chain=output new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn,ack
add action=change-mss chain=postrouting new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn,ack,!syn
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn,ack,!syn
add action=change-mss chain=output new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn,ack,!syn

/ip firewall mangle
add action=change-mss chain=postrouting new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=output new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=postrouting new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn,!syn
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn,!syn
add action=change-mss chain=output new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn,!syn
add action=change-mss chain=postrouting new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn,ack
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn,ack
add action=change-mss chain=output new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn,ack
add action=change-mss chain=postrouting new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn,ack,!syn
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn,ack,!syn
add action=change-mss chain=output new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn,ack,!syn

But couldn't and shouldn't all of this be possible with a single rule? Or shouldn't the PPP profile setting consider ACKs and any other flags that can be added to SYN?!

Thanks for reading and looking forward to HEARING feedback from you all.

Regards
Volkan SALiH
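
The check described in the post (finding SYN and SYN-ACK segments whose advertised MSS is too large for a 1492-byte PPPoE link) can be reproduced offline on captured packets. The following is an added example, not part of the original message or of RouterOS; the function names and the sample packets are constructed for illustration, and it assumes raw IP packets without IPv6 extension headers.

```python
import struct

PPPOE_MTU = 1492  # link MTU stated in the post

def max_mss(mtu, ip_version):
    """Largest MSS that fits mtu: minus IP header (20 v4 / 40 v6) and 20-byte TCP header."""
    return mtu - (20 if ip_version == 4 else 40) - 20

def syn_mss(packet):
    """Return (ip_version, tcp_flags, mss) for a segment with SYN set, else None.
    mss is None when no MSS option is present. IPv6 extension headers are not handled."""
    version = packet[0] >> 4 if len(packet) >= 20 else 0
    if version == 4 and packet[9] == 6:
        tcp = packet[(packet[0] & 0x0F) * 4:]
    elif version == 6 and packet[6] == 6:
        tcp = packet[40:]
    else:
        return None
    if len(tcp) < 20 or not tcp[13] & 0x02:      # too short, or SYN bit clear
        return None
    opts, i, mss = tcp[20:(tcp[12] >> 4) * 4], 0, None
    while i < len(opts) and opts[i] != 0:        # kind 0 = end of option list
        if opts[i] == 1:                         # kind 1 = NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                                # malformed length, stop parsing
        if opts[i] == 2 and opts[i + 1] == 4 and i + 4 <= len(opts):
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return version, tcp[13], mss

def exceeds_clamp(packet, mtu=PPPOE_MTU):
    """True when a SYN or SYN-ACK advertises an MSS too large for the link MTU."""
    parsed = syn_mss(packet)
    return bool(parsed and parsed[2] is not None and parsed[2] > max_mss(mtu, parsed[0]))

def build(version, flags, mss):
    """Constructed sample packet: IP header plus TCP header carrying one MSS option."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, flags, 65535, 0, 0)
    tcp += struct.pack("!BBH", 2, 4, mss)
    if version == 4:
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                           bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])) + tcp
    return struct.pack("!IHBB16s16s", 6 << 28, len(tcp), 6, 64, bytes(16), bytes(16)) + tcp

if __name__ == "__main__":
    for v, f, m in [(4, 0x02, 1460), (4, 0x12, 1452), (6, 0x12, 1440)]:
        print(v, hex(f), m, exceeds_clamp(build(v, f, m)))
```

For IPv6 the limit on the same link is 1432 rather than 1452, because the fixed IPv6 header is 40 bytes.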