True, but issue was related to downloading over http, which is over tcp.
So, if http is your only concern I would go for this option.

Most clients are configured with an MTU of their physical NIC capabilities,
and sometimes even with jumbo support.
MTU is a property of the OS in both ends, while MSS is a property of the
packets that can be adjusted in-flight.

So, if you want to fix the MTU, you will have to configure that on the
conversation partners and not in pf.
So, while we agree on the principles, how do you suggest MTU is changed?

Statically configured on each host? DHCP option?

Cheers,
Simon.

On Mon, 10 Feb 2020 at 12:06, Janne Johansson <[email protected]> wrote:

> On Mon, 10 Feb 2020 at 11:58, Simen Stavdal <[email protected]> wrote:
>
>> Hi Lucas,
>> Have you tried to manipulate the mss during conversation setup?
>> This is done with the max-mss directive in pf.conf.
>> Basically, it takes the three-way handshake, and overrides the MSS value in
>> the handshake to something lower than the default.
>>
>
> This might fix the http/ssh issues one might see, because both of those
> run over TCP, but MSS fixups will not correct large UDP or icmp packets, or
> any other non-TCP protocol one might run over that ipsec, so making sure
> the traffic is below the MTU should be the end goal, not fixing 90% with
> pf.
>
> --
> May the most significant bit of your life be positive.
>
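A pf.conf fragment, added here as an illustration and not taken from the thread or from any of its participants, showing the max-mss clamp the replies discuss beside a note on what it does not cover. The numbers 1360 and 1400 are assumptions for a typical ESP tunnel carried inside a 1500-byte link; the real figure has to be derived from the tunnel overhead actually in use.

```pf
# /etc/pf.conf fragment (constructed example, not from the thread)
#
# Clamp the TCP MSS announced in the three-way handshake so that each
# segment plus 40 bytes of IPv4/TCP header fits the MTU that remains
# after the ESP/outer-IP overhead of the tunnel. 1360 is an assumed value
# for a tunnel whose inner MTU is 1400 (1400 - 40 = 1360); measure the
# real overhead on your own link before reusing it.
#
# OpenBSD 4.6 and later syntax:
match in all scrub (max-mss 1360)

# Equivalent pre-4.6 / FreeBSD syntax:
# scrub in all max-mss 1360
#
# This only rewrites the MSS option of TCP SYN segments. UDP, ICMP and
# other non-TCP traffic carries no MSS, so oversized datagrams from those
# protocols pass unchanged and still need a smaller MTU on the hosts.
```

For the host side, the MTU can be set statically on each machine (for example `ifconfig em0 mtu 1400` on OpenBSD, with `em0` an assumed interface name) or distributed centrally through the DHCP interface-mtu option (option 26, written `option interface-mtu 1400;` in ISC and OpenBSD dhcpd.conf), which are the two choices raised in the reply above. A ping with the don't-fragment bit set at the candidate size is a quick check that the chosen value really fits the path.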
