Help Me Better Understand MSS Clamping
-
I've been doing a lot of digging around online, but seems like it's hard to find more definitive information so I wanted to post about it.
MSS clamping (under Systems > Advanced > Firewall & NAT, VPN Packet Processing): is this risky to enable in a production environment? By this I mean, is any downtime expected? Reconnections of the IPsec tunnels? A reboot of the firewall?
Additionally, is my understanding correct that MSS clamping effectively intercepts the TCP stream and "notifies" the other side to lower how much data is in each packet? What damage will occur if this is enabled on one firewall but not the other? In theory, shouldn't it still work, even though ideally you'd set it the same on both ends?
I think I get this, but I'd like to make sure before making changes in any sensitive environment. I manage some pretty massive VPNs, some of which are sending ~1TB a day and are fragmenting most packets, so I'm hoping to speed things up a bit.
-
@planedrop said in Help Me Better Understand MSS Clamping:
MSS clamping within Systems > Advanced > Firewall & NAT for VPN Packet Processing; is this risky to enable in a production environment? By this I mean is any downtime expected? Reconnections of the IPsec tunnels? Reboot of the firewall?
I recently enabled MSS clamping on the IPSec interface in OPNsense, because of packet fragmentation on a VPN to a pfSense.
I didn't notice any bad influence on the existing IPSec VPN. However, there was not really much traffic flowing over the connection at this time.
The setting was applied immediately to the next connections within the IPSec.
However, maybe this behaves differently when you set it on pfSense.
Additionally, is my understanding correct that MSS clamping effectively intercepts the TCP stream and "notifies" the other side to lower how much data is in each packet?
Yes. As far as I know, the maximum segment size is negotiated between both sites, when one starts a connection. At this point the TCP stream is intercepted if MSS is set to a limited amount and then both sites set their segment size to the stated value.
What damage will occur if this is enabled on 1 firewall but not the other? In theory shouldn't it still work even though ideally you'd set it the same on both ends?
I enabled it only on OPNsense. OPNsense lets you set MSS for only inbound or outbound, or for any direction. I used any. So obviously it is sufficient to set it on only one site.
I manage some pretty massive VPNs, some of which are sending ~1TB a day and are fragmenting most packets so hoping to speed things up a bit.
1 TB??
I only got 2 Mb/s with fragmentation. 1 TB might have taken a week then.
After setting MSS to 1398 (tried out), I get up to 900 Mb/s over the VPN.
-
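The mechanism described in the reply above, where the firewall intercepts the connection setup and both sides end up using the smaller segment size, comes down to rewriting one TCP option: the MSS option only appears in SYN segments, so the clamp touches the SYN (and SYN/ACK) on its way through, lowers the advertised value if it exceeds the configured limit, and recomputes the TCP checksum. The following Python example is added here to illustrate that; it is not code from pfSense, OPNsense or anyone in this thread. The SYN segment and the addresses are constructed, and the tunnel-overhead breakdown is an assumption used only to show why a value around 1398 is plausible, not a statement of what either firewall actually computes.

```python
import struct

# Assumed ESP/NAT-T per-packet overhead on an IPv4 path; the real value
# depends on the negotiated cipher and on padding, so treat this as illustrative.
TUNNEL_OVERHEAD = {
    "outer_ipv4": 20,
    "nat_t_udp": 8,
    "esp_spi_seq": 8,
    "esp_iv": 8,          # AES-GCM IV; AES-CBC would use 16
    "esp_trailer": 2,     # pad length + next header (padding itself ignored here)
    "esp_icv": 16,
}


def tunnel_mss(path_mtu: int = 1500, overhead: dict = TUNNEL_OVERHEAD) -> int:
    """Largest TCP payload that fits in path_mtu after tunnel, IPv4 and TCP headers."""
    return path_mtu - sum(overhead.values()) - 20 - 20   # -> 1398 with the assumed overhead


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment.
    Over a segment whose checksum field is already correct this returns 0."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return internet_checksum(pseudo + segment)


def build_syn(src_ip: bytes, dst_ip: bytes, src_port: int, dst_port: int,
              mss: int, seq: int = 0x1000) -> bytes:
    """Constructed TCP SYN carrying MSS, NOP and window-scale options (8 option bytes)."""
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01" + struct.pack("!BBB", 3, 3, 7)
    data_offset = (20 + len(options)) // 4          # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                         data_offset << 4, 0x02, 65535, 0, 0)
    seg = bytearray(header + options)
    struct.pack_into("!H", seg, 16, tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)


def find_mss_offset(segment: bytes):
    """Byte offset of the 2-byte MSS value inside the TCP options, or None."""
    header_len = (segment[12] >> 4) * 4
    i = 20
    while i < header_len:
        kind = segment[i]
        if kind == 0:                 # end of option list
            return None
        if kind == 1:                 # NOP
            i += 1
            continue
        if i + 1 >= header_len:
            return None
        length = segment[i + 1]
        if length < 2:                # malformed option, stop rather than loop
            return None
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None


def parse_mss(segment: bytes):
    off = find_mss_offset(segment)
    return None if off is None else struct.unpack_from("!H", segment, off)[0]


def clamp_mss(src_ip: bytes, dst_ip: bytes, segment: bytes, limit: int):
    """Rewrite the MSS option of a SYN the way firewall MSS clamping does.
    Returns (segment, changed). Non-SYN segments, SYNs without an MSS option and
    MSS values already at or below the limit pass through untouched."""
    if not segment[13] & 0x02:                      # SYN flag not set
        return segment, False
    off = find_mss_offset(segment)
    if off is None:
        return segment, False
    if struct.unpack_from("!H", segment, off)[0] <= limit:
        return segment, False
    seg = bytearray(segment)
    struct.pack_into("!H", seg, off, limit)
    struct.pack_into("!H", seg, 16, 0)              # zero checksum, then recompute
    struct.pack_into("!H", seg, 16, tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg), True


if __name__ == "__main__":
    a, b = bytes([10, 0, 0, 1]), bytes([10, 0, 1, 1])
    syn = build_syn(a, b, 51000, 443, 1460)
    clamped, changed = clamp_mss(a, b, syn, tunnel_mss())
    print(parse_mss(syn), "->", parse_mss(clamped), "changed:", changed)
```

Because the option is rewritten on the SYN in each direction, a single firewall on the path is enough for both peers to learn the lower value, which matches the observation in the thread that enabling it on one side was sufficient. Only the handshake is touched, so established flows keep running and the tunnel itself is never renegotiated.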
@viragomann Hey thanks a ton for all the info here, mostly confirmed what I thought so that is great.
I'll do some testing with it and be sure whenever I do enable it that the VPN isn't under some super heavy load (like it is most of the day).
And yeah, with fragmentation (almost every packet) I'm still able to move at 300Mb/s or higher, it's pretty insane. Using Netgate 1541s with the CPIC card installed, so crypto is insanely fast; genuinely impressed with its abilities, and even though it's working, I'd rather get it cleaned up to not be fragmented.
-
@planedrop
Okay, since we currently have an inspection window anyway, I tried to enable it in pfSense. I disabled it on OPNsense again and got bad throughput.
Then I enabled it on pfSense. Throughput was high again. There was no interruption or reconnection of the tunnels. Running three IPSec tunnels on this pfSense.
-
@viragomann OK this is great news, thanks for testing this, I hadn't had a chance to do that yet, helps a ton!
I figured it wouldn't interrupt anything, or at least not for long at all, but incredibly nice to confirm it.