VTI MTU Not Persistent

  • FYI to Netgate - VTI interfaces are not retaining their MTU past a reboot.

    When rebooted, the ipsec interface MTU drops to 1400 no matter what it was configured at previously.

  • Rebel Alliance Developer Netgate

    What are you trying to set it to?

    A better option is to use MSS clamping under the advanced IPsec options.

  • Was trying to set to 1472.

    I've got my MSS clamping set to 1400 now and removed MSS / MTU from interface. However, I would love to have it set to 1472 as I know that MTU works.

    But when my VPN comes up, my ER-Lite comes up with the correct MTU of 1472, the VTI on pfSense comes up 1400 and my OSPF adjacency gets stuck in Exchange (expected of course with MTU mismatch). If I manually set MTU on ipsec interface to 1400, Save, then set to 1472, Save, the ipsec6000 interface comes up with the correct MTU and everything works. When firewall reboots, it reverts to 1400.

  • Rebel Alliance Developer Netgate

    Hmm, ok. I'm not sure that was intended to work. I don't recall doing anything specific to handle the MTU for the IPsec interfaces when they are configured. I can look into it, but it may not be something fixable for 2.4.4-p1. I opened https://redmine.pfsense.org/issues/9111 to track it for 2.4.5.

  • That's quite okay!

    It's functioning fine on the 1400, just trying to sneak those few little extra bytes out of the connection, that's all. :)