Setting TCP-MSS

Staro · Jun 25, 2021

Hi.

To improve throughput on a proxmox installation, is it possible to set TCP-MSS to reduce fragmentation using iptables?

I've tried to add this using

Code:

iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1436

but it has had no effect.

Is there a pve-firewall caveat to be aware of?

Thanks

RokaKen · Jun 25, 2021

In my experience, pve-firewall tooling is focused on the filter table and the other tables have been manipulated by the Network Configuration [0}.

For your use case, I suggest TCPMSS be applied in the POSTROUTING chain of the mangle table, i.e., if your physical interface is eno1 and your host bridge is vmbr0, then your /etc/network/interfaces would look something like:

Code:

iface eno1 inet manual

auto vmbr0
iface vmbr0 inet static
        address <ip addr>
        netmask <ip mask>
        gateway <ip gateway>
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
        
        post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o eno1 -j TCPMSS --set-mss 1436
        post-down iptables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o eno1 -j TCPMSS --set-mss 1436

then ifreload (IFF you have installed ifupdown2 pkg) or reboot to take affect.

[0] https://pve.proxmox.com/wiki/Networ...ith_tt_span_class_monospaced_iptables_span_tt

ph0x · Jun 25, 2021

Acknowledge correct use of »iff«.

Search

Search

Setting TCP-MSS

Staro

Member

RokaKen

Active Member

ph0x

Renowned Member