Please help me solve the mtu puzzle

I had posted my issue earlier in this post Wireguard issues over 5G cellular network

Turns out it is indeed a fragmentation issue, and even mss clamping on the vpn zone isn’t helping in this case.

The MTU value that works over this 5G mobile network is 1220.

If I want to add a custom mangle_postrouting rule is this the correct way?

chain mangle_postrouting {
    type filter hook postrouting priority mangle; policy accept;
    oifname { "wg0", "tailscale0" } tcp flags syn / fin,syn,rst tcp option maxseg size set 1220
}

Your rule is correct :wink:

24.10-rc has mssfix rule already in correct place.

Be aware that the minimum MTU for IPv6 is 1280 bytes.


Hey @brada4 I’m already on 24.10.0-rc5, but with the default mss clamping rule on the vpn zone I was still having issues with fragmentation

Is the fw4 rule in nft list ruleset and what is in /etc/config/firewall and /etc/config/network wrt mtu mainly?

Does this also apply to mss clamping? Sorry if this is a dumb question.

On this 5G network with 464xlat IPv6 pings work till 1252 bytes so 1252+48=1,300, over Wireguard I need 1220 for IPv6 to function properly.

mss vs mtu is adjusted with v4/v6 overheads, don't over-correct.

In nft list ruleset

nft list ruleset | grep maxseg
                oifname { "wg0", "tailscale0" } tcp flags & (fin | syn | rst) == syn tcp option maxseg size set 1200 comment "!fw4: Zone vpn IPv4/IPv6 egress MTU fixing"
                oifname "eth0" tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
                oifname { "wg0", "tailscale0" } tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone vpn IPv4/IPv6 egress MTU fixing"
                iifname "eth0" tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
                iifname { "wg0", "tailscale0" } tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone vpn IPv4/IPv6 ingress MTU fixing"
config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'tailscale'
        list network 'wg0'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'vpn'
        option dest 'wan'

config forwarding
        option src 'vpn'
        option dest 'lan'

There’s nothing mtu related in /etc/config/network; specifically, the wg0 interface is at the default 1420 MTU

45: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none

What are the mtu-s configured in /etc/config/network and reflected in ip link?

They’re both identical 1420 for wg0, 1280 for Tailscale (default value they use) and 1500 for the rest of the interfaces (br-lan,wan,wan6)

You have to guess network infrastructure down the line.

I don’t know how reliable this website is but on bgp.tools they show my mss values for my 5G cellular service like this

In the postrouting rule how can I set different mss values for IPv6 and IPv4?
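The MTU and MSS arithmetic discussed in this thread, carried through and rendered as one clamp rule per address family; this is an added example, not code from any participant or from fw4. It assumes the WireGuard outer packets cross the 5G link as IPv6 (464xlat) and uses the 1252-byte ping result and the `wg0` name from the thread; the function names are hypothetical.

```python
# Added example. Header sizes are protocol constants; the probe size and
# interface name are the values quoted in the thread.
IP_HDR = {"ipv4": 20, "ipv6": 40}
TCP_HDR = 20          # TCP header without options
ICMP_HDR = 8          # ICMP / ICMPv6 echo header
WG_OVERHEAD = 8 + 32  # UDP header + WireGuard data header and auth tag
IPV6_MIN_MTU = 1280   # IPv6 requires a link MTU of at least 1280 bytes

def path_mtu_from_ping(payload, family):
    """Largest unfragmented ping payload -> path MTU of the underlay."""
    return payload + ICMP_HDR + IP_HDR[family]

def tunnel_mtu(path_mtu, outer_family):
    """Largest inner packet that fits in one WireGuard datagram."""
    return path_mtu - IP_HDR[outer_family] - WG_OVERHEAD

def mss_for(mtu, inner_family):
    """TCP MSS that keeps a full segment within mtu for the inner family."""
    return mtu - IP_HDR[inner_family] - TCP_HDR

def clamp_rules(ifaces, mtu):
    """Render one postrouting clamp rule per inner address family."""
    names = ", ".join(f'"{i}"' for i in ifaces)
    return [
        f"oifname {{ {names} }} meta nfproto {fam} tcp flags syn / fin,syn,rst "
        f"tcp option maxseg size set {mss_for(mtu, fam)}"
        for fam in ("ipv4", "ipv6")
    ]

def plan(ping_payload, underlay_family, ifaces):
    """Go from a ping probe result to tunnel MTU and per-family rules."""
    pmtu = path_mtu_from_ping(ping_payload, underlay_family)
    mtu = tunnel_mtu(pmtu, underlay_family)
    return {
        "path_mtu": pmtu,
        "tunnel_mtu": mtu,
        "ipv6_inner_ok": mtu >= IPV6_MIN_MTU,  # False: tunnel MTU is under 1280
        "rules": clamp_rules(ifaces, mtu),
    }

if __name__ == "__main__":
    result = plan(1252, "ipv6", ["wg0"])
    print(result["path_mtu"], result["tunnel_mtu"], result["ipv6_inner_ok"])
    print("\n".join(result["rules"]))
```

The rules match on `meta nfproto`, so they belong in an `inet` family table such as the one fw4 creates; `tailscale0` is left out because it runs at its own 1280 MTU.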