When the TCP MSS is too high, large packets are silently dropped, so connections hang right after the TCP handshake completes. MSS clamping fixes this without changing the MTU on the endpoints.
# Linux iptables — clamp MSS to calculated value (update 1460 to your MSS)
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
-j TCPMSS --set-mss 1460
# Or clamp automatically to the route's path MTU minus 40 (IPv4 + TCP headers)
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
-j TCPMSS --clamp-mss-to-pmtu
# Cisco IOS — clamp MSS on interface
interface GigabitEthernet0/0
ip tcp adjust-mss 1460
# pfSense — set in Interfaces > WAN > MSS field
# or Firewall > Rules > Advanced > MSS
# Test for MTU/MSS issues — ping with the DF (don't fragment) bit set
# Linux: lower 1472 until the ping succeeds; that payload + 28 is the path MTU
ping -M do -s 1472 8.8.8.8 # 1472 + 28 byte IP/ICMP header = 1500 MTU
# Windows:
ping -f -l 1472 8.8.8.8
# If you get "Frag needed" (or a timeout), reduce the size until it passes
| Interface / Tunnel | Typical MTU | TCP MSS | Notes |
|---|---|---|---|
| Standard Ethernet | 1500 | 1460 | Default everywhere |
| VLAN (802.1Q) | 1496 | 1456 | 4 byte tag overhead |
| PPPoE (DSL/Broadband) | 1492 | 1452 | Very common ISP issue |
| GRE Tunnel | 1476 | 1436 | 24 byte GRE overhead |
| WireGuard | 1420 | 1380 | Recommended WG MTU |
| OpenVPN UDP | 1452 | 1412 | Varies by config |
| IPsec ESP (Tunnel) | 1472 | 1432 | 28 byte ESP overhead |
| IPsec + NAT-T | 1444 | 1404 | UDP encapsulation adds 8 bytes |
| VXLAN | 1450 | 1410 | 50 byte VXLAN overhead |
| Jumbo Frames | 9000 | 8960 | Data centre / storage networks |
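Worked example, added here and not part of the original page: it shows the MTU-to-MSS arithmetic behind the table and what the TCPMSS rules above do to a SYN. It builds a constructed TCP SYN carrying an MSS option and lowers that option to path MTU minus 40, as `--clamp-mss-to-pmtu` does; the TCP checksum is left at zero and not recomputed, which a real clamp must do.

```python
# Added example: derive TCP MSS from a path MTU and rewrite the MSS option of a
# constructed TCP SYN the way a TCPMSS clamp does (checksums not recomputed).
import struct
IPV4_TCP_HDRS, SYN, RST = 40, 0x02, 0x04   # IPv4+TCP header bytes; TCP flag bits

def mss_for_mtu(mtu: int) -> int:
    """MSS = path MTU minus IPv4 and TCP headers: 1500 -> 1460, GRE 1476 -> 1436."""
    return mtu - IPV4_TCP_HDRS

def build_syn(mss: int) -> bytes:
    """Constructed 24-byte TCP SYN: 20-byte header plus MSS option (kind 2, len 4)."""
    data_off_flags = (6 << 12) | SYN       # header is 6 x 32-bit words, SYN set
    hdr = struct.pack("!HHIIHHHH", 40000, 443, 1, 0, data_off_flags, 65535, 0, 0)
    return hdr + struct.pack("!BBH", 2, 4, mss)

def _options(tcp_hdr: bytes):
    """Yield (offset, kind, length) for every TCP option; handles EOL and NOP."""
    data_off = (struct.unpack("!H", tcp_hdr[12:14])[0] >> 12) * 4
    i = 20
    while i < data_off:
        kind = tcp_hdr[i]
        if kind == 0:                      # End of option list
            return
        if kind == 1:                      # NOP padding, one byte
            i += 1
            continue
        length = tcp_hdr[i + 1]
        yield i, kind, length
        i += length

def read_mss(tcp_hdr: bytes):
    """Return the advertised MSS, or None if the segment carries no MSS option."""
    for off, kind, length in _options(tcp_hdr):
        if kind == 2 and length == 4:
            return struct.unpack("!H", tcp_hdr[off + 2:off + 4])[0]
    return None

def clamp_mss(tcp_hdr: bytes, path_mtu: int) -> bytes:
    """Cap the MSS option at path_mtu - 40 on SYN (not RST) segments, like TCPMSS --clamp-mss-to-pmtu."""
    flags = struct.unpack("!H", tcp_hdr[12:14])[0] & 0x1FF
    if not (flags & SYN) or (flags & RST):
        return tcp_hdr                     # only SYNs advertise MSS; leave others
    limit, out = mss_for_mtu(path_mtu), bytearray(tcp_hdr)
    for off, kind, length in _options(tcp_hdr):
        if kind == 2 and length == 4:
            cur = struct.unpack("!H", out[off + 2:off + 4])[0]
            if cur > limit:                # only ever lower the MSS, never raise it
                out[off + 2:off + 4] = struct.pack("!H", limit)
    return bytes(out)
```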