On 2022-05-14, [email protected] <[email protected]> wrote:
>> I recommend "max-mss" instead of no-df, you don't really want fragments
>> if you can help it. The number to cap at is 40 below the lowest actual
>> MTU across the tunnel, so 1380 should do for WireGuard, IPsec varies
>> depending on the options used.
>
> Thank you Stuart and William for your replies. I really like the idea of
> setting "max-mss" and I can confirm that after changing my pf.conf like this:
>
> match out on egress from (wg0:network) nat-to (egress:0) scrub (max-mss 1380)
>
> I did not notice any network-related problems.
>
> I'm pretty sure this needs to be in the documentation. I think we need to add
> a subsection about Wireguard setup into Networking section in the FAQ.
It isn't just WireGuard, it is common to...well, everything.

gif gre vxlan eoip etherip ipsec wg pppoe
tun/tap (which would be configured by some other software)
and _any_ standard network interface if a packet is forwarded between
interfaces with a lower and a higher mtu

Perhaps adding a bit more to the description in pf.conf(5) would be a good
start, explaining why one might want to use it.
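To make the "40 below the lowest MTU" rule concrete, here is a small Python illustration added to this page; it is not code from the thread or from OpenBSD. It takes the MTUs along a tunnel path, derives the max-mss value, emits a match rule in the same shape as the one quoted above, and checks whether a TCP segment of a given size would need fragmentation on the tunnel hop. The path MTUs (1500 on the outer links, 1420 for the WireGuard hop, the value that yields the thread's 1380) and the interface name are constructed sample values; the IPv6 variant (60 bytes of fixed headers instead of 40) goes slightly beyond what the thread states.

```python
"""Derive a pf 'max-mss' clamp for a tunnel path and check that a segment
clamped to it crosses the narrowest hop without fragmentation.

Added illustration for this thread; not code from the thread or from OpenBSD.
All MTU values below are constructed sample numbers, not measurements."""

# IPv4 header (20 bytes, no options) + TCP header (20 bytes, no options).
# This is the "40 below the lowest actual MTU" rule stated in the thread.
IPV4_TCP_HEADERS = 40
# The IPv6 fixed header is 40 bytes, so the same rule becomes 60 for v6 TCP.
IPV6_TCP_HEADERS = 60


def max_mss_for_path(mtus, ipv6=False):
    """Return the MSS to clamp to, given every MTU along the tunnel path."""
    if not mtus:
        raise ValueError("need at least one MTU")
    overhead = IPV6_TCP_HEADERS if ipv6 else IPV4_TCP_HEADERS
    return min(mtus) - overhead


def needs_fragmentation(mss, mtu, ipv6=False):
    """True if a TCP segment carrying 'mss' payload bytes cannot fit in 'mtu'."""
    overhead = IPV6_TCP_HEADERS if ipv6 else IPV4_TCP_HEADERS
    return mss + overhead > mtu


def pf_scrub_rule(tunnel_if, mss):
    """Emit a match rule in the shape quoted in the thread (tunnel -> egress NAT).
    'tunnel_if' is the tunnel interface name; any name can be passed here."""
    return ("match out on egress from ({0}:network) nat-to (egress:0) "
            "scrub (max-mss {1})".format(tunnel_if, mss))


if __name__ == "__main__":
    # Constructed path: 1500-byte links on both ends, a 1420-byte WireGuard
    # hop in the middle (an assumed MTU that makes the thread's 1380 come out).
    path_mtus = [1500, 1420, 1500]
    mss = max_mss_for_path(path_mtus)
    print("clamp to max-mss", mss)
    print(pf_scrub_rule("wg0", mss))
    # A plain 1500-byte-link MSS of 1460 does not fit the tunnel hop; the clamped one does.
    print("1460 needs fragmentation at MTU 1420:", needs_fragmentation(1460, 1420))
    print("%d needs fragmentation at MTU 1420: %s" % (mss, needs_fragmentation(mss, 1420)))
```

The check in `needs_fragmentation` is the reason the clamp matters: without it, a host behind the tunnel negotiates an MSS for its own 1500-byte link, and every full segment then has to be fragmented (or dropped, if DF is set) at the narrower tunnel hop.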

