MSS Clamping and Deutsche Glasfaser
Is a UniFi USG adjustment needed?
We have had a new provider come to our region here in Germany, Deutsche Glasfaser. While this is fantastic due to the increases in speed and dependability, we have seen a strange issue appear in our clients' USGs.
DHCP so limited options for connection
Why would we have connection issues when the USG is grabbing the connection information via DHCP?
This issue falls into two categories: connectivity and reduced speed.
ABOUT THIS ISSUE
- Client complaints about reduced speed
- Packet loss and unpredictable outages
We noticed this problem in one of our very first provider cutovers. The USG would grab the DHCP settings and establish a connection. Once connected, we could not get the desired throughput. Some investigation was required, so we tested directly against the modem, and the throughput was available.
HOW TO FIX IT
Here is what we found:
- After pulling out our hair, we found that the USG was not grabbing the proper MTU setting.
- Finding the MTU setting took some time, but once it was found and applied, the issue subsided.
- The mystery WAN VLAN Setting. There isn't one.
After further inspection
After reviewing the issue, we found that the USG grabbed a phantom VLAN setting, and the provisioning of the MTU setting was incorrect. We checked the provider's documentation with no luck. After some testing, we found the optimal setup.
The fix
The VLAN setting could be a "one-off", but it needed to be disabled to establish a connection. You can find the VLAN setting by logging directly into the USG and going through the connection process (uncheck the "VLAN" box under WAN Settings).
MTU wasn't so straightforward. UniFi defines its MSS Clamping as:
MSS Clamping: MSS (Maximum Segment Size) clamping is typically used when Path MTU Discovery is not working properly. Using ICMP messages, Path MTU Discovery determines the highest allowable MTU (Maximum Transmission Unit) of traffic traveling between two hosts to avoid fragmentation.
TCP uses MSS, which is the MTU minus the IP and TCP headers. The sender should limit its data so it does not exceed the MSS reported by the receiver. Sometimes security firewalls or other issues interfere with the Path MTU Discovery process (for example, ICMP messages are blocked), so you can use a workaround, TCP MSS clamping, which sets the MSS value for all TCP connections.
MSS Clamping: Select the appropriate option: Auto (default), Custom, or Disabled. If you select Custom, enter the MSS value in the field provided. 1412 is the default.
We found that the best setting for this provider was:
MSS Clamping Setting: 1452
To change this setting, look for MSS Clamping, which is found in the cloud controller under "Devices -> USG -> Configuration".
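One way to arrive at a clamp value by measurement rather than trial and error, as an added example that is not from the original post or from UniFi: binary-search the largest packet that crosses the path with "don't fragment" set, then subtract the IP and TCP headers as in the definition above. It assumes IPv4 and TCP headers without options and the Linux iputils ping flags (-M do, -s, -c, -W); the function names and the simulated link are constructed for illustration. By this formula an MSS of 1452 corresponds to a path MTU of 1492.

```python
import subprocess
import sys

IPV4_HEADER = 20  # bytes, assuming no IP options
TCP_HEADER = 20   # bytes, assuming no TCP options
ICMP_HEADER = 8   # bytes, echo request header


def ping_probe(host):
    """Build probe(mtu) -> bool that sends one DF-flagged ping of that total size."""
    def probe(mtu):
        payload = mtu - IPV4_HEADER - ICMP_HEADER
        result = subprocess.run(
            ["ping", "-M", "do", "-c", "1", "-W", "1", "-s", str(payload), host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return result.returncode == 0
    return probe


def find_path_mtu(probe, low=576, high=1500):
    """Return the largest MTU in [low, high] for which probe() succeeds."""
    if not probe(low):
        # Nothing gets through even at the floor: the host is down or ICMP
        # is filtered, so any number derived from here would be meaningless.
        raise RuntimeError("no reply at %d bytes; cannot measure path MTU" % low)
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid        # mid fits, search above it
        else:
            high = mid - 1   # mid was dropped, search below it
    return low


def mss_for_mtu(mtu):
    """MSS is the MTU minus the IP and TCP headers."""
    return mtu - IPV4_HEADER - TCP_HEADER


def simulated_path(real_mtu):
    """Constructed stand-in for a link that drops packets above real_mtu."""
    return lambda mtu: mtu <= real_mtu


if __name__ == "__main__":
    # With a host argument, probe the real path; otherwise use the simulation.
    probe = ping_probe(sys.argv[1]) if len(sys.argv) > 1 else simulated_path(1492)
    mtu = find_path_mtu(probe)
    print("path MTU %d -> MSS clamp %d" % (mtu, mss_for_mtu(mtu)))
```

A single lost ping makes the search undershoot, so on a link with packet loss repeat the run and take the highest result.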
Limitations
Please note the limitations of the USG.
- This is a security gateway, and by its definition, there should be some acceptable overhead loss. These losses were not so apparent with the previous provider due to the slower connection speed.
UniFi's Intrusion Prevention System will protect your network from attacks and malicious activity. It will block and shut down connections that could compromise your security.
Warning: Enabling Threat Management will affect the USG-3P maximum throughput (85 Mbps).
Warning: Enabling Threat Management will disable hardware offload.