Bad dns resolving while going from sys-vpn to sys-firewall

Heyho,

I have an extra VPN qube, which is connected to sys-vpn, and this one goes to sys-firewall. Everything works so far; I get VPN connections, but I get very bad DNS resolving even without the VPN activated.

So, with no VPN activated, I ping cloudflare.com and can wait about 8 sec.; even between the pings there is a stop of about 3 sec. The waiting time to open a page is of the same kind.

If I connect this VM directly to sys-firewall the problem is gone.
So, somehow sys-vpn introduces a lot of latency.

Is it maybe a problem of MTU?

cheers
qun

It could be an MTU issue.
Set correct MTU values in the VPN configs and add a TCP MSS clamping firewall rule in the sys-vpn qubes:

nft add rule ip qubes custom-forward tcp flags syn / syn,rst tcp option maxseg size set rt mtu
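The reply above names the two pieces of the fix (a correct MTU on the uplink and MSS clamping on forwarded SYNs) but not how to find the MTU value in the first place. The script below is an added example, not code from the thread or from Qubes OS: it binary-searches the largest DF-flagged ping payload that gets through the uplink, converts that to a path MTU, and prints the ip link and nft commands to apply it. The interface name eth0 and the probe target 1.1.1.1 are placeholder assumptions, and the probe uses iputils ping (-M do sets the DF bit, -s the payload size); the probe is passed in as a function name so the search logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the forum thread): find the path MTU of a qube's
# uplink by binary search over DF-flagged pings, then print the commands a
# sys-vpn qube would need (uplink MTU + MSS clamping).
# Assumptions: "eth0" and "1.1.1.1" are placeholders; ping is iputils ping.

# probe_real SIZE HOST IFACE: returns 0 if a DF-flagged ping with SIZE bytes
# of payload gets through, 1 otherwise (fragmentation needed or no reply).
probe_real() {
    ping -c 1 -W 1 -M do -s "$1" -I "$3" "$2" >/dev/null 2>&1
}

# find_max_mtu PROBE LO HI HOST IFACE
# PROBE is a function name taking (size host iface) and returning 0 when that
# payload size passes. Binary-searches payload sizes in [LO, HI] and prints
# the resulting MTU (payload + 8 bytes ICMP header + 20 bytes IPv4 header).
# Returns 1 if no size in the range passes.
find_max_mtu() {
    probe=$1; lo=$2; hi=$3; host=$4; iface=$5
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid" "$host" "$iface"; then
            best=$mid          # this size passes: look for a larger one
            lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))  # too big: shrink the upper bound
        fi
    done
    [ "$best" -gt 0 ] || return 1
    echo $(( best + 28 ))
}

# mss_for_mtu MTU: the TCP MSS that fits an IPv4 packet of that MTU
# (20 bytes IP header + 20 bytes TCP header).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# print_fix MTU IFACE: the commands that apply the finding inside sys-vpn:
# lower the uplink MTU, and clamp the MSS of forwarded SYNs to the route MTU
# (the nft rule from the reply above).
print_fix() {
    echo "ip link set dev $2 mtu $1"
    echo "nft add rule ip qubes custom-forward tcp flags syn / syn,rst tcp option maxseg size set rt mtu"
}

# Usage on the qube itself:  sh mtu-probe.sh run [host] [iface]
# The payload range 1252..1472 covers MTUs from 1280 to 1500.
if [ "${1:-}" = "run" ]; then
    host=${2:-1.1.1.1}; iface=${3:-eth0}
    mtu=$(find_max_mtu probe_real 1252 1472 "$host" "$iface") || {
        echo "no payload size passed with DF set via $iface" >&2; exit 1; }
    echo "path MTU via $iface: $mtu (TCP MSS $(mss_for_mtu "$mtu"))"
    print_fix "$mtu" "$iface"
fi
```

Run it with "run" as the first argument inside the qube whose uplink you are checking; with no arguments it only defines the functions. The reported MTU is what the extra hop (sys-vpn to sys-firewall) actually passes, so it is the value to set on the uplink rather than a guess, and the MSS clamping rule makes TCP sessions fit that MTU without relying on path MTU discovery working end to end.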

Just set an MTU of 1380 on the “VM uplink eth0” and it works like a charm!
As I understand it, it’s because of routing through the extra interface; it needs some overhead, it seems.