On Thu, 2024-01-18 at 12:51 +0000, Tixy wrote:
>
> I have the same options in the forward chain except that I haven't
> qualified them with an interface name. Didn't occur to me that I would
> need to do that as there are only two networks my LAN and 'the
> internet'.
You probably don't need to, I just copied the example from the nftables wiki. For my setup it might in theory make a difference because maybe it could interfere with the use of jumbo frames on my LAN, but as the machine in question is a lowly Raspberry Pi 4, it is a rather theoretical aspect.

Thanks for your reply, and for confirming that the maxseg line in principle looked sane.

In looking at all the configuration again, I noticed something else: in testing I seemingly had set the MTU of the internal LAN interface en0 lower, to 1400. When I set that back to the Ethernet default of 1500, my setup started working suddenly, with or without interface qualification in the maxseg (line/lines). It never occurred to me that I broke the MTU on the LAN side. Oh well.

Ralph

--
I'll read the stackexchange links
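For reference, here is what the two variants of the forward-chain MSS clamping rule discussed in this thread look like side by side. This is an added illustration, not the configuration either poster used: the LAN interface name `en0` is taken from the thread, while the uplink name `ppp0` and the surrounding accept rules are assumptions.

```nft
# Added example, not the list poster's ruleset.
# Assumed interface names: en0 = LAN (from the thread), ppp0 = uplink (assumed).
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Unqualified variant: clamp the MSS of every forwarded TCP SYN to the
        # MTU the kernel has for the packet's route. On a router with only a
        # LAN and an uplink this is usually all that is needed.
        tcp flags syn tcp option maxseg size set rt mtu

        # Qualified variant (the nftables wiki style): only clamp SYNs that
        # leave via the uplink, so LAN-to-LAN forwarding (e.g. with jumbo
        # frames) is left untouched. Use one variant or the other.
        # oifname "ppp0" tcp flags syn tcp option maxseg size set rt mtu

        ct state established,related accept
        iifname "en0" oifname "ppp0" accept
    }
}
```

Since `rt mtu` takes its value from the route, the link MTUs feed directly into the clamped MSS; `ip link show dev en0` shows the current MTU of the LAN side, and `nft -c -f <file>` checks the ruleset for syntax errors without loading it.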