Routing for small files breaks

I have one NUC i511TNK box with F37 server and an extra USB gigabit NIC (TP-Link), and as soon as I set it up as a router with the cable modem via the TP-Link NIC it gives me issues transferring small files from some websites, while YT is working fine. DNS is set up well and returns results OK.
Funny enough it does dnf -y up with no problem and establishes openvpn with no problem, but when I connect either from within the server to another server via SSH in a terminal (through the tunnel or directly via IP#) and do something as simple as ls /etc, it breaks after listing a few lines. The same thing happens when I do it from within the LAN, from my laptop for example. rsync of small files also breaks. When I replace the F37 box with a regular WiFi router it all works fine, so the cable modem and connection are good. I’ve changed 3 different USB NICs and have the same issue.
The kernel log doesn’t report any issues with any of the cards. I’ve turned off the firewall, also no help. I’ve checked cat /proc/sys/net/ipv4/ip_forward to be 1.
When I put the F37 box on the LAN and access the internet via the router using the internal or USB NIC it works normally.
What else could be the cause? I ran out of ideas. The NUC is new and I’ve installed 3 of the same ones last year in similar setups with no issues. This one is in a different location (country) so I can’t really run back home and try another one.
Maybe MTU setup, but I don’t know much about it? Any ideas?
F37 is updated to the latest kernel 6.1.5 as of Jan 16 2023. Also no extra/3rd-party/unusual software packages are installed; it has a server environment, so no GUI, a relatively clean install (copied from other servers that I run).

Is there a direct command I can issue with iptables, that you know of, to test if it changes? I don’t use firewalld at all. I have my own script for the firewall that I always use.

Circumventing Path MTU Discovery issues with MSS Clamping (for ADSL, cable, PPPoE & PPtP users)

Unless you have deliberately disabled firewalld it is running. You might have disabled it, but doing so must be deliberate since it is enabled by default on fedora.

I am not sure what you would be looking at to test for changes. Firewalls should never change the config unless done deliberately by the user.

As far as commands to use with iptables, there is the man page for that, as well as a lot of info to be found online. I cannot point you to anything other than what has already been said since I don’t know precisely what the desire is.

I do know that sometimes the issue you described may be related to problems with conflicting IPv4 & IPv6 routing.
What is the output of route -n?
What is the output of ip route?
Is IPv6 enabled or disabled in the network control panel?

For my desktop at home I have this


and for my laptop which travels I have this.

I’ve tried, and now it is working from within the LAN, but not directly from the server machine. I’ve added
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 128
I’ve tried to insert it into the OUTPUT and PREROUTING table, but it has the same effect, whereas the kernel does not allow inserting it into the INPUT table.

You can try with the following tables and chains for the host itself:

iptables -t mangle -A POSTROUTING ...
iptables -t raw -A OUTPUT ...

Otherwise consider decreasing MTU on the upstream interface:

But mangle and raw are not builtin tables? Don’t they get created by firewalld?
Now another issue is that bandwidth decreased significantly from 500/50 to 50/15. Any way to regulate that?
And if I use
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
the terminal breaks again when using ssh.

I manually disabled firewalld as I use my own, and I’m careful that it doesn’t get activated on updates. I have no GUI; it’s a server environment. Routing is very simple.

ip ro ls

default via 85.72.30.1 dev en1 proto dhcp src 85.72.31.166 metric 101 
85.72.30.0/22 dev en1 proto kernel scope link src 85.72.31.166 metric 101 
192.168.0.0/16 via 192.168.94.169 dev tun0 
192.168.14.0/24 dev en0 proto kernel scope link src 192.168.14.1 metric 100 
192.168.94.0/24 via 192.168.94.169 dev tun0 
192.168.94.169 dev tun0 proto kernel scope link src 192.168.94.170

and I don’t use ipv6

Thanks for this @vgaetera. I was testing the max MTU (as suggested by the article) with ping -M do -s 1202 myserv and it came down to 1230 (from the current 1280), yet the terminal still wasn’t working, so I was just decreasing the MTU directly via ifconfig en1 mtu 1100 and it started working at 1100. Considerably lower than the ping max would be, but it’s working and also speed is not much degraded, 500Mbs to 470Mbs, which is not a problem. Still have to play with it a bit to get stable operation.
Strange how come this ISP has such settings. I checked my WiFi router, that I was using in between, and there were no MTU values (I have openwrt on it).
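An added example, not from this thread or from any of the posters: a small POSIX sh script that automates the don't-fragment ping probe the post above ran by hand, then derives the MSS value for the clamp rule discussed earlier in the thread. The helper names (probe_mtu, find_path_mtu, mss_for_mtu), the 576..1500 search range and the host argument are assumptions of the example; it uses the iputils ping flags -M do and -s.

```shell
#!/bin/sh
# Added example (not from the thread): binary-search the largest IPv4 packet
# that passes with DF set, then compute the TCP MSS to clamp to.
# Assumptions: IPv4 only, Linux iputils ping, ICMP not filtered on the path.

# probe_mtu HOST PAYLOAD -> exit 0 if a DF ping with PAYLOAD data bytes passes.
probe_mtu() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# find_path_mtu HOST LOW HIGH -> prints the largest passing MTU in [LOW, HIGH].
# ping -s gives the ICMP payload; IPv4 (20) + ICMP (8) headers add 28 bytes.
find_path_mtu() {
    host=$1; lo=$2; hi=$3; best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe_mtu "$host" $(( mid - 28 )); then
            best=$mid; lo=$(( mid + 1 ))      # fits: search the upper half
        else
            hi=$(( mid - 1 ))                 # too big: search the lower half
        fi
    done
    echo "$best"
}

# mss_for_mtu MTU -> MSS that fits: MTU minus IPv4 (20) and TCP (20) headers.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Usage: ./pmtu.sh HOST   (prints the measured MTU and a matching clamp rule)
if [ -n "${1:-}" ]; then
    mtu=$(find_path_mtu "$1" 576 1500)
    mss=$(mss_for_mtu "$mtu")
    echo "path MTU: $mtu  MSS: $mss"
    echo "iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
fi
```

As the post above found, the MTU that passes DF pings can still be higher than what makes interactive SSH stable, so treat the measured value as an upper bound and step the interface MTU down from it if sessions keep stalling.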

Make sure ICMP is allowed in the INPUT/OUTPUT/FORWARD chains of the filter table for PMTUD to work properly.