diff --git a/hosts/xlab-gateway/networking.nix b/hosts/xlab-gateway/networking.nix
index 853d347..8a8af86 100644
--- a/hosts/xlab-gateway/networking.nix
+++ b/hosts/xlab-gateway/networking.nix
@@ -72,12 +72,15 @@
         }
 
         table inet mangle {
+          chain forward_mss {
+            type filter hook forward priority mangle; policy accept;
+            
+            # 终极修复：使用位掩码 & (syn) == syn，同时捕获 SYN 和 SYN-ACK。
+            # 无论数据包是进 WG 还是出 WG，都会根据出口路由(rt mtu)自动调整 MSS。
+            tcp flags & (syn) == syn tcp option maxseg size set rt mtu
+          }
           chain postrouting {
             type filter hook postrouting priority filter; policy accept;
-            # oifname "wg-*" tcp flags syn tcp option maxseg size set 1380
-            # 完美替代 "clamp mss to pmtu"
-            # 它会自动计算：如果是 IPv4 流量设为 1380，IPv6 流量设为 1360
-            tcp flags syn tcp option maxseg size set rt mtu
           }
         }
       '';