diff --git a/hosts/xlab-gateway/networking.nix b/hosts/xlab-gateway/networking.nix
index eb24c27..6d50cae 100644
--- a/hosts/xlab-gateway/networking.nix
+++ b/hosts/xlab-gateway/networking.nix
@@ -74,11 +74,18 @@ table inet mangle {
 chain forward_mss {
 type filter hook forward priority mangle; policy accept;
-
- # 终极修复:使用位掩码 & (syn) == syn,同时捕获 SYN 和 SYN-ACK。
- # 无论数据包是进 WG 还是出 WG,都会根据出口路由(rt mtu)自动调整 MSS。
- #tcp flags & (syn) == syn tcp option maxseg size set rt mtu
- tcp flags & (syn|ack) == syn tcp option maxseg size set 1280
+
+ # MSS clamping for forwarded TCP, both directions. Old rule
+ # `& (syn|ack) == syn` ONLY matched plain SYN — SYN-ACK from
+ # the server came back unclamped, full-MTU segments overflowed
+ # the WG path, and large pages (YouTube, Microsoft) silently
+ # truncated. Use `& (syn|rst) == syn` so SYN-ACK still matches
+ # (it has SYN+ACK), only RST packets are excluded.
+ #
+ # `set rt mtu` picks MSS from the egress route's MTU
+ # (wg-to-wgnet=1420 → 1380 v4 / 1360 v6), instead of the
+ # one-size-fits-all 1280 that was too low AND one-directional.
+ tcp flags & (syn|rst) == syn tcp option maxseg size set rt mtu
 }
 chain postrouting {
 type filter hook postrouting priority filter; policy accept;
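Review bot: The new match `tcp flags & (syn|rst) == syn` selects the same packets in practice as the simpler form the commit removes in its commented-out line, `tcp flags & syn == syn` (nftables also accepts `tcp flags syn` for this): it matches any segment with SYN set and RST clear, and a SYN that also carries RST is not something a handshake produces, so the `rst` term is an exclusion that never fires yet makes the rule read as if RST handling were the point. The comment's "only RST packets are excluded" is imprecise for the same reason — every non-SYN segment is excluded too, which is the intent since MSS is only negotiated on SYN/SYN-ACK; I would reword it to `# match any segment with SYN set (plain SYN and SYN-ACK); MSS is only carried there`. The MTU figures in the comment (1420 → 1380 v4 / 1360 v6) are presumably derived from the WireGuard interface's configured MTU, which is not in this file, so mark them as an assumption (`# assuming wg-to-wgnet mtu 1420`) so they do not silently go stale if that MTU is changed elsewhere. The forward_mss chain is fully inside the hunk, but the enclosing `table inet mangle` starts before it.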