diff --git a/docs/changes.txt b/docs/changes.txt
index e325a71..7a84887 100644
--- a/docs/changes.txt
+++ b/docs/changes.txt
@@ -447,3 +447,4 @@ v70
 blockcheck: override all dialog questions and enable batch mode
 blockcheck: parallel attempts
 nfqws: weaken wireguard initiation recognition. use len=148 and data[0]=1 signature
+nfqws: apply split+seqovl only to the first reasm fragment
diff --git a/nfq/desync.c b/nfq/desync.c
index 0cfa059..06196b7 100644
--- a/nfq/desync.c
+++ b/nfq/desync.c
@@ -1327,7 +1327,7 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
 // do seqovl only to the first packet
 // otherwise it's prone to race condition on server side
 // what happens first : server pushes socket buffer to process or another packet with seqovl arrives
- seqovl = i==0 ? seqovl_pos : 0;
+ seqovl = (i==0 && reasm_offset==0) ? seqovl_pos : 0;
 #ifdef __linux__
 // only linux return error if MTU is exceeded
 for(;;seqovl=0)
@@ -1573,7 +1573,7 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
 if (!rawsend_rep(dp->desync_repeats,(struct sockaddr *)&dst, desync_fwmark, ifout , fakeseg, fakeseg_len))
 return verdict;
- unsigned int seqovl = seqovl_pos;
+ unsigned int seqovl = reasm_offset ? 0 : seqovl_pos;
 #ifdef __linux__
 // only linux return error if MTU is exceeded
 for(;;seqovl=0)
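Review bot: The comment block above the changed assignment in the `@@ -1327` hunk still says seqovl is done "only to the first packet", but the new condition also requires `reasm_offset==0`, so the comment no longer states the full rule. I would extend it with a line such as `// and only when reasm_offset==0, i.e. for the first fragment of a reassembled message`, and add the reason if it is the same server-side race the existing comment describes (that cannot be confirmed from these lines). The body of dpi_desync_tcp_packet_play starts and ends outside the hunk, so how reasm_offset is set for replayed packets is not visible here.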
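Review bot: In the `@@ -1573` hunk the same rule is written the other way round, `reasm_offset ? 0 : seqovl_pos`, and has no comment, while the `@@ -1327` site spells the test as `reasm_offset==0`. Using one form at both sites makes it obvious that they enforce the same condition: `unsigned int seqovl = reasm_offset==0 ? seqovl_pos : 0;` with `// seqovl only for the first reasm fragment` above it. Both sites are followed by the same `for(;;seqovl=0)` retry loop, so a small static helper returning the effective seqovl would keep the two from drifting apart. The surrounding function body lies outside the hunk.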