Where to set MTU

McMurphy

My pfSense router has a fibre connection and has a VPN to a remote site via WireGuard.

The WireGuard link has a lower MTU than the internet connection.

The maximum packet size for the VPN link before fragmentation is 1392 (+28 = 1420)
The maximum packet size for the internet link before fragmentation is 1472 (+28 = 1500)

I can set 1420 in the WireGuard interface and 1500 on the Fibre interface however as everything goes out over the Fibre connection it would not make sent to specify the MTU there.

Where should I set both these MTU values?

Bonus Points:
If the WG server has an MTU of 1420 and the pfSense peer has an MTU of 1500 does the server override the peer meaning the peer setting is irrelevant?

rtorres

@McMurphy I just set the same MTU (1400) on the Wireguard interface and on the peer (device) . Been working great for the past year and some change.

My ISP (xFinity) is MTU 1500, I think pfSense automatically detected this and I have never had to manually change it.

eagle61

@McMurphy said in Where to set MTU:

The maximum packet size for the internet link before fragmentation is 1472 (+28 = 1500)

in your case 1440 is fine for IPv4 only Tunnel. If the Tunnel also shall transport IPv6-Trafic you shall not use a MT bigger 1420. The reason is the slightly bigger overhead of IPv6 compared to IPv4.

Using tracepath you can check out pmtu and packet transfer, to find optimal results

See: https://schroederdennis.de/vpn/wireguard-mtu-size-1420-1412-best-practices-ipv4-ipv6-mtu-berechnen/ (german language)