Netgate Discussion Forum
    Setting the MTU across my network devices

    General pfSense Questions
    medicineman25:

      Hey guys,

      So I am a little confused about my MTU settings on my network and I was hoping to gain some clarification. I'm trying to mitigate some bandwidth loss on my internet connection.

      my setup:

      Connection type: PPPoeDSL (1492 bits)
      Speed without pfsense: 7-8 MB p/s
      Speed with pfsense: 2.5-3.2 MB p/s

      pfsense hardware: supermicro X7SPE-HF-D525 (atom D525 processor)

      network layout:

      LAN -> managed switch -> pfsense firewall (running openvpn client) -> router -> internet

      MTU settings:

      router: 1492
      openvpn client: tun-mtu 1492, fragment 1423, mssfix 1423
      windows 7 unit (changed at command line): 1464

      I understand the general concept behind MTU; it's a maximum transmission unit before fragmentation. What I'm confused about is the ip header and openvpn overhead, as well as how many times the ip header is added each network hop, before hitting the internet.

      The confusing thing is that when I ping, from the windows machine, at 1436 bytes (i.e. ping www.google.com -f -l 1436) it sends and receives just fine. However, when I send at 1437 bytes it fragments the packet. This is a difference of 28 bits (from the set limit of 1464), equivalent to the size of an ip header. But then why does it not fragment at 1423, as is the value set by the fragment option in openvpn??

      So, what I really want to know is this: do I need to factor in a 28 bit difference each hop i.e. 28 from windows, 28 from the managed switch, 28 from the firewall (+69 for openvpn overhead) and then another 28 from the router??

      If so, this would mean the following settings:

      router: 1492
      firewall: 1423
      managed switch: 1395 (not sure if I can actually set this value, but I would just factor in the extra 28 bits into the machines value)
      each machine: 1367

      If not, what would be the optimal settings so that I may eliminate fragmentation?

      EDIT: would there also be a 28 bit header between LAN and WAN interfaces on the firewall?

      Thanks in advance

      Medicineman25

    medicineman25:

        Upon further testing I have ascertained that the MTU for the network as a whole is set within the VPN.

        I tested with these settings:

        host: 1500
        openvpn: 1500
        router: 1492

        Pings at 1473 were fragmented and pings at 1472 passed. When I set the openvpn client back to 1492, pings at 1465 fragmented and pings at 1464 passed.

        So it appears that the router MTU setting has no effect on an encrypted tunnel.

        As per the description "maximum transmission unit", I can only assume that if I set my host to limit at 1492 it will formulate packets of 1464 bytes and append a 28 bit header to make up the 1492.

        Someone please correct me if I'm wrong. For now this is solved.
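The 28-byte gap seen in both posts (1436/1437 with the host at 1464, 1472/1473 at 1500, 1464/1465 with tun-mtu 1492) is the IPv4 header (20 bytes) plus the ICMP echo header (8 bytes). As an added example, not from this thread or from pfSense/OpenVPN, here is a small Python helper that converts an MTU into the largest unfragmented `ping -l` payload and back, and binary-searches the path MTU through a probe callable; the probe is simulated here, and the function names are my own.

```python
# Added example: MTU <-> largest unfragmented ping payload, plus a probe-driven search.
from typing import Callable

IP_HEADER = 20     # IPv4 header without options
ICMP_HEADER = 8    # ICMP echo header; 20 + 8 = the 28-byte gap observed in the thread
PPPOE_OVERHEAD = 8 # why a PPPoE link carries 1492 instead of Ethernet's 1500


def max_ping_payload(mtu: int) -> int:
    """Largest `ping -l <n>` value that still fits in one packet of the given MTU."""
    return mtu - IP_HEADER - ICMP_HEADER


def mtu_from_ping_threshold(largest_passing_payload: int) -> int:
    """Invert the above: the effective MTU implied by the largest payload that passed."""
    return largest_passing_payload + IP_HEADER + ICMP_HEADER


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for `ping -f -l <n>`: True when the packet is not fragmented.
    A real probe would run the ping command with the don't-fragment flag and report success."""
    return lambda payload: payload + IP_HEADER + ICMP_HEADER <= path_mtu


def find_path_mtu(probe: Callable[[int], bool], lo: int = 548, hi: int = 9000) -> int:
    """Binary-search the largest payload the probe passes and convert it to an MTU.
    `lo` must pass and `hi` must fail so the bounds bracket the fragmentation point."""
    if not probe(lo) or probe(hi):
        raise ValueError("search bounds must bracket the fragmentation threshold")
    while hi - lo > 1:          # invariant: probe(lo) passes, probe(hi) fragments
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return mtu_from_ping_threshold(lo)


if __name__ == "__main__":
    for mtu in (1500, 1492, 1464):
        ok = max_ping_payload(mtu)
        print(f"MTU {mtu}: ping -l {ok} passes, ping -l {ok + 1} fragments")
    print("probed path MTU (simulated 1492 link):", find_path_mtu(simulated_probe(1492)))
```

Reproduces the thread's numbers: 1500 gives 1472, 1492 gives 1464, and a host limited to 1464 gives 1436.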

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.