Netgate Discussion Forum

Setting the MTU across my network devices

    medicineman25, Apr 23, 2017, 8:14 PM (last edited Apr 23, 2017, 8:38 PM)

    Hey guys,

    So I am a little confused about my MTU settings on my network and I was hoping to gain some clarification. I'm trying to mitigate some bandwidth loss on my internet connection.

    my setup:

    Connection type: PPPoE DSL (1492 bits)
    Speed without pfsense: 7-8 MB p/s
    Speed with pfsense: 2.5-3.2 MB p/s

    pfsense hardware: supermicro X7SPE-HF-D525 (atom D525 processor)

    network layout:

    LAN -> managed switch -> pfsense firewall (running openvpn client) -> router -> internet

    MTU settings:

    router: 1492
    openvpn client: tun-mtu 1492, fragment 1423, mssfix 1423
    windows 7 unit (changed at command line): 1464

    I understand the general concept behind MTU; it's a maximum transmission unit before fragmentation. What I'm confused about is the ip header and openvpn overhead, as well as how many times the ip header is added each network hop, before hitting the internet.

    The confusing thing is that when I ping, from the windows machine, at 1436 bytes (i.e. ping www.google.com -f -l 1436) it sends and receives just fine. However, when I send at 1437 bytes it fragments the packet. This is a difference of 28 bits (from the set limit of 1464), equivalent to the size of an ip header. But then why does it not fragment at 1423, as is the value set by the fragment option in openvpn?

    So, what I really want to know is this: do I need to factor in a 28 bit difference each hop, i.e. 28 from windows, 28 from the managed switch, 28 from the firewall (+69 for openvpn overhead) and then another 28 from the router?

    If so, this would mean the following settings:

    router: 1492
    firewall: 1423
    managed switch: 1395 (not sure if I can actually set this value, but I would just factor in the extra 28 bits into the machines value)
    each machine: 1367

    If not, what would be the optimal settings so that I may eliminate fragmentation?

    EDIT: would there also be a 28 bit header between LAN and WAN interfaces on the firewall?

    Thanks in advance

    Medicineman25

      medicineman25, last edited Apr 23, 2017, 10:35 PM

      Upon further testing I have ascertained that the MTU for the network as a whole is set within the VPN.

      I tested with these settings:

      host: 1500
      openvpn: 1500
      router: 1492

      Pings at 1473 were fragmented and pings at 1472 passed. When I set the openvpn client back to 1492, pings at 1465 fragmented and pings at 1464 passed.

      So it appears that the router MTU setting has no effect on an encrypted tunnel.

      As per the description "maximum transmission unit", I can only assume that if I set my host to limit at 1492 it will formulate packets of 1464 bytes and append a 28 bit header to make up the 1492.

      Someone please correct me if I'm wrong. For now this is solved.

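The bisection both posts do by hand (a don't-fragment ping, shrinking the size until it passes) as an added Python example, not code from the thread or from pfSense/OpenVPN. It assumes the 28-byte IPv4 + ICMP echo overhead behind the 1436/1464 gap the first post describes; `simulated_link` is a constructed stand-in for the tunnel so the search can be run offline, and `ping_probe` drives the real `ping` on Windows or Linux.

```python
import subprocess
import sys

IPV4_HEADER = 20      # bytes
ICMP_ECHO_HEADER = 8  # bytes
PING_OVERHEAD = IPV4_HEADER + ICMP_ECHO_HEADER  # 28 bytes, the gap seen in the thread

def max_payload_for_mtu(mtu):
    """Largest ping payload (-l on Windows, -s on Linux) that fits one packet of this MTU."""
    return mtu - PING_OVERHEAD

def ping_command(host, payload, windows=None):
    """Build a single don't-fragment echo request carrying `payload` bytes."""
    if windows is None:
        windows = sys.platform.startswith("win")
    if windows:  # Windows ping: -f sets DF, -l is the payload size
        return ["ping", "-f", "-l", str(payload), "-n", "1", host]
    # iputils ping: -M do sets DF, -s is the payload size
    return ["ping", "-M", "do", "-s", str(payload), "-c", "1", host]

def ping_probe(host):
    """Return probe(payload) -> True when a DF-marked ping of that size is answered."""
    def probe(payload):
        result = subprocess.run(ping_command(host, payload),
                                capture_output=True, text=True, timeout=10)
        out = (result.stdout + result.stderr).lower()
        # Windows reports "needs to be fragmented", iputils "Frag needed" / "message too long"
        return result.returncode == 0 and "frag" not in out and "too long" not in out
    return probe

def simulated_link(mtu):
    """Offline stand-in for ping_probe: constructed link that drops anything over `mtu`."""
    return lambda payload: payload + PING_OVERHEAD <= mtu

def find_path_mtu(probe, lo=0, hi=1472):
    """Bisect the largest payload probe() accepts; returns (payload, path_mtu).
    Assumes probe(lo) passes and that no bigger packet passes where a smaller one failed.
    hi=1472 is the full payload of a 1500-byte Ethernet frame."""
    if not probe(lo):
        raise ValueError("even the smallest probe is blocked")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo, lo + PING_OVERHEAD

if __name__ == "__main__":
    # Against a constructed 1464-byte tunnel the search stops at 1436, as the thread observed.
    print(find_path_mtu(simulated_link(1464)))
```

Swap `simulated_link(1464)` for `ping_probe("<host>")` to measure a live path; the returned MTU is what the DF-marked packets actually traverse, which in this thread was the tun-mtu rather than the router's 1492.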