Setting the MTU across my network devices
-
Hey guys,
So I am a little confused about my MTU settings on my network and I was hoping to gain some clarification. I'm trying to mitigate some bandwidth loss on my internet connection.
my setup:
Connection type: PPPoeDSL (1492 bits)
Speed without pfsense: 7-8 MB p/s
Speed with pfsense: 2.5-3.2 MB p/s
pfsense hardware: supermicro X7SPE-HF-D525 (atom D525 processor)
network layout:
LAN -> managed switch -> pfsense firewall (running openvpn client) -> router -> internet
MTU settings:
router: 1492
openvpn client: tun-mtu 1492, fragment 1423, mssfix 1423
windows 7 unit (changed at command line): 1464
I understand the general concept behind MTU; it's a maximum transmission unit before fragmentation. What I'm confused about is the IP header and openvpn overhead, as well as how many times the IP header is added at each network hop before hitting the internet.
The confusing thing is that when I ping, from the windows machine, at 1436 bytes (i.e. ping www.google.com -f -l 1436) it sends and receives just fine. However, when I send at 1437 bytes it fragments the packet. This is a difference of 28 bits (from the set limit of 1464), equivalent to the size of an IP header. But then why does it not fragment at 1423, as is the value set by the fragment option in openvpn??
So, what I really want to know is this: do I need to factor in a 28 bit difference each hop i.e. 28 from windows, 28 from the managed switch, 28 from the firewall (+69 for openvpn overhead) and then another 28 from the router??
If so, this would mean the following settings:
router: 1492
firewall: 1423
managed switch: 1395 (not sure if I can actually set this value, but I would just factor in the extra 28 bits into the machines value)
each machine: 1367
If not, what would be the optimal settings so that I may eliminate fragmentation?
EDIT: would there also be a 28 bit header between LAN and WAN interfaces on the firewall?
Thanks in advance
Medicineman25
-
Upon further testing I have ascertained that the MTU for the network as a whole is set within the VPN.
I tested with these settings:
host: 1500
openvpn: 1500
router: 1492
Pings at 1473 were fragmented and pings at 1472 passed. When I set the openvpn client back to 1492, pings at 1465 fragmented and pings at 1464 passed.
So it appears that the router MTU setting has no effect on an encrypted tunnel.
As per the description "maximum transmission unit", I can only assume that if I set my host to limit at 1492 it will formulate packets of 1464 bytes and append a 28 bit header to make up the 1492.
Someone please correct me if I'm wrong. For now this is solved.
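The ping test used in the posts above, written out as an added example (not part of the original thread): a binary search for the largest ICMP payload that passes with the don't-fragment flag set, converted to an MTU by adding the 20-byte IPv4 header and the 8-byte ICMP echo header. The function names are hypothetical, and `simulated_probe` is a constructed stand-in for a real `ping -f -l <size>` call so the code runs offline.

```python
from typing import Callable, Optional

IPV4_HEADER = 20   # bytes, IPv4 header without options
ICMP_HEADER = 8    # bytes, ICMP echo request header
PING_OVERHEAD = IPV4_HEADER + ICMP_HEADER  # 28 bytes added to every ping payload


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for `ping -f -l <payload>`.

    Returns a probe that reports True when payload + headers fits in
    path_mtu, i.e. the ping would pass without needing fragmentation.
    """
    def probe(payload: int) -> bool:
        return payload + PING_OVERHEAD <= path_mtu
    return probe


def largest_unfragmented_payload(probe: Callable[[int], bool],
                                 low: int = 0,
                                 high: int = 1472) -> Optional[int]:
    """Binary search for the largest payload the probe accepts.

    `high` defaults to 1472, the largest payload on a 1500-byte Ethernet
    link. Returns None if even the smallest payload does not pass.
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2   # round up so the loop always terminates
        if probe(mid):
            low = mid                 # mid fits, look for something larger
        else:
            high = mid - 1            # mid needs fragmenting, go smaller
    return low


def effective_mtu(probe: Callable[[int], bool]) -> Optional[int]:
    """Largest passing payload plus the 28 bytes of IPv4 and ICMP headers."""
    payload = largest_unfragmented_payload(probe)
    return None if payload is None else payload + PING_OVERHEAD


if __name__ == "__main__":
    # The three interface MTU values that appear in the thread.
    for mtu in (1500, 1492, 1464):
        probe = simulated_probe(mtu)
        print(mtu, largest_unfragmented_payload(probe), effective_mtu(probe))
```

To measure a live path, replace `simulated_probe` with a function that runs the ping command from the posts and returns whether a reply came back unfragmented.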