Netgate Discussion Forum

    Where to set MTU

    • McMurphy

      My pfSense router has a fibre connection and has a VPN to a remote site via WireGuard.

      The WireGuard link has a lower MTU than the internet connection.

      The maximum packet size for the VPN link before fragmentation is 1392 (+28 = 1420)
      The maximum packet size for the internet link before fragmentation is 1472 (+28 = 1500)

      I can set 1420 in the WireGuard interface and 1500 on the Fibre interface; however, as everything goes out over the Fibre connection, it would not make sense to specify the MTU there.

      Where should I set both these MTU values?

      Bonus Points:
      If the WG server has an MTU of 1420 and the pfSense peer has an MTU of 1500, does the server override the peer, meaning the peer setting is irrelevant?

      • rtorres Rebel Alliance @McMurphy

        @McMurphy I just set the same MTU (1400) on the WireGuard interface and on the peer (device). Been working great for the past year and some change.


        My ISP (xFinity) is MTU 1500; I think pfSense automatically detected this and I have never had to manually change it.

        • eagle61 @McMurphy

          @McMurphy said in Where to set MTU:

          The maximum packet size for the internet link before fragmentation is 1472 (+28 = 1500)

          In your case 1440 is fine for an IPv4-only tunnel. If the tunnel shall also transport IPv6 traffic, you shall not use an MTU bigger than 1420. The reason is the slightly bigger overhead of IPv6 compared to IPv4.

          Using tracepath you can check out the PMTU and packet transfer to find optimal results.

          See: https://schroederdennis.de/vpn/wireguard-mtu-size-1420-1412-best-practices-ipv4-ipv6-mtu-berechnen/ (German language)

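The numbers in this thread can be reproduced with a short script. This is an added example, not part of any post above: it binary-searches the largest unfragmented ping payload and derives the WireGuard interface MTU from the result. It assumes a per-packet WireGuard overhead of 60 bytes over an IPv4 underlay and 80 bytes over IPv6 (outer IP header + 8 UDP + 32 WireGuard); `ping_df` uses Linux iputils flags, and `simulated_link` is a constructed stand-in so the script runs offline.

```python
import subprocess

ICMP_V4_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header (the "+28" in the thread)
# Assumed WireGuard overhead per outer IP version: IP header + UDP (8) + WG header and tag (32)
WG_OVERHEAD = {4: 20 + 8 + 32, 6: 40 + 8 + 32}

def ping_df(host, payload):
    """Live probe (Linux iputils flags): one IPv4 echo with DF set, True on reply."""
    cmd = ["ping", "-4", "-M", "do", "-c", "1", "-W", "1", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def simulated_link(mtu):
    """Constructed offline probe: succeeds while payload plus headers fits in mtu."""
    return lambda payload: payload + ICMP_V4_OVERHEAD <= mtu

def max_unfragmented_payload(probe, lo=0, hi=1472):
    """Binary-search the largest ICMP payload for which probe(payload) succeeds."""
    if not probe(lo):
        raise RuntimeError("smallest probe failed: host unreachable or ICMP filtered")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid        # mid fits, search above it
        else:
            hi = mid - 1    # mid was dropped, search below it
    return lo

def path_mtu(probe):
    """Path MTU is the largest working payload plus IPv4 and ICMP headers."""
    return max_unfragmented_payload(probe) + ICMP_V4_OVERHEAD

def wg_mtu(underlay_mtu, outer_ip_version):
    """Largest tunnel MTU that keeps the encrypted outer packet within the underlay."""
    return underlay_mtu - WG_OVERHEAD[outer_ip_version]

if __name__ == "__main__":
    # Swap in: probe = lambda size: ping_df("<remote endpoint>", size)
    probe = simulated_link(1500)
    underlay = path_mtu(probe)
    print("underlay path MTU:", underlay)
    print("WireGuard MTU, IPv4 underlay:", wg_mtu(underlay, 4))
    print("WireGuard MTU, IPv6 underlay:", wg_mtu(underlay, 6))
```

Running the same search through the tunnel address instead of the WAN address measures the tunnel's own limit, which is how the 1392 (+28 = 1420) figure in the first post arises.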
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.