Understanding MTU Size and Issue on Tunnel interface


Do you know what happened when you transmit data on the network? Your data will go through the OSI layer and learn how big is the data that can put in to each packet. The big data that it can transmit each time the faster it can complete the task. By default Ethernet networks is set to 1500 bytes. Ethernet Version 2 networks have a standard frame size of 1518 bytes (including the 14-byte Ethernet II header and 4-byte Frame Check Sequence (FCS)).


MTU:  The Maximum Transmission Unit (MTU) is the maximum length of data that can be transmitted by a protocol in one instance. 

PMTUD: Path MTU Discovery is used to avoid the fragmentaion of the packet in the path between endpoint by discover the lowest MTU size of the link.

MSS: Maximum Segment Size  is the largest amount of bytes of payload data able to be sent in a single TCP packet. The MSS value is sent as a TCP header option only in TCP SYN segments. Each side of a TCP connection reports its MSS value to the other side. TCP MSS=1500(Full MTU) – 20(tcp header) – 20(IP header) = 1460

DF: Don't Fragment bit is an IPV4 header parameter. The packets with this bit enable are never fragmented, but it will drop when a router sees that the packet does not fit outgoing link’s MTU.

Encapsulation Overhead: is an extra size of the header that protocol do encapulation. The following lists is the interface encapsulation overhead.

  • GRE (IP Protocol 47) adds 24 bytes (20 byte IPv4 header, 4 byte GRE header)
  • 6in4 encapsulation (IP Protocol 41) adds 20 bytes
  • 4in6 encapsulation  (e.g. DS-Lite) adds 40 bytes
  • MPLS adds 4 bytes for each label in the stack
  • IEEE 802.1Q tag adds 4 bytes (Q-in-Q would add 8 bytes)

Below is the example of GRE Header.


Ex: Source datagram 1500Byte after encapsulate GRE header (24Byte), it would be 1524Byte
If the sum of the protocol MTU and the encapsulation overhead greater then media MTU, it will do  as in the followling case.
Case 1: If DF bit is not set (DF=0), the router will fregment the packet and encapsulate GRE on every fregment of the packet.
Case 2: If DF bit is set(DF=1)  the router will drop the datagram and send an "ICMP fragmentation needed but DF bit set" message to the source of the datagram. The ICMP message will alert the sender that the MTU is 1476 (1476+24=1500). After sender receive the ICMP message, it will resend datagram again with MTU 1476 byte.
Case 3: If DF bit is set(DF=1) and there is firewall in the middle, the packet cannot fregment and cannot send icmp message to inform the sender about MTU, PMTUD is brokend.

Solution for Case 3

1. Clear DF bit (DF=0) it will add a new task to the sender, receiver and router. Router not only forward the packet but it has new task is create the fregment so it will consume abit more on CPU resource.
2. Change TCP MSS option value on SYN packets that traverse the router. Below is we change tcp mss to 1436 and set tcp-flags=syn.  
1436 = 1460 – 24(GRE Header).  

/ip firewall mangle 

add action=change-mss chain=forward log-prefix="" new-mss=1436 passthrough=yes protocol=tcp src-address= tcp-flags=syn tcp-mss=1437-65535
add action=change-mss chain=forward dst-address= log-prefix="" new-mss=1436 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1437-65535


For Client-server tunnel like PPPOE, it will automatically add TCP MSS when establish the tunnel if you set the setting in the profile.

Leave a Reply

Your email address will not be published. Required fields are marked *