Re: [pfSense] MTU on TUN adapter in lossy conditions

Wed, 15 Jun 2016 13:49:29 -0700 

Extremely helpful.  I'll post our test results.


On 6/15/2016 2:10 PM, Heath Barnhart wrote:

Most VPN's I've worked with dropped the MTU to 1300 for that very reason.
I'd give it a try and see what happens. One thing I would check to see is
if OpenVPN also effects the MTU of the physical interface being used, and
if it permanently changes it. I ran into an issue where an application
would randomly quit working. After doing some digging I found that Cisco
AnyConnect had reconfigured the MTU on my wired NIC to 1300, even when the
tunnel was disabled.

On Wed, Jun 15, 2016 at 1:46 PM, Karl Fife <[email protected]> wrote:


Has anyone had success adjusting MTU on OpenVPN tunnel adapters to deal
with loss amplification across tunnel networks?

By default the MTU on an openVPN adapter(s) are set to 1500, but it seems
that performance in lossy conditions might be dramatically improved by
changing the MTU to something smaller to prevent packet fragmentation
across the tunnel network (e.g. to account for the encrypted packet's IP
overhead, such that one packet could be encapsulated by one packet of the
tunnel network).  It seems that if the MTU's are the same, one would
invariably end up with frequent fragmentation, greatly increasing the
packet loss amplification on lossy (e.g. wireless) networks, and
exaggerated falloff of application performance as packet loss increases.
This is also consistent with what I observe.

I understand that this artificial constraint would result in lower
performance in high quality connections, but am I on the right track to
dealing with performance on lossy networks?  If this is conceptually
correct, so would I also need to explicitly tell OpenVPN not to fragment in
general?  Any big-picture guidance would be much appreciated.



_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold






_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Reply via email to