How can I determine the MTU size of WAN interfaces manually?
05/23/2024 2,253 People found this article helpful 545,098 Views
Description
The term MTU (Maximum Transmission Unit) refers to the size (in bytes) of the largest packet that a given layer of a communications protocol can pass onwards. MTU parameters usually appear in association with a communications interface (NIC, serial port, etc.).
The default MTU size is 1500, however for some networking technologies reducing the MTU size and allowing fragmentation can help eliminate some connectivity problems occurring at the protocol level.
Contact your ISP for the recommended MTU size for your Internet connection (cable, DSL, T1, etc...).
As a workaround you can use the PING command at the Operating System prompt to determine the MTU size through your network:
NOTE: reduce buffer size by 8 byte (1472-8 = 1464, 1456, 1404, etc.) until you get 0% packet LOSS. As per RFC 791, the valid range of MTU is from 68 to 65535, and although there is no requirement for the MTU to be a multiple of 8 based on the RFC, SonicWall Firewall interface will only take increments of 8. The numeric value actually represents a count of octets
Before running the test, make sure you first set the SonicWall's WAN Interface to the default 1500 value.
EXAMPLE: Ping -f -l 1472 8.8.8.8
Explanation of parameters: The switch -f (minus sign followed by lowercase F) indicates "do not fragment". The second switch -l (minus sign followed by lowercase L) is for "size", and the number following it indicates the payload size you will be sending.
When testing MTU behind the SonicWall start at 1472 payload size, as the additional 28 bytes are the packet header (20 bytes for the IP header, and 8 bytes for the ICMP header).
- If the ping is successful (no packet loss) at 1472 payload size, the MTU will be "1472 (payload size) + 20 (IP Header) + 8 (ICMP Header)" = 1500.
- If the packet was too large you will get the message: "Packet needs to be fragmented but DF set" (with 100% packet LOSS).
- Reduce the buffer size by 8 bytes until you are successfully connected (i.e. 1464, 1456, 1448, etc.)
- In the above example, the correct MTU to be set on the WAN Interface is 1492 (1464+28bytes).
TIP: Add 28 to that number, and the result will be the value being set to SonicWall "Interface MTU".
Cause
A wrong MTU set on the WAN Interface can cause multiple issues such as lower throughput, instability and unreachable websites. Please set this carefully and contact your ISP for more information.
Resolution
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
Changing the MTU settings on the SonicWall appliance
- Click Network, Navigate to System| Interfaces
- Click Configure (edit) icon next to the WAN (X1) interface. Click Advanced tab
Interface MTU - Specifies the largest packet size that the interface can forward without fragmenting the packet.
Fragment non-VPN outbound packets larger than this Interface's MTU - Specifies all non-VPN outbound packets larger than this Interface's MTU be fragmented. Specifying the fragmenting of VPN outbound packets is set in the VPN | Advanced page.
Ignore Don't Fragment (DF) Bit - Overrides DF bits in packets.
Do not send ICMP Fragmentation Needed for outbound packets over the Interface MTU - blocks notification that this interface can receive fragmented packets.
NOTE: It is recommended to check the 'Fragment non-VPN outbound packets larger than this Interface's MTU' box if the MTU is set below the default of 1500. Press the OK to process the changes entered.
Allowing Fragmentation on the SonicWall appliance
An additional setting allowing fragmentation should be made to the default outbound rule. Navigate to Policies |Rules and Policies | Access Rules (SonicOS Standard and Enhanced) of the management interface. Find the default rule that allows default from LAN to WAN . Click the Edit icon next to that rule, and check the 'Allow fragmented packets' option. Click OK to update the changes.
Making these settings changes will allow fragmented packets to pass from the LAN, and will also allow the SonicWall to decrease the MTU size of the packet. This can make a big difference on outbound packets that are having trouble getting through.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
Changing the MTU settings on the SonicWall appliance
- Click MANAGE , Navigate to Network | Interfaces
- Click Configure (edit) icon next to the WAN (X1) interface. Click Advanced tab
Interface MTU - Specifies the largest packet size that the interface can forward without fragmenting the packet.
Fragment non-VPN outbound packets larger than this Interface's MTU - Specifies all non-VPN outbound packets larger than this Interface's MTU be fragmented. Specifying the fragmenting of VPN outbound packets is set in the VPN | Advanced page.
Ignore Don't Fragment (DF) Bit - Overrides DF bits in packets.
Do not send ICMP Fragmentation Needed for outbound packets over the Interface MTU - blocks notification that this interface can receive fragmented packets.
NOTE: It is recommended to check the 'Fragment non-VPN outbound packets larger than this Interface's MTU' box if the MTU is set below the default of 1500. Press the OK to process the changes entered.
Allowing Fragmentation on the SonicWall appliance
An additional setting allowing fragmentation should be made to the default outbound rule. Navigate to Policies | Access Rules (SonicOS Standard and Enhanced) of the management interface. Find the default rule that allows default from LAN to Wan . Click the Edit icon next to that rule, and check the 'Allow fragmented packets' option. Click OK to update the changes.
Making these settings changes will allow fragmented packets to pass from the LAN, and will also allow the SonicWall to decrease the MTU size of the packet. This can make a big difference on outbound packets that are having trouble getting through.
CAUTION: Due to additional complications, VPNs require a different type of MTU test: Set MTU In VPN Environment In Case Of Throughput Issues
Related Articles
Categories