jspool
Member
Topic Author
Posts: 386
Joined: Sun Oct 04, 2009 4:06 am
Location: Oregon

MTU Question

Fri Nov 02, 2018 9:21 pm

When pinging across an L2TP tunnel w/ IPsec enabled, I can send a packet size of 1450 with no fragmentation.
When I try to do a UDP Mikrotik bandwidth test, I have to set Tx size to 1400 to get the max speed of 111Mbps. Otherwise, with Tx size at 1450, it only gets 19Mbps.

What's the reason for this?
 
xvo
Member
Posts: 321
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: MTU Question

Fri Nov 02, 2018 10:49 pm

When using L2TP + IPsec, you can't be sure that the packet is not fragmented, even if you specifically restrict fragmentation of the original packet.

The original packet is first packed into L2TP (which can, by the way, also perform fragmentation and defragmentation, but only if asked to), then it is processed by IPsec, and then the already encrypted packet can be fragmented if needed. And on the other end, just the same actions but in reverse.

This being said - subtract at least another 100 for IPsec overhead: down to 1350.

And possibly even more if you have clients connecting from the cellular network, but that needs to be tested.
I ended up with MTU 1230, because larger packets didn't make it through the tunnels established by mobile devices via LTE.
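
The encapsulation order described in the reply above, worked through as an added example (not part of the original posts): it computes the size of the outer packet after L2TP and ESP transport-mode encapsulation and the largest inner packet that avoids fragmentation after encryption. The header sizes, the AES-CBC / HMAC-SHA1-96 proposal and the 1500-byte path MTU are assumptions; substitute the values of your own tunnel.

```python
# Added example: byte overhead of L2TP carried inside IPsec ESP (transport mode).
# All header sizes and cipher parameters are assumptions, not values from the thread.
from dataclasses import dataclass

OUTER_IP = 20      # IPv4 header without options
UDP = 8            # UDP header (L2TP port 1701, and again for NAT-T if enabled)
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad-length byte + next-header byte

@dataclass(frozen=True)
class Profile:
    l2tp_hdr: int = 8     # assumed L2TP data header (6 to 16 bytes depending on flags)
    ppp_hdr: int = 4      # assumed PPP framing without header compression
    iv: int = 16          # AES-CBC initialization vector
    block: int = 16       # AES block size; ESP pads the payload to a multiple of it
    icv: int = 12         # HMAC-SHA1-96 integrity check value
    nat_t: bool = False   # UDP 4500 encapsulation when a NAT is on the path
    link_mtu: int = 1500  # assumed MTU of the underlying path

def wire_size(inner_len: int, p: Profile = Profile()) -> int:
    """Size of the outer IPv4 packet carrying one inner IP packet of inner_len bytes."""
    esp_payload = UDP + p.l2tp_hdr + p.ppp_hdr + inner_len
    # Payload plus the 2-byte trailer is rounded up to the cipher block size.
    padded = -(-(esp_payload + ESP_TRAILER) // p.block) * p.block
    nat_t = UDP if p.nat_t else 0
    return OUTER_IP + nat_t + ESP_HDR + p.iv + padded + p.icv

def is_fragmented(inner_len: int, p: Profile = Profile()) -> bool:
    """True when the encrypted packet no longer fits the path MTU."""
    return wire_size(inner_len, p) > p.link_mtu

def max_inner_mtu(p: Profile = Profile()) -> int:
    """Largest inner packet that still fits the path MTU after encryption."""
    return max(n for n in range(576, p.link_mtu + 1) if not is_fragmented(n, p))

if __name__ == "__main__":
    for size in (1400, 1450):
        state = "fragmented after encryption" if is_fragmented(size) else "fits"
        print(f"inner {size} -> outer {wire_size(size)} bytes: {state}")
    print("max inner MTU:", max_inner_mtu())
    print("max inner MTU with NAT-T:", max_inner_mtu(Profile(nat_t=True)))
    print("max inner MTU on a 1300-byte path:", max_inner_mtu(Profile(link_mtu=1300)))
```

Because the fragmentation happens to the already encrypted packet, setting don't-fragment on the inner ping does not reveal it; only the outer packet size against the path MTU does.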
 
jspool
Member
Topic Author
Posts: 386
Joined: Sun Oct 04, 2009 4:06 am
Location: Oregon

Re: MTU Question

Fri Nov 02, 2018 11:01 pm

Thanks for the detailed explanation and the info regarding your experiences with the cellular networks. It is wild how many variables must be considered with regard to MTUs on tunnels.
