How can I test and change the MTU size of WAN interfaces?

04/19/2021 1886 63374

DESCRIPTION:

The term MTU (Maximum Transmission Unit) refers to the size (in bytes) of the largest packet that a given layer of a communications protocol can pass onwards. MTU parameters usually appear in association with a communications interface (NIC, serial port, etc.). The default MTU size is 1500, however for some networking technologies reducing the MTU size and allowing fragmentation can help eliminate some connectivity problems occurring at the protocol level.

Contact your ISP for the recommended MTU size for your Internet connection (cable, DSL, T1, etc...) or you can also use the PING command at the Operating System prompt to determine the MTU size.

 EXAMPLE: Ping -f -l 1500 www.yahoo.com

 NOTE: reduce buffer size by 8 byte (1472-8 = 1464, 1456, 1404, etc.) until you get 0% packet LOSS. As per RFC 791, the valid range of MTU is from 68 to 65535, and although there is no requirement for the MTU to be a multiple of 8 based on the RFC, SonicWall Firewall interface will only take increments of 8. The numeric value actually represents a count of octets

 EXAMPLE: Ping -f -l 1492 www.yahoo.com

Explanation of parameters: The switch -f (minus sign followed by lowercase F) indicates "do not fragment". The second switch -l (minus sign followed by lowercase L) is for "size", and the number following it indicates the payload size you will be sending.

When testing MTU behind the SonicWall start at 1472 payload size, as the additional 28 bytes are the packet header (20 bytes for the IP header, and 8 bytes for the ICMP header).

 NOTE: If the ping is successful (no packet loss) at 1464 payload size, the MTU will be "1464 (payload size) + 20 (IP Header) + 8 (ICMP Header)" = 1492.

If the ping test is successful, you will get a reply from the IP address specified. If the packet was too large you will get the message: "Packet needs to be fragmented but DF set" (with 100% packet LOSS). Reduce the buffer size until you are successfully connected.

 TIP: Add 28 to that number, and the result will be the value being set to SonicWall "Interface MTU".

RESOLUTION:

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

Changing the MTU settings on the SonicWall appliance

1. Click Network, Navigate to System| Interfaces
2. Click Configure (edit) icon next to the WAN (X1) interface. Click Advanced tab
   

Interface MTU - Specifies the largest packet size that the interface can forward without fragmenting the packet.

Fragment non-VPN outbound packets larger than this Interface's MTU - Specifies all non-VPN outbound packets larger than this Interface's MTU be fragmented. Specifying the fragmenting of VPN outbound packets is set in the VPN | Advanced page.

Ignore Don't Fragment (DF) Bit - Overrides DF bits in packets.

Do not send ICMP Fragmentation Needed for outbound packets over the Interface MTU - blocks notification that this interface can receive fragmented packets.
NOTE:  It is recommended to check the 'Fragment non-VPN outbound packets larger than this Interface's MTU' box if the MTU is set below the default of 1500. Press the OK to process the changes entered. 

Allowing Fragmentation on the SonicWall appliance

An additional setting allowing fragmentation should be made to the default outbound rule. Navigate to Policies |Rules and Policies | Access Rules (SonicOS Standard and Enhanced) of the management interface. Find the default rule that allows default from LAN to WAN . Click the Edit icon next to that rule, and check the 'Allow fragmented packets' option. Click OK to update the changes.

Making these settings changes will allow fragmented packets to pass from the LAN, and will also allow the SonicWall to decrease the MTU size of the packet. This can make a big difference on outbound packets that are having trouble getting through.

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

Changing the MTU settings on the SonicWall appliance

1. Click MANAGE , Navigate to Network | Interfaces
2. Click Configure (edit) icon next to the WAN (X1) interface. Click Advanced tab
   

Interface MTU - Specifies the largest packet size that the interface can forward without fragmenting the packet.

Fragment non-VPN outbound packets larger than this Interface's MTU - Specifies all non-VPN outbound packets larger than this Interface's MTU be fragmented. Specifying the fragmenting of VPN outbound packets is set in the VPN | Advanced page.

Ignore Don't Fragment (DF) Bit - Overrides DF bits in packets.

Do not send ICMP Fragmentation Needed for outbound packets over the Interface MTU - blocks notification that this interface can receive fragmented packets.

NOTE: It is recommended to check the 'Fragment non-VPN outbound packets larger than this Interface's MTU' box if the MTU is set below the default of 1500. Press the OK to process the changes entered.

Allowing Fragmentation on the SonicWall appliance

An additional setting allowing fragmentation should be made to the default outbound rule. Navigate to Policies | Access Rules (SonicOS Standard and Enhanced) of the management interface. Find the default rule that allows default from LAN to Wan . Click the Edit icon next to that rule, and check the 'Allow fragmented packets' option. Click OK to update the changes.

Making these settings changes will allow fragmented packets to pass from the LAN, and will also allow the SonicWall to decrease the MTU size of the packet. This can make a big difference on outbound packets that are having trouble getting through.

CAUTION: Due to additional complications, VPNs require a different type of MTU test: Set MTU in VPN Environment