|
| 1 | +--- |
| 2 | +pcx_content_type: concept |
| 3 | +title: Path MTU Discovery (PMTUD) |
| 4 | +sidebar: |
| 5 | + order: 5 |
| 6 | + label: Path MTU Discovery |
| 7 | +--- |
| 8 | + |
| 9 | +import { Details, Render } from "~/components"; |
| 10 | + |
| 11 | +<Details header="Feature availability"> |
| 12 | + |
| 13 | +| [WARP modes](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) | |
| 14 | +| --------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | |
| 15 | +| <ul><li> Gateway with WARP</li><li> Secure Web Gateway without DNS filtering </li></ul> | All plans | |
| 16 | + |
| 17 | +| System | Availability | Minimum WARP version | |
| 18 | +| -------- | ------------ | -------------------- | |
| 19 | +| Windows | ✅ | 2025.6.1400.0 | |
| 20 | +| macOS | ✅ | | |
| 21 | +| Linux | ✅ | | |
| 22 | +| iOS | ❌ | | |
| 23 | +| Android | ❌ | | |
| 24 | +| ChromeOS | ❌ | | |
| 25 | + |
| 26 | +</Details> |
| 27 | + |
| 28 | +The [Maximum Transmission Unit (MTU)](/learning/network-layer/what-is-mtu/) is the largest data packet size that a device can send over a network without fragmentation. When you connect to services through WARP, your data is encapsulated, which adds extra headers and increases the overall packet size. |
| 29 | +On some networks, especially cellular or guest Wi-Fi networks, the network's MTU may be smaller than WARP's [default packet size](#default-warp-mtu). This mismatch forces packets to be fragmented or dropped entirely, leading to connection instability or complete connection failures. |
| 30 | + |
| 31 | +WARP's Path MTU Discovery (PMTUD) feature solves this problem by actively probing for the minimum MTU along the entire network path between the device and Cloudflare. WARP will then dynamically adjust its [tunnel interface](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/warp-architecture/#virtual-interface) MTU based on the probe results. This allows WARP to maintain a stable connection on low MTU networks and take advantage of higher MTUs when available. |
| 32 | + |
| 33 | +:::note |
| 34 | +Certain features may be disabled or degraded at low MTU thresholds. For details, refer to [Minimum MTUs](#minimum-mtus). |
| 35 | +::: |
| 36 | + |
| 37 | +## Prerequisites |
| 38 | + |
| 39 | +- WARP must be configured to use the [MASQUE tunnel protocol](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/#device-tunnel-protocol). |
| 40 | + |
| 41 | +## Enable Path MTU Discovery |
| 42 | + |
| 43 | +To enable Path MTU Discovery on your devices, [deploy an MDM file](/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/#windows) with the `enable_pmtud` key set to `true`. For example: |
| 44 | + |
| 45 | +```xml |
| 46 | +<dict> |
| 47 | + <key>organization</key> |
| 48 | + <string>your-team-name</string> |
| 49 | + <key>warp_tunnel_protocol</key> |
| 50 | + <string>masque</string> |
| 51 | + <key>enable_pmtud</key> |
| 52 | + <true/> |
| 53 | +</dict> |
| 54 | +``` |
| 55 | + |
| 56 | +This configuration enables the PMTUD feature and explicitly configures the MASQUE tunnel protocol. |
| 57 | + |
| 58 | +WARP will now send active probes to detect the network path MTU and will update its tunnel interface MTU accordingly. You can expect PMTUD probes to generate an extra 25 Mb/day of traffic coming from the device. |
| 59 | + |
| 60 | +## Minimum MTUs |
| 61 | + |
| 62 | +### Default WARP MTU |
| 63 | + |
| 64 | +WARP requires the following MTUs for full functionality and performance: |
| 65 | + |
| 66 | +| Device tunnel protocol| IPv4 | IPv6 | |
| 67 | +| --- | --- | --- | |
| 68 | +| WireGuard | 1340 bytes | 1360 bytes | |
| 69 | +| MASQUE | 1330 bytes | 1350 bytes | |
| 70 | + |
| 71 | +### Path MTU Discovery |
| 72 | + |
| 73 | +For the PMTUD feature to work, the network path must support an MTU of at least 1281 bytes. The 1281 bytes consists of: |
| 74 | + |
| 75 | +- 1200 bytes: Minimum QUIC datagram |
| 76 | +- 53 bytes: WARP MASQUE encapsulation |
| 77 | +- 28 bytes: WARP PMTUD probe |
| 78 | + |
| 79 | +### IPv6 |
| 80 | + |
| 81 | +To send IPv6 traffic through WARP, the network path must support an MTU of at least 1333 bytes. The 1333 bytes consists of: |
| 82 | + |
| 83 | +- 1280 bytes: Minimum IPv6 packet size |
| 84 | +- 53 bytes: WARP MASQUE encapsulation |
| 85 | + |
| 86 | +If PMTUD is enabled and the MTU is less than 1333 bytes, then WARP will automatically disable IPv6 on the tunnel interface. |
| 87 | + |
| 88 | +### WebRTC |
| 89 | + |
| 90 | +To send WebRTC traffic through WARP, the network path must support an MTU of at least 1333 bytes. Below 1333 bytes, WebRTC connections will experience progressively degraded performance. This minimum MTU impacts [Cloudflare Browser Isolation](/cloudflare-one/remote-browser-isolation/) and any other website that uses WebRTC (such as video conferencing and media streaming services). |
| 91 | + |
| 92 | + |
| 93 | + |
0 commit comments