[ZT] WARP PMTUD (#26296)

* new PMTUD page

* add minimum warp version

* update parameter reference

* update system requirements

* add warp_tunnel_protocol

* how to check PMTU

* update recommended MTUs

* edit wording

Author: ranbel

src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/parameters.mdx

@@ -101,6 +101,17 @@ Identifies a Zero Trust organization in the WARP GUI when WARP is deployed with
 
 **Value:** Organization nickname shown to users in the WARP GUI (for example, `Test environment`).
 
+### `enable_pmtud`
+
+[Path MTU Discovery (PMTUD)](/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/path-mtu-discovery/) allows WARP to discover the largest packet size that can be sent over the current network and optimize connection performance.
+
+**Value Type:** `boolean`
+
+**Value:**
+
+* `false` — (default) Disables PMTUD.
+* `true` — Enables PMTUD on the WARP tunnel interface.
+
 ### `enable_post_quantum`
 
 <Details header="Feature availability">
@@ -120,7 +131,7 @@ Identifies a Zero Trust organization in the WARP GUI when WARP is deployed with
 
 </Details>
 
-WARP uses [post-quantum cryptography](/ssl/post-quantum-cryptography/) to secure connections from the device to Cloudflare's network. Post-quantum cryptography requires the [MASQUE protocol](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/#device-tunnel-protocol) and is enabled by default on all devices using MASQUE.
+WARP uses [post-quantum cryptography](/ssl/post-quantum-cryptography/) to secure connections from the device to Cloudflare's network. Post-quantum cryptography requires the [MASQUE protocol](#warp_tunnel_protocol) and is enabled by default on all devices using MASQUE.
 
 **Value Type:** `boolean`
 
@@ -245,6 +256,17 @@ Assigns a unique identifier to the device for the [device UUID posture check](/c
 
 **Value:** UUID for the device (for example, `496c6124-db89-4735-bc4e-7f759109a6f1`).
 
+### `warp_tunnel_protocol`
+
+Configures the protocol used to route IP traffic from the device to Cloudflare Gateway. For more information, refer to [Device tunnel protocol](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/#device-tunnel-protocol).
+
+**Value Type:** `string`
+
+**Value:**
+
+* `masque` — (default) [MASQUE](https://datatracker.ietf.org/wg/masque/about/) protocol
+* `wireguard` — [WireGuard](https://www.wireguard.com/) protocol
+
 ## Top-level parameters
 
 Top-level parameters determine how WARP manages device registrations.

src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/path-mtu-discovery.mdx

@@ -0,0 +1,120 @@
+---
+pcx_content_type: concept
+title: Path MTU Discovery (PMTUD)
+sidebar:
+  order: 5
+  label: Path MTU Discovery
+---
+
+import { Details, Render } from "~/components";
+
+<Details header="Feature availability">
+
+| [WARP modes](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/)                                               | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) |
+| --------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- |
+| <ul><li> Gateway with WARP</li><li> Secure Web Gateway without DNS filtering </li></ul> | All plans                                                     |
+
+| System   | Availability | Minimum WARP version |
+| -------- | ------------ | -------------------- |
+| Windows  | ✅           | 2025.9.173.1         |
+| macOS    | ✅           | 2025.9.173.1         |
+| Linux    | ✅           | 2025.9.173.1         |
+| iOS      | ❌           |                      |
+| Android  | ❌           |                      |
+| ChromeOS | ❌           |                      |
+
+</Details>
+
+The [Maximum Transmission Unit (MTU)](https://www.cloudflare.com/learning/network-layer/what-is-mtu/) is the largest data packet size that a device can send over a network without fragmentation. When you connect to services through WARP, your data is encapsulated, which adds extra headers and increases the overall packet size. On some networks, especially cellular or guest Wi-Fi networks, the network's MTU may be smaller than WARP's [default packet size](#recommended-mtu). This mismatch forces packets to be fragmented or dropped entirely, leading to connection instability or complete connection failures.
+
+WARP's Path MTU Discovery (PMTUD) feature solves this problem by actively probing for the minimum MTU along the entire network path between the device and Cloudflare. WARP will then dynamically adjust its [tunnel interface](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/warp-architecture/#virtual-interface) MTU based on the probe results. This allows WARP to maintain a stable connection on low MTU networks and take advantage of higher MTUs when available.
+
+:::note
+Certain features may be disabled or degraded at low MTU thresholds. For details, refer to [Minimum MTUs](#minimum-mtus).
+:::
+
+## Prerequisites
+
+- WARP must be configured to use the [MASQUE tunnel protocol](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/#device-tunnel-protocol).
+
+## Enable Path MTU Discovery
+
+To enable Path MTU Discovery on your devices, [deploy an MDM file](/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/#windows) with the `enable_pmtud` key set to `true`. For example:
+
+```xml
+<dict>
+	<key>organization</key>
+	<string>your-team-name</string>
+	<key>warp_tunnel_protocol</key>
+  <string>masque</string>
+	<key>enable_pmtud</key>
+  <true/>
+</dict>
+```
+
+This configuration enables the PMTUD feature and explicitly configures the MASQUE tunnel protocol.
+
+WARP will now send active probes to detect the network path MTU and will update its tunnel interface MTU accordingly. You can expect PMTUD probes to generate an extra 25 Mb/day of traffic coming from the device.
+
+## Minimum MTUs
+
+### Recommended MTU
+
+WARP requires the following MTUs for full functionality and performance:
+
+| Device tunnel protocol| IPv4 | IPv6 |
+| --- | --- | --- |
+| WireGuard | 1340 bytes | 1360 bytes |
+| MASQUE    | 1361 bytes | 1381 bytes |
+
+### Path MTU Discovery
+
+For the PMTUD feature to work, the network path must support an MTU of at least 1281 bytes. The 1281 bytes consists of:
+
+- 1200 bytes: Minimum QUIC datagram
+- 53 bytes: WARP MASQUE encapsulation
+- 28 bytes: WARP PMTUD probe
+
+### IPv6
+
+To send IPv6 traffic through WARP, the network path must support an MTU of at least 1333 bytes. The 1333 bytes consists of:
+
+- 1280 bytes: Minimum IPv6 packet size
+- 53 bytes: WARP MASQUE encapsulation
+
+If PMTUD is enabled and the MTU is less than 1333 bytes, then WARP will automatically disable IPv6 on the tunnel interface.
+
+### WebRTC
+
+To send WebRTC traffic through WARP, the network path must support an MTU of at least 1333 bytes. Below 1333 bytes, WebRTC connections will experience progressively degraded performance. This minimum MTU impacts [Cloudflare Browser Isolation](/cloudflare-one/remote-browser-isolation/) and any other website that uses WebRTC (such as video conferencing and media streaming services).
+
+## Check your MTU
+
+You can check your current network path MTU by collecting [WARP diagnostic logs](/cloudflare-one/team-and-resources/devices/warp/troubleshooting/warp-logs/).
+
+1. Run the `warp-diag` command on the device or [collect logs via the the dashboard](/cloudflare-one/team-and-resources/devices/warp/troubleshooting/warp-logs/#collect-logs-via-the-dashboard).
+2. Open the resulting `warp-debugging-info-<date>-<time>.zip` file.
+3. Open `connectivity.txt` and search for `PMTU`.
+
+	```txt title="connectivity.txt" {16-17}
+	====================================================================
+	H3 Quic Connect
+	====================================================================
+
+	Testing H3 QUIC connectivity to 'https://cloudflare-quic.com/cdn-cgi/l4-stats' result: Successful
+	IPv4:
+	"
+	Headers:
+		server address=104.18.26.14:443
+		...
+
+	Body:
+		transport=TCP
+		...
+
+	PMTU:
+		1500 bytes
+	"
+	```
+
+The example above shows an MTU of 1500 bytes, which meets the [recommended MTU requirements](#recommended-mtu) for WARP. If your MTU falls below the recommended threshold, consider [enabling Path MTU Discovery](#enable-path-mtu-discovery) to optimize connection performance.

src/content/partials/cloudflare-one/warp/system-requirements/linux.mdx

@@ -10,6 +10,6 @@
 | **HD space**          | 75 MB                                                                         |
 | **Memory**            | 35 MB                                                                         |
 | **Network interface type**  | WIFI or LAN |
-| **Minimum MTU** | 1360 bytes[^1] |
+| **MTU** | 1381 bytes recommended [^1] |
 
-[^1]: WireGuard requires 1360 bytes for IPv6 and 1340 bytes for IPv4. MASQUE requires 1350 bytes for IPv6 and 1330 bytes for IPv4.
+[^1]: Minimum 1281 bytes with [Path MTU Discovery](/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/path-mtu-discovery/)

src/content/partials/cloudflare-one/warp/system-requirements/macOS.mdx

@@ -10,6 +10,6 @@
 | **HD space**          | 75 MB                                             |
 | **Memory**            | 35 MB                                             |
 | **Network interface type**  | WIFI or LAN |
-| **Minimum MTU** | 1360 bytes[^1]|
+| **MTU** | 1381 bytes recommended [^1] |
 
-[^1]: WireGuard requires 1360 bytes for IPv6 and 1340 bytes for IPv4. MASQUE requires 1350 bytes for IPv6 and 1330 bytes for IPv4.
+[^1]: Minimum 1281 bytes with [Path MTU Discovery](/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/path-mtu-discovery/)

src/content/partials/cloudflare-one/warp/system-requirements/windows.mdx

@@ -11,6 +11,6 @@
 | **HD space**               | 184 MB                                            |
 | **Memory**                 | 3 MB                                              |
 | **Network interface type**  | WIFI or LAN |
-| **Minimum MTU** | 1360 bytes[^1]|
+| **MTU** | 1381 bytes recommended [^1] |
 
-[^1]: WireGuard requires 1360 bytes for IPv6 and 1340 bytes for IPv4. MASQUE requires 1350 bytes for IPv6 and 1330 bytes for IPv4.
+[^1]: Minimum 1281 bytes with [Path MTU Discovery](/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/path-mtu-discovery/)