MTU & “DF flag” best practice on GreenNode

The default MTU on the Internet is 1500 bytes, but virtualization technology requires additional Extended Headers, which makes the actual value less than 1500 bytes.

Currently, GreenNode infrastructure supports Interface MTU values of 1450 bytes. Therefore, after encapsulation of protocol/application headers, the packet sent out of the VM is recommended to be ≤ 1450 bytes (1).

If the VM sends packets with an MTU larger than the supported MTU value, it leads to "packet fragmentation." The original packet will be divided into smaller packets for transmission and reassembled at the destination. This is a normal process that occurs when data is transmitted over the Internet. "Packet fragmentation" will meet most customer needs.

However, for certain specific services like Voice SIP (UDP), VPN Tunnel (IPSec/GRE), there are two issues that often lead to problems:

• Packets are transmitted with the "Do Not Fragment" (DF flag) (2).

• Custom SIP Headers or IPSec/GRE Headers are added to the original packet, making the packet size larger than 1450 Bytes.

When both conditions occur simultaneously, the infrastructure may drop the packet from the virtual machine.

Therefore, GreenNode encourages customers to proactively reduce the MTU value during initialization if they are using "MTU-sensitive services that require the 'DF flag'" in one of the following ways to minimize risks when using the service:

1. Modify the Application/Service configuration to remove unnecessary Headers (e.g., custom SIP Headers, IPSec Authentication and Encryption Algorithm).

2. Change the VM's MTU (for VMs using custom flavors not following the standard GreenNode) to 1450 (or smaller if needed).

   • PFSense: WEB UI - Interfaces - WAN - MTU = 1450

     
   • FortiGate CLI:Bash

     Copy

     FTG_GW # config system interface
     edit <interface-name>
     set mtu-override enable
     set mtu 
     next
     end

     
   • Ubuntu/LinuxBash

     Copy

     $ ifconfig <interface_name> mtu <mtu_size> up

     Hãy thận trọng khi sử dụng các đoạn mã.Or add to the interfaces configuration file:Bash

     Copy

     post-up /sbin/ifconfig <interface_name> mtu <mtu_size>

     Hãy thận trọng khi sử dụng các đoạn mã.

3. Contact the support team via the Portal.

Note: (1) For IPSec Tunnels requiring high authentication and encryption, the Headers value can be more than 100 bytes. Therefore, depending on usage needs, customers should choose an appropriate MTU value of 1200 - 1300 - 1450 bytes. The table below illustrates an example of IPSec Headers Size added, affecting the actual MTU value for a packet with an initial Payload of 1340 bytes.

Table 1: NAT-T and GRE not enabled

Table 2: NAT-T enabled, GRE not enabled

Table 3: NAT-T and GRE enabled