Jumbo Frames with VPN

TechBoyJK

Hi all,

I have a basic home network, with a D-Link 24-port GigE switch that supports 9000MTU jumbo frames, and a Netgear X6 router that does not.

I get pretty significant data transfer speed gains on my local network with jumbo frames enabled. Local transfers went from 85MBs max to about 105MBs max when transferring files 10GB or larger in size.

I've set all my local machines to use jumbo frames with 9000MTU. I haven't noticed any problems surfing the web or doing anything across the router that doesn't support jumbo frames.

That said, I also have a VPN connection I make to a datacenter I have a few servers at, and the VPN connection is not working if jumbo frames are enabled on the local machine. It's a local Shrewsoft VPN client running on Win 10.

Am I missing something in regards to jumbo frames and their usefulness that would negate the need for pursuing a hybrid solution such as a 2nd NIC with jumbo frames disabled for VPN traffic?

I've read that I can get faster network performance with a lower MTU, so I'm wondering if a faster transmission rate for large files isn't the complete picture. I also do a lot of gaming, so I'd hate to interfere with ping times and the like.

Thoughts? Just looking for some general advice on how to pursue this.
 

sdifox

I doubt any VPN will support jumbo frames. Jumbo frames are really more of a LAN thing.
 

mnewsham

Yeah, no ISP or VPN that I can think of supports Jumbo frames.

Jumbo frames are really about LAN file transfers.
 

mv2devnull

The VPN payload has some integrity checks, does it not? If you pack encrypted data into jumbo frames, but the VPN at the other end expects small MTU, then what happens to integrity? A (IPv4) router in between them fragments the jumbos.

Can one tell Windows to use a different MTU for a specific route?

Note: The MTU inside the VPN tunnel can in fact be big (really big) even if everything else is MTU 1500. The encrypt/decrypt is more efficient with larger chunks of data. Unlike other traffic, the MTU of the tunnel is set by the VPN implementation.
 

TechBoyJK

My client (Shrewsoft) won't do an MTU larger than 1500.

It seems the MTU is hard-set per adapter, so that's kind of what I'm asking. Can I set a different MTU for a specific route, aka the VPN route out, and leave the default MTU on the adapter at 9000?
 

sdifox

mv2devnull said:
> The VPN payload has some integrity checks, does it not? If you pack encrypted data into jumbo frames, but the VPN at the other end expects small MTU, then what happens to integrity? A (IPv4) router in between them fragments the jumbos.
>
> Can one tell Windows to use a different MTU for a specific route?
>
> Note: The MTU inside the VPN tunnel can in fact be big (really big) even if everything else is MTU 1500. The encrypt/decrypt is more efficient with larger chunks of data. Unlike other traffic, the MTU of the tunnel is set by the VPN implementation.

Generally speaking you want to use a smaller MTU since a VPN has overhead. Making sure your MTU plus overhead is less than the ISP MTU size will prevent fragmentation, which reduces performance since you have to reassemble the fragments on the other end.

https://www.cisco.com/c/en/us/td/do...FjABegQIAhAB&usg=AOvVaw39WcMVEii5u-LsFanyVkoy
 

mxnerd

Even Amazon does not support jumbo frames on traffic that goes through the internet.

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/network_mtu.html

outside of a given AWS region (EC2-Classic), a single VPC, or a VPC peering connection, you will experience a maximum path of 1500 MTU. VPN connections and traffic sent over an Internet gateway are limited to 1500 MTU. If packets are over 1500 bytes, they are fragmented, or they are dropped if the Don't Fragment flag is set in the IP header.

Jumbo frames should be used with caution for Internet-bound traffic or any traffic that leaves a VPC. Packets are fragmented by intermediate systems, which slows down this traffic.
 

TechBoyJK


sdifox

I get that.

I'm leaning towards the idea that if you want different MTU sizes, you need different adapters.

Aka, in a datacenter you'd have a server with multiple NICs. Lower MTU on the public NIC and jumbo frames on the private NIC that handles storage.

Does this seem right?


Or just leave the MTU at 1500.
 

Gryz

RTFM.

Shrewsoft documentation.
https://www.shrew.net/static/help-2.1.x/files/GeneralSettings.html


Set the MTU settings on that page to 1380.
If that setting does what it suggests it does, the IP MTU of the Shrewsoft virtual interface is set to 1380. After adding tunnel headers, the outer IP header, and maybe other overhead, the packet that hits the wire should stay under 1500 bytes. And 1500 byte packets should be able to go anywhere over the Internet without fragmentation.
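
The overhead arithmetic behind the 1380 suggestion above, as an added example that is not part of the original post. It assumes IPsec ESP in tunnel mode with AES-CBC, HMAC-SHA1-96 and NAT-T (UDP encapsulation); the thread does not say which proposal the tunnel actually negotiates, so the `EspProfile` defaults are assumptions to adjust.

```python
# Added example: ESP tunnel-mode size arithmetic. The cipher parameters are
# assumptions (AES-CBC + HMAC-SHA1-96 over NAT-T), not values from the thread.
from dataclasses import dataclass


@dataclass(frozen=True)
class EspProfile:
    outer_ip: int = 20    # outer IPv4 header, no options
    nat_t_udp: int = 8    # UDP encapsulation header (0 when NAT-T is off)
    esp_header: int = 8   # SPI + sequence number
    iv: int = 16          # AES-CBC initialisation vector
    block: int = 16       # cipher block size the plaintext is padded to
    trailer: int = 2      # pad-length + next-header bytes (encrypted)
    icv: int = 12         # HMAC-SHA1-96 integrity check value

    def fixed(self) -> int:
        """Bytes added to every packet regardless of payload length."""
        return (self.outer_ip + self.nat_t_udp + self.esp_header
                + self.iv + self.icv)


def outer_size(inner_len: int, p: EspProfile = EspProfile()) -> int:
    """Size of the IP packet on the wire for one inner packet."""
    plaintext = inner_len + p.trailer
    padded = -(-plaintext // p.block) * p.block  # round up to a full block
    return p.fixed() + padded


def max_inner_mtu(path_mtu: int, p: EspProfile = EspProfile()) -> int:
    """Largest tunnel MTU whose encapsulated packet fits in path_mtu."""
    room = path_mtu - p.fixed()
    if room < p.block:
        raise ValueError("path MTU too small for this ESP profile")
    return (room // p.block) * p.block - p.trailer


if __name__ == "__main__":
    for inner in (1380, 1422, 1423, 1500):
        wire = outer_size(inner)
        verdict = "fits" if wire <= 1500 else "fragments or is dropped"
        print(f"tunnel MTU {inner}: {wire} bytes on the wire, {verdict}")
    print("largest tunnel MTU for a 1500-byte path:", max_inner_mtu(1500))
```

Under these assumptions a 1380-byte inner packet leaves the host as 1456 bytes, so the setting keeps headroom for heavier proposals (for example a longer ICV) without crossing 1500.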
 

TechBoyJK

I did read the manual. That's how I've had it working without issue for several years now.

I have the MTU set as described in the manual. It works fine as long as the physical adapter that the VPN is traversing is using the same standard 1500 MTU.

The issue I'm having is that by enabling jumbo frames and using a 9000 MTU, I am able to connect to the VPN endpoint, but not send/receive any traffic.

What I was hoping to achieve is a way to leave jumbo frames enabled so I can enjoy the added throughput on my LAN while still being able to encapsulate my VPN traffic with the standard MTU.

Fortunately my home office has 2 hardwired ethernet ports side by side and I'm only using 1 currently. If anything, I'm going to add a 2nd NIC, enable jumbo frames on that, and use static routes to separate LAN/WAN.
 

Gryz

Look at the setting "use a virtual adapter and assigned address". That option should give you an IP address that is part of the remote network to which your VPN tunnel connects. I read somewhere that when you use the other option ("Use an existing adapter and current address") the MTU option in those settings doesn't do anything.
Maybe that's it.