The Basic Idea
MTU stands for Maximum Transmission Unit. It is the largest packet a link can carry without fragmentation at that layer. Standard Ethernet commonly supports a 1500-byte IP MTU. If a packet is too large for a link in the path, something must shrink it, fragment it, or drop it. The 1500-byte limit dates to original Ethernet specifications from the 1970s and was chosen to balance per-packet overhead against memory constraints of the era. It has remained the internet standard ever since, inherited by Wi-Fi, cable, fiber, and virtually every broadband technology that needs to interoperate with the public internet.
Common MTU Values
| MTU (bytes) | Where You See It | Why It Differs From 1500 |
|---|---|---|
| 1500 | Standard Ethernet, most home LANs, Wi-Fi | Default; the baseline everything else is measured against |
| 1492 | PPPoE broadband (DSL, some fiber) | PPPoE header is 8 bytes, leaving 1492 for the IP payload |
| 1480 | PPPoE over IPv6 with IPv6 PPP header | Additional 12 bytes consumed by IPv6 PPP negotiation |
| 1420–1450 | WireGuard, OpenVPN, IPsec tunnels | Encapsulation headers (UDP+WireGuard or ESP+UDP) consume 60–80 bytes |
| 576 | Minimum required IPv4 MTU (RFC 791) | Every IPv4 host must accept at least this size; rarely seen in practice today |
| 1280 | Minimum required IPv6 MTU (RFC 8200) | IPv6 drops fragmentation support in routers, so the minimum link MTU is higher |
| 9000 | Jumbo frame data-center and NAS LANs | Reduces per-GB frame count and CPU interrupt load on high-throughput LAN segments |
Path MTU and How It Is Discovered
Your device's local MTU is only half the story. What matters for end-to-end communication is the Path MTU (PMTU) — the smallest MTU of every link between your machine and the destination server. A path crossing Ethernet, a PPPoE DSL segment, and a VPN tunnel might have an effective PMTU well below 1500.
Path MTU Discovery (PMTUD) is the mechanism hosts use to learn this limit without guessing. A sender sets the IPv4 Don't Fragment (DF) bit in outgoing packets. If a router in the path cannot forward the packet without fragmenting it, it drops the packet and returns an ICMP "Fragmentation Needed" message that includes the next-hop MTU. The sender then reduces its packet size and retries. IPv6 removes per-router fragmentation entirely; routers simply drop oversized packets and send an ICMPv6 "Packet Too Big" message.
The problem is that many firewalls and routers block ICMP, which silently breaks PMTUD. The sender never receives the feedback, keeps sending large packets, and traffic stalls — a condition called an MTU black hole. This is why MTU problems produce such frustrating symptoms: the connection establishes (small handshake packets get through) but data transfer hangs as soon as larger packets are attempted.
Why MTU Problems Feel Weird
MTU trouble often affects only some traffic. A small DNS query or a plain-text HTTP response fits in one packet and works fine. A TLS handshake, an HTTPS upload, or large VPN encapsulated packets may not. The result is confusing asymmetry: "Google loads but Netflix hangs," "pings work but downloads stall," or "everything works except when connected to the VPN." The selective nature of the failure is the diagnostic clue that MTU is involved.
MTU vs MSS
MTU is the packet size limit at the IP/link level. MSS (Maximum Segment Size) is the largest TCP payload that fits inside one IP packet without fragmentation. On a standard IPv4 connection with a 1500-byte MTU, TCP MSS is 1460 bytes because the IPv4 header (20 bytes) and the TCP header (20 bytes minimum) consume 40 bytes of the available 1500.
Routers and firewalls can perform MSS clamping — rewriting the MSS value advertised during the TCP handshake to a lower number that accounts for tunnel or PPPoE overhead. This sidesteps PMTUD entirely and is commonly used on DSL routers and VPN gateways to prevent MTU black holes without relying on ICMP. If your router has a "MSS clamping" or "TCP MSS Fix" option, enabling it can resolve many mysterious upload-stall problems.
MTU and VPNs
VPNs are the most common place users encounter MTU problems outside of PPPoE. Every VPN protocol adds header bytes that reduce the space available for the original (inner) packet:
- WireGuard: adds roughly 60 bytes of UDP + WireGuard headers. A 1500-byte outer link means the tunnel MTU should be set to around 1420.
- OpenVPN (UDP): overhead varies by cipher and compression settings, typically 50–80 bytes. The
fragmentandmssfixdirectives handle this. - IPsec/ESP: adds 50–80 bytes depending on cipher, authentication, and whether UDP encapsulation is used for NAT traversal.
Most VPN clients set the tunnel interface MTU automatically. If yours does not, or if you are configuring a router-level VPN, set the tunnel MTU explicitly to 1420 as a safe starting point, then test with a large ping: ping -M do -s 1372 8.8.8.8 (Linux) or ping -f -l 1372 8.8.8.8 (Windows). The 1372 payload plus 28 bytes of ICMP+IP headers equals 1400, a safe probe size to confirm the tunnel is not fragmenting.
How to Diagnose MTU Problems
- Ping with DF bit: Use
ping -M do -s <size> <host>on Linux orping -f -l <size> <host>on Windows. Start at 1400 and increase until packets are dropped. The last working size plus 28 equals your effective PMTU. - Tracepath (Linux):
tracepath example.comreports the PMTU at each hop, making it easy to see exactly where the path narrows. - Wireshark / tcpdump: Filter for ICMP type 3 code 4 (fragmentation needed) or ICMPv6 type 2 (packet too big). If you see these and the sender is ignoring them, PMTUD is broken by a firewall.
- Symptom pattern: If large transfers hang but small ones succeed, and a VPN or PPPoE connection is involved, MTU is almost certainly the cause.
When to Change MTU
- Your ISP or connection type specifically requires it — PPPoE connections almost always need 1492.
- A VPN vendor recommends a specific tunnel MTU for their protocol.
- Packet captures confirm fragmentation or black-hole PMTUD behavior.
- A controlled LAN segment (NAS, storage cluster) is designed end to end for jumbo frames.
- You are fixing a confirmed, diagnosed problem — not guessing at a speed optimization.
Lowering MTU as a general "speed tweak" on a working connection does not improve throughput and can hurt it by increasing the number of packets needed to transfer the same data.
Frequently Asked Questions
What does MTU stand for?
MTU stands for Maximum Transmission Unit. It is the largest packet size a network link can carry without needing fragmentation at that layer.
What is the normal Ethernet MTU?
Standard Ethernet commonly has a 1500-byte IP MTU. Jumbo frame networks use 9000 bytes, but every device in the path must support them or packets will be dropped.
Why do MTU problems affect VPNs?
VPN protocols add encapsulation headers — typically 40–80 bytes — which reduce the space available for the original packet. If the tunnel interface MTU is not reduced to account for this overhead, large packets will be dropped or fragmented, causing stalls and asymmetric failures.
What is an MTU black hole?
An MTU black hole occurs when a firewall blocks the ICMP "Fragmentation Needed" messages that Path MTU Discovery relies on. The sender keeps transmitting oversized packets, never receives feedback that they are being dropped, and the connection stalls silently. MSS clamping on the router is the standard workaround.