My IP Help

MTU

Also known as: Maximum Transmission Unit

The Maximum Transmission Unit — the largest packet size that a network link can carry in one go without fragmentation. The standard Ethernet MTU is 1,500 bytes.

Last updated:

What is MTU?

MTU (Maximum Transmission Unit) is the largest packet size, in bytes, that a given network link can carry in a single frame. Any IP packet larger than the MTU has to be either fragmented into smaller pieces or rejected outright. The default MTU on most Ethernet networks is 1,500 bytes, a value locked in by the physical and electrical limits of early Ethernet in the 1980s.

Different links have different MTUs:

| Link type | Typical MTU | |------------------------|------------:| | Ethernet (standard) | 1,500 bytes | | Ethernet (jumbo frames) | 9,000 bytes | | Wi-Fi | 2,304 bytes (MAC), 1,500 (typical IP) | | PPPoE (DSL) | 1,492 bytes | | IPv6 minimum (guaranteed) | 1,280 bytes | | VPN tunnel (IPsec / WireGuard) | 1,380-1,450 bytes |

Path MTU Discovery

When a packet crosses multiple links, the path MTU is the minimum MTU of any link along the way — a Jumbo Ethernet packet at 9,000 bytes that needs to pass through a 1,500-byte link can't fit. Hosts need to discover this minimum so they can pick a packet size that works end-to-end.

Path MTU Discovery (PMTUD) works like this:

  1. Sender sets the DF (Don't Fragment) bit on IP packets at some starting size
  2. If a router along the path has a smaller MTU, it drops the packet and sends back an ICMP "Fragmentation Needed" message indicating the correct size
  3. Sender reduces its packet size accordingly and retries

This is why blocking all ICMP at firewalls breaks things in subtle ways: PMTUD messages never come back, so large TCP transfers on VPN or jumbo-frame paths hang silently instead of downsizing. This is called the PMTUD black hole.

MTU and MSS

For TCP connections specifically, the handshake negotiates MSS (Maximum Segment Size) — the largest TCP payload that fits inside the path MTU minus the TCP+IP headers. On a standard 1,500-byte Ethernet path: MSS = 1,500 - 20 (IPv4) - 20 (TCP) = 1,460 bytes. IPv6's 40-byte header cuts that to 1,440.

For UDP and application-layer protocols like QUIC (HTTP/3), the application manages sizing itself — which is why QUIC uses a conservative 1,252-byte initial packet to stay under almost every real-world path MTU without requiring PMTUD to work.

Frequently Asked Questions

Stick with the defaults unless you have a specific reason. On standard Ethernet that means 1,500 bytes; on a VPN tunnel (WireGuard, IPsec) the OS picks something between 1,380 and 1,450 bytes automatically. Setting MTU manually is only useful when you are diagnosing a PMTUD black hole or running across a DSL/PPPoE link that requires 1,492. Setting it lower than the path supports just wastes bandwidth on extra headers; setting it higher than any link supports causes silent packet drops.
On Linux/macOS, `ip link show` or `ifconfig` shows the configured MTU per interface. To find the actual path MTU to a remote host, run `ping -M do -s <size> <host>` (Linux) or `ping -D -s <size> <host>` (macOS) — start with size 1472 (MTU 1500 minus 28-byte ICMP+IP overhead) and decrease until pings succeed without "Frag needed" errors. Tools like `tracepath` and `mtr --psize` also discover path MTU automatically.
A jumbo frame is an Ethernet frame larger than the standard 1,500-byte MTU — typically 9,000 bytes. Inside data centers and high-throughput networks, jumbo frames cut per-packet overhead and reduce CPU load on the NIC and kernel for bulk transfers (storage replication, backup, cluster traffic). They are useless or counterproductive on the public internet because almost no path supports them end-to-end without fragmentation, and PMTUD will downsize traffic anyway. Always jumbo-frame both ends and every switch in between, never just one.
A PMTUD black hole is a network path where Path MTU Discovery cannot work because some firewall along the way silently drops the ICMP "Fragmentation Needed" messages that hosts need to learn the correct packet size. Result: small packets flow normally, large packets disappear with no error, and large file transfers or VPN sessions hang or stall mysteriously. The fix is either to allow ICMP type 3 code 4 through the offending firewall, or to reduce TCP MSS via MSS-clamping at the affected gateway.
Because each packet sent over the VPN gets wrapped in an additional outer IP header plus the VPN protocol's own header — IPsec ESP adds about 50-80 bytes; WireGuard adds about 60 bytes; OpenVPN adds about 40-60 bytes. The original payload plus the wrapping has to fit inside the underlying link's 1,500-byte MTU, so the inner MTU shrinks accordingly to 1,420-1,460 bytes. Modern VPN clients set this automatically; old or misconfigured ones cause exactly the black-hole hangs described above.
Back to glossary