Why does my VPN reduce MSS?

VPN encapsulation adds extra bytes around each packet. WireGuard, IPsec, and GRE consume part of MTU budget, so effective payload gets smaller. MSS clamping prevents fragmentation and keeps sessions stable.

What happens when a packet exceeds path MTU?

IPv4 may fragment (or drop with ICMP Fragmentation Needed when DF bit is set). IPv6 routers do not fragment and return ICMPv6 Packet Too Big. PMTUD uses these signals to converge on safe packet size.

What is minimum MTU for IPv4 and IPv6?

IPv4 practical link minimum is 68 bytes, while hosts must handle 576-byte reassembly. IPv6 requires minimum link MTU of 1280 bytes.

Why does my VPN reduce MSS?

VPN encapsulation adds extra bytes around each packet. WireGuard, IPsec, and GRE consume part of MTU budget, so effective payload gets smaller. MSS clamping prevents fragmentation and keeps sessions stable.

What happens when a packet exceeds path MTU?

IPv4 may fragment (or drop with ICMP Fragmentation Needed when DF bit is set). IPv6 routers do not fragment and return ICMPv6 Packet Too Big. PMTUD uses these signals to converge on safe packet size.

What is minimum MTU for IPv4 and IPv6?

IPv4 practical link minimum is 68 bytes, while hosts must handle 576-byte reassembly. IPv6 requires minimum link MTU of 1280 bytes.

PACKETRY BETA

All tools MTU/MSS Calculator

MTU/MSS Calculator

MTU preset

Standard Ethernet frame payload

Interface MTU (bytes)

Valid range: 68-65536 bytes.

Layer 3

Layer 4

Link/access overhead

VLAN, QinQ, and MPLS labels usually require Layer 2 headroom, not lower TCP MSS when IP MTU stays at 1500.

Tunneling

GRE and IP-in-IP entries include only tunnel header. Add Outer IPv4 or Outer IPv6 manually when modeling full outer stack.

Security

MTU1,500 bytes

- IPv420 bytes

- TCP20 bytes

MSS (payload)1,460 bytes

IP payload

1,480 bytes

TCP/UDP payload

1,460 bytes

Total overhead

40 bytes

Efficiency

97.3%

Packet visualization

MTU: 1,500 bytes

IPv420B

TCP20B

Payload (MSS)1460B

Total overhead: 40 bytes

Payload (MSS): 1,460 bytes

IPv420B

TCP20B

Payload (MSS)1460B

How it works

MTU (Maximum Transmission Unit) is maximum packet payload link can carry before fragmentation. MSS (Maximum Segment Size) is TCP data payload after subtracting transport and network headers. With standard IPv4 + TCP, MSS is usually MTU minus 40 bytes.

This calculator subtracts selected headers layer by layer from interface MTU. Added tunnel and security wrappers consume part of packet budget, so effective payload shrinks. That is why overlays like VXLAN, WireGuard, and IPsec need lower inner MTU or MSS clamping.

Use visual bar above to see exact byte split between overhead and payload. For deeper walk-through of fragmentation, PMTUD, black-hole symptoms, and field troubleshooting, readUnderstanding MTU, MSS, and Packet Fragmentation.

FAQ

What is the difference between MTU and MSS?

MTU is the largest packet size a link can carry. MSS is TCP payload after removing IP and TCP headers. On Ethernet MTU 1500 with IPv4/TCP, MSS is 1460 bytes.

Why does tunnel traffic reduce effective payload?

Tunnels add extra headers around original packet. Those bytes consume MTU budget, so less room remains for application payload.

Why can ping work while apps fail?

Small probes may pass, larger packets can exceed path MTU and get dropped when PMTUD fails. This creates classic black-hole behavior.

When should I clamp MSS?

Clamp MSS on PPPoE, VPN, and overlay edges when endpoints cannot discover path MTU reliably or ICMP is filtered.

Understanding MTU, MSS, and Packet Fragmentation Learn how Maximum Transmission Unit (MTU) and Maximum Segment Size (MSS) affect network performance. Covers fragmentation, Path MTU Discovery, tunnel overhead, and how to troubleshoot MTU issues. Subnetting Basics Learn how IP subnetting works, including CIDR notation, subnet masks, and how to calculate network and host addresses.

MTU/MSS Calculator

Packet visualization

How it works

FAQ

Related tools

Related articles