Prerequisites
Before you can begin using Magic WAN, verify that you meet Cloudflare’s onboarding requirements.
Use compatible tunnel endpoint routers
Magic WAN relies on Generic Routing Encapsulation (GRE) tunnels to transmit packets from Cloudflare’s edge to your origin network. To ensure compatibility with Magic WAN, the routers at your Anycast GRE or IPsec tunnel endpoints must:
- Support Anycast GRE or IPsec tunnels
- Allow configuration of at least one tunnel per Internet service provider (ISP)
- Support maximum segment size (MSS) clamping
Set maximum segment size
The SYN-ACK packet sent to the client during the TCP handshake encodes the value for maximum segment size (MSS). Egress packets are routed via your ISP interface, and each packet must comply with the standard Internet routable maximum transmission unit (MTU), which is 1500 bytes.
Cloudflare uses Anycast GRE or IPsec tunnels to deliver packets from our edge to your locations, while Cloudflare Magic WAN encapsulates these packets, adding a new IP header and GRE protocol header.
To accommodate the additional header data, you must set the MSS value to 1436 bytes at your physical egress interfaces (not the Anycast GRE or IPsec tunnel interfaces):
Standard Internet Routable MTU | 1500 bytes |
---|---|
- Original IP header | 20 bytes |
- Original protocol header (TCP) | 20 bytes |
- New IP header | 20 bytes |
- New protocol header (GRE) | 4 bytes |
= Maximum segment size (MSS) | 1436 bytes |
Unless you apply these MSS settings at the origin, client machines do not know that they must use an MSS of 1436 bytes when sending packets to your origin.
Follow router vendor guidelines
Instructions to adjust MSS by applying MSS clamps vary depending on the vendor of your router.
The table lists several commonly used router vendors with links to MSS clamping instructions:
Router device | URL |
---|---|
Cisco | TCP IP Adjust MSS |
Juniper | TCP MSS – Edit System |
Verify MSS settings at your origin
To verify that your routers have the correct MSS setting (1436 bytes) at your origin, run the following command on the servers egressing the prefixes you want to add to Magic WAN:
$ curl 167.71.125.57:8080
You should see the following result:
Local: 167.71.125.57:8080
Remote: 172.68.141.62:44108
Local MSS: 1436
Remote MSS: 1436
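To check the clamp from a packet capture instead of the test endpoint, the sketch below reads the MSS option out of a raw SYN-ACK TCP header and compares it with the 1436-byte value derived in the table above. It is an added example, not Cloudflare code; the function names and the sample headers built by `build_syn_ack` are constructed for illustration.

```python
import struct

# Header overheads from the table above, in bytes.
MTU, IP_HDR, TCP_HDR, OUTER_IP_HDR, GRE_HDR = 1500, 20, 20, 20, 4
EXPECTED_MSS = MTU - IP_HDR - TCP_HDR - OUTER_IP_HDR - GRE_HDR  # 1436

def parse_mss(tcp_header: bytes):
    """Return the MSS option from a raw TCP header, or None if it is absent."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_header[12] >> 4) * 4  # header length incl. options
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts, i = tcp_header[20:data_offset], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  # end of option list
            break
        if kind == 1:  # NOP, single byte of padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")
        if kind == 2 and opts[i + 1] == 4:  # MSS: kind 2, length 4
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return None

def check_syn_ack(tcp_header: bytes) -> str:
    """Classify the MSS advertised in a SYN-ACK against the expected clamp."""
    mss = parse_mss(tcp_header)
    if (tcp_header[13] & 0x12) != 0x12:  # SYN and ACK flags both set
        return "not a SYN-ACK"
    if mss is None:
        return "no MSS option"
    if mss > EXPECTED_MSS:
        return f"MSS {mss} too large: clamp not applied"
    return "ok" if mss == EXPECTED_MSS else f"MSS {mss} below {EXPECTED_MSS}"

def build_syn_ack(mss: int) -> bytes:
    """Constructed sample header: MSS option, two NOPs, SACK-permitted."""
    opts = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01\x04\x02"
    offset = (20 + len(opts)) // 4
    return struct.pack("!HHIIBBHHH", 8080, 44108, 1, 2,
                       offset << 4, 0x12, 65535, 0, 0) + opts

if __name__ == "__main__":
    for mss in (1436, 1460):
        print(mss, "->", check_syn_ack(build_syn_ack(mss)))
```

A SYN-ACK that still advertises 1460 means the clamp is missing on that egress path.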