Comments (6)
Yeah, the performance gain from increasing MTU is marginal, but the potential hard-to-debug and diagnose issues are large.
The only case I can think of where MTU might make a difference is #4129 but we should make sure the MTU is not the problem there.
from firezone.
> Yeah, the performance gain from increasing MTU is marginal, but the potential hard-to-debug and diagnose issues are large.
I am not sure this is true. The performance gains from an increased MTU can be quite large. This is why cloud providers use jumbo frames in their backbone (MTU 9000).
However, in order to achieve that, we would need to deploy a path MTU discovery algorithm (QUIC has one) to figure out what the largest MTU is we can use on the nominated candidate pair. Once we have discovered that, we can manually set the MTU of our device to a larger number.
What we have today does not make any sense to me. The TUN device cannot magically discover a larger MTU, yet we have a "refresh MTU" functionality. Or am I missing something?
That was done IIRC in case the admin overrode the MTU that we set on the WG interface.
It may not hurt to keep it around.
The max MTU we'd ever be able to use is 1420, and probably more like 1370 safely (cloud providers eat another ~50 bytes).
At that point we are looking at a difference of about 7%. In practice the gains are negligible. We did a lot of testing with this for 0.7 and concluded with a default of 1280 because if you're wrong about that it can even break SSL.
See here for some more tests -- optimal MTU vs 1280 is about 10% difference max in the best cases
> See here for some more tests -- optimal MTU vs 1280 is about 10% difference max in the best cases
None of these seem to test jumbo frames though?
If you are not doing path MTU discovery, then 1280 seems safe yes. But you can get real performance improvements out of it if you probe for a higher MTU on the network path. See https://datatracker.ietf.org/doc/html/draft-ietf-tram-stun-pmtud-15 for example.
If a customer runs both a gateway and a client on AWS for example, dynamically discovering the path MTU would allow for performance improvements there.
> That was done IIRC in case the admin overrode the MTU that we set on the WG interface.
What is the usecase here? Do we really need to keep code around for this?
> It may not hurt to keep it around.
Sending ioctl requests is one of the few places where we have unsafe code, and it would be nice to remove as much of that as possible.
> None of these seem to test jumbo frames though?
Do jumbo frames work across the internet? I don't think we've ever seen a use case where jumbo frames could work reliably. The interface MTU would still need to support the lowest common denominator client, right?
> What is the usecase here? Do we really need to keep code around for this?
We don't know yet. One customer is reporting issues with their application that they wanted to try adjusting the MTU for: #4129. We have yet to confirm whether MTU is the issue.
I guess we'll know if we remove it ;-). I am OK removing it and re-adding it if we find someone that needs it.
> > None of these seem to test jumbo frames though?
> Do jumbo frames work across the internet? I don't think we've ever seen a use case where jumbo frames could work reliably. The interface MTU would still need to support the lowest common denominator client, right?
Yes, I just realized that from the gateway's perspective, we are likely connected to a lot of clients so it would be the lowest MTU across all clients.
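An added example (not code from the firezone project or from anyone in this thread) that ties together two points above: probing a candidate pair for its path MTU with a binary search over probe sizes, as the STUN PMTUD draft describes, and then having a gateway settle on the lowest tunnel MTU across all of its clients. The `SimulatedPath` class and its hidden `bottleneck_mtu` are constructed stand-ins for a real network path; the 80-byte overhead assumes an IPv6 outer header plus UDP plus the WireGuard data-packet header and tag, which is what turns a 1500-byte link into the 1420 figure quoted above.

```python
"""Simulated path MTU probing and tunnel MTU selection (constructed example)."""
from dataclasses import dataclass

# IPv6 (40) + UDP (8) + WireGuard data header and auth tag (32): 1500 - 80 = 1420.
IPV6_WG_OVERHEAD = 40 + 8 + 32
IPV6_MIN_MTU = 1280      # every IPv6 link must carry at least this; used as the probe floor
PROBE_CEILING = 9000     # jumbo-frame size; nothing larger is ever probed

@dataclass
class SimulatedPath:
    """Stand-in for a candidate pair whose bottleneck link MTU the prober cannot see."""
    bottleneck_mtu: int
    probes_sent: int = 0

    def probe(self, size: int) -> bool:
        """Model a don't-fragment probe: it arrives only if no link on the path is smaller."""
        self.probes_sent += 1
        return size <= self.bottleneck_mtu

def discover_path_mtu(path: SimulatedPath, low: int = IPV6_MIN_MTU, high: int = PROBE_CEILING) -> int:
    """Binary search for the largest probe size that gets through.

    Invariant: `low` is known to pass, `high` is known to fail. If even the floor
    probe fails the path is broken and we report the floor rather than guess higher.
    """
    if not path.probe(low):
        return low
    if path.probe(high):
        return high
    while high - low > 1:
        mid = (low + high) // 2
        if path.probe(mid):
            low = mid
        else:
            high = mid
    return low

def tunnel_mtu_for(path_mtu: int, overhead: int = IPV6_WG_OVERHEAD) -> int:
    """Inner (TUN) MTU that fits inside one outer packet on a path of `path_mtu`."""
    return path_mtu - overhead

def gateway_tunnel_mtu(client_path_mtus: list[int]) -> int:
    """A gateway talks to many clients, so its TUN MTU is the minimum over all of them."""
    return min(tunnel_mtu_for(m) for m in client_path_mtus)

if __name__ == "__main__":
    path = SimulatedPath(bottleneck_mtu=1500)   # constructed: ordinary Ethernet path
    pmtu = discover_path_mtu(path)
    print(f"path MTU {pmtu} found in {path.probes_sent} probes -> TUN MTU {tunnel_mtu_for(pmtu)}")
    print("gateway TUN MTU across clients:", gateway_tunnel_mtu([1500, 9000, 1400]))
```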