Get started

There are two ways to set up Magic WAN:

  • Automatically: Through Magic WAN Connector (preferred). You can use either the hardware or the virtual version of Magic WAN Connector; the virtual version can be installed on your own machines. Refer to Configure with Connector for more information.
  • Manually: Through a third-party device. Read the Prerequisites below before following the steps in Manual configuration.

Prerequisites

Magic WAN is an Enterprise-only product. Contact Cloudflare to acquire Magic WAN. If you plan on using Magic WAN Connector to automatically onboard your locations to Cloudflare, you will need to purchase Magic WAN first.

The preferred way to onboard your network locations to Cloudflare One is through Magic WAN Connector. The list of prerequisites below is only for customers planning to connect manually to Cloudflare with a third-party device.

Use compatible tunnel endpoint routers

Magic WAN relies on GRE and IPsec tunnels to transmit packets from Cloudflare’s global network to your origin network. To ensure compatibility with Magic WAN, the routers at your tunnel endpoints must:

  • Allow configuration of at least one tunnel per Internet service provider (ISP).
  • Support maximum segment size (MSS) clamping.
  • Support the configuration parameters for IPsec mentioned in IPsec tunnels.

Set maximum segment size

sequenceDiagram
accTitle: Magic WAN
accDescr: Maximum segment size
participant A as Client machine
participant B as Cloudflare Magic WAN/Transit
participant C as Origin router
A->>B: MSS = 1460 bytes <br> Protocol (20 bytes) <br> IP header (20 bytes)
Note left of A: SYN
B->>C: MSS = 1436 bytes <br> Protocol (20 bytes) <br> IP header (20 bytes) <br> GRE header (4 bytes) <br> IP header (20 bytes)
C->>A: MSS = 1436 bytes <br> IP <br> Protocol
Note right of C: SYN-ACK
A->>B: MSS = 1436 bytes <br> Protocol <br> IP
Note left of A: ACK
B->>C: Protocol <br> IP <br> GRE <br> IP

The SYN-ACK packet sent to the client during TCP handshake encodes the value for maximum segment size (MSS). Egress packets are routed via your ISP interface, and each packet must comply with the standard Internet routable maximum transmission unit (MTU), which is 1500 bytes.

Cloudflare Magic WAN uses tunnels to deliver packets from our global network to your data centers. Cloudflare encapsulates these packets, adding new headers.

To accommodate the additional header data, **you must set the MSS value to 1436 bytes at your tunnel interfaces** (not the physical interfaces).

| Component | Size |
| --- | --- |
| Standard Internet Routable MTU | 1500 bytes |
| - Original IP header | 20 bytes |
| - Original protocol header (TCP) | 20 bytes |
| - New IP header | 20 bytes |
| - New protocol header (GRE) | 4 bytes |
| = Maximum segment size (MSS) | 1436 bytes |

Unless you apply these MSS settings at the origin, client machines do not know that they must use an MSS of 1436 bytes when sending packets to your origin.
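
As an added illustration (not Cloudflare's code or any router vendor's implementation), the Python example below derives the 1436-byte value from the header sizes above and shows what an MSS clamp does to a SYN or SYN-ACK: it lowers the MSS option and patches the TCP checksum incrementally. The function names, the sample segment, and the documentation addresses used for its checksum are constructed for this example.

```python
import struct

# Header sizes from the table above (bytes).
MTU, IP_HDR, TCP_HDR, GRE_HDR = 1500, 20, 20, 4

def tunnel_mss(mtu=MTU):
    """MTU minus the original IP+TCP headers and the new IP+GRE headers."""
    return mtu - IP_HDR - TCP_HDR - IP_HDR - GRE_HDR

def find_mss(tcp):
    """Return (offset of MSS value, MSS) from a TCP header's options, or None."""
    if len(tcp) < 20:
        return None
    hdr_len = (tcp[12] >> 4) * 4
    if hdr_len < 20 or hdr_len > len(tcp):
        return None                       # truncated or malformed header
    i = 20
    while i + 1 < hdr_len:
        kind, length = tcp[i], tcp[i + 1]
        if kind == 0:                     # End of Option List
            break
        if kind == 1:                     # NOP is a single byte
            i += 1
            continue
        if length < 2 or i + length > hdr_len:
            break                         # malformed option: stop parsing
        if kind == 2 and length == 4:     # MSS option
            return i + 2, struct.unpack_from("!H", tcp, i + 2)[0]
        i += length
    return None

def clamp_mss(tcp, limit=tunnel_mss()):
    """Lower the MSS option of a SYN or SYN-ACK to `limit`.

    The checksum is patched incrementally (RFC 1624) because the TCP checksum
    also covers an IP pseudo-header that this function never sees.
    """
    found = find_mss(tcp)
    if found is None or not tcp[13] & 0x02 or found[1] <= limit:
        return bytes(tcp)                 # no MSS, not a SYN, or already small enough
    (off, old), new, out = found, limit, bytearray(tcp)
    struct.pack_into("!H", out, off, limit)
    if off % 2:                           # value straddles two 16-bit words
        old, new = (old >> 8 | old << 8) & 0xFFFF, (new >> 8 | new << 8) & 0xFFFF
    total = (~struct.unpack_from("!H", tcp, 16)[0] & 0xFFFF) + (~old & 0xFFFF) + new
    while total >> 16:                    # fold carries (ones' complement sum)
        total = (total & 0xFFFF) + (total >> 16)
    struct.pack_into("!H", out, 16, ~total & 0xFFFF)
    return bytes(out)

# Constructed SYN: 50000 -> 443, MSS 1460; checksum valid for 192.0.2.10 -> 198.51.100.20.
SAMPLE_SYN = bytes.fromhex("c35001bb0000000100000000" "6002ffffe6c70000" "020405b4")
```

Running `find_mss` over the SYN and SYN-ACK segments of a packet capture taken at the tunnel interface is a quick way to confirm that the clamp is in effect.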

Follow router vendor guidelines

Instructions to adjust MSS by applying MSS clamps vary depending on the vendor of your router.

The following table lists several commonly used router vendors with links to MSS clamping instructions:

| Router device | URL |
| --- | --- |
| Cisco | TCP IP Adjust MSS |
| Juniper | TCP MSS – Edit System |