Get started
There are two ways to set up Magic WAN:
- Automatically: Through Magic WAN Connector (preferred). You can use the hardware or the virtual versions of Magic WAN Connector. The latter, you can install on your own machines. Refer to Configure with Connector for more information.
- Manually: Through a third-party device. Read the Prerequisites below before following the steps in Manual configuration.
Magic WAN is an Enterprise-only product. Contact Cloudflare to acquire Magic WAN. If you plan on using Magic WAN Connector to automatically onboard your locations to Cloudflare, you will need to purchase Magic WAN first.
The preferred way to onboard your network locations to Cloudflare One is through Magic WAN Connector. The list of prerequisites below is only for customers planning to connect manually to Cloudflare with a third-party device.
Magic WAN relies on GRE and IPsec tunnels to transmit packets from Cloudflare’s global network to your origin network. To ensure compatibility with Magic WAN, the routers at your tunnel endpoints must:
- Allow configuration of at least one tunnel per Internet service provider (ISP).
- Support maximum segment size (MSS) clamping.
- Support the configuration parameters for IPsec mentioned in IPsec tunnels.
sequenceDiagram accTitle: Magic WAN accDescr: Maximum segment size participant A as Client machine participant B as Cloudflare Magic WAN/Transit participant C as Origin router A->>B: MSS = 1460 bytes <br> Protocol (20 bytes) <br> IP header (20 bytes) Note left of A: SYN B->>C: MSS = 1436 bytes <br> Protocol (20 bytes) <br> IP header (20 bytes) <br> GRE header (4 bytes) <br> IP header (20 bytes) C->>A: MSS = 1436 bytes <br> IP <br> Protocol Note right of C: SYN-ACK A->>B: MSS = 1436 bytes <br> Protocol <br> IP Note left of A: ACK B->>C: Protocol <br> IP <br> GRE <br> IP
The SYN-ACK packet sent to the client during TCP handshake encodes the value for maximum segment size (MSS). Egress packets are routed via your ISP interface, and each packet must comply with the standard Internet routable maximum transmission unit (MTU), which is 1500 bytes.
Cloudflare Magic WAN uses tunnels to deliver packets from our global network to your data centers. Cloudflare encapsulates these packets adding new headers.
To accommodate the additional header data, **you must set the MSS value to 1436 bytes at your tunnel interfaces** (not the physical interfaces).Standard Internet Routable MTU | 1500 bytes |
---|---|
- Original IP header | 20 bytes |
- Original protocol header (TCP) | 20 bytes |
- New IP header | 20 bytes |
- New protocol header (GRE) | 4 bytes |
= Maximum segment size (MSS) | 1436 bytes |
Unless you apply these MSS settings at the origin, client machines do not know that they must use an MSS of 1436 bytes when sending packets to your origin.
Instructions to adjust MSS by applying MSS clamps vary depending on the vendor of your router.
The following table lists several commonly used router vendors with links to MSS clamping instructions:
Router device | URL |
---|---|
Cisco | TCP IP Adjust MSS |
Juniper | TCP MSS – Edit System |