Prerequisites

Magic WAN is an Enterprise-only product. Contact Cloudflare Open external link to acquire Magic WAN. If you plan on using Magic WAN Connector to automatically onboard your locations to Cloudflare, you will need to purchase Magic WAN first.

The preferred way to onboard your network locations to Cloudflare One is through Magic WAN Connector. The list of prerequisites below is only for customers planning to connect manually to Cloudflare with a third-party device.

​​ Use compatible tunnel endpoint routers

Magic WAN relies on GRE and IPsec tunnels to transmit packets from Cloudflare’s global network to your origin network. To ensure compatibility with Magic WAN, the routers at your tunnel endpoints must:

• Allow configuration of at least one tunnel per Internet service provider (ISP).
• Support maximum segment size (MSS) clamping.
• Support the configuration parameters for IPsec mentioned in IPsec tunnels.

​​ Set maximum segment size

The SYN-ACK packet sent to the client during TCP handshake encodes the value for maximum segment size (MSS). Egress packets are routed via your ISP interface, and each packet must comply with the standard Internet routable maximum transmission unit (MTU), which is 1500 bytes.

Cloudflare Magic WAN uses tunnels to deliver packets from our global network to your data centers. Cloudflare encapsulates these packets adding new headers.

To accommodate the additional header data, you must set the MSS value to 1436 bytes at your tunnel interfaces (not the physical interfaces).

Unless you apply these MSS settings at the origin, client machines do not know that they must use an MSS of 1436 bytes when sending packets to your origin.

​​ Follow router vendor guidelines

Instructions to adjust MSS by applying MSS clamps vary depending on the vendor of your router.

The following table lists several commonly used router vendors with links to MSS clamping instructions: