Magic WAN allows you to achieve any-to-any connectivity across branch and retail sites and data centers, with Cloudflare's connectivity cloud.
Magic WAN setup options
Automatically: Through Magic WAN Connector (preferred method). You can choose between the hardware version or the virtual version of the Magic WAN Connector. The virtual version can be installed on your own machines. Refer to Configure with Connector for more information.
Magic WAN is an Enterprise-only product. Contact Cloudflare to acquire Magic WAN. If you plan on using Magic WAN Connector to automatically onboard your locations to Cloudflare, you will need to purchase Magic WAN first.
Prerequisites
Use compatible tunnel endpoint routers
Magic WAN relies on GRE and IPsec tunnels to transmit packets from Cloudflare’s global network to your origin network. To ensure compatibility with Magic WAN, the routers at your tunnel endpoints must:
Allow configuration of at least one tunnel per Internet service provider (ISP).
Support maximum segment size (MSS) clamping.
Support the configuration parameters for IPsec mentioned in IPsec tunnels.
Set maximum segment size
Cloudflare Magic WAN uses tunnels to deliver packets from our global network to your data centers. Cloudflare encapsulates these packets, adding new headers. You must account for the space consumed by these headers when configuring the maximum transmission unit (MTU) and maximum segment size (MSS) values for your network.
MSS clamping recommendations
GRE tunnels as off-ramp
The MSS value depends on how your network is set up.
On your Edge router: Apply the clamp to the GRE tunnel internal interface (meaning where the egress traffic will traverse). The MSS clamp should be 1,436 bytes. This may be done automatically once the tunnel is configured, but it depends on your devices.
IPsec tunnels
For IPsec tunnels, the value you need to specify depends on how your network is set up. However, the MSS clamping value will be lower than for GRE tunnels, because the physical interface sees IPsec-encrypted packets rather than TCP packets, and MSS clamping does not apply to those.
On your Edge router: Apply this on your Magic WAN IPsec tunnel internal interface (meaning where the Magic WAN egress traffic will traverse). This may be done automatically once the tunnel is configured, but it depends on your devices. The TCP MSS clamp should be 1,360 bytes maximum.