MTU (Maximum Transmission Unit) is the largest packet a network link can carry. Send larger and the packet is fragmented (split into pieces) or dropped. MTU mismatches are a subtle source of mysterious 'connection works for small requests but hangs on large ones' bugs.
Standard MTUs
Ethernet: 1500 bytes. PPPoE (some ISPs): 1492. IPv6 minimum: 1280. WiFi: 2304 but usually capped at Ethernet. VPN/tunnel overlays: smaller (after subtracting tunnel headers).
Path MTU Discovery (PMTUD)
Each router along the path may have a smaller MTU. PMTUD finds the path's minimum by sending packets with the DF (Don't Fragment) flag set and listening for ICMP 'too big' replies. When ICMP is blocked (common in corporate networks), PMTUD breaks and the path becomes an MTU black hole.
Symptoms of MTU bugs
'SSH connects but stalls.' 'Pages load but images don't.' 'Small API calls work, large ones time out.' Cause: the TCP handshake (small packets) succeeds, but the data transfer hits the MTU. Without PMTUD, the oversized packets are silently dropped.
Fixes
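Lower the MSS (max segment size) on the server: iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu (the TCPMSS target is only valid in the mangle table, and the FORWARD chain matches traffic the host routes for others). Or set the MTU explicitly on the interface to a known-safe value (1400 for tunnel-heavy networks).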
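The black-hole behaviour and the MSS clamp described above, as an added simulation that is not part of the original page. No packets are sent; the three-hop path, the 1400-byte tunnel MTU and all function names are assumptions made for the illustration.

```python
# Constructed simulation: no packets are sent, all values are illustrative.
from dataclasses import dataclass

HEADERS = 40  # IPv4 (20) + TCP (20) bytes, no options


@dataclass
class Hop:
    mtu: int
    sends_icmp: bool = True  # False = a firewall drops the ICMP 'too big' reply


def send_df(path, size):
    """Send one DF packet of `size` bytes along `path`.
    Returns ('delivered', None), ('icmp', hop_mtu) or ('dropped', None)."""
    for hop in path:
        if size > hop.mtu:
            return ("icmp", hop.mtu) if hop.sends_icmp else ("dropped", None)
    return ("delivered", None)


def pmtud(path, local_mtu, max_tries=8):
    """Shrink the packet to each reported MTU; None means black hole."""
    size = local_mtu
    for _ in range(max_tries):
        status, reported = send_df(path, size)
        if status == "delivered":
            return size
        if status == "dropped":
            return None  # no feedback, so the sender never learns to shrink
        size = reported
    return None


def clamp_mss(advertised_mss, link_mtu):
    """What an MSS clamp writes into a SYN: never above link MTU - headers."""
    return min(advertised_mss, link_mtu - HEADERS)


# Assumed path: Ethernet, a 1400-byte tunnel, Ethernet.
OPEN_PATH = [Hop(1500), Hop(1400), Hop(1500)]
FILTERED_PATH = [Hop(1500), Hop(1400, sends_icmp=False), Hop(1500)]

if __name__ == "__main__":
    print("PMTUD, ICMP allowed:", pmtud(OPEN_PATH, 1500))
    print("PMTUD, ICMP blocked:", pmtud(FILTERED_PATH, 1500))
    print("60-byte SYN:", send_df(FILTERED_PATH, 60)[0])
    mss = clamp_mss(1460, 1400)
    print("clamped MSS", mss, "->", send_df(FILTERED_PATH, mss + HEADERS)[0])
```

On the filtered path the small SYN still gets through, which is why the connection opens and only stalls once full-size segments are sent; with the clamped MSS the largest segment fits the tunnel and ICMP is no longer needed.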
Jumbo frames
Some links (datacenter Ethernet, 10/40/100 Gbps) support 9000-byte MTUs ('jumbo frames'). Higher MTU = lower CPU overhead at high throughput. Enable end-to-end or you get fragmentation at every hop. Datacenter-only; never enable on internet-facing links.