Cloudflare has implemented Dynamic Path MTU Discovery (PMTUD) in the Cloudflare One Client, based on RFC 8899. The feature eliminates the classic 'PMTUD Black Hole' problem where firewalls silently drop ICMP feedback messages, causing large packets to be lost without notification. Instead of relying on fragile ICMP error messages, the client actively probes the network path by sending encrypted packets of varying sizes to the Cloudflare edge using the MASQUE protocol over QUIC. It dynamically adjusts the virtual interface MTU on the fly, ensuring seamless transitions between networks (e.g., Wi-Fi to cellular) without disrupting application sessions. The feature is available now for free on Windows, macOS, and Linux for users of the MASQUE protocol.
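The probing idea described above, as an added example that is not Cloudflare's client code: a simulated path silently discards oversized probes (no ICMP), and the sender finds the largest acknowledged size. The binary search, the retry count, and all sizes are assumptions chosen for illustration; the real client sends its probes as encrypted MASQUE/QUIC packets.

```python
# Added illustration: simulated RFC 8899-style probing. Not Cloudflare's client code.
from typing import Callable

BASE_MTU = 1280      # assumed floor for the search (constructed value)
MAX_MTU = 1500       # assumed ceiling: local interface MTU (constructed value)
MAX_PROBES = 3       # attempts before a size is treated as too large (assumption)

def make_path(path_mtu: int, loss_pattern=()) -> Callable[[int], bool]:
    """Simulated path: oversized probes vanish silently, like a PMTUD black hole.
    loss_pattern lists probe sequence numbers lost to ordinary packet loss."""
    sent = {"n": 0}
    def send_probe(size: int) -> bool:
        sent["n"] += 1
        if sent["n"] in loss_pattern:
            return False              # random loss, unrelated to packet size
        return size <= path_mtu       # True means the peer acknowledged the probe
    return send_probe

def probe_ok(send_probe, size: int) -> bool:
    """A size fails only after MAX_PROBES unacknowledged attempts,
    so a single lost packet does not shrink the MTU."""
    return any(send_probe(size) for _ in range(MAX_PROBES))

def discover_mtu(send_probe, low: int = BASE_MTU, high: int = MAX_MTU) -> int:
    """Binary search for the largest acknowledged probe size in [low, high]."""
    if not probe_ok(send_probe, low):
        raise ConnectionError("base size not acknowledged; path unusable")
    while low < high:
        mid = (low + high + 1) // 2
        if probe_ok(send_probe, mid):
            low = mid                 # mid fits; search upward
        else:
            high = mid - 1            # mid silently dropped; search downward
    return low

if __name__ == "__main__":
    wifi = make_path(1500)            # constructed sample paths
    cellular = make_path(1380)
    print("Wi-Fi:", discover_mtu(wifi))
    print("cellular:", discover_mtu(cellular))
```

Re-running `discover_mtu` after a network change (the Wi-Fi to cellular case) yields the new value to apply to the virtual interface.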

5m read time. From blog.cloudflare.com