Architecture

Last change on 2025-04-25 • Created on 2025-04-25 • ID: CL-46C47

Routing through several networks

[Diagram: public network; Gateway 10.0.0.1; Cloud Server router (private IP 10.0.0.2, public IP 203.0.113.1); Cloud Server client (private IP 10.0.0.3)]

When you send packets between the Internet and the client, they pass through two networks — the private network and the public network.

As explained in the FAQ about technical details, the MTU of Hetzner cloud servers differs between the private and public interfaces.

Public Network to Private Client

public network -(1500 B)-> Server router -(1450 B)-> Gateway -(1450 B)-> Server client

In the example above, an incoming packet with an MTU of 1500 bytes should be able to reach the cloud server router without any issues. However, if the router cannot perform IP fragmentation, it cannot forward the packet through the private interface and the packet is dropped.

You can run ip link show to check the MTUs of all interfaces on your system.

Routing from network-isolated environments

If you have a network-isolated environment on your system (e.g. Docker container or LXC), it will usually have its own interface settings.

In the example below, the network-isolated environment and the underlying host can exchange packets with an MTU of 1500 bytes:

[Diagram: Cloud Server client. Host: private interface (MTU 1450), bridge interface (MTU 1500). Network-isolated env: bridge interface (MTU 1500).]

If the network-isolated environment uses the underlying host as a router, the host from the example above will forward the packet via the private interface with an MTU of 1450 bytes.

If the network-isolated environment sends a packet with an MTU of 1500 bytes, it should be able to reach the underlying host without any issues. However, if the host cannot perform IP fragmentation, it cannot forward the packet through the private interface and the packet is dropped.
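
The ip link show check mentioned above can be scripted for both cases on this page, the router and the container host. The following is an added example, not Hetzner's own code: it reads ip -o link show output and reports every interface whose MTU is larger than the smallest one on the host. The interface names (eth0, enp7s0, docker0) and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag interfaces whose MTU exceeds the smallest MTU on the host.
# A forwarding host (router or container host) must fragment or drop a packet
# that arrives on a larger-MTU interface and leaves through a smaller-MTU one.

# Constructed sample of `ip -o link show` output; interface names are assumptions.
sample_links() {
cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: enp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default\    link/ether 02:00:00:00:00:03 brd ff:ff:ff:ff:ff:ff
EOF
}

# Print "name mtu" for every non-loopback interface read from stdin.
list_mtus() {
    awk '{
        if ($3 ~ /LOOPBACK/) next
        name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
        for (i = 4; i <= NF; i++) if ($i == "mtu") { print name, $(i + 1); break }
    }'
}

# Print interfaces whose MTU is above the host minimum, with the size gap.
mtu_mismatches() {
    list_mtus | awk '
        { n[NR] = $1; m[NR] = $2 + 0; if (min == "" || m[NR] < min) min = m[NR] }
        END {
            for (i = 1; i <= NR; i++) {
                if (m[i] > min) {
                    printf "%s mtu=%d exceeds smallest mtu=%d by %d bytes\n", n[i], m[i], min, m[i] - min
                }
            }
        }'
}

# Use live data when `ip` is available, otherwise the constructed sample.
if command -v ip >/dev/null 2>&1; then ip -o link show; else sample_links; fi | mtu_mismatches
```

Each reported interface can accept packets that are too large for the smallest-MTU interface, which is the situation in which the forwarding host has to fragment or drop.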
