Can't Change MTU, SIOCSIFMTU: Operation not permitted

I want to set my MTU to 1300 in my openwrt router.

Although I have listed the interfaces as being at 1300 inside the GUI, when I ssh into the interface, I find that the MTUs are at 1500

when i type ifconfig eth1 mtu 1300, the mtu changes for eth1

when i type ifconfig eth0 mtu 1300, i get an error:

SIOCSIFMTU: Operation not permitted

I have also tried:

ip link set mtu 1300 dev eth0 and that also doesn't work it says it's busy

when i try ip eth0 down, it does disable the interface, but I am unable to change the mtu during this time

I am not finding any way to change this, even when I look everywhere, including the Internet

how do i get my MTU for eth0 to the value I want?


which device?
which version of OpenWRT?

1 Like

Friendly NanoPi 4RS

I have the latest OpenWrt version available, just upgraded. It's an arm64 based chipset and it has wan and lan ports, that's it.

Not being able to change the MTU is really affecting my speed since I block ICMP and, for whatever reason, my entire network speed slows down if MTU isn't the same for every port.

I also have very aggressive firewall rules blocking port 53 and most network protocols aside from limited protocols that I want to leave and go out to WAN. It's not a whitelist, but it's close. (And if I had more skill, I would probably just implement a whitelist.) I really want to provide a list of IPs and that's the only thing that goes out of WAN. I am blocking ICMP and DNS and everything because I noticed some might have been leaking out.

I have no formal networking training and am still learning.

22.03.05 that's the version

IIRC icmp is used for path MTU discovery, in that case running into issues might be expected. If I might ask, why are you blocking ICMP unconditionally?

a lot of the ICMP packets are being sent to either Cisco or Google servers by default, including things like, and I don't want packets going to google for any reason. Even 1 packet ICMP bundles don't need to go there.

I am also using VPNs and I don't want any sort of leaks. A lot of the ICMP packets I see have destination addresses that have bad privacy policies. I prefer to look at a router just see a connection from a VPN and see the connection I am using to observe the router connections. ICMP packets happen outside the VPN even if they are just tiny packets going to DNS servers. And I am not confusing port 53 DNS queries with ICMP packets.

I also do not believe Google is not using things like ping time and AI to try to track people using VPNs. I am concerned ICMP packets provide information about my network. I would rather set the MTU manually. I also get faster speeds when I set the MTU manually even if I don't block ICMP, so this is something I need to do even if I allow every ICMP packet possible.

Well, please spend some time familiarizing yourself with the different ICMP tupes and what they are used for as well as path MTU discovery... and why pMTUd is not a bad thing.
Both IPv4 and IPv6 were designed under the premise that the network could use ICMPv4 and ICMPV6 to inform the endpoints about issues, if you remove that information channel some things will stop working properly... E.g. you could manually configure all your endpoints (let's assume for the sake of the argument that you can do so not only for the local but also the remote side) to use smaller MTUs then the internet default of 1500. Things will now work without path MTU discovery until you hit an intermediary network path with an MTU smaller than your configured MTU. In which case you might start to see fragmentation in IPv4 and complete loss of all large packets across that path with IPv6. You can obviously do that, but IMHO that is a rather haphazard way to operate a network. I am not saying you should stop caring about privacy, but please do more research about the tradeoffs involved. And with that I promise to shut up, since I have no answer to your actual question.


i appreciate the lecture. if i wanted my network to be working easily, and easily probable and hackable, even more than it already is as this porous mass of open holes, it would be a wonderful idea.

all my joking cattiness aside, i value the information, but already knew that ICMP packets are very useful for configuring MTU and doing other things

if there were a way to change the destination IPs of the ICMP packets, i might be more comfortable and that would be a much more useful digression. Even if I were pinging something that seems like an organization that respects privacy, I still don't know if it's a honeypot. I also don't know if not having MTU pings is something that can be seen by my WAN and looks strange. Does that make me stand out?

Now does anyone know how I can manually override these stupid messages when I ssh in? I don't have WiFI in this OpenWrt and i have 1 way in. It seems like it is saying this way is in use, so I can't change things.

That gives me an idea. Could I use cron to set up a program to modify the MTU after I exited the SSH connection? Is cron a default program on OpenWrt or is there a way to use a utility like cron to force the change once I disconnect? I think it's not letting me do things because I am using the port. Can I only install opkg packages?

I am so naive about these things. I just want google out of my life. Is that too much to ask?

If you're honestly seeking this, someone solved this with firewall rules for Cloudflare. Instead Cloudflare, you'd load Google IPs - and instead of the ACCEPT rule in the last step of this example, you'd make a DROP rule:


1 Like

Maybe have a look at what the OpenWrt firewall allows in that regard, I think you will be quite surprised...
That said, I would recommend to not spoof addresses, but simply drop specific packet types with 'problematic' external addresses.

You could just 'google' it, SCNR. Honestly, I understand where you seem to be comimg from (desire for some modicum of privacy), I am just not sure whether your current approach fixes more than it breaks, ICMP, the internet control message protocol was designed as a mandatory part of the internet protocol suite (both v4 and v6) so just dropping it will have some side effects. I would, respectfully, recommend a somewhat deeper research effort to accompany your configuration efforts.

Does anyone know the answer to the original question?

I'm not very good with technology. How do I use ip or ifconfig to change the MTU without getting SIOCSIFMTU: Operation Not Permitted?

Even if I enabled ICMP, I get this error.

Instead of mansplaining to me why I need ICMP packets, can someone please tell me how to stop the Operation Not Permitted error?

  • What version of OpenWrt are you running?
  • Where did you make the MTU setting?
  • Can you show a screenshot?