
Correct way to apply this rule?

Let's say I have this firewall rule:

firewall {
    modify gre-out {
        rule 1 {
            action modify
            modify {
                tcp-mss 1420
            }
            protocol tcp
            tcp {
                flags SYN
            }
        }
    }
}

interfaces {
    bridge br0 {
        address 192.168.1.1/24
        aging 300
        firewall {
            out {
                modify gre-out
            }
        }
        hello-time 2
        max-age 20
        priority 0
        stp false
    }
}

But I only want to apply it (rule 1) to traffic coming from the IP range of 10.1.1.1/24. What do I need to modify on that firewall rule to do that?

Interface br0 is both a bridge and a termination point for traffic.


All Replies

Re: Correct way to apply this rule?

You have to specify a 'source' filter for 10.1.1.1/24:

admin@ubnt-er-poe# set firewall name NAME rule 1 source address
Possible completions:
  <x.x.x.x>	IP address to match
  <x.x.x.x/x>	Subnet to match
  <x.x.x.x>-<x.x.x.x>
  		IP range to match
  !<x.x.x.x>	Match everything except the specified address
  !<x.x.x.x/x>	Match everything except the specified subnet
  !<x.x.x.x>-<x.x.x.x>
  		Match everything except the specified range

[edit]
admin@ubnt-er-poe#
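
An added example (not from the original thread, and not EdgeOS code): a small Python model of the six `source address` forms listed in the completions above, used to check which constructed packets rule 1 would still rewrite once a source filter is added. It assumes `flags SYN` means "SYN bit set"; for the ruleset in the question the config path would be `firewall modify gre-out rule 1 source address`, and the function names and sample packets are made up for illustration.

```python
import ipaddress

def parse_source(spec):
    """Parse one 'source address' value into (negate, low, high)."""
    negate = spec.startswith("!")
    body = spec[1:] if negate else spec
    if "-" in body:                                  # <x.x.x.x>-<x.x.x.x>
        low, high = (ipaddress.IPv4Address(p) for p in body.split("-", 1))
        if low > high:
            raise ValueError("range start is above range end: " + spec)
    elif "/" in body:                                # <x.x.x.x/x>
        # This model tolerates host bits: 10.1.1.1/24 covers 10.1.1.0-10.1.1.255.
        net = ipaddress.IPv4Network(body, strict=False)
        low, high = net.network_address, net.broadcast_address
    else:                                            # <x.x.x.x>
        low = high = ipaddress.IPv4Address(body)
    return negate, low, high

def source_matches(spec, src):
    """True if src satisfies the (possibly negated) source spec."""
    negate, low, high = parse_source(spec)
    inside = low <= ipaddress.IPv4Address(src) <= high
    return inside != negate

def rule1_applies(pkt, source_spec):
    """Rule 1 from the question plus a source filter.
    Assumption: 'flags SYN' is modelled as 'SYN bit set'."""
    return (pkt["proto"] == "tcp" and "SYN" in pkt["flags"]
            and source_matches(source_spec, pkt["src"]))

# Constructed sample packets leaving br0 (not captured traffic).
PACKETS = [
    {"src": "10.1.1.57",    "proto": "tcp", "flags": {"SYN"}},
    {"src": "10.1.1.57",    "proto": "tcp", "flags": {"ACK"}},
    {"src": "10.1.1.57",    "proto": "udp", "flags": set()},
    {"src": "192.168.1.20", "proto": "tcp", "flags": {"SYN"}},
    {"src": "10.1.2.1",     "proto": "tcp", "flags": {"SYN", "ACK"}},
]

def clamped(source_spec):
    """Source IPs of the sample packets that rule 1 would rewrite."""
    return [p["src"] for p in PACKETS if rule1_applies(p, source_spec)]

if __name__ == "__main__":
    for spec in ("10.1.1.1/24", "10.1.1.0-10.1.1.255", "!10.1.1.0/24"):
        print(spec, "->", clamped(spec))
```

With no source filter, the 192.168.1.20 and 10.1.2.1 SYN packets would also be rewritten; the subnet and range forms both narrow the rule to the single 10.1.1.57 SYN.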

 

 


Re: Correct way to apply this rule?

Instead of using the old modify way of doing mss-clamp, why not do it the new way that doesn't disable offload?

configure
set firewall options mss-clamp
commit
save
exit

 

EdgeMAX Router Software Development

Re: Correct way to apply this rule?

Because I'm a scaredy cat... and the old way is working?

Thanks Stig!