0 votes
1,064 views 2 comments
by
i've configured bridge mode on my RUTX09, but i have some questions. 4G mobile connection is my WAN connection on my RUTX09.

is the firewall completely disabled on the RUTX09 when in bridge mode? no need to worry about the drop/reject/zoning/masquerading/mss clamping configuration displayed in the web interface then?

i seem to be having MTU / MSS clamping issues after enabling bridge mode. Some websites do not work at all when i try to access them from behind my Ubiquiti USG firewall/router receiving the public ip. I think all of those websites that do not work, use TLS / HTTPS in a way that's not coming through. Google works, i can search etc. but clicking on search results always fails to load the websites, which are all https nowadays.

So i'm now troubleshooting MTU/MSS-clamping issues, but any help would be appreciated.

2 Answers

0 votes
by

Hello,

When you set Bridge mode, it disables most of the router's features (firewall, web filter, DHCP server…) and simply gives a single specified device its WAN IP address.

When configuring Bridge mode, make sure that WAN failover is turned off in the Network → Failover page and mobile is set as main WAN in the Network → WAN page. Then in the Network → WAN → Mobile Configuration page select Mode: Bridge in the mobile configuration section. You will then see an additional configuration field for entering a MAC address appear. The MAC address is a mandatory parameter and must be entered correctly.

I think you should temporarily disconnect the Ubiquiti USG firewall/router and use only a PC. Connect it to a RUTX09 LAN port. Set your PC’s MAC address on the Bridge tab (Network → WAN → Mobile Configuration). Test the websites that did not work earlier. This test will show which device causes the issues.

We will wait for your feedback

Regards

by
Leaves me with one question:

is there an explanation for the fact that the MTU changes when in bridge mode compared to NAT? My USG has a default MTU value on the WAN and i can't imagine the USG changing MTU dynamically between the situation where the RUTX09 is in NAT mode or bridge mode. the mss-clamp setting on the USG does not set MTU, it only lowers the limit further within the max of the MTU.

I suspect the RUTX09 is changing the MTU somehow. I'm not sure where or if i can configure MTU on the RUTX09. The fact is that my actual MTU is 1470 when bridged and 1500 when in NAT mode (as seen/checked by https://www.speedguide.net/analyzer.php)
0 votes
by
ok i figured it out.

Putting the RUTX09 in bridge mode works like described in the docs and like suggested. I put in the mac address of the WAN interface of the USG, eth0 in my case. The USG gets the IP.

I needed to powercycle the RUTX09 in order to function again after configuring bridge mode. But ok, no problem.

After that, i had TLS handshake issues. This means MTU/MSS issues most of the time. after searching for my options, i found out (after quite some time/trying) the unifi controller was not able to properly set the MSS value from the Web GUI for the WAN interface. It did not work, no matter what value i would set for MSS on the USG WAN interface advanced settings. So i fell back to the CLI. that worked.

i found out that a "mss" value had to be set for "all" interfaces on the usg. the commands below will do just that. I think the controller interface tries something different under the hood, with less success. the maximum value i could set was 1430. 1431 gave problems, 1430 was ok.

i had to configure the USG with the following commands. You can find out the value that works best for you by using the commands and just see where it breaks.

Looking good, i'll test some more.

This website is useful to display your MSS and MTU settings as a result of these configuration changes.

https://www.speedguide.net/analyzer.php

USG Commands:

configure
set firewall options mss-clamp interface-type all
set firewall options mss-clamp mss 1430
commit
save
exit
by
i found out the unifi controller is actually able to properly set the mss-clamping value, to 1430 in my case. The problem is that the default usg config does not have the "interface-type all" scope activated. So the configured mss-clamping value would only apply to pppoe, pptp and vti, all of which do not apply when using the rutx09 in bridge mode.

Configuring 1430 for mss-clamping in the controller and after that also entering the usg cli command "set firewall options mss-clamp interface-type all" (don't forget to "commit" and "save") made it work persistently.
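
The thread arrives at the clamp value by trial and error. As an added example (not code from the posters or from either vendor), the same search can be run against the path itself with don't-fragment pings, then converted to an MSS. It assumes Linux iputils `ping` and IPv4 headers without options; the function names are hypothetical and the 1470-byte-MTU path is a constructed stand-in so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example: find the largest unfragmented packet a path carries and
# derive the TCP MSS clamp from it. Linux iputils ping is assumed.

# Real probe: one ICMP echo with DF set ("-M do") and the given payload size.
# 192.0.2.1 is a placeholder (TEST-NET-1); set PMTU_TARGET to a host you may ping.
probe_ping() {
    ping -M do -c 1 -W 2 -s "$1" "${PMTU_TARGET:-192.0.2.1}" >/dev/null 2>&1
}

# find_max_payload PROBE_FN [LOW] [HIGH]
# Binary search for the largest ICMP payload for which PROBE_FN succeeds.
# Prints that payload size, or returns 1 if even LOW fails.
find_max_payload() {
    local probe="$1" low="${2:-548}" high="${3:-1472}" mid
    "$probe" "$low" || return 1
    while [ "$low" -lt "$high" ]; do
        mid=$(( (low + high + 1) / 2 ))
        if "$probe" "$mid"; then
            low=$mid
        else
            high=$(( mid - 1 ))
        fi
    done
    echo "$low"
}

# payload + 8 (ICMP header) + 20 (IPv4 header) = path MTU
payload_to_mtu() { echo $(( $1 + 28 )); }

# MTU - 20 (IPv4 header) - 20 (TCP header) = largest usable MSS
mtu_to_mss() { echo $(( $1 - 40 )); }

# Constructed stand-in for a path with MTU 1470, the bridge-mode value reported
# in the thread: payloads above 1470 - 28 = 1442 bytes do not get through.
probe_fake_1470() { [ "$1" -le 1442 ]; }

report() {
    local payload mtu
    payload=$(find_max_payload "$1") || { echo "path unreachable"; return 1; }
    mtu=$(payload_to_mtu "$payload")
    echo "max payload=$payload path MTU=$mtu MSS clamp=$(mtu_to_mss "$mtu")"
}

# Offline demo against the constructed path; use "report probe_ping" on a live link.
report probe_fake_1470
```

For the constructed path this yields an MSS of 1430, matching the highest value that worked in the thread.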