SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Mitigating MTU filter at a port

    Posted 04-30-2019 18:02
    I have created a filter to clear MTU at the value of 1522. I have wireless APs on ports ge-0/0/13.0 - 15.0.

    The code is at the 'Firewall' statement.

    Firewall ->
    Filter ->
    and so on...

    Is there anything I can do to make the filter work across each port without parsing the signal, and make it route properly? My opinion is that I'd have to create the filtered environment on the other device itself, but I want to do it this way because I haven't found a way to filter MTU on Asus/dd-wrt or a Juniper AX411 yet.

    firewall {
        filter 1522mtu {
            term 1 {
                from {
                    packet-length 1522-1522;
                }
                then {
                    count 1522mtu_DROP;
                    discard;
                }
            }
        }
    }


  • 2.  RE: Mitigating MTU filter at a port
    Best Answer

    Posted 04-30-2019 19:27

    Hello,

    I am not sure if I understand the question completely. You want to apply this filter to multiple interfaces. Is that right?

    You can do that by simply applying the filter to the interfaces:

    > set interfaces ge-0/0/13.0 family inet filter input 1522mtu

    > set interfaces ge-0/0/15.0 family inet filter input 1522mtu

    I also noticed that you do not have a default accept statement in the filter to allow the rest of the traffic. So you would need to add the following:

    set firewall filter 1522mtu term 2 then accept

    Your eventual filter would look like this.

    filter 1522mtu {
        term 1 {
            from {
                packet-length 1522-1522;
            }
            then {
                count 1522mtu_DROP;
                discard;
            }
        }
        term 2 {
            then accept;
        }
    }

    I hope this helps. Regards,

    Vikas
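    The complete configuration the answer describes, applied to all three AP-facing ports, as an added example that is not part of the thread. It assumes ge-0/0/14 also carries an AP (the question lists 13.0 to 15.0), that each port uses unit 0 with family inet, and it keeps the filter and counter names from the thread. Two points worth knowing before committing it: Junos firewall filters end with an implicit discard, so without the accept term every packet that is not exactly 1522 bytes would be dropped on those ports; and packet-length matches the IPv4 total-length field, not the Ethernet frame length, so Layer 2 headers, VLAN tags and the FCS are not counted. An input filter also acts only on packets the SRX receives on that interface; it does not change what other devices on the same segment see.

```junos
/* Added example (not from the thread): the 1522mtu filter applied to all three
   AP-facing ports. Assumes ge-0/0/13, ge-0/0/14 and ge-0/0/15 use unit 0
   with family inet; the filter and counter names are the ones from the thread. */
firewall {
    filter 1522mtu {
        term 1 {
            from {
                /* packet-length matches the IPv4 total-length field (header plus
                   payload); Ethernet header, VLAN tag and FCS are not included. */
                packet-length 1522-1522;
            }
            then {
                count 1522mtu_DROP;
                discard;
            }
        }
        /* Filters end with an implicit discard, so without this term every
           packet that does not match term 1 would also be dropped. */
        term 2 {
            then accept;
        }
    }
}
interfaces {
    ge-0/0/13 {
        unit 0 {
            family inet {
                /* Input filter: evaluated on packets the SRX receives on this port. */
                filter {
                    input 1522mtu;
                }
            }
        }
    }
    ge-0/0/14 {
        unit 0 {
            family inet {
                filter {
                    input 1522mtu;
                }
            }
        }
    }
    ge-0/0/15 {
        unit 0 {
            family inet {
                filter {
                    input 1522mtu;
                }
            }
        }
    }
}
```

    Load it in configuration mode with `load merge terminal` (or enter the equivalent `set` commands), run `commit check` before `commit`, and read the counter with `show firewall filter 1522mtu` to confirm that only the intended packets are being discarded.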



  • 3.  RE: Mitigating MTU filter at a port

    Posted 04-30-2019 19:46
    I have chosen to filter out the traffic completely. I assume that term 2 is the parsed signal. To me it doesn't matter, I think, because the SRX will create a parsed either way. I'm assuming. But MTU at value 1522 is damaged (I think) on our electrical service. You know the electric company has computers of their own. So what is happening is when I filter the SRX the other devices on the ports are still getting a damaged signal, but only the SRX is now getting the remainder completely in the box at the proper amount. I'm going to try the filters at the ports instead of the firewall.

    Any comments are appreciated.

    My point was to make the round trip proper without filtering on other boxes connected to the srx.