Inability to Access the InvisaGig Config Page Under Certain EdgeRouter Models

Issue

On InvisaGig v1.0.10 and older, the InvisaGig (IG) configuration page is inaccessible from LAN clients via its defined local IP address (192.168.225.1, by default) when the IG is connected to a WAN interface of certain EdgeRouter models that lack hardware-accelerated switch capabilities, such as the EdgeRouter 4 (ER-4), EdgeRouter Lite (ERL), EdgeRouter PoE (ERPoE-5), EdgeRouter 6P (ER-6P), or EdgeRouter Infinity (ER-8-XG). This does not appear to affect EdgeRouter models that contain switch chips (e.g. EdgeRouter X, EdgeRouter 12, etc.). Access to other web pages does not appear to be affected.

Cause

When LAN clients attempt to access the InvisaGig via the EdgeRouter WAN, they appear unable to negotiate the correctly sized TCP packets required to complete the TLS handshake for the configuration page, which uses HTTPS. This causes the connection attempt to time out.

Resolution

Upgrading to InvisaGig v1.0.12 or newer should resolve the issue. However, if this is not immediately possible, a targeted firewall rule should be created from the EdgeRouter CLI which enables MSS clamping on connections destined for the InvisaGig configuration page. NOTE: Replace ‘192.168.225.1’ with the actual IP of your InvisaGig if it is not the default, and replace ‘eth0’ with the actual IG WAN interface of your EdgeRouter if it is not ‘eth0’.

configure
set firewall modify IG_ACCESS description "MSS clamping for LAN to modem traffic"
set firewall modify IG_ACCESS rule 10 action modify
set firewall modify IG_ACCESS rule 10 modify tcp-mss 1432
set firewall modify IG_ACCESS rule 10 description "Clamp MSS for traffic to modem"
set firewall modify IG_ACCESS rule 10 destination address 192.168.225.1
set firewall modify IG_ACCESS rule 10 destination port 443
set firewall modify IG_ACCESS rule 10 protocol tcp
set firewall modify IG_ACCESS rule 10 tcp flags SYN
set interfaces ethernet eth0 firewall out modify IG_ACCESS
commit
save
exit

‘Modify’ type rulesets such as the one created above will not be visible in the EdgeRouter web GUI, but you can verify that the rule is active by listing the active ‘modify’ firewall rules with the command ‘show firewall modify’. If you see the output below referencing ‘TCPMSS set’, creation of the rule was successful:

ubnt@EdgeRouter-4:~$ show firewall modify
----------------------------------------------------------------------
IPv4 Modify Firewall "IG_ACCESS":
 Active on (eth0,OUT)
rule  action   proto     packets  bytes
----  ------   -----     -------  -----
10    modify   tcp       4        208
 condition - daddr config.invisagig.com tcp dpt:https tcp-flags SYN TCPMSS set
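
The same verification can be scripted. The following is an added example, not part of the original article: it reads saved or piped ‘show firewall modify’ output on standard input and reports whether the ruleset exists, is bound outbound on the expected interface, contains a ‘TCPMSS set’ rule, and has matched any packets. The function name check_mss_clamp and its status words are hypothetical; the embedded sample is the output shown above.

```shell
#!/bin/sh
# Added example: check `show firewall modify` output for a working MSS clamp.
# Usage: <command output> | check_mss_clamp RULESET IFACE
# Prints one status word; returns 0 only when the status is "ok".
check_mss_clamp() {
    awk -v want="$1" -v ifc="$2" '
        /^IPv4 Modify Firewall/ {
            # Ruleset header line: IPv4 Modify Firewall "NAME":
            name = $0
            sub(/^[^"]*"/, "", name); sub(/".*$/, "", name)
            in_set = (name == want)
            if (in_set) found = 1
            next
        }
        !in_set { next }                      # ignore other rulesets
        /Active on/ { if (index($0, "(" ifc ",OUT)")) bound = 1; next }
        # Counter line: rule number, action, protocol, packets, bytes
        $1 ~ /^[0-9]+$/ && $2 == "modify" { pkts = $4; next }
        # Condition line belongs to the counter line just before it
        /condition/ && /TCPMSS set/ { clamp = 1; hits = pkts }
        END {
            if (!found)             s = "missing"   # ruleset not defined
            else if (!bound)        s = "unbound"   # not applied to IFACE out
            else if (!clamp)        s = "no-clamp"  # no TCPMSS rule present
            else if (hits + 0 == 0) s = "no-hits"   # rule never matched a SYN
            else                    s = "ok"
            print s
            exit(s == "ok" ? 0 : 1)
        }
    '
}

# Sample input, taken from the output shown in this article.
sample_output() {
    cat <<'EOF'
IPv4 Modify Firewall "IG_ACCESS":
 Active on (eth0,OUT)
rule  action   proto     packets  bytes
----  ------   -----     -------  -----
10    modify   tcp       4        208
 condition - daddr config.invisagig.com tcp dpt:https tcp-flags SYN TCPMSS set
EOF
}

sample_output | check_mss_clamp IG_ACCESS eth0
```

A ‘no-hits’ result means the rule is installed but its packet counter is still zero, so no connection attempt to the configuration page has passed through it yet.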

If you wish to remove the MSS clamping rule for any reason, you can do so using the following CLI command sequence (remember to replace ‘eth0’ with your actual WAN interface if it is not ‘eth0’):

configure
delete interfaces ethernet eth0 firewall out modify IG_ACCESS
commit
delete firewall modify IG_ACCESS
commit
save
exit