No, it is not ok.
It is working because of connection tracking if YOU
access the page.
Ping Output:
PING 44.153.32.97 (44.153.32.97) 56(84) bytes of data.
--- 44.153.32.97 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 2999ms
Indeed, it is not working correctly.
He sent me a mail telling me that he could ping me at 44.137.41.97, and I happened to be
at the computer when it came in; I immediately tried to ping back and it worked.
Then I waited an hour, tried again, and again it did not work.
So all symptoms point to a stateful firewall of IPIP traffic, probably in his ISP router.
I suspect that some NAT routers do a connection tracking firewall even when the DMZ HOST
is set in the config. The DMZ HOST only receives all TCP and UDP traffic, but not
protocol-4.
However, just like all other hosts on the LAN, it can send out protocol-4 traffic and
receive the "reply" traffic. So doing outbound connections works, but inbound on an
idle tunnel is not working.
It would be interesting to investigate which routers suffer from this bug, so a list can
be made on the Wiki page. I think quite a few gateway stations have this fault.
The operator believes he has a working gateway because he can connect to whatever other
gateway station he tries, but incoming connects do not work when there has been no
prior traffic.
(of course the same thing happens when DMZ HOST is not set at all, so this has to be
properly investigated)
Rob
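To illustrate the failure mode described in the mail, here is an added model (not from the mail or from any router firmware) of a NAT router that forwards all TCP/UDP to the DMZ host but still runs connection tracking on protocol 4 with an idle timeout; it replays the sequence of an unsolicited inbound tunnel packet, a reply shortly after outbound traffic, and an inbound packet after an hour of idleness. The 44.x addresses are the ones from the mail; the LAN address and the timeout value are constructed.

```python
"""Model of a NAT router: DMZ HOST covers TCP/UDP only, IPIP (protocol 4)
is subject to connection tracking with an idle timeout."""
from dataclasses import dataclass, field

IPIP = 4    # IP protocol number for IP-in-IP tunnel encapsulation
TCP = 6
UDP = 17


@dataclass
class NatRouter:
    dmz_host: str               # LAN host that gets all unsolicited TCP/UDP
    conntrack_timeout: float    # seconds an idle tracking entry survives
    # (protocol, remote peer) -> time the flow was last seen
    table: dict = field(default_factory=dict)

    def outbound(self, proto, peer, now):
        """A LAN host sends to peer: create/refresh the tracking entry."""
        self.table[(proto, peer)] = now

    def inbound(self, proto, peer, now):
        """Return True if a WAN packet from peer is delivered to the LAN."""
        if proto in (TCP, UDP):
            return True          # DMZ HOST rule: forwarded unconditionally
        key = (proto, peer)
        last = self.table.get(key)
        if last is None or now - last > self.conntrack_timeout:
            self.table.pop(key, None)
            return False         # no live entry for protocol 4: dropped
        self.table[key] = now    # matched reply traffic refreshes the entry
        return True


def idle_tunnel_scenario(timeout=600.0):
    """Replay the symptoms from the mail behind a constructed router."""
    router = NatRouter(dmz_host="192.168.1.10", conntrack_timeout=timeout)
    peer = "44.153.32.97"        # the other gateway, from the mail
    results = {}
    # 1. Peer sends an IPIP packet while the tunnel has been idle: dropped.
    results["cold_inbound"] = router.inbound(IPIP, peer, now=0)
    # 2. The gateway behind the router pings the peer; the reply gets in.
    router.outbound(IPIP, peer, now=10)
    results["reply_after_outbound"] = router.inbound(IPIP, peer, now=11)
    # 3. An hour later the entry has expired: inbound IPIP is dropped again.
    results["inbound_after_hour"] = router.inbound(IPIP, peer, now=11 + 3600)
    # 4. TCP to the DMZ host is unaffected even with no prior traffic.
    results["cold_tcp"] = router.inbound(TCP, "44.137.41.97", now=0)
    return results
```

Setting `timeout` larger than 3600 makes step 3 succeed, which is exactly why the operator only sees the problem on a tunnel that has been idle for a while.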