Hi Rob, Bob VE3TOK tested connectivity from his gateway and had no issues getting into mine, which should rule out a conntrack issue. I've also run traceroute and ping tests from other gateways via a different internet connection to assess this as well. Another test I tried along that line was sending IPIP packets to amprgw for 15 minutes straight to see if any encapsulated RIP packets might find their way in, but nothing. It seems like every gateway except the new amprgw can send and receive IPIP packets to/from my gateway, which is why I thought it might be a very specific host+protocol block implemented by my ISP. Everything was working fine for me up until a week or so ago.
Josh - VK2HFF
-------- Original message -------- From: Rob Janssen pe1chl@amsat.org Date: 16/06/2017 19:11 (GMT+10:00) To: 44net@hamradio.ucsd.edu Subject: Re: [44net] 44 net connectivity problems ?
My vdsl modem is a Huawei HG659b. The modem routes all DMZ traffic to an interface on a Broadcom based AP running OpenWRT via a cisco WS-C3750g-24PS. I can see all manner of connections hitting my DMZ interface from my public IP (typical portscans etc) so the modem->DMZ forwarding seems ok.
But do you ever see any unsolicited incoming traffic that is not ICMP, TCP or UDP?
A "quite common" DMZ bug is that the router actually forwards only these protocols to the DMZ host, and not protocols like IPIP (4). However, it DOES return the replies on outgoing IPIP packets you send.
So, when you try to ping someone on a tunnel it works, but when the NAT translation rule has disappeared (after a few seconds up to 3 minutes or so), an outgoing ping from the same host you just pinged does not work anymore.
I have seen this several times on the IPIP mesh. People claiming their system works fine but still it is unreachable for unsolicited connections.
Rob
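The check Rob describes above (does the box forward *unsolicited* IPIP, protocol 4, to the DMZ host, or only replies to IPIP you sent first?) as a small stand-alone probe. This is an added example, not code from Rob, Josh or the 44net project. It assumes Linux (raw sockets deliver the full IP packet and need root/CAP_NET_RAW), builds the IP-in-IP packet by hand with the standard library only, and uses Rob's "3 minutes or so" as the upper bound of the NAT/conntrack window (the `CONNTRACK_WINDOW_S` constant is that assumption). The RFC 5737 and 44.0.0.0/8 addresses in the test are placeholders.

```python
"""Probe for the DMZ/NAT bug described above: a box that only returns IPIP
(IP protocol 4) replies to tunnels *you* opened, but never forwards
unsolicited IPIP from outside. Pure stdlib, no scapy. Raw sockets need
root/CAP_NET_RAW on Linux; the packet builder and classifier run anywhere."""
import socket
import struct
import sys
import time

IPPROTO_IPIP = 4          # IP-in-IP, what the 44net mesh tunnels use
CONNTRACK_WINDOW_S = 180  # assumed upper bound of the "few seconds to 3 minutes" above


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; 0 means 'verifies' on a received header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                ident: int = 0x4444, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a correct checksum (no options, no DF)."""
    fields = (0x45, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst))
    raw = struct.pack("!BBHHHBBH4s4s", *fields)
    return raw[:10] + struct.pack("!H", ip_checksum(raw)) + raw[12:]


def icmp_echo(ident: int, seq: int, payload: bytes = b"44net-ipip-probe") -> bytes:
    """ICMP echo request carried inside the tunnel so the far end has something to answer."""
    head = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, ip_checksum(head + payload), ident, seq) + payload


def build_ipip_probe(outer_src, outer_dst, inner_src, inner_dst, ident=0x4444) -> bytes:
    """outer IPv4 (proto 4) -> inner IPv4 (proto 1) -> ICMP echo request."""
    inner_payload = icmp_echo(ident, 1)
    inner = ipv4_header(inner_src, inner_dst, socket.IPPROTO_ICMP,
                        len(inner_payload), ident) + inner_payload
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(inner), ident) + inner


def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload) for a checksum-valid IPv4 packet, else None."""
    if len(packet) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl or ip_checksum(packet[:ihl]) != 0:
        return None
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, packet[ihl:total_len]


def classify_ipip(packet: bytes, sent_to: dict,
                  window_s: float = CONNTRACK_WINDOW_S, now: float = None) -> str:
    """'not-ipip'; 'reply' = from a peer we sent IPIP to inside the NAT window
    (inconclusive, a buggy box passes these too); 'unsolicited' = proof the
    box really forwards protocol 4 to us. sent_to maps peer IP -> send time."""
    parsed = parse_ipv4(packet)
    if parsed is None or parsed[2] != IPPROTO_IPIP:
        return "not-ipip"
    now = time.time() if now is None else now
    last = sent_to.get(parsed[0])
    if last is not None and now - last < window_s:
        return "reply"
    return "unsolicited"


def send_probe(outer_src, outer_dst, inner_src, inner_dst) -> None:
    """Emit one hand-built IPIP packet (root needed); this also primes the NAT entry."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)  # we supply the outer header
    s.sendto(build_ipip_probe(outer_src, outer_dst, inner_src, inner_dst), (outer_dst, 0))
    s.close()


def listen(sent_to: dict, seconds: int = 600) -> None:
    """Sniff protocol 4 for a while (Linux hands the full IP packet to a SOCK_RAW socket)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, IPPROTO_IPIP)
    s.settimeout(1.0)
    end = time.time() + seconds
    while time.time() < end:
        try:
            pkt, _ = s.recvfrom(65535)
        except socket.timeout:
            continue
        outer = parse_ipv4(pkt)
        inner = parse_ipv4(outer[3]) if outer else None
        print(time.strftime("%H:%M:%S"), classify_ipip(pkt, sent_to),
              "outer", outer and outer[0], "inner", inner and inner[0])


if __name__ == "__main__":
    if len(sys.argv) == 6 and sys.argv[1] == "send":
        send_probe(*sys.argv[2:6])
    elif len(sys.argv) >= 2 and sys.argv[1] == "listen":
        # peers listed after 'listen' are ones you just sent IPIP to (timestamp = now)
        listen({peer: time.time() for peer in sys.argv[2:]})
    else:
        sys.exit("usage: send OUTER_SRC OUTER_DST INNER_SRC INNER_DST | listen [PEER ...]")
```

Usage follows Rob's recipe: `send` a probe to a cooperating gateway (so the tunnel "works" from your side), start `listen PEER` on the DMZ host, then have the peer send IPIP to you after more than three minutes. A line tagged `unsolicited` means the modem does pass protocol 4 inbound; only ever seeing `reply` lines, or nothing at all, is the symptom Rob describes. Running `tcpdump -ni <wan-if> ip proto 4` on the modem side at the same time, if it lets you, tells the two failure cases apart (packet never arrives vs. arrives but is not forwarded).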
_________________________________________ 44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net