Brian wrote:
> On Mon, 2015-08-03 at 22:32 +0200, Rob Janssen wrote:
> > Now it suddenly starts to work!
> > --- 44.88.0.9 ping statistics ---
> > 1117 packets transmitted, 106 received, 90% packet loss, time 1122044ms
> > rtt min/avg/max/mdev = 116.516/119.247/130.393/2.411 ms
>
> I wouldn't consider 90% packet loss working.
As I mentioned: it suddenly starts working. I had started that ping to allow you to trace what comes in and what goes out. At my end I see encapsulated IPIP packets going out to your gateway, but no replies.
After sending 1011 packets without reply, suddenly replies started coming back. I interrupted the ping after 106 replies.
At that time, a mail from you came in stating that you could ping me. Apparently once you did that, the tunnel started to work from my side as well.

> Is there some stateful firewall e.g. in a router that you have set to "forward a protocol" or "dmz"?

Not at all.

At any rate, it looks like there is some stateful firewall in between that blocks IPIP packets from me to you until you "open" it by sending packets from you to me.

I tried an hour or so later and again there was no reply. When I ping now, no reply. However, from the other gateway I can still ping you (and deliver these mails).

Do you have some script that causes regular traffic, e.g. pinging or otherwise, to my personal gateway? (external address 89.18.172.156, serving 44.137.40.1 and 44.137.40.2, the one you pinged first yesterday)
When trying from our 44.137.0.0/16 gateway that has external address 213.222.29.194 I get no replies. But when I ping your external IP from there, no problem.

Both these systems are in (different) ISP datacenters with their ethernet interface directly connected to a switch on a subnet routed by an ISP-grade router. No consumer NAT routers involved at all.

Recently, I assisted a local ham who had set up a gateway and had a similar problem. When he pinged outward from his system he could reach many others, but when he asked others to access his system from the outside it did not work, or sometimes it worked and sometimes not.
It turned out he was using some cable modem/router where he had set up 1 system to receive the IPIP traffic, I think by declaring it a "dmz host", and it did not receive IPIP traffic until he sent outward IPIP traffic to the tunnel he wanted to receive traffic from.
He switched from IPIP tunnel mesh to a VPN to our gateway because he could not find any user-configurable item in his router that would remove this unwanted stateful firewall item.

It may well be that some people on this list suffer the same problem, maybe even without knowing. (because when they connect outward from their own system there never is a problem)

Rob
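The mechanism Rob describes (a stateful firewall that admits inbound IPIP only after an outbound packet has created a state entry, and blocks again once that entry times out) can be modelled in a few lines. The following is an added Python illustration, not part of the original mail or of any gateway software; the hosts A and B, the 600-second state timeout and the packet times are constructed assumptions, and the optional keepalive shows the effect of the "script that causes regular traffic" Rob asks about.

```python
from dataclasses import dataclass
from typing import Optional

IPIP = 4  # IP protocol number for IP-in-IP encapsulation (RFC 2003)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    t: float  # seconds on the firewall's clock

class StatefulFirewall:
    """Model of a consumer 'DMZ host' router: outbound packets are always
    forwarded, inbound packets are accepted only while a matching state entry
    exists. Port-less protocols such as IPIP get a generic (src, dst, proto)
    entry, which is why a tunnel peer cannot reach the inside host first."""
    def __init__(self, inside: str, state_timeout: float = 600.0):
        self.inside, self.timeout, self.states = inside, state_timeout, {}

    def handle(self, p: Packet) -> str:
        if p.src == self.inside:                     # outbound: opens/refreshes state
            self.states[(p.src, p.dst, p.proto)] = p.t
            return "FORWARD"
        key = (p.dst, p.src, p.proto)                # inbound: look up the reverse entry
        last = self.states.get(key)
        if last is not None and p.t - last <= self.timeout:
            self.states[key] = p.t                   # a reply refreshes the entry
            return "ACCEPT"
        self.states.pop(key, None)                   # expired or never existed
        return "DROP"

def scenario(keepalive_every: Optional[int] = None) -> dict:
    """Replay the thread with constructed times: remote gateway A sends an IPIP
    packet to B every 100 s for the first 700 s, B sends one outbound IPIP
    packet at t=500 (the ping from B's side), and A tries again an hour later
    (t=4300). With keepalive_every set, B also emits an outbound packet on that
    schedule. Returns {time: firewall decision for A's packet}."""
    fw = StatefulFirewall(inside="B")
    a_sends = [0, 100, 200, 300, 400, 500, 600, 700, 4300]
    out = {}
    for t in range(0, 4301, 100):
        if t == 500 or (keepalive_every and t > 0 and t % keepalive_every == 0):
            fw.handle(Packet("B", "A", IPIP, t))
        if t in a_sends:
            out[t] = fw.handle(Packet("A", "B", IPIP, t))
    return out
```

Without a keepalive the inbound packets are dropped until B sends at t=500, accepted while the entry is refreshed, and dropped again an hour later; with a keepalive every 300 s the entry never expires.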