My VDSL modem is a Huawei HG659b. The modem routes all DMZ traffic to an interface on a Broadcom-based AP running OpenWrt via a Cisco WS-C3750G-24PS.
I can see all manner of connections hitting my DMZ interface from my
public IP (typical portscans etc) so the modem->DMZ forwarding seems ok.
But do you ever see any unsolicited incoming traffic that is not ICMP, TCP or UDP?
A "quite common" DMZ bug is that the router actually forwards only these protocols to the DMZ host, and not protocols like IPIP (4).
However, it DOES return the replies on outgoing IPIP packets you send.
So, when you try to ping someone on a tunnel it works, but when the NAT translation
rule has disappeared (after a few seconds up to 3 minutes or so) an outgoing ping
from the same host you just pinged does not work anymore.
I have seen this several times on the IPIP mesh. People claim their system works fine, but it is still unreachable for unsolicited connections.
Rob
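The behaviour Rob describes, as an added model that is not part of the thread: a DMZ router that always passes ICMP, TCP and UDP (protocol numbers 1, 6, 17) to the DMZ host but forwards other IP protocols such as IPIP (4) only while a translation created by an outgoing packet is still alive. The script also implements the check he asks about, listing which non-ICMP/TCP/UDP protocols have actually arrived unsolicited in a capture. The addresses, the 180-second translation lifetime and the packets are constructed for the example (documentation ranges, zero IP checksum); `BuggyDmzRouter` and `non_standard_inbound` are names chosen here, not anything from the router or from OpenWrt.

```python
import struct

# IANA IP protocol numbers mentioned in or relevant to the thread
PROTO_NAMES = {1: "ICMP", 4: "IPIP", 6: "TCP", 17: "UDP"}
ALWAYS_FORWARDED = {1, 6, 17}  # the three protocols the buggy DMZ always passes


def make_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 packet (20-byte header, checksum left zero) for the demo.
    Constructed test data only; a real capture would come from tcpdump/pcap."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45,            # version 4, IHL 5 (20 bytes)
                      0,               # TOS
                      20 + len(payload),
                      0, 0,            # identification, flags/fragment offset
                      64,              # TTL
                      proto,
                      0,               # header checksum (not validated here)
                      src_b, dst_b)
    return hdr + payload


def parse_ipv4(pkt: bytes) -> tuple:
    """Return (src, dst, proto) from a raw IPv4 packet; reject malformed headers."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    return (".".join(map(str, src)), ".".join(map(str, dst)), proto)


class BuggyDmzRouter:
    """Hypothetical model of the DMZ bug: ICMP/TCP/UDP are always delivered to the
    DMZ host; any other protocol is delivered only while a NAT translation created
    by an outgoing packet to that peer has not yet expired."""

    def __init__(self, dmz_host: str, timeout_s: int = 180):
        self.dmz_host = dmz_host
        self.timeout_s = timeout_s       # assumed translation lifetime (Rob: "up to 3 minutes")
        self.translations = {}           # (proto, peer) -> expiry time in seconds

    def outbound(self, pkt: bytes, now: float) -> None:
        """Outgoing packet from the DMZ host creates/refreshes a translation entry."""
        _src, dst, proto = parse_ipv4(pkt)
        self.translations[(proto, dst)] = now + self.timeout_s

    def inbound(self, pkt: bytes, now: float) -> bool:
        """Return True if an incoming packet is forwarded to the DMZ host."""
        src, _dst, proto = parse_ipv4(pkt)
        if proto in ALWAYS_FORWARDED:
            return True                  # "DMZ" behaves as advertised for these three
        expiry = self.translations.get((proto, src))
        return expiry is not None and now < expiry   # only replies to recent outgoing traffic


def non_standard_inbound(capture: list) -> set:
    """The check Rob suggests: which protocols other than ICMP/TCP/UDP ever arrived
    at the DMZ interface?  An empty set over a long capture on a host that should be
    reachable on the IPIP mesh is the symptom of the bug."""
    seen = set()
    for pkt in capture:
        _src, _dst, proto = parse_ipv4(pkt)
        if proto not in ALWAYS_FORWARDED:
            seen.add(PROTO_NAMES.get(proto, str(proto)))
    return seen


def tunnel_ping_scenario() -> tuple:
    """Walk through Rob's description: unsolicited IPIP fails, IPIP right after an
    outgoing packet works, IPIP after the translation timed out fails again."""
    dmz, peer = "192.0.2.10", "198.51.100.5"        # constructed documentation addresses
    router = BuggyDmzRouter(dmz)
    peer_ipip = make_ipv4(peer, dmz, 4)
    unsolicited = router.inbound(peer_ipip, now=0)   # peer pings us first over the tunnel
    router.outbound(make_ipv4(dmz, peer, 4), now=10)  # we ping the peer: translation created
    while_alive = router.inbound(peer_ipip, now=20)   # reply/return traffic gets through
    after_expiry = router.inbound(peer_ipip, now=200) # 10 + 180 s has passed, entry gone
    return (unsolicited, while_alive, after_expiry)


if __name__ == "__main__":
    print("unsolicited / while alive / after expiry:", tunnel_ping_scenario())
    cap = [make_ipv4("203.0.113.7", "192.0.2.10", p) for p in (6, 17, 1, 6)]
    print("non-ICMP/TCP/UDP protocols seen:", non_standard_inbound(cap) or "none")
```

Run against a real capture, the equivalent of `non_standard_inbound` is simply counting inbound packets per IP protocol number on the DMZ interface over a day or two: if only 1, 6 and 17 ever appear while the host is supposedly reachable over IPIP, the modem is most likely dropping the unsolicited protocol-4 packets, exactly as described above.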