My VDSL modem is a Huawei HG659b. The modem routes all DMZ traffic to an interface on a Broadcom-based AP running OpenWRT via a Cisco WS-C3750G-24PS. I can see all manner of connections hitting my DMZ interface from my public IP (typical portscans etc.), so the modem->DMZ forwarding seems ok.
But do you ever see any unsolicited incoming traffic that is not ICMP, TCP or UDP?
A "quite common" DMZ bug is that the router actually forwards only these protocols to the DMZ host, and not protocols like IPIP (4). However, it DOES return the replies on outgoing IPIP packets you send.
So, when you try to ping someone on a tunnel it works, but when the NAT translation rule has disappeared (after a few seconds up to 3 minutes or so) an outgoing ping from the same host you just pinged does not work anymore.
I have seen this several times on the IPIP mesh. People claim their system works fine, but it is still unreachable for unsolicited connections.
Rob
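As an added illustration (my own code, not from either poster), the following Python models the DMZ bug Rob describes and includes the check he asks for: an IPv4 header parser you can run over raw packets captured on the DMZ interface to see which IP protocol numbers actually arrive unsolicited. The router model is an assumption of mine: one NAT translation entry per (peer, protocol) created by outbound traffic and aged out after a fixed timeout, with unsolicited ICMP/TCP/UDP forwarded unconditionally and everything else dropped. The packets and addresses are constructed samples (RFC 5737 documentation ranges).

```python
"""Model of the 'DMZ forwards only ICMP/TCP/UDP unsolicited' bug, plus a
raw IPv4 protocol-number audit for packets seen on the DMZ interface.
Added example; the router behaviour modelled here is an assumption,
not a statement about any specific modem firmware."""
import struct

PROTO_ICMP, PROTO_IPIP, PROTO_TCP, PROTO_UDP = 1, 4, 6, 17
# Protocols the (modelled) router forwards to the DMZ host even when unsolicited.
DMZ_PASSTHROUGH = {PROTO_ICMP, PROTO_TCP, PROTO_UDP}
PROTO_NAMES = {PROTO_ICMP: "ICMP", PROTO_IPIP: "IPIP", PROTO_TCP: "TCP", PROTO_UDP: "UDP"}

IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def _ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def make_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Constructed sample packet (header checksum left 0; the parser ignores it)."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      _ip_bytes(src), _ip_bytes(dst))
    return hdr + payload


def parse_ipv4_header(pkt: bytes) -> dict:
    """Extract src, dst and the IP protocol number from a raw IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes (options, if any, skipped)
    return {"src": _ip_str(src), "dst": _ip_str(dst), "proto": proto, "payload": pkt[ihl:]}


def protocol_counts(raw_packets) -> dict:
    """Count inbound packets per IP protocol number. If a DMZ capture only ever
    shows 1/6/17 here while peers send you IPIP, the forwarding gap is real."""
    counts = {}
    for pkt in raw_packets:
        proto = parse_ipv4_header(pkt)["proto"]
        counts[proto] = counts.get(proto, 0) + 1
    return counts


class BuggyDmzRouter:
    """Assumed router behaviour: translation state for outbound traffic, expiring
    after `timeout_s`; unsolicited inbound reaches the DMZ only for ICMP/TCP/UDP."""

    def __init__(self, timeout_s: float = 180.0):
        self.timeout_s = timeout_s
        self.nat = {}  # (peer_ip, proto) -> expiry time

    def outbound(self, dst: str, proto: int, now: float) -> None:
        """DMZ host sends to `dst`: create or refresh the translation entry."""
        self.nat[(dst, proto)] = now + self.timeout_s

    def inbound(self, src: str, proto: int, now: float) -> str:
        """Return 'dmz' if a WAN packet from `src` reaches the DMZ host, else 'dropped'."""
        key = (src, proto)
        expiry = self.nat.get(key)
        if expiry is not None and now < expiry:
            return "dmz"          # reply to something we sent: translated back
        if expiry is not None:
            del self.nat[key]     # stale entry aged out
        if proto in DMZ_PASSTHROUGH:
            return "dmz"          # unsolicited ICMP/TCP/UDP is forwarded as expected
        return "dropped"          # unsolicited IPIP (and other protocols) never arrive

    def inbound_raw(self, pkt: bytes, now: float) -> str:
        hdr = parse_ipv4_header(pkt)
        return self.inbound(hdr["src"], hdr["proto"], now)


def scenario() -> list:
    """Replay the sequence from the post: tunnel ping works, then after the
    translation expires the peer cannot initiate; unsolicited TCP still works."""
    router = BuggyDmzRouter(timeout_s=180)
    peer, me = "203.0.113.20", "198.51.100.10"
    router.outbound(peer, PROTO_IPIP, now=0)   # we ping the peer through the IPIP tunnel
    return [
        router.inbound_raw(make_ipv4(peer, me, PROTO_IPIP), now=1),    # reply: 'dmz'
        router.inbound_raw(make_ipv4(peer, me, PROTO_IPIP), now=200),  # peer pings us: 'dropped'
        router.inbound_raw(make_ipv4(peer, me, PROTO_TCP), now=200),   # unsolicited TCP: 'dmz'
    ]


if __name__ == "__main__":
    for proto, n in sorted(protocol_counts([
        make_ipv4("192.0.2.1", "198.51.100.10", PROTO_TCP),
        make_ipv4("203.0.113.20", "198.51.100.10", PROTO_IPIP),
    ]).items()):
        print(f"proto {proto:3d} ({PROTO_NAMES.get(proto, '?')}): {n}")
    print(scenario())
```

To use the audit on real traffic, feed `protocol_counts` the IPv4 packets from a capture on the DMZ interface (strip the link-layer header first); a capture that shows only protocols 1, 6 and 17 while tunnel peers are known to be sending protocol 4 reproduces the symptom described in the thread.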