On Jul 26, 2011, at 11:07 37AM, Nate Burke wrote:
> Hello, I'm hoping that someone here might have run into a similar issue and
> might be able to offer me some pointers.
>
> I have a customer that I am providing redundant paths to, one link over a
> microwave connection, and a backup link over a Comcast Business Class
> Connection. Everything on the Microwave link is working fine. On the
> Comcast Connection, I have a Static IP from Comcast, and I want to set up a
> vendor specific GRE tunnel (Mikrotik EoIP) from my NOC to the Comcast Static
> IP Address. It looks like the SPI Firewall inside the SMC Gateway required
> by Comcast is blocking the GRE packets; I'm basing this on the fact that when
> I power cycle the modem, I get 1 ICMP Packet through the GRE Tunnel while the
> modem is booting up, then it stops again. I have gotten to Tier2 support who
> swears that all Firewalls on the SMC Gateway are disabled.
>
> As a workaround, I was able to establish a PPTP tunnel to my NOC; however, it
> seems like the tunnel will only run for a few hours, then becomes slow to the
> point of being unusable. In my mind this would be no different than setting
> up a permanent VPN back to a corporate office, which I would think happens
> all the time, so I'm not sure why I'm running into issues with it.
>
I had to make the LAN end of the tunnel the "DMZ host" (under Firewall settings
on my SMC).
--Steve Bellovin, https://www.cs.columbia.edu/~smb