nanog mailing list archives

Re: Comcast Business Class and GRE Tunnels


From: Steven Bellovin <smb () cs columbia edu>
Date: Tue, 26 Jul 2011 13:01:38 -0400


On Jul 26, 2011, at 11:07 37AM, Nate Burke wrote:

Hello, I'm hoping that someone here might have run into a similar issue and might be able to offer me some pointers.

I have a customer that I am providing redundant paths to, one link over a microwave connection, and a backup link over a Comcast Business Class Connection.  Everything on the Microwave link is working fine.  On the Comcast Connection, I have a Static IP from Comcast, and I want to set up a vendor-specific GRE tunnel (Mikrotik EoIP) from my NOC to the Comcast Static IP Address.  It looks like the SPI Firewall inside the SMC Gateway required by Comcast is blocking the GRE packets; I'm basing this on the fact that when I power cycle the modem, I get 1 ICMP Packet through the GRE Tunnel while the modem is booting up, then it stops again.  I have gotten to Tier2 support, who swears that all Firewalls on the SMC Gateway are disabled.

As a workaround, I was able to establish a PPTP tunnel to my NOC; however, it seems like the tunnel will only run for a few hours, then becomes slow to the point of being unusable.  In my mind this would be no different than setting up a permanent VPN back to a corporate office, which I would think happens all the time, so I'm not sure why I'm running into issues with it.

I had to make the LAN end of the tunnel the "DMZ host" (under Firewall settings on my SMC).


                --Steve Bellovin, https://www.cs.columbia.edu/~smb