[143021] in North American Network Operators' Group
Re: Comcast Bussiness Class and GRE Tunnels
daemon@ATHENA.MIT.EDU (Steven Bellovin)
Tue Jul 26 13:02:12 2011
From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <4E2ED839.5090709@blastcomm.com>
Date: Tue, 26 Jul 2011 13:01:38 -0400
To: Nate Burke <nate@blastcomm.com>
Cc: NANOG list <nanog@nanog.org>
On Jul 26, 2011, at 11:07 37AM, Nate Burke wrote:
> Hello, I'm hoping that someone here might have run into a similar issue and might be able to offer me some pointers.
>
> I have a customer that I am providing redundant paths to, one link over a microwave connection, and a backup link over a Comcast Business Class Connection. Everything on the Microwave link is working fine. On the Comcast Connection, I have a Static IP from Comcast, and I want to set up a vendor specific GRE tunnel (Mikrotik EoIP) from my NOC to the Comcast Static IP Address. It looks like the SPI Firewall inside the SMC Gateway required by Comcast is blocking the GRE packets, I'm basing this on the fact that when I power cycle the modem, I get 1 ICMP Packet through the GRE Tunnel while the modem is booting up, then it stops again. I have gotten to Tier2 support who swears that all Firewalls on the SMC Gateway are disabled.
>
> As a workaround, I was able to establish a PPTP tunnel to my NOC, however it seems like the tunnel will only run for a few hours, then becomes slow to the point of being unusable. In my mind this would be no different than setting up a permanent VPN back to a corporate office, which I would think happens all the time, so I'm not sure why I'm running into issues with it.
>
I had to make the LAN end of the tunnel the "DMZ host" (under Firewall settings on my SMC).
--Steve Bellovin, https://www.cs.columbia.edu/~smb