A smiley for a start, since I've set up a first working tunnel!!!
Now for the remarks with questions:
This here machine is running Windows 2k SP4, connected to ADSL thru a Speedtouch ST510 modem/router/switch. The Speedtouch has the IPv4 addie assigned by ppp0A, and the LAN machines use non-routable 10.x.x.x addresses assigned by the router's DHCP server. Quite classical home installation. Also, the NAT passes 'protocol 41' packets to the selected machine.
For the setup page to work, I had to (temporarily):
1- allow the ST to reply to ICMP 'pings',
2- define the Win 2k machine as a "default server".
Apparently this is no longer necessary now that I have received my parameters; the tunnel is happily humming.
The remark is that settings 1 and 2 were not evident to find.
The question is why should they be necessary, and if so why only for the setup phase?
Also, I assume/fear that, should I have to make a change in the setup page (as I'll have to), I'll have to redo all the temporary changes to the modem config, which is a chore :=(
I have another question, which I'll open another thread for.
Thank you!
I believe HE requires your tunnel gateway endpoint IPv4 to respond to pings in order for it to allow tunnel setup. In your case, since your tunnel gateway is behind your NAT router (Speedtouch), the NAT router needed to respond to the pings. This just allowed the tunnel to be set up.
Setting up your tunnel gateway as the "default server" caused all unsolicited traffic to be NATed and mapped to your tunnel gateway. So, when IP protocol 41 traffic arrived at your speedtouch's public IP, it was routed to your tunnel server automatically.
In all likelihood, this wasn't actually needed. If you had your tunnel gateway fully configured, and caused it to generate tunnel traffic by doing something like pinging the other side of the tunnel by IPv6 address, it likely would have caused the speedtouch to create a NAT/connection table entry associating traffic for IP proto 41 with the IP of your tunnel gateway, like this:
Outside IP | Outside SPort | Outside DPort | Protocol | Inside IP | Inside SPort | Inside DPort | TTL |
123.45.67.89 | N/A | N/A | 41 | 10.0.0.10 | N/A | N/A | 300 |
(where 123.45.67.89 is your public IP, and 10.0.0.10 is your tunnel gateway's IP on your LAN)
This would have caused the same effect as putting in that "default server" entry. This is why it's working after you removed it.
However, note the TTL field. When the router/firewall stops receiving traffic matching that entry, it will start counting down from whatever the TTL is on your router. Once it hits zero, the entry will be removed. When that happens, it will only be recreated when your tunnel gateway generates traffic again. This means that if the HE tunnel server sends traffic down the tunnel when this entry is not present, your firewall will simply drop it and your tunnel will be down until your gateway triggers another entry.
This is why I say it's always best to create a static NAT entry on the router specifically pointing that traffic to your tunnel gateway. That way, it will never time out. Unfortunately, not all consumer grade router/firewalls are capable of doing this.
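To make the dynamic-entry timeout versus static-entry point concrete, here is an added model (not from this thread or any router vendor) of a NAT connection table keyed on IP protocol, using the public and LAN addresses from the table above; the 300-second TTL, the idle period and the keying on protocol number alone are constructed simplifications of what a real router does.

```python
"""Constructed model of a NAT connection table for IP protocol 41 (6in4)."""
from dataclasses import dataclass

PROTO_41 = 41              # IPv6-in-IPv4, the HE tunnel's outer protocol
GATEWAY_IP = "10.0.0.10"   # tunnel gateway's LAN address (from the post)


@dataclass
class NatEntry:
    inside_ip: str
    ttl: int               # seconds left before an idle dynamic entry expires
    static: bool = False   # a static/port-forward entry never counts down


class Nat:
    def __init__(self, default_ttl=300):
        self.default_ttl = default_ttl
        self.table = {}    # protocol number -> NatEntry (ports are N/A for 41)

    def add_static(self, proto, inside_ip):
        """Equivalent of a fixed 'forward protocol 41 to host X' rule."""
        self.table[proto] = NatEntry(inside_ip, self.default_ttl, static=True)

    def outbound(self, proto, inside_ip):
        """LAN host sends tunnel traffic; creates or refreshes a dynamic entry."""
        entry = self.table.get(proto)
        if entry is None or not entry.static:
            self.table[proto] = NatEntry(inside_ip, self.default_ttl)

    def inbound(self, proto):
        """Traffic from the Internet: forwarded to inside_ip, or None if dropped."""
        entry = self.table.get(proto)
        if entry is None:
            return None                      # no entry: firewall drops it
        if not entry.static:
            entry.ttl = self.default_ttl     # matching traffic resets the timer
        return entry.inside_ip

    def tick(self, seconds):
        """Idle time passes; dynamic entries count down and are removed at zero."""
        for proto, entry in list(self.table.items()):
            if not entry.static:
                entry.ttl -= seconds
                if entry.ttl <= 0:
                    del self.table[proto]


def scenario(static=False):
    """Where inbound proto-41 packets land at three points in time."""
    nat = Nat(default_ttl=300)
    if static:
        nat.add_static(PROTO_41, GATEWAY_IP)
    result = {"before_any_traffic": nat.inbound(PROTO_41)}
    nat.outbound(PROTO_41, GATEWAY_IP)   # gateway pings the far end over IPv6
    result["after_outbound"] = nat.inbound(PROTO_41)
    nat.tick(301)                        # tunnel sits idle longer than the TTL
    result["after_idle"] = nat.inbound(PROTO_41)
    return result
```

Running `scenario()` shows inbound traffic dropped both before the gateway has sent anything and again after the idle period, while `scenario(static=True)` forwards it at every point.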