On 2/19/20 2:54 PM, Fred Baker wrote:
> The argument I have heard is that residential firewalls often block anything that is *not* UDP or TCP. The question for the googlers was existential - can it work at all?
I'm not sure that they "block" it, per se, though some probably do have an explicit rule to that effect. I would think the bigger issue is that they don't know how to 1:N NAT arbitrary L4s (and how would they), so the absolute best you might get is that the first device behind the NAT to establish a mapping sees all the relevant L4 traffic and everybody else is locked out. I'd suspect the normal case is simply that they drop it on the floor unless there's a specified "DMZ" host.

Perhaps this is just a semantic difference, but I think it's actually an even more difficult issue to resolve. If it were simply blocked, that's usually "easy" (either for the user, via a management interface, or for the vendor, via policy template) to fix. Writing an entirely new L4 NAT helper is a different matter entirely.

IPv6 would of course render this moot, but we all know how well IPv6 traffic gets treated...

-- 
Brandon Martin
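To make the "how would they 1:N NAT it" point concrete, here is a toy model of a residential NAPT box. It is an added illustration written for this page, not code from anyone in the thread or from any router vendor. TCP and UDP flows are demultiplexed on the rewritten source port, which is what makes many inside hosts share one public address. For a protocol with no port field the translator has nothing to key on except the protocol number, so the two behaviours Brandon describes fall out directly: with a crude "first mapping wins" helper the first inside host captures all traffic for that protocol, and with no helper at all the return traffic is dropped unless a DMZ host is configured. All addresses are documentation-range values and protocol 253 (an IANA experimental number) stands in for the hypothetical new L4.

```python
"""Toy 1:N NAT showing why portless L4 protocols do not share a public address."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TCP, UDP = 6, 17
EXPERIMENTAL = 253  # IANA experimental protocol number, used here as a stand-in for a new L4

PUBLIC_IP = "203.0.113.10"  # constructed: the CPE's single public address


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for protocols that carry no port field
    dport: Optional[int] = None


class HomeNAT:
    """Minimal NAPT.  portless_policy is 'first_wins' (a crude per-protocol helper)
    or 'dmz_only' (no helper: inbound goes to the DMZ host or is dropped)."""

    def __init__(self, portless_policy: str = "dmz_only", dmz_host: Optional[str] = None):
        assert portless_policy in ("first_wins", "dmz_only")
        self.portless_policy = portless_policy
        self.dmz_host = dmz_host
        self.next_port = 40000
        # (proto, inside ip, inside port) -> external port, and the reverse
        self.port_map: Dict[Tuple[int, str, int], int] = {}
        self.port_rev: Dict[Tuple[int, int], Tuple[str, int]] = {}
        # proto -> inside ip; the only state a portless helper can keep
        self.proto_owner: Dict[int, str] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto in (TCP, UDP):
            key = (pkt.proto, pkt.src, pkt.sport)
            if key not in self.port_map:
                ext = self.next_port
                self.next_port += 1
                self.port_map[key] = ext
                self.port_rev[(pkt.proto, ext)] = (pkt.src, pkt.sport)
            # Source port rewrite is what lets N inside hosts share one address
            return Packet(pkt.proto, PUBLIC_IP, pkt.dst, self.port_map[key], pkt.dport)

        if self.portless_policy == "first_wins":
            owner = self.proto_owner.setdefault(pkt.proto, pkt.src)
            if owner != pkt.src:
                return None  # protocol already claimed by another host: locked out
        # dmz_only: source rewrite still works, but no state is kept for the reply
        return Packet(pkt.proto, PUBLIC_IP, pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto in (TCP, UDP):
            inside = self.port_rev.get((pkt.proto, pkt.dport))
            if inside is None:
                return None  # unsolicited: no mapping, dropped
            return Packet(pkt.proto, pkt.src, inside[0], pkt.sport, inside[1])

        # Portless: deliver to the claiming host if any, else the DMZ host, else drop
        target = self.proto_owner.get(pkt.proto, self.dmz_host)
        if target is None:
            return None
        return Packet(pkt.proto, pkt.src, target)


if __name__ == "__main__":
    nat = HomeNAT(portless_policy="first_wins")
    h1, h2, server = "192.168.1.10", "192.168.1.11", "198.51.100.5"
    print(nat.outbound(Packet(UDP, h1, server, 5000, 443)))
    print(nat.outbound(Packet(UDP, h2, server, 5000, 443)))  # distinct external port
    print(nat.outbound(Packet(EXPERIMENTAL, h1, server)))     # first host claims proto 253
    print(nat.outbound(Packet(EXPERIMENTAL, h2, server)))     # None: locked out
```

Running the module shows the UDP case getting two distinct external ports while the second host using protocol 253 gets nothing back. Swap in `HomeNAT(portless_policy="dmz_only")` and the second behaviour appears: outbound packets are forwarded, but the reply has no owner and is dropped unless `dmz_host` is set, in which case every inside host's protocol-253 replies land on the DMZ box regardless of who sent the request.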