The IPIP / IPEncap, Protocol 4 forwarding bug

Brian, N1URO, was the first to figure out and document a bug that is unfortunately fairly common when forwarding IPENCAP (IP protocol 4) through CPE (customer-premises equipment: cable and DSL modems, home routers and the like).

If other stations on the AMPRnet report that they cannot reach you (pings, telnet, etc.) while you have no trouble reaching them, and your ordinary Internet traffic to and from your site is clearly working, this may be your problem. The telltale sign: shortly after you ping them, they can ping you, but some time later they get no reply from you at all.

The cause is that the CPE forwards protocol 4 through a state table with an idle timer, the same way it handles network address translation: a forwarding entry for a remote host is created only when the router sees an outbound packet to that host, and the entry is removed after a period of inactivity.

In the NAT world, an outgoing packet from your PC with an internal (RFC 1918) address passes through your router, which records a tracking entry so that the replies for that connection can be mapped back to the PC. After a period of inactivity the entry is dropped. You may be familiar with the netstat tool, which shows the status of these tracked and open ports and connections (on a Linux router the equivalent is the conntrack table). Protocol 4 carries no TCP or UDP port numbers, so the router can only track it by source and destination address, and it ages those entries with the same kind of idle timer.

The result is that inbound protocol 4 is not always open to everyone as we would like: a station that you have not sent anything to recently, or have never sent anything to, has its packets silently dropped at your CPE until you send something to it.
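The forwarding behaviour described above, as an added illustration (this is not code from this page or from any router firmware): a small Python model of a CPE that keeps a per-peer state entry for protocol 4 with an idle timeout, beside a DMZ-style forwarder that passes unsolicited inbound packets straight to the gateway. The addresses, the 600 second idle timer (the Linux nf_conntrack_generic_timeout default; real CPE vary) and the event timeline are constructed assumptions, chosen to reproduce the "works right after I ping them, fails later" symptom.

```python
"""Model of a home router (CPE) forwarding IP protocol 4 (IPIP) statefully.

Added illustration for the WAPR page; not code from the page or from any
router firmware.  Addresses, the timeout and the timeline are constructed.
"""
from dataclasses import dataclass, field

# Assumed idle timer.  Linux nf_conntrack_generic_timeout (used for protocols
# without ports, such as 4) defaults to 600 seconds; real CPE vary.
IDLE_TIMEOUT = 600


@dataclass
class Packet:
    src: str
    dst: str
    proto: int = 4  # 4 = IPIP / IPENCAP


@dataclass
class StatefulForwarder:
    """CPE that forwards proto 4 only while a state entry for the peer exists.

    An entry is created (or refreshed) only by an OUTBOUND packet from the
    inside gateway, and dropped after `timeout` seconds of silence, exactly
    like a NAT mapping.  Protocol 4 has no port numbers, so the only key the
    router can use is the remote address.
    """
    gateway: str                       # inside host running the AMPRnet tunnel
    timeout: int = IDLE_TIMEOUT
    table: dict = field(default_factory=dict)   # remote addr -> last seen (s)

    def _expire(self, now):
        for peer, seen in list(self.table.items()):
            if now - seen > self.timeout:
                del self.table[peer]

    def outbound(self, pkt, now):
        """Packet from the inside gateway toward the Internet; always sent."""
        self._expire(now)
        if pkt.proto == 4 and pkt.src == self.gateway:
            self.table[pkt.dst] = now           # create or refresh the entry
        return True

    def inbound(self, pkt, now):
        """Packet arriving from the Internet.  True if handed to the gateway."""
        self._expire(now)
        if pkt.proto == 4 and pkt.src in self.table:
            self.table[pkt.src] = now           # traffic refreshes the timer
            return True
        return False                            # no live entry: silently dropped

    def entries(self, now):
        """What netstat/conntrack would show: live peers and seconds left."""
        self._expire(now)
        return {peer: self.timeout - (now - seen) for peer, seen in self.table.items()}


class DmzForwarder(StatefulForwarder):
    """The 'DMZ host' fix: every unsolicited inbound packet goes to the gateway."""

    def inbound(self, pkt, now):
        return True


def replay(fwd, remote="198.51.100.20"):
    """Replay the symptom from the page; returns whether each inbound IPIP
    packet reached the gateway.  Constructed timeline, in seconds:
      t=0        the remote station tries us first
      t=10       we ping the remote station (outbound, creates the entry)
      t=15       the remote station answers / pings us
      t=15+T+1   the remote station tries again after the idle timer ran out
    """
    gw = fwd.gateway
    results = [fwd.inbound(Packet(remote, gw), now=0)]
    fwd.outbound(Packet(gw, remote), now=10)
    results.append(fwd.inbound(Packet(remote, gw), now=15))
    results.append(fwd.inbound(Packet(remote, gw), now=15 + fwd.timeout + 1))
    return results


if __name__ == "__main__":
    for cls in (StatefulForwarder, DmzForwarder):
        fwd = cls(gateway="192.168.1.44")
        print(f"{cls.__name__:18s} inbound forwarded? {replay(fwd)}")
        # StatefulForwarder  inbound forwarded? [False, True, False]
        # DmzForwarder       inbound forwarded? [True, True, True]
```

Run it as-is. The stateful model drops the first and last inbound packet and passes only the one that arrives while the entry created by our own outbound ping is still alive; the DMZ model passes all three, which is why the page's second fix works. `entries()` is the model's equivalent of looking at the router's tracking table: if your CPE lets you view it, a protocol 4 entry with a countdown is the signature of this bug.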

To confirm and diagnose this problem you need to coordinate with another person on the AMPRnet: have them ping you before you have sent them anything, then ping them and have them try again right away, then wait several minutes without traffic and have them try once more. Failing only on the first and last attempt is this bug. Alternatively, use one of the web-based network tools that some folks host, which let you ping yourself from their network.

Solutions:

If you determine the problem is in equipment that you do not own, such as a cable or DSL modem, putting it in bridge mode is the cure: a bridge passes every packet through without keeping any state.

If the problem is with your own equipment, try pointing the DMZ host setting at your gateway instead of explicitly forwarding protocol 4. Keep in mind that a DMZ host receives all unsolicited inbound traffic, not just protocol 4, so make sure the gateway's own firewall is in order.
