I have griped to AT&T several times about how their 2wire 3800hgv-b router (used for their UVerse service) is broken when you set up pass-through to an internal box. They call this "DMZplus".
What happens is that when icmp packets relating to connections from the DMZplus host arrive at the 2wire router, the 2wire drops them. This breaks path MTU discovery, unix-style traceroutes, etc. It is not a general limitation of the 2wire box, since hosts that are not using DMZplus can receive related icmp just fine. It's caused by the pathologically stupid way that the 2wire router implements "DMZplus". It basically assigns itself AND the internal host the same external IP address, and uses its best guess which traffic to forward and which not to. They missed some corner case relating to ICMP in the state tracker, and AT&T's response is that since it's a "feature" that few people complain about, if I want it fixed I shouldn't be using UVerse. Even after I've pointed out that this behavior violates the tcp/ip standard.
What happens is that when icmp packets relating to connections from the DMZplus host arrive at the 2wire router, the 2wire drops them. This breaks path MTU discovery, unix-style traceroutes, etc. It is not a general limitation of the 2wire box, since hosts that are not using DMZplus can receive related icmp just fine. It's caused by the pathologically stupid way that the 2wire router implements "DMZplus". It basically assigns itself AND the internal host the same external IP address, and uses its best guess which traffic to forward and which not to. They missed some corner case relating to ICMP in the state tracker, and AT&T's response is that since it's a "feature" that few people complain about, if I want it fixed I shouldn't be using UVerse. Even after I've pointed out that this behavior violates the tcp/ip standard.