Port redirection applies only to external users, i.e. to incoming
traffic. Users on your LAN cannot go out to your external public IP
address and come back in; internal users should access the server on its
local private IP address, or you can set up an alias in a Windows hosts
file. Only redirect the ports you know you have to forward rather than
forwarding all ports. Otherwise, you will compromise the firewall-type
security initially deployed by the NAT facility.
5.4 DMZ Host Setup
The Port Redirection can direct UDP/TCP traffic on particular ports to
specified internal clients on the LAN. However, other IP protocols, for
example Protocols 50 (ESP) and 51 (AH), do not have port numbers, so you
cannot decide which local client to forward the data to. The Vigor router
has a facility called DMZ, with which you can specify a single local
client (with a private IP address) to which ALL unsolicited data on all
protocols shall be forwarded. Regular web surfing and other such Internet
activities from other clients will continue to work without inappropriate
interruption.
The inherent security properties of NAT are somewhat bypassed if you set
up DMZ. You can consider adding additional filter rules or a secondary
firewall.
There are some non-NAT-friendly protocols, even though a DMZ will pass all
data. The "AH" extension to IPSec is designed on such a principle. It
prevents NAT: the header encodes the source IP address, which in this case
would be your private IP address. The receiving end will see the packet as
having come from your public IP address and thus reject the packet. The AH
protocol therefore will not work. ESP is more tolerant.
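
The AH/ESP difference under NAT can be shown with a simplified model. This is an added example, not taken from the manual or from the router's firmware; the key, addresses and payload are constructed, and the real AH header fields (SPI, sequence number) are left out.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-shared-key"  # constructed sample key, not from the manual

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left at 0 in this model)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def immutable_view(header):
    """Zero the fields AH treats as mutable in transit."""
    h = bytearray(header)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags / fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)

def icv(data):
    """Integrity check value: HMAC-SHA1 truncated to 96 bits."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_icv(header, body):
    # AH authenticates the IP header (source address included) plus the body.
    return icv(immutable_view(header) + body)

def esp_icv(header, body):
    # ESP authenticates only its own portion; the outer IP header is not covered.
    return icv(body)

def nat_rewrite(header, public_src):
    """What NAT does on the way out: replace the private source address."""
    return header[:12] + socket.inet_aton(public_src) + header[16:]

def survives_nat(icv_fn, proto):
    body = b"constructed payload"
    sent = ipv4_header("192.168.1.10", "203.0.113.20", proto, len(body))
    tag = icv_fn(sent, body)                      # computed by the LAN client
    received = nat_rewrite(sent, "198.51.100.7")  # header as the peer sees it
    return hmac.compare_digest(tag, icv_fn(received, body))

if __name__ == "__main__":
    print("AH  (protocol 51) survives NAT:", survives_nat(ah_icv, 51))
    print("ESP (protocol 50) survives NAT:", survives_nat(esp_icv, 50))
```

A TTL change alone does not break the AH check in this model, because TTL is zeroed before hashing; only the rewritten source address does.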