Netgate Discussion Forum

    ICMP Intrusion Help

    Firewalling
    7 Posts 4 Posters 1.6k Views
    4o4rh

      I have ICMP disabled on the WAN and LAN segments and can see it being blocked successfully.
      WAN traffic is going over the OpenVPN connection.
      traceroute shows traffic going via the VPN and YouTube defaults to the country of the VPN.

      On my Windows PC, which is on my 192.168 segment, I have Comodo 10 firewall installed and have blocked all incoming and outgoing except basic services.

      I am seeing in the log, source IP 81.169.145.156 ICMPv4 with the destination IP of the PC.
      On one of the other source IPs, it resolved to Google.

      The other devices on the same LAN segment are:
      android phone, work PC (with VPN to work network), Linux PC

      How can I find the source, i.e. which device the ICMP is getting onto the network from?
      I guess the work PC can't access the 192.168 when the work VPN is up, leaving only the Linux PC or the android phone.

      Help appreciated

      johnpoz LAYER 8 Global Moderator

        "I am seeing in the log, source IP 81.169.145.156 ICMPv4 with the destination IP of the PC. "

        Show what in the log??  Post up this log you're seeing..

        Prob your box pinging that..

        ;; QUESTION SECTION:
        ;156.145.169.81.in-addr.arpa.  IN      PTR

        ;; ANSWER SECTION:
        156.145.169.81.in-addr.arpa. 86400 IN  PTR    w9c.rzone.de.

        inetnum:        81.169.144.0 - 81.169.148.255
        netname:        STRATO-RZG-KA
        org:            ORG-SRA1-RIPE
        descr:          Strato Rechenzentrum, Berlin

        Why would you think some ICMP traffic with that IP is from your phone or Linux PC??

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

          4o4rh

          I don't mean I am seeing it in the pfSense log, John, I mean in the Comodo 10 Windows log.

          It seems something is getting into my LAN segment, but not via the pfSense firewall.

          I have pfSense configured to block ICMP on all interfaces, so it is not passing through the WAN or LAN via the pfSense box.
          It has to be something directly on the LAN segment that is connected to my PC.

          That leaves the only possibilities:

          • Linux PC directly connected with a route to the VPN gateway
          • work Windows laptop with a route to the WAN and connected with work VPN
          • android phones connected to wifi

          The wifi TP-Link devices have the wifi and LAN bridged as a switch, because as a router they would cause HD media to stutter.
          But the wifi is secure, so it has to be an authorised device.

            johnpoz LAYER 8 Global Moderator

            dude post up the log you're viewing.

            Why don't you sniff on the machine you're seeing this on and see what MAC the traffic is coming from..

            My guess is your machine is pinging this and you're getting a response, or you're getting an ICMP redirect from you trying to go there.

            Post up your firewall rules for your WAN and LAN please.  If traffic was coming from some other device on your local network it for sure would not show that remote IP.  Do an actual sniff of the traffic you're seeing on this machine.. This will show us for sure where it's coming from to your machine via the MAC address your box is seeing the traffic from - this will show us if it's from some other device on your network or via the pfSense LAN MAC address, etc.


              Harvy66

              I would like to point out that ICMP is a required protocol for the Internet to work correctly. You can get strange performance issues in edge cases with ICMP disabled. IPv6 may not even work at all without ICMP if you hit a hop with a smaller MTU.

                JKnott

                IPv6 may not even work at all without ICMP if you hit a hop with a smaller MTU.

                The same applies to IPv4, as MTU discovery is often used.  On IPv6, it also means no router, as router advertisements are no longer used.  Then there's also mapping IP to MAC, which uses neighbour solicitation on IPv6, etc.

                PfSense running on Qotom mini PC
                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                UniFi AC-Lite access point

                I haven't lost my mind. It's around here...somewhere...

                  johnpoz LAYER 8 Global Moderator

                  Blocking ICMP outbound to the internet, or to your gateway (i.e. pfSense) from your own network, seems beyond "cut off blood to your brain" tight tinfoil hat..

                  Even when I lock down my guest network and prevent them talking to anything on any of my other networks, I still allow them to ping the pfSense address of the network they are on - this allows them to validate connectivity to their gateway.. And how that wifi is working as far as basic connectivity to the gateway, etc..

                  But to the point at hand - let's see the logs you're looking at.. Whatever they are in, so we can hope to glean some insight into what it's actually saying vs what you think or are stating it's saying.  Maybe your firewall on your machine is blocking your machine from trying to ping that IP?  And you're reading it as an inbound block?

                  Hard to guess without actually seeing what you're seeing.  If you believe it's coming in from something else on your network, then a simple sniff on your device showing this traffic will allow us to see the MAC it's coming from, which we can then trace to what device it's coming from on your L2 network.


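As an added example (not code from the thread, from pfSense or from Comodo), the check johnpoz describes, done offline: decode one Ethernet/IPv4/ICMP frame as a sniffer on the Windows PC would capture it, read the source MAC it arrived from and the ICMP type, and map that MAC to a device. This separates "pfSense handed me a reply to my own ping" from "another host on my L2 segment sent this"; the MAC table and the sample frame are constructed values.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Assumed inventory of LAN MAC addresses; constructed sample values, not real ones.
KNOWN_MACS = {
    "00:11:22:33:44:55": "pfSense LAN interface",
    "66:77:88:99:aa:bb": "Linux PC",
}
ICMP_TYPES = {
    0: "echo reply (most likely an answer to a ping this host sent)",
    3: "destination unreachable (code 4 = fragmentation needed, used by PMTUD)",
    5: "redirect (a router telling this host to use another gateway)",
    8: "echo request (a genuinely unsolicited inbound ping)",
}

@dataclass
class IcmpFrame:
    src_mac: str
    src_ip: str
    dst_ip: str
    icmp_type: int
    icmp_code: int

def parse_icmp_frame(frame: bytes) -> Optional[IcmpFrame]:
    """Decode an Ethernet/IPv4/ICMP frame; return None if it is anything else."""
    if len(frame) < 14 + 20 + 4:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:  # EtherType must be IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                     # IPv4 header length in bytes
    if frame[14 + 9] != 1:                           # IP protocol 1 = ICMP
        return None
    src_ip = ".".join(str(b) for b in frame[26:30])
    dst_ip = ".".join(str(b) for b in frame[30:34])
    icmp = frame[14 + ihl:]
    return IcmpFrame(src_mac, src_ip, dst_ip, icmp[0], icmp[1])

def explain(f: IcmpFrame) -> str:
    """Say which L2 device handed the packet over and what kind of ICMP it is."""
    who = KNOWN_MACS.get(f.src_mac, "unknown MAC, another device on this L2 segment")
    what = ICMP_TYPES.get(f.icmp_type, f"type {f.icmp_type}")
    return f"{f.src_ip} -> {f.dst_ip} via {who}: {what}"

# Constructed sample: echo reply from 81.169.145.156, delivered by the pfSense LAN MAC.
SAMPLE = (bytes.fromhex("aabbccddeeff001122334455") + b"\x08\x00"   # dst MAC, src MAC, IPv4
          + bytes([0x45, 0, 0, 28, 0, 0, 0x40, 0, 64, 1, 0, 0])    # IPv4 header, proto 1
          + bytes([81, 169, 145, 156, 192, 168, 1, 50])             # src IP, dst IP
          + bytes([0, 0, 0, 0, 0x12, 0x34, 0, 1]))                  # ICMP type 0, code 0
```

A frame whose source MAC is not the pfSense LAN interface is the case the thread is after: it means the packet never crossed pfSense and came from another device on the same segment.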
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.