Netgate Discussion Forum

    Port Forwarding Ping from WAN to LAN - does not work?

      updates4

      And Ping forwarding works if 1:1 NAT is enabled as well?

      If you have time, would you mind writing out the steps you used exactly?

        viragomann

        Yes, it works with port forwarding, port forwarding + NAT 1:1 (to the same internal host) and with NAT 1:1 only in combination with a firewall rule allowing ICMP.

        Use Packet capture from the diagnostic menu to see if the ICMP packets are forwarded to the LAN interface and if you get responses from the internal host.

          updates4

          With port forwarding off, the virtual IP sees the packets and responds, and packet sniffer shows this.

          17:00:51.322376 IP xxx.111.150.104 > xxx.145.101.51: ICMP echo request, id 1, seq 645, length 40

          This is displayed 6 times, for a single set of 3 pings.

          But as soon as port forwarding for ICMP is turned on, packet sniffer shows nothing at the Virtual IP and nothing at the LAN IP that it is forwarded to.

          Hudson

            updates4

            Are you pinging a Windows box on the LAN or a Linux box?
            I can't imagine it would make a difference.

              viragomann

              It was a Windows machine. But it should also work with Linux.

                updates4

                What firewall rules are you using to allow this to function?
                The default firewall rules created by pfSense must be blocking something.

                My port forwarding rule is
                WAN
                Protocol ICMP
                Destination IP is the virtual IP on the WAN
                redirection IP is the LAN IP for the Windows box.

                Just like for any other port forward.

                Hudson8

                  viragomann

                  @Hudson8:

                  17:00:51.322376 IP xxx.111.150.104 > xxx.145.101.51: ICMP echo request, id 1, seq 645, length 40  this is displayed 6 times, for a single set of 3 pings.

                  xxx.145.101.51 seems to be a public IP. Are you using public IPs in LAN network?

                    viragomann

                    @Hudson8:

                    What firewall rules are you using to allow this to function?

                    I let pfSense create an associated rule.

                    When trying with NAT 1:1 only I created a pass rule manually with:
                    Interface = WAN
                    Protocol = ICMP
                    Source = any
                    Destination = internal IP

                      updates4

                      That is the WAN network.
                      xxx.145.101.x

                      The virtual IP was created on the WAN network and is xxx.145.101.51
                      It is being routed to an IP on the LAN
                      192.168.0.10

                      All the other ports redirect perfectly from WAN to LAN (remote desktop, etc.)

                      But not ICMP

                        updates4

                        And yes, I have that rule
                        WAN
                        ICMP
                        All sources
                        Destination is the IP on the LAN

                          updates4

                          For closure, the answer is:

                          Windows 10 and Server 2016 (and probably other versions) automatically disable ping at the inbound firewall when the Windows device has a local IP (like 192.168, etc.).
                          This is true, even if the active network profile is domain. This was my issue. Once I enabled echo at the Windows inbound firewall, ping forwarding worked WAN to LAN.

                          Ping is defaulted ON in Windows for the domain network profile in non-local IP situations, so I didn't check the Windows firewall until evidence from pfSense tcpdump showed the echo requests successfully arriving at the Windows box on the LAN.

                          ICMP from the WAN to local network is included in 1:1 NAT and can also be enabled through Port Forwarding (by selecting ICMP). Both methods work.

                          Thanks to viragomann for leading me in the right direction.
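
The capture comparison used in this thread (is the echo request seen on WAN, is it forwarded to the LAN host, does the host reply) can be automated over tcpdump text output. This is an added Python example, not part of the original posts; the function names are hypothetical, and 198.51.100.104 and 203.0.113.51 are constructed stand-ins for the masked addresses.

```python
import re

# Matches tcpdump's text output for ICMP echo traffic, as quoted in the thread.
ICMP_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)")

def parse(lines):
    """Return (kind, src, dst, id, seq) tuples for every ICMP echo line."""
    hits = (ICMP_RE.search(line) for line in lines)
    return [(m["kind"], m["src"], m["dst"], int(m["id"]), int(m["seq"]))
            for m in hits if m]

def triage(wan_lines, lan_lines, vip, lan_host):
    """Say where an echo sent to vip and forwarded to lan_host gets lost."""
    wan, lan = parse(wan_lines), parse(lan_lines)
    wan_req = {(i, s) for k, _, d, i, s in wan if k == "request" and d == vip}
    lan_req = {(i, s) for k, _, d, i, s in lan
               if k == "request" and d == lan_host}
    lan_rep = {(i, s) for k, src, _, i, s in lan
               if k == "reply" and src == lan_host}
    if not wan_req:
        return "no-request-on-wan"      # upstream problem or wrong address
    if not lan_req:
        return "dropped-at-firewall"    # check the NAT entry and WAN pass rule
    if not (lan_req & lan_rep):
        return "host-not-replying"      # check the LAN host's own firewall
    return "ok"

# Constructed sample captures; 198.51.100.104 and 203.0.113.51 stand in for
# the masked addresses in the thread, 192.168.0.10 is the LAN host it names.
VIP, LAN_HOST = "203.0.113.51", "192.168.0.10"
WAN = ["17:00:51.322376 IP 198.51.100.104 > 203.0.113.51: "
       "ICMP echo request, id 1, seq 645, length 40"]
LAN_SILENT = ["17:00:51.322410 IP 198.51.100.104 > 192.168.0.10: "
              "ICMP echo request, id 1, seq 645, length 40"]
LAN_REPLY = LAN_SILENT + ["17:00:51.322901 IP 192.168.0.10 > 198.51.100.104: "
                          "ICMP echo reply, id 1, seq 645, length 40"]

if __name__ == "__main__":
    for name, lan in [("none", []), ("silent", LAN_SILENT), ("reply", LAN_REPLY)]:
        print(name, "->", triage(WAN, lan, VIP, LAN_HOST))
```

The `host-not-replying` verdict corresponds to the situation the thread ended on: requests reaching the LAN host with no echo reply coming back.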
