Setting the right firewall rules for allowing Ping
-
Hi Guys.
Just trying to set up my new XG-7100-1U, but having some issues regarding ping.
My Setup
ADMIN LAN - 172.16.10.1/24
Private DMZ - 172.16.20.1/24
Public DMZ - 192.168.19.1/24
LAN - 172.16.250.1/24
I have internet access on all my LANs - can browse the internet - but I'm not able to ping anything.
I've added a floating rule -
Action : PASS
Interface WAN <-- should this be all Interfaces ?
IPv4
ICMP
ANY
Source ANY
Destination ANY
But when I try to ping a public host from my internal networks, I'm getting the message "Destination not available" and no answers. But all local machines are answering ping, so it looks like the firewall rules are the issue.
So right now I can access the internet, but cannot ping any hosts in the public area, and I cannot see why I can't do this. I have looked in this topic and seen others with the same problems, but not with the same setup as I have, and I haven't found any solution for this.
@Udbytossen said in Setting the right firewall rules for allowing Ping:
WAN <--
Hi @Udbytossen,
your firewall rule allows public hosts to ping hosts on the internal network. I think you want the other way around. For this to work, you need a firewall rule on an internal device. For example, on the LAN device to send pings from the LAN network to the public network.
-
The default firewall rule on LAN will handle ICMP just fine, as it is set up to include all protocols.
For other LAN type interfaces: add the same pass-all rule, or be more specific and choose one or more ICMP subtypes. Stay away from WAN or Floating rules.
-
Hi guys - thanks for the answer.
I have now deleted all rules regarding ICMP on Floating and WAN.
On my ADMIN interface I've created this rule:
https://ibb.co/QbF09RQ
But when trying to ping from a host in the ADMIN zone, I'm still getting this error:
https://ibb.co/M2QqMnq (destination host unreachable)
I'm only starting with getting the ADMIN interface to ping public hosts, and from there I can add the rules for the other interfaces.
But here is my total rule set for the ADMIN interface, so I do not get why I can't ping but can do anything else:
https://ibb.co/P9x56H0
So hopefully we can make this work, and you are able to see my error somewhere.
-
Try killing the firewall states.
Looking at the current rules, even if you didn't have the ICMP rule it should hit the very last rule.
Also don't use ADMIN net; use ADMIN address or This Firewall when you're referring to the firewall itself.
-
I changed the Admin Net to Admin Address (couldn't choose This Firewall).
Then I do not get a reply at all: https://ibb.co/ZWfR0Pb
My guess would be that the final rule would allow this ICMP, but I do not get a reply from anywhere other than internal.
My zones are now looking like this (still only trying to be able to ping public hosts from the ADMIN zone):
Floating Rules: https://ibb.co/7NRwbH6
WAN: https://ibb.co/dB56BCZ
ADMIN: https://ibb.co/8XR7Rnn
I'm using the DNS Resolver - don't know if this has any impact. I just do not get why I can't ping anything outside the firewall.
-
Do a packet capture on the ADMIN interface, filter on ICMP.
Is it hitting the firewall?
-
Well, the packet capture looks like this when pinging Google and other hosts:
11:23:51.443171 IP 172.16.10.11 > 172.217.17.35: ICMP echo request, id 32535, seq 1100, length 64
11:23:51.945692 IP 172.16.10.11 > 172.217.168.195: ICMP echo request, id 10010, seq 7, length 64
11:23:52.505265 IP 172.16.10.11 > 172.217.168.227: ICMP echo request, id 20248, seq 834, length 64
11:23:52.505406 IP 172.16.10.11 > 172.217.17.35: ICMP echo request, id 32535, seq 1101, length 64
11:23:52.505489 IP 172.16.10.11 > 5.103.139.219: ICMP echo request, id 535, seq 1273, length 64
where 172.16.10.11 is my FreeNAS that I'm trying to ping from.
-
You're not getting any echo reply packets.
10:27:39.161782 IP 172.16.2.20 > 8.8.8.8: ICMP echo request, id 9732, seq 0, length 64
10:27:39.169946 IP 8.8.8.8 > 172.16.2.20: ICMP echo reply, id 9732, seq 0, length 64
10:27:40.166007 IP 172.16.2.20 > 8.8.8.8: ICMP echo request, id 9732, seq 1, length 64
10:27:40.174158 IP 8.8.8.8 > 172.16.2.20: ICMP echo reply, id 9732, seq 1, length 64
10:27:41.165764 IP 172.16.2.20 > 8.8.8.8: ICMP echo request, id 9732, seq 2, length 64
10:27:41.173831 IP 8.8.8.8 > 172.16.2.20: ICMP echo reply, id 9732, seq 2, length 64
10:27:42.166986 IP 172.16.2.20 > 8.8.8.8: ICMP echo request, id 9732, seq 3, length 64
10:27:42.174966 IP 8.8.8.8 > 172.16.2.20: ICMP echo reply, id 9732, seq 3, length 64
10:27:43.167346 IP 172.16.2.20 > 8.8.8.8: ICMP echo request, id 9732, seq 4, length 64
10:27:43.175442 IP 8.8.8.8 > 172.16.2.20: ICMP echo reply, id 9732, seq 4, length 64
Also try a packet capture on the WAN interface.
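An added helper, not part of this thread or of pfSense, that pairs the echo requests in a capture like the ones quoted above with their replies (same id and seq, endpoints swapped), so unanswered requests stand out instead of having to be eyeballed. The two embedded sample captures are the ones pasted in this thread; the parser assumes the tcpdump line format shown there.

```python
import re
# Line format of the pfSense/tcpdump packet captures pasted in this thread.
ICMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)
# Sample input: the ADMIN-side capture from this thread (requests only, no replies).
ADMIN_CAPTURE = """\
11:23:51.443171 IP 172.16.10.11 > 172.217.17.35: ICMP echo request, id 32535, seq 1100, length 64
11:23:51.945692 IP 172.16.10.11 > 172.217.168.195: ICMP echo request, id 10010, seq 7, length 64
11:23:52.505265 IP 172.16.10.11 > 172.217.168.227: ICMP echo request, id 20248, seq 834, length 64
11:23:52.505406 IP 172.16.10.11 > 172.217.17.35: ICMP echo request, id 32535, seq 1101, length 64
11:23:52.505489 IP 172.16.10.11 > 5.103.139.219: ICMP echo request, id 535, seq 1273, length 64
"""
# Sample input: the first two pairs of the working capture from this thread.
WORKING_CAPTURE = """\
10:27:39.161782 IP 172.16.2.20 > 8.8.8.8: ICMP echo request, id 9732, seq 0, length 64
10:27:39.169946 IP 8.8.8.8 > 172.16.2.20: ICMP echo reply, id 9732, seq 0, length 64
10:27:40.166007 IP 172.16.2.20 > 8.8.8.8: ICMP echo request, id 9732, seq 1, length 64
10:27:40.174158 IP 8.8.8.8 > 172.16.2.20: ICMP echo reply, id 9732, seq 1, length 64
"""

def parse_icmp_echo(capture):
    """Return the echo request/reply records in a capture; other lines are ignored."""
    records = []
    for line in capture.splitlines():
        m = ICMP_RE.match(line.strip())
        if m:
            d = m.groupdict()
            records.append({"ts": d["ts"], "src": d["src"], "dst": d["dst"],
                            "kind": d["kind"], "id": int(d["id"]), "seq": int(d["seq"])})
    return records

def unanswered_requests(capture):
    """Echo requests with no reply flowing dst -> src under the same id and seq."""
    pending = {}
    for r in parse_icmp_echo(capture):
        if r["kind"] == "request":
            pending[(r["src"], r["dst"], r["id"], r["seq"])] = r
        else:  # a reply's endpoints are the request's, swapped
            pending.pop((r["dst"], r["src"], r["id"], r["seq"]), None)
    return sorted(pending.values(), key=lambda r: r["ts"])

def reply_summary(capture):
    """The counts to check first: how many requests left and how many came back."""
    recs = parse_icmp_echo(capture)
    requests = sum(r["kind"] == "request" for r in recs)
    return {"requests": requests, "replies": len(recs) - requests,
            "unanswered": len(unanswered_requests(capture))}
```

Run the same functions over a WAN-side capture: requests present there but still unanswered point at the upstream path or NAT, while requests missing on WAN point at the firewall itself.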
-
Please check if your outbound NAT is set to automatic. You can find the settings under "Firewall" --> "NAT" --> "Outbound".
This should be on automatic; if not, you have to create a rule for your networks.
-
OK
What to do to get these replies in?
I cannot see where my mistake is - so that's the reason why?
If I don't get any reply, is this a configuration error of the zone rules or DNS?
Is this a rule I need to add to the WAN interface, that it should allow ICMP responses? Normally my understanding is that it will allow response traffic.
My outbound NAT looks like this:
https://ibb.co/p3Cpp7B
From my ISP I have a /29 subnet with public IPs, so hopefully I set this up correctly.