Netgate Discussion Forum

    Setting the right firewall rules for allowing Ping

    Firewalling
    11 Posts 4 Posters 889 Views
    • Crysion

      @Udbytossen said in Setting the right firewall rules for allowing Ping:

      WAN <--

      Hi @Udbytossen,
      your firewall rule allows public hosts to ping hosts on the internal network. I think you want the other way around. For this to work, you need a firewall rule on an internal device. For example, on the LAN device to send pings from the LAN network to the public network.

    • Gertjan

        The default firewall rule on LAN will handle ICMP just fine, as it is set up to 'include all protocols'.
        For other LAN-type interfaces: add the same pass-all rule, or be more specific and choose one or more ICMP sub types.

        Stay away from WAN or Floating rules.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit: and where are the logs??

        • Udbytossen

          Hi Guys - Thanks for the answer.
          I have now deleted all rules regarding ICMP on Floating and WAN.

          On my ADMIN interface I've created this rule:
          https://ibb.co/QbF09RQ
          But when trying to ping from a host in the ADMIN Zone - I'm still getting this error:
          https://ibb.co/M2QqMnq destination host unreachable

          I'm only starting with getting the ADMIN interface to ping public hosts, and from there I can add the rules for the other interfaces.
          But as I see it, here is my total rule set for the ADMIN interface - so I do not get why I can't ping but can do anything else
          https://ibb.co/P9x56H0

          So hopefully we can make this work - and you are able to see my error somewhere.

          • NogBadTheBad

            Try killing the firewall states.

            Looking at the current rules, even if you didn't have the ICMP rule it should hit the very last rule.

            Also, don't use ADMIN net; use ADMIN address or This Firewall when you're referring to the firewall itself.

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

            • Udbytossen

              I changed the Admin Net to Admin Address (couldn't choose This Firewall).
              Then I do not get a reply at all: https://ibb.co/ZWfR0Pb

              My guess would be that the final rule would allow this ICMP - but I do not get a reply from anywhere other than internal.

              My Zones are now looking like this (still only trying to be able to ping public hosts from the ADMIN zone):
              Floating Rules: https://ibb.co/7NRwbH6
              WAN: https://ibb.co/dB56BCZ
              ADMIN: https://ibb.co/8XR7Rnn

              I'm using the DNS resolver - don't know if this has any impact - I just do not get why I can ping anything outside the firewall.

              • NogBadTheBad

                Do a packet capture on the ADMIN interface, filter on ICMP.

                Is it hitting the firewall?

                Andy


                • Udbytossen

                  Well, the packet capture looks like this when pinging Google and other hosts:

                  11:23:51.443171 IP 172.16.10.11 > 172.217.17.35: ICMP echo request, id 32535, seq 1100, length 64
                  11:23:51.945692 IP 172.16.10.11 > 172.217.168.195: ICMP echo request, id 10010, seq 7, length 64
                  11:23:52.505265 IP 172.16.10.11 > 172.217.168.227: ICMP echo request, id 20248, seq 834, length 64
                  11:23:52.505406 IP 172.16.10.11 > 172.217.17.35: ICMP echo request, id 32535, seq 1101, length 64
                  11:23:52.505489 IP 172.16.10.11 > 5.103.139.219: ICMP echo request, id 535, seq 1273, length 64

                  Where 172.16.10.11 is my FreeNAS that I'm trying to ping from.

                  • NogBadTheBad

                    You're not getting any echo reply packets.

                    10:27:39.161782 IP 172.16.2.20 > 8.8.8.8: ICMP echo request, id 9732, seq 0, length 64
                    10:27:39.169946 IP 8.8.8.8 > 172.16.2.20: ICMP echo reply, id 9732, seq 0, length 64
                    10:27:40.166007 IP 172.16.2.20 > 8.8.8.8: ICMP echo request, id 9732, seq 1, length 64
                    10:27:40.174158 IP 8.8.8.8 > 172.16.2.20: ICMP echo reply, id 9732, seq 1, length 64
                    10:27:41.165764 IP 172.16.2.20 > 8.8.8.8: ICMP echo request, id 9732, seq 2, length 64
                    10:27:41.173831 IP 8.8.8.8 > 172.16.2.20: ICMP echo reply, id 9732, seq 2, length 64
                    10:27:42.166986 IP 172.16.2.20 > 8.8.8.8: ICMP echo request, id 9732, seq 3, length 64
                    10:27:42.174966 IP 8.8.8.8 > 172.16.2.20: ICMP echo reply, id 9732, seq 3, length 64
                    10:27:43.167346 IP 172.16.2.20 > 8.8.8.8: ICMP echo request, id 9732, seq 4, length 64
                    10:27:43.175442 IP 8.8.8.8 > 172.16.2.20: ICMP echo reply, id 9732, seq 4, length 64

                    Also try a packet capture on the WAN interface.

                    Andy


                      • Crysion
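The check Andy is doing by eye (requests leaving, no replies coming back) can be automated over the packet capture text. This is an added example, not code from the thread or from pfSense; it assumes the tcpdump line format the thread shows, and the sample lines are constructed from the two captures above (the ADMIN-side capture with requests only, plus one healthy request/reply pair).

```python
import re
from collections import OrderedDict

# Constructed sample in the format of the pfSense packet capture output shown in the thread.
SAMPLE_CAPTURE = """\
11:23:51.443171 IP 172.16.10.11 > 172.217.17.35: ICMP echo request, id 32535, seq 1100, length 64
11:23:51.945692 IP 172.16.10.11 > 172.217.168.195: ICMP echo request, id 10010, seq 7, length 64
11:23:52.505406 IP 172.16.10.11 > 172.217.17.35: ICMP echo request, id 32535, seq 1101, length 64
10:27:39.161782 IP 172.16.2.20 > 8.8.8.8: ICMP echo request, id 9732, seq 0, length 64
10:27:39.169946 IP 8.8.8.8 > 172.16.2.20: ICMP echo reply, id 9732, seq 0, length 64
"""

# One tcpdump line for an ICMP echo request or reply; anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)


def parse_icmp_echo(capture_text):
    """Yield (timestamp, src, dst, kind, id, seq) for every ICMP echo line in the capture."""
    for line in capture_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (m["ts"], m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"]))


def unanswered_requests(capture_text):
    """Return echo requests that never got a matching reply.

    A reply matches a request when src/dst are swapped and ICMP id and seq are equal.
    Result: {(requester, target): [(id, seq), ...]} for requests still waiting on a reply.
    """
    pending = OrderedDict()
    for ts, src, dst, kind, ident, seq in parse_icmp_echo(capture_text):
        if kind == "request":
            pending[(src, dst, ident, seq)] = ts
        else:
            pending.pop((dst, src, ident, seq), None)  # reply closes the matching request
    summary = {}
    for (src, dst, ident, seq) in pending:
        summary.setdefault((src, dst), []).append((ident, seq))
    return summary


if __name__ == "__main__":
    for (src, dst), missing in unanswered_requests(SAMPLE_CAPTURE).items():
        print(f"{src} -> {dst}: {len(missing)} request(s) without reply, first id/seq {missing[0]}")
```

Run it against the ADMIN capture and again against a WAN capture: unanswered requests on ADMIN but answered ones on WAN point at the return path (NAT or rules) rather than at the outbound ADMIN rule.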

                      Please check if your outbound NAT is set to automatic. You can find the settings under "Firewall" --> "NAT" --> "Outbound".
                      This should be on automatic; if not, you have to create a rule for your networks.

                        • Udbytossen

                        OK
                        What to do to get these replies in?
                        I cannot see where my mistake is - so that's the reason why?
                        If I don't get any reply - is this a configuration error of the Zone Rules or DNS?
                        Is this a rule I need to add to the WAN interface - that it should allow ICMP response?

                        Normally my understanding is that it will allow response traffic.

                        My Outbound NAT looks like this:
                        https://ibb.co/p3Cpp7B

                        From my ISP I have a /29 subnet with public IPs - so hopefully I set this up correctly.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.