[SOLVED] Is icmp allowed on WAN by default?
Is it normal for the WAN interface to reply to ping requests from internet-based sources? Tested this with 2.1.5 / 2.2.6 / 2.3.1 clean installs, very basic LAN-WAN configuration, and I get a reply on the WAN when pinging.
I understood all is blocked by default on the WAN interface so I am surprised about this.
I've added specific rules under the WAN interface to disable all/all any/any (as a test), and similar to block icmp, however this doesn't make any difference.
I don't believe it should be like this. Any ideas?
Run your test from the outside, from a host that is truly outside your own networks, for example with this online ping test:
Yes, I have been definitely running from an outside / internet connection.
That site you sent shows replies too!
Maybe the ISP I am using has some sort of NAT I don't understand well which replies, because if I packet capture on the WAN I don't see the icmp packets there, but do see others I test like ssh, telnet…
In addition, strangely I see icmp between my pfsense and the ISP default gateway.
pfSense is sending icmp requests and I receive icmp replies from its default gateway (ISP).
14:45:41.001779 IP (PFSENSE WAN IP) > (MY ISP GATEWAY): ICMP echo request, id 22093, seq 15364, length 8
14:45:41.009195 IP (MY ISP GATEWAY) > (PFSENSE WAN IP): ICMP echo reply, id 22093, seq 15364, length 8
14:45:41.521450 IP (PFSENSE WAN IP) > (MY ISP GATEWAY): ICMP echo request, id 22093, seq 15365, length 8
14:45:41.522477 IP (MY ISP GATEWAY) > (PFSENSE WAN IP): ICMP echo reply, id 22093, seq 15365, length 8
Has anyone seen this behaviour before?
The default is to block everything on WAN so if everything is done correctly the pfSense WAN interface shouldn't respond to ICMP. Post your WAN rules if any and list all the packages you have installed and configured.
Edit: The "strange" pings are pfSense's own gateway monitoring, nothing to worry about.
Understood regarding the icmp between pfsense and its gw (I should have realised that), thanks for the edit.
Attached are screen shots of the fw and packages.
It seems the issue is not pfsense, as it looks like ICMP packets do not even reach my pfsense WAN IP (see the description of my testing below)! Is anyone aware of any ISP-type features / setups that would allow a reply from a WAN IP upstream of the NIC where the WAN IP sits?
I re-ran a capture on the WAN interface, filtering for my source IP. I ran a ping first, then telnet, ping again, ssh, and then ping again to my pfsense WAN IP. (My source IP and pfsense device are in separate countries, separated by different internet ISPs.)
As you can see below, I don't even see the icmp packets at my pfsense WAN. This is the resulting capture of the test above:
15:14:48.079042 IP (MY SOURCE IP).46593 > (PFSENSE WAN IP).23: tcp 0
15:14:49.078814 IP (MY SOURCE IP).46593 > (PFSENSE WAN IP).23: tcp 0
15:15:02.955362 IP (MY SOURCE IP).50116 > (PFSENSE WAN IP).22: tcp 0
15:15:04.959121 IP (MY SOURCE IP).50116 > (PFSENSE WAN IP).22: tcp 0
If I run an 'mtr' toward my pfsense device, again, I do not have any ICMP captured. However, if I elect to send UDP packets instead with mtr, I get the output below.
15:28:00.245281 IP (MY SOURCE IP).31545 > (PFSENSE WAN IP).33013: UDP, length 36
15:28:00.345063 IP (MY SOURCE IP).31545 > (PFSENSE WAN IP).33014: UDP, length 36
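The test above (capture on WAN filtered by the source host, then compare which probe types actually arrive) is easy to get wrong by eye when the capture also contains pfSense's own gateway-monitor pings. The following script is an added example, not code from the thread or from pfSense: it parses tcpdump text output, sets aside the WAN-to-gateway echo traffic, and reports which probes from the test host reached the WAN address. The capture lines and the addresses are constructed (RFC 5737 documentation ranges stand in for the thread's "(PFSENSE WAN IP)", "(MY ISP GATEWAY)" and "(MY SOURCE IP)" placeholders); the function and variable names are mine.

```python
import re
from collections import Counter

# Constructed addresses standing in for the placeholders used in the thread.
WAN_IP = "203.0.113.10"      # assumed pfSense WAN address
GATEWAY_IP = "203.0.113.1"   # assumed ISP default gateway
SOURCE_IP = "198.51.100.7"   # assumed external test host

# Constructed tcpdump output modelled on the thread's captures: gateway-monitor
# pings, then TCP probes to 23 and 22, then mtr in UDP mode. No inbound ICMP.
SAMPLE_CAPTURE = """\
14:45:41.001779 IP 203.0.113.10 > 203.0.113.1: ICMP echo request, id 22093, seq 15364, length 8
14:45:41.009195 IP 203.0.113.1 > 203.0.113.10: ICMP echo reply, id 22093, seq 15364, length 8
15:14:48.079042 IP 198.51.100.7.46593 > 203.0.113.10.23: tcp 0
15:14:49.078814 IP 198.51.100.7.46593 > 203.0.113.10.23: tcp 0
15:15:02.955362 IP 198.51.100.7.50116 > 203.0.113.10.22: tcp 0
15:28:00.245281 IP 198.51.100.7.31545 > 203.0.113.10.33013: UDP, length 36
15:28:00.345063 IP 198.51.100.7.31545 > 203.0.113.10.33014: UDP, length 36
"""

# tcpdump's default one-line format: "<ts> IP <src> > <dst>: <protocol info>"
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<info>.*)$")


def split_endpoint(token):
    """Split 'a.b.c.d.port' into (ip, port); ICMP endpoints carry no port."""
    if token.count(".") == 4:
        ip, port = token.rsplit(".", 1)
        return ip, int(port)
    return token, None


def parse_capture(text):
    """Yield (src_ip, dst_ip, dst_port, proto, info) for each tcpdump IP line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a tcpdump IPv4 line
        src_ip, _ = split_endpoint(m.group("src"))
        dst_ip, dst_port = split_endpoint(m.group("dst"))
        info = m.group("info")
        if info.startswith("ICMP"):
            proto = "icmp"
        elif info.startswith("tcp"):
            proto = "tcp"
        elif info.startswith("UDP"):
            proto = "udp"
        else:
            proto = "other"
        yield src_ip, dst_ip, dst_port, proto, info


def summarize(text, wan_ip, gateway_ip, source_ip):
    """Count probes from the test host that reached the WAN, separately from
    pfSense's own gateway-monitor ICMP between the WAN address and its gateway."""
    probes = Counter()
    inbound_icmp = 0
    gateway_monitor = 0
    for src_ip, dst_ip, dst_port, proto, info in parse_capture(text):
        if proto == "icmp" and {src_ip, dst_ip} == {wan_ip, gateway_ip}:
            gateway_monitor += 1  # expected dpinger traffic, not an external probe
            continue
        if src_ip != source_ip or dst_ip != wan_ip:
            continue  # not a probe from the test host to the WAN address
        if proto == "icmp":
            if "echo request" in info:
                inbound_icmp += 1
            probes["icmp"] += 1
        elif proto in ("tcp", "udp"):
            probes[f"{proto}/{dst_port}"] += 1
    return {"probes": probes, "inbound_icmp": inbound_icmp,
            "gateway_monitor": gateway_monitor}


def diagnose(summary):
    """Turn the counts into the conclusion the thread reaches by hand."""
    non_icmp = sum(v for k, v in summary["probes"].items() if k != "icmp")
    if summary["inbound_icmp"] == 0 and non_icmp > 0:
        return "icmp-answered-upstream"   # TCP/UDP arrive, ICMP never does
    if summary["inbound_icmp"] > 0:
        return "icmp-reaches-wan"         # check WAN rules and packages on pfSense
    return "no-probes-seen"               # wrong interface or capture filter


if __name__ == "__main__":
    result = summarize(SAMPLE_CAPTURE, WAN_IP, GATEWAY_IP, SOURCE_IP)
    print(result["probes"], "gateway-monitor packets:", result["gateway_monitor"])
    print(diagnose(result))
```

On a live box the input would be the output of a tcpdump run on the WAN interface with a host filter for the test source; the point of the script is only the comparison, so if `icmp-answered-upstream` comes out, the reply seen by the remote ping is generated before the packet reaches the pfSense NIC and no WAN rule on pfSense can change that.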