Netgate Discussion Forum

    2.3.1 default icmp setting - using custom udp ports

    General pfSense Questions
    7 Posts 3 Posters 4.0k Views
    • mprog

      I've searched and found that icmp is blocked incoming by default but cannot seem to find anything about outgoing using different ports.

      For example, we are using udp ports 40001-40004 on a server to get a sort of icmp response.

      The principle of sending a UDP packet to each hop and checking for ICMP "port unreachable" responses simply does not work at some locations, including the one we are testing from which has a brand new pfsense firewall installed.

      In other words, while this works in some cases, for some reason, we cannot get any response when trying from the LAN through this new firewall.

      Does pfsense block all icmp traffic unless configured to not?

      • Harvy66

        PFSense blocks all ingress traffic by default. It is stateful, so if your protocol is following standard protocols, it should work, but if you have your own custom something going on, the statefulness will not be able to create states to allow your custom traffic.

        • johnpoz (LAYER 8 Global Moderator)

          So you're wanting your icmp response to a closed port, like a default Linux traceroute.

          Pfsense wan is not going to answer you like that. But you can create a rule to do that.. I like traceroute to work as well ;) and I do it remotely to my pfsense, so I have pfsense reject on those ports used by traceroute via udp.

          Notice to pfsense wan I have a reject, for ipv6 same but also allow those ports through to the ipv6 behind so that box itself can send the response. In the attached sniff you will see where I was doing a traceroute to pfsense wan from the outside and it sends back the icmp response that you're looking for.

          [attachments: tracerouteports.jpg, unreach.jpg]

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • mprog

            Wait now, is everyone understanding that the request is outgoing? It is originating on the LAN side.
            So, you're saying that even so, the firewall will block the replies unless specifically allowed?

            • johnpoz (LAYER 8 Global Moderator)

              Huh? What rules do you have on your lan.. There is nothing special required to be done if the request is done via lan side client.

              So from a Linux client on my lan I do a traceroute to outside IP, 8.8.8.8 in this example.. As you see I am getting back the icmp messages saying that port is not open. You can see the ttl expired and then the unreachables.

              Might be helpful if you post up your wan and lan rules and if anything in your floating, etc.

              [attachments: tracerouteoutbound.jpg, icmpunreach.jpg]


              • mprog

                I don't have anything interesting to post really, it's a very basic setup. I've not enabled incoming ICMP for example but I figured so long as the requests are LAN initiated, they should work.

                That kind of testing certainly does work when using standard ping/traceroute/mtr tools for example, only using our custom ports doesn't ever return anything back to the LAN from a remote network IP.

                • johnpoz (LAYER 8 Global Moderator)

                  Did you validate that you're actually getting back the icmp unreachable message on your wan?

                  So your lan rules are any any? So you're probing IPs you control on the public internet and you know they send back icmp redirects when hit on nonlistening/closed port?

                  As I showed, many firewalls will not do that.. Since then every single noise packet they get would generate an icmp answer.. That would be bad! ;) You need to validate that your packet is getting to the server from the client, and then validate it is actually sending back an icmp redirect and pfsense is seeing it on its wan. If it does then yes it should send that back into your client that created the traffic, as you can see from my above traceroute test.


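The point the thread turns on, for both the original UDP 40001-40004 probe and the "validate the reply on the wan" advice: a stateful firewall only passes an ICMP port-unreachable back to the LAN if the datagram quoted inside it matches an outstanding UDP state. The following is an added Python example of that matching logic, not code from the forum, from pfSense or from pf; the client/server addresses, ports and packets are constructed sample values.

```python
import ipaddress
import struct

# Outstanding UDP probes a stateful firewall (or a custom probing tool) tracks:
# (client_ip, client_port, server_ip, server_port). Constructed sample values.
PROBE_STATES = {
    ("192.168.1.50", 51234, "203.0.113.10", p) for p in range(40001, 40005)
}


def parse_icmp_unreachable(icmp):
    """Return the 4-tuple of the datagram quoted in an ICMP type 3 code 3
    (port unreachable) message, or None for any other or malformed message."""
    if len(icmp) < 8 or icmp[0] != 3 or icmp[1] != 3:
        return None
    inner = icmp[8:]                        # quoted IPv4 header + first 8 payload bytes
    if len(inner) < 20:
        return None
    ihl = (inner[0] & 0x0F) * 4             # header length in bytes
    if len(inner) < ihl + 8 or inner[9] != 17:   # need the UDP header; proto 17 = UDP
        return None
    src = str(ipaddress.IPv4Address(inner[12:16]))
    dst = str(ipaddress.IPv4Address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return (src, sport, dst, dport)


def reply_accepted(icmp, states=PROBE_STATES):
    """True only when the quoted datagram belongs to an existing probe state;
    anything else is dropped, which is why a custom probe that the firewall
    never saw leave (or a reply quoting other ports) gets no answer on the LAN."""
    quoted = parse_icmp_unreachable(icmp)
    return quoted is not None and quoted in states


def make_unreachable(src, sport, dst, dport):
    """Construct an ICMP port-unreachable as the probed host would generate it
    for a UDP probe src:sport -> dst:dport (checksums left zero, not verified)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    udp_hdr = struct.pack("!HHHH", sport, dport, 8, 0)
    return struct.pack("!BBHI", 3, 3, 0, 0) + ip_hdr + udp_hdr


if __name__ == "__main__":
    good = make_unreachable("192.168.1.50", 51234, "203.0.113.10", 40001)
    stray = make_unreachable("192.168.1.50", 51234, "203.0.113.10", 40009)
    print("matching probe  ->", reply_accepted(good))    # True
    print("unknown port    ->", reply_accepted(stray))   # False
```

A packet capture on the WAN that shows the unreachable arriving but `reply_accepted` returning False for its quoted tuple points at the probe itself (wrong source port, wrong address, or never sent) rather than at the firewall.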
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.