ICMP Intrusion Help



  • I have ICMP disabled on the WAN and LAN segments and can see them being blocked successfully.
    WAN traffic is going over the OpenVPN connection.
    traceroute shows traffic going via the vpn and youtube defaults to the country of the vpn

    On my windows pc where on my 192.168 segment, i have comodo 10 firewall installed and have blocked all incoming and outgoing except basic services

    I am seeing in the log, source IP 81.169.145.156 ICMPv4 with the destination up of the PC.
    On one of the other source IPs , it resolved to google.

    the other devices on the same lan segment are;
    android phone, work pc - with vpn to work network, linux pc

    how can i find where the source i.e. which device the ICMP is getting onto the network from?
    I guess the work pc, can't access the 192.168 when work VPN is up, leaving on the linux or android phone.

    Help appreciated


  • LAYER 8 Global Moderator

    "I am seeing in the log, source IP 81.169.145.156 ICMPv4 with the destination up of the PC. "

    Show what in the log??  Post up this log your seeing..

    Prob your box pinging that..

    ;; QUESTION SECTION:
    ;156.145.169.81.in-addr.arpa.  IN      PTR

    ;; ANSWER SECTION:
    156.145.169.81.in-addr.arpa. 86400 IN  PTR    w9c.rzone.de.

    inetnum:        81.169.144.0 - 81.169.148.255
    netname:        STRATO-RZG-KA
    org:            ORG-SRA1-RIPE
    descr:          Strato Rechenzentrum, Berlin

    Why would you think some icmp traffic with that IP is from your phone or linux pc??



  • I don't mean i am seeing in the pfsense log john, i mean on the Comodo 10 - Windows log.

    It seems something is getting into my lan segment, but not via the pfsense firewall

    I have pfsense configured to block ICMP on all interfaces, so it is not passing through the WAN, LAN via the pfsense box
    It has to be something directly on the LAN segment that is connected to my PC.

    that leaves the only possibilities;

    • linux pc directly connected with a route to the VPN gateway
    • work windows laptop with a route to the WAN and connected with work VPN
    • android phones connect to wifi.

    wifi tp-link devices have the wifi and lan bridged as a switch because as a router they would causes HD media to stutter.
    but the wifi is secure, so it have to be an authorised device


  • LAYER 8 Global Moderator

    dude post up the log your viewing.

    Why don't you sniff on the machine your seeing this on and see what mac the traffic coming from..

    My guess is your machine is pinging this and your getting a response, or your getting a icmp redirect from you trying to go there.

    Post up your firewall rules for your wan and lan please.  If traffic was coming from some other device on your local network it sure for sure would not show that remote IP.  Do an actual sniff of the traffic your seeing on this machine.. This will show us for sure where its coming from to your machine via the mac address your box is seeing the traffic from - this will show us if from some other device on your network or via the pfsense lan mac address, etc.



  • I would like to point out that ICMP is a required protocol for the Internet to work correctly. You can get strange performance issues in edge cases with ICMP disabled. IPv6 may not even work at all without ICMP if you hit a hop with a smaller MTU.



  • IPv6 may not even work at all without ICMP if you hit a hop with a smaller MTU.

    The same applies to IPv4, as MTU discovery is often used.  On IPv6, it also means no router, as router advertisements are no longer used.  Then there's also mapping IP to MAC, which uses neighbour solicitation on IPv6, etc..


  • LAYER 8 Global Moderator

    blocking icmp outbound to the internet, or to your gateway (ie pfsense) from your own network seems beyond cut off blood to your brain tight tinfoil hat..

    Even when I lock down my guest network and prevent them talking to anything on any my other networks, I still allow them to ping the pfsense address of the network they are on - this allows them to validate connectivity to their gateway.. And how that wifi is working as far as basic connectivity to the gateway, etc..

    But to the point at hand - lets see the logs your looking at.. Whatever they are in, so we can hope to clean some insight to what its actually saying vs what you think or stating its saying.  Maybe your firewall on your machine is blocking your machine from trying to ping that IP?  And your reading it as inbound block?

    Hard to guess without actually seeing what your seeing.  If you believe its coming in from something else on your network than a simple sniff on your device showing this traffic will allow us to see the mac its coming from which we can then trace to what device its coming from on your L2 network.


Log in to reply