Netgate Discussion Forum

    Port Forwarding Ping from WAN to LAN - does not work?

    14 Posts 2 Posters 10.0k Views
      updates4

      We are using v2.40 with a simple WAN LAN configuration that port forwards (and 1:1 NAT) other protocols perfectly.
      But we are unable to ping a computer on the LAN from a source on the WAN.

      We created a virtual IP on the WAN side, and port forward TCP to a corresponding computer on the LAN - this works fine for TCP.

      If we create a firewall rule that forwards ICMP from the same virtual IP on the WAN to the same computer on the LAN, pinging the virtual IP gets no response.
      (pfSense creates the appropriate firewall rule automatically).

      If I disable the ICMP port forwarding and create a firewall rule that allows ICMP from any source to destination WAN net or restrict it to the Virtual IP on the WAN, ping works from the WAN network.
      But the ping response is not coming from the corresponding computer on the LAN, it is coming directly from the virtual IP on the WAN. If I turn off the computer on the LAN, the virtual IP still responds to pings.

      Turn the ICMP port forwarding on again for the virtual IP, and ping responses stop.

      I have read in this forum that you cannot use 1:1 NAT to forward ICMP.
      Does port forwarding also not work for ICMP?

      Elsewhere in this forum some have questioned the security risk of allowing PING from WAN to LAN. This is required (temporarily) by our institution for their security scans to prove that the computers on our LAN are operational when the security scans are running. I can't change this requirement.

      Thanks in advance.
      Hudson

        updates4

        And I have checked the suggestions in the Port Forward Troubleshooting post.

        The firewall is off on the LAN computer for testing. The LAN computer IS using pfSense as its gateway.

          viragomann

          Works flawlessly here.

            updates4

            And Ping forwarding works if 1:1 NAT is enabled as well?

            If you have time, would you mind writing out the steps you used exactly?

              viragomann

              Yes, it works with port forwarding, port forwarding + NAT 1:1 (to the same internal host) and with NAT 1:1 only in combination with a firewall rule allowing ICMP.

              Use Packet capture from the diagnostic menu to see if the ICMP packets are forwarded to the LAN interface and if you get responses from the internal host.

                updates4

                With port forwarding off, the virtual IP sees the packets and responds, and packet sniffer shows this.

                17:00:51.322376 IP xxx.111.150.104 > xxx.145.101.51: ICMP echo request, id 1, seq 645, length 40

                This is displayed 6 times, for a single set of 3 pings.

                But as soon as port forwarding for ICMP is turned on, packet sniffer shows nothing at the Virtual IP and nothing at the LAN IP that it is forwarded to.

                Hudson

                  updates4

                  Are you pinging a Windows box on the LAN or a Linux box?
                  I can't imagine it would make a difference.

                    viragomann

                    It was a Windows machine. But it should also work with Linux.

                      updates4

                      What firewall rules are you using to allow this to function?
                      The default firewall rules created by pfSense must be blocking something.

                      My port forwarding rule is
                      WAN
                      Protocol ICMP
                      Destination IP is the virtual IP on the WAN
                      redirection IP is the LAN IP for the Windows box.

                      Just like for any other port forward.

                      Hudson8

                        viragomann

                        @Hudson8:

                        17:00:51.322376 IP xxx.111.150.104 > xxx.145.101.51: ICMP echo request, id 1, seq 645, length 40

                        This is displayed 6 times, for a single set of 3 pings.

                        xxx.145.101.51 seems to be a public IP. Are you using public IPs in LAN network?

                          viragomann

                          @Hudson8:

                          What firewall rules are you using to allow this to function?

                          I let pfSense create an associated rule.

                          When trying with NAT 1:1 only I created a pass rule manually with:
                          Interface = WAN
                          Protocol = ICMP
                          Source = any
                          Destination = internal IP

                            updates4

                            That is the WAN network.
                            xxx.145.101.x

                            The virtual IP was created on the WAN network and is xxx.145.101.51
                            It is being routed to an IP on the LAN
                            192.168.0.10

                            All the other ports redirect perfectly from WAN to LAN (remote desktop, etc.)

                            But not ICMP

                              updates4

                              And yes, I have that rule
                              WAN
                              ICMP
                              All sources
                              Destination is the IP on the LAN

                                updates4

                                For closure, the answer is:

                                Windows 10 and Server 2016 (and probably other versions) automatically disable ping at the inbound firewall when the Windows device has a local IP (like 192.168 etc).
                                This is true, even if the active network profile is domain. This was my issue. Once I enabled echo at the Windows inbound firewall, ping forwarding worked WAN to LAN.

                                Ping is defaulted ON in Windows for the domain network profile in non-local IP situations, so I didn't check the Windows firewall until evidence from pfSense tcpdump showed the echo requests successfully arriving at the Windows box on the LAN.

                                ICMP from the WAN to local network is included in 1:1 NAT and can also be enabled through Port Forwarding (by selecting ICMP). Both methods work.

                                Thanks to viragomann for leading me in the right direction.

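As an added example (not from the thread or from any of its posters), here is the Windows-side fix described in the closing post, done from an elevated PowerShell prompt on the LAN host: it shows the state of the built-in inbound ICMPv4 echo rules and then, rather than opening echo to every source, adds a rule scoped to the scanner's address range so only the institution's scans can reach the host. The scanner range 203.0.113.0/24 and the rule display name are assumptions.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell prompt on the LAN host.
# The scanner source range is a constructed placeholder; replace it with the
# institution's real scanner addresses.
$ScannerRange = '203.0.113.0/24'
$RuleName     = 'Allow ICMPv4 Echo Request from security scanner'

# 1. Show the built-in echo-request rules (one per profile); these are the rules the
#    thread found disabled on a Windows host with a private LAN address.
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (Echo Request - ICMPv4-In)' |
    Select-Object DisplayName, Profile, Enabled, Action |
    Format-Table -AutoSize

# 2. Add a narrowly scoped rule instead of enabling echo from any source:
#    inbound ICMPv4 type 8 (echo request), only from the scanner range, in every
#    profile so it still applies if the host lands in a non-domain profile.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $ScannerRange -Action Allow -Profile Any -Enabled True | Out-Null
}

# 3. Verify the rule's address scope. Then confirm end to end from pfSense with
#    Diagnostics > Packet Capture on the LAN interface: echo requests arriving at the
#    host and echo replies leaving it show that both the NAT rule and the host
#    firewall pass the traffic.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# Back the change out once the scans are finished:
# Remove-NetFirewallRule -DisplayName $RuleName
```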
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.