Port Forwarding Ping from WAN to LAN - does not work?
-
We are using v2.40 with a simple WAN LAN configuration that port forwards (and 1:1 NAT) other protocols perfectly.
But we are unable to ping a computer on the LAN from a source on the WAN. We created a virtual IP on the WAN side, and port forward TCP to a corresponding computer on the LAN - this works fine for TCP.
If we create a firewall rule that forwards ICMP from the same virtual IP on the WAN to the same computer on the LAN, pinging the virtual IP gets no response.
(pfSense creates the appropriate firewall rule automatically). If I disable the ICMP port forwarding and create a firewall rule that allows ICMP from any source to destination WAN net or restrict it to the Virtual IP on the WAN, ping works from the WAN network.
But the ping response is not coming from the corresponding computer on the LAN, it is coming directly from the virtual IP on the WAN. If I turn off the computer on the LAN, the virtual IP still responds to pings. Turn the ICMP port forwarding on again for the virtual IP, and ping responses stop.
I have read in this forum that you cannot use 1:1 NAT to forward ICMP.
Does port forwarding also not work for ICMP? Elsewhere in this forum some have questioned the security risk of allowing PING from WAN to LAN. This is required (temporarily) by our institution for their security scans to prove that the computers on our LAN are operational when the security scans are running. I can't change this requirement.
Thanks in advance.
Hudson -
And I have checked the suggestions in the Port Forward Troubleshooting post.
The firewall is off on the LAN computer for testing. The LAN computer IS using pfSense as its gateway.
-
Works flawlessly here.
-
And Ping forwarding works if 1:1 NAT is enabled as well?
If you have time, would you mind writing out the steps you used exactly?
-
Yes, it works with port forwarding, port forwarding + NAT 1:1 (to the same internal host) and with NAT 1:1 only in combination with a firewall rule allowing ICMP.
Use Packet capture from the diagnostic menu to see if the ICMP packets are forwarded to the LAN interface and if you get responses from the internal host.
-
With port forwarding off, the virtual IP sees the packets and responds - and packet sniffer shows this.
17:00:51.322376 IP xxx.111.150.104 > xxx.145.101.51: ICMP echo request, id 1, seq 645, length 40
This is displayed 6 times, for a single set of 3 pings.
But as soon as port forwarding for ICMP is turned on, packet sniffer shows nothing at the Virtual IP and nothing at the LAN IP that it is forwarded to.
Hudson
-
Are you pinging a Windows box on the LAN or a Linux box?
I can't imagine it would make a difference. -
It was a Windows machine. But it should also work with Linux.
-
What firewall rules are you using to allow this to function?
The default firewall rules created by pfSense must be blocking something. My port forwarding rule is
WAN
Protocol ICMP
Destination IP is the virtual IP on the WAN
redirection IP is the LAN IP for the Windows box. Just like for any other port forward.
Hudson8
-
@Hudson8:
17:00:51.322376 IP xxx.111.150.104 > xxx.145.101.51: ICMP echo request, id 1, seq 645, length 40
This is displayed 6 times, for a single set of 3 pings.
xxx.145.101.51 seems to be a public IP. Are you using public IPs in LAN network?
-
@Hudson8:
What firewall rules are you using to allow this to function?
I let pfSense create an associated rule.
When trying with NAT 1:1 only I created a pass rule manually with:
Interface = WAN
Protocol = ICMP
Source = any
Destination = internal IP -
That is the WAN network.
xxx.145.101.x. The virtual IP was created on the WAN network and is xxx.145.101.51
It is being routed to an IP on the LAN
192.168.0.10. All the other ports redirect perfectly from WAN to LAN (remote desktop, etc.)
But not ICMP
-
And yes, I have that rule
WAN
ICMP
All sources
Destination is the IP on the LAN -
For closure, the answer is:
Windows 10 and Server 2016 (and probably other versions) automatically disable ping at the inbound firewall when the Windows device has a local IP (like 192.168 etc).
This is true, even if the active network profile is domain. This was my issue. Once I enabled echo at the Windows inbound firewall, ping forwarding worked WAN to LAN. Ping is defaulted ON in Windows for the domain network profile in non-local IP situations, so I didn't check the Windows firewall until evidence from pfSense tcpdump showed the echo requests successfully arriving at the Windows box on the LAN.
ICMP from the WAN to local network is included in 1:1 NAT and can also be enabled through Port Forwarding (by selecting ICMP). Both methods work.
Thanks to viragomann for leading me in the right direction.
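As an added example (not from this thread or from pfSense), a small Python helper that pairs ICMP echo requests with their replies in a pfSense Packet Capture (tcpdump-style) dump taken on the LAN interface, so the "requests arrive but nothing answers" symptom that pointed at the Windows inbound firewall above is visible at a glance. The sample capture and its addresses are constructed.

```python
import re
from collections import OrderedDict

# Constructed LAN-side capture in the format printed by Diagnostics > Packet Capture:
# three echo requests reach the LAN host (192.168.0.10), only seq 646 goes unanswered.
SAMPLE_CAPTURE = """\
17:00:51.322376 IP 203.0.113.10 > 192.168.0.10: ICMP echo request, id 1, seq 645, length 40
17:00:51.322901 IP 192.168.0.10 > 203.0.113.10: ICMP echo reply, id 1, seq 645, length 40
17:00:52.330110 IP 203.0.113.10 > 192.168.0.10: ICMP echo request, id 1, seq 646, length 40
17:00:53.338452 IP 203.0.113.10 > 192.168.0.10: ICMP echo request, id 1, seq 647, length 40
17:00:53.339001 IP 192.168.0.10 > 203.0.113.10: ICMP echo reply, id 1, seq 647, length 40
"""

# [\w.]+ also accepts masked addresses such as "xxx.145.101.51" as posted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\w.]+) > (?P<dst>[\w.]+): ICMP echo "
    r"(?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp_lines(text):
    """Yield one dict per ICMP echo line; other capture lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def unanswered_echo_requests(text):
    """Return (request_count, unanswered) where unanswered holds (src, dst, id, seq) tuples."""
    requests = OrderedDict()  # keeps capture order for reporting
    answered = set()
    for pkt in parse_icmp_lines(text):
        if pkt["kind"] == "request":
            requests[(pkt["src"], pkt["dst"], int(pkt["id"]), int(pkt["seq"]))] = pkt["ts"]
        else:
            # A reply flows dst -> src, so swap the addresses to match the request's key.
            answered.add((pkt["dst"], pkt["src"], int(pkt["id"]), int(pkt["seq"])))
    return len(requests), [k for k in requests if k not in answered]


def diagnose(capture_text):
    """Map a LAN-side capture to the likely failure point, following the thread's reasoning."""
    total, unanswered = unanswered_echo_requests(capture_text)
    if total == 0:
        return "no echo requests on LAN side: check the port forward / WAN rule on pfSense"
    if len(unanswered) == total:
        return "requests arrive but none are answered: check the LAN host's inbound firewall"
    if unanswered:
        return f"{len(unanswered)} of {total} requests unanswered: loss on the LAN host"
    return "all echo requests answered: forwarding works end to end"


if __name__ == "__main__":
    print(diagnose(SAMPLE_CAPTURE))
```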
-