Floating rule not effective for ICMP
SuMeRbOaRd last edited by
I have an odd issue I can't seem to explain. The specific issue I'm seeing is that ICMP to WAN2 from a specific source isn't working, but the rule works for the WAN interface. The goal is to allow my datacenter probes to monitor if the device is online using ICMP Ping (as well as other services using various ports). I have a single floating rule that I thought should be enough to accomplish what I want, but I'm finding that it's not working on all of the interfaces correctly for some reason. I have an Alias list made up of FQDNs and IPs (as well as my home IP I'm using to test with simultaneously) named SSIT_Services which includes where the datacenter probe IP that's doing the pinging. Running 2.4.2-Release(amd64), there are 2 WAN's (WAN1 and WAN2), 1 LAN, and 1 OpenVPN interface. The LAN network is setup with a failover gateway group for any outbound traffic.
My Floating rule is as such; Pass, Quick Apply, I've selected both of the WAN interfaces that I want the rules to apply to for incoming traffic, Direction is Any, IPv4, Protocol Any, Source is my Alias group named SSIT_Services, Destination is Any, Logging packets, and no Advanced rules set. When I apply that rule, all of the other services NATing through seem to work fine, but the WAN2 just won't reply to pings from the IP of my monitor, but does reply to other Alias locations, such as my home computer I'm testing with.
To get the ICMP pings working on WAN2, I have to create an additional rule on the WAN2 rule set as such; Pass, WAN2, IPv4, ICMP - Any, Source SSIT_Services, Destination Any, Log Packets, no other advanced settings. After applying that the pings begin working. Now what's also odd is if i mess with disabling / enabling the two rules, the firewall doesn't seem to respond right away, like the rules were not even implemented, I'm assuming this may have something to do with the States so I have now been resetting all states after applying the rules and things seem to respond better, but the original rule still isn't working for the WAN2 ICMP pings.
Why doesn't my Floating rule handle the WAN2 interface like it does with the primary WAN interface?
"Pass, WAN2, IPv4, ICMP - Any, Source SSIT_Services, Destination Any"
Why would you create a rule dest any? When the dest would be to your wan2 IP? You should never create rules on your want that would allow dest any..
As to why your floating rule doesn't work.. Did you create an alias for your dest to the specific dest IPs the rule would be going to? Why would you create floating rule for such a setup would be my question?
SuMeRbOaRd last edited by
My intent was to create a single floating rule that would allow anything incoming from the Source addresses on the Alias SSIT_Services into either WAN1 or WAN2. I thought the significance of a floating rule was that it would apply to all of the interfaces if you wanted it to, rather than having to setup the rules on a Dual WAN on both interfaces.
I thought that floating rule should have covered the two ICMP echo reply rules I needed for each WAN interface, as well as SNMP and the various other services that would be connecting into this network or firewall directly from the Alias networks. As far as the Destination being any, I figured that would allow the traffic to reach the LAN network, OpenVPN, and both WAN1 and WAN2 interface IPs.
As long as the incoming traffic was coming from the source Alias SSIT_Services, all traffic into this firewall should be allowed. Would there still be a reason to remove the any destination from this? I'm likely missing best practice as I'm just not sure on what it should look like.
Firewall rules inbound should always be specific to the address. Creating floating you sure you picked inbound and picked both interfaces.. Without seeing the rules its impossible to figure out what is going wrong.
There are also rules that get applied before floating, or the interface rules.. I am just not a fan of the floating rules unless really required for some say outbound block… Now if you had lots of interfaces, but you have 2 create the rules directly on the interfaces so its CLEAR when you look on the interfaces what is open, etc.
That is my advice..