    Should I Unblock ICMP on the WAN?

      tagit446

      Sorry if this is a dumb question, but I was wondering: since everything is blocked by default on the WAN, should I create a WAN firewall rule to allow ICMP to pass?

      If so, what options should be chosen for the rule, such as ICMP Subtypes, Source and Destination?

        KOM

        I generally allow ICMP from WAN. You only need to allow ICMP Echo request, I believe.

          kpa

          Depending on your setup, blocking incoming ICMP may not make sense. For example, if you already have ports open for incoming HTTP(S) traffic to your servers, blocking ICMP buys you absolutely nothing and can in fact hamper the usability of your services for some users. If you have no ports open to the internet, then you might block ICMP as well to effectively "stealth up".

            Derelict LAYER 8 Netgate

            I pass ICMP on all my WANs. I do not care about "stealth."

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              mlsbraves

              should I create a WAN firewall rule to allow ICMP to pass?

              That's really up to you. Not allowing it means you will be more hidden, as your device won't reply to online scanners. If this is a home setup then I would just leave it as is unless you have a reason. For me, I create Aliases with our ACLs that allow ICMP and remote access and don't leave anything open to the public unless it is required. It's not a security risk if you want to let it reply so you can ping it from anywhere. If you don't have a reason to ping it from unknown sources then I would keep it blocked, but it doesn't really hurt if you do.

              If so what options should be chosen for the rule, such as ICMP Subtypes, Source and destination?

              If you're wanting your firewall to reply to anyone, then:

              Protocol: ICMP
              TYPE: Echo Request
              Source: Any
              Destination: This Firewall
              and choose if you want to log this.

                JKnott

                @KOM:

                I generally allow ICMP from WAN.  You only need to allow ICMP Echo request, I believe.

                Also, the unreachable ones, too big, timeouts, etc.

                PfSense running on Qotom mini PC
                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                UniFi AC-Lite access point

                I haven't lost my mind. It's around here...somewhere...

                  remlei

                  Well, if you're planning to use IPv6 over IPv4, ICMP over WAN is mandatory.

                  Else, mostly you don't need it.

                    tagit446

                    I had initially asked my question after reading this article, "http://www.znep.com/~marcs/mtu/". I found this article while trying to find information on MTU, which I am having a problem with.

                    For more details on the MTU problem I am having, see my other post "https://forum.pfsense.org/index.php?topic=146791.msg797486#msg797486". So far no one has replied to that post.

                    I am still trying to wrap my head around the above article I linked to but if I understand correctly ICMP is needed for proper MTU discovery.

                    The article also mentions filtering RFC 1918 addresses could cause similar problems as if ICMP is being filtered. From the article "If you are using such addresses, then ICMP messages (including "can't fragment" errors) will normally be generated using such addresses. Since many networks filter incoming traffic from such reserved addresses, the net result is the same as if all ICMP were being filtered and can cause the same problems."

                    I am probably misunderstanding but the article seems to suggest enabling ICMP would have no real effect if bogons are being blocked on the pfsense WAN (which they are).

                      JKnott

                      I am still trying to wrap my head around the above article I linked to but if I understand correctly ICMP is needed for proper MTU discovery.

                      Yes that's true and ICMP is also used for other error or status messages.


                        JKnott

                        I am probably misunderstanding but the article seems to suggest enabling ICMP would have no real effect if bogons are being blocked on the pfsense WAN (which they are).

                        My understanding of that is it will only fail if the ICMP message originates on a device with an RFC1918 address. How likely is that? If there's an RFC 1918 address that you can reach via the Internet, it's behind NAT, which should translate it back to whatever the public IP is. The only other instance I can think of is when packets are passed through a tunnel or VPN using an RFC 1918 address.

                        Also, that article mentions disabling do not fragment. Well, that's simply not an option on IPv6, as routers are not allowed to fragment at all, so there is no do not fragment flag.

                        Also from that article:

                        576 X.25 Networks

                        Way back in the dark ages, that was a common MTU for dial up connections (I used it with SLIP¹ to my first ISP, before switching to another ISP that supported PPP and 1500 MTU). I often wondered if there was some reason other than the efficiency vs data loss trade off over what were often noisy connections. But quite often, dial up was used to access X.25 networks. These were quite common way back then, with services such as Compuserve, The Source and others. My employer, at the time, provided a service called "Telenet" in Canada, which was an X.25 network. We had racks of X.25 "PADs" (Packet Assembler Disassembler) which connected dial in modems to a PR1ME computer

                        1. SLIP https://en.wikipedia.org/wiki/Serial_Line_Internet_Protocol


                          Derelict LAYER 8 Netgate

                          Yeah. Block bogons and RFC1918 only affects connections coming into WAN with a SOURCE ADDRESS in those ranges. That should never happen with actual internet traffic and if it does you probably want it blocked anyway which is why that feature exists in the first place.

                          The only way that might happen is connections from the ISP device itself, unless the firewall is inside your private network for whatever reason, in which case you want to disable that feature.


                            A Former User

                            If I sent out an echo request, most likely I would need an echo reply to pass in, isn't it?
                            The question is: how can automatically generated outbound NAT help me with this?

                            P.S.
                            Or maybe there is a hidden set of rules that comes into play
                            (not visible from our side of the fence...)?

                              NollipfSense

                              I have been struggling with this ICMP. I know it is harmless traffic, mostly router gossip; however, I cannot stand it tapping on my WAN door ... so I drop them.

                              pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                              pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                                Gertjan @NollipfSense

                                @nollipfsense said in Should I Unblock ICMP on the WAN?:

                                I cannot stand it tapping on my WAN door ... so I drop them.

                                It's still tapping then, it's still there.
                                Dropping just means you spend a minimum of CPU cycles on it: "pfSense" doesn't react == send something back - on its arrival.

                                No "help me" PM's please. Use the forum, the community will thank you.
                                Edit : and where are the logs ??

                                  JKnott @NollipfSense

                                  @nollipfsense said in Should I Unblock ICMP on the WAN?:

                                  I have been struggling with this ICMP. I know it is harmless traffic, mostly router gossip; however, I cannot stand it tapping on my WAN door ... so I drop them.

                                  If you're running IPv6, you have to allow some in.


                                    slimypizza @tagit446

                                    @tagit446
                                    I wrote a heartbeat function on my externally hosted site that will ping my pfSense router every few minutes through the WAN. If my router doesn't respond then I get notified. So I have a rule that only allows ICMP (any) from the block of IPs that my web host uses to ping me. Otherwise all other ICMP is blocked and I have not noticed any issues. I'm only using IPv4.

                                      AKEGEC @tagit446

                                      @tagit446 Some ICMP types are dangerous. But some are needed, like:

                                      • 3 Destination Unreachable
                                      • 8 ICMP Echo Request (Ping)
                                      • 11 Time Exceeded
                                      • 12 Parameter Problem

                                      But the authors of the pfSense book advise you to allow any ICMP type. That is a NO NO!
                                      If you don't need it, then just block it.

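The following is an added example, not code from the thread or from pfSense. It takes the allow-list AKEGEC gives above (types 3, 8, 11, 12) as the WAN policy for inbound ICMPv4, validates each message's checksum, and, for the "fragmentation needed" error (type 3, code 4), pulls out the next-hop MTU that the Path MTU discovery discussion earlier in the thread depends on. The sample packets are constructed inline; the allow-list and packet values are assumptions for the example.

```python
import struct

# ICMPv4 types the replies above say a WAN rule should still admit (AKEGEC's
# list); anything else is dropped. This allow-list is an assumption for the example.
ALLOWED_TYPES = {3: "destination-unreachable", 8: "echo-request",
                 11: "time-exceeded", 12: "parameter-problem"}
FRAG_NEEDED_CODE = 4  # type 3 / code 4: "fragmentation needed and DF set"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def classify_icmp(msg: bytes) -> dict:
    """Verdict for one inbound ICMPv4 message under the narrowed rule.
    For type 3 / code 4 it also returns the next-hop MTU (header bytes 6-7,
    RFC 1191), which the sending host needs to complete Path MTU discovery."""
    if len(msg) < 8:
        return {"verdict": "drop", "reason": "truncated header"}
    itype, code = msg[0], msg[1]
    if icmp_checksum(msg) != 0:  # a valid message's checksum folds to zero
        return {"type": itype, "code": code, "verdict": "drop", "reason": "bad checksum"}
    result = {"type": itype, "code": code,
              "verdict": "pass" if itype in ALLOWED_TYPES else "drop"}
    if itype == 3 and code == FRAG_NEEDED_CODE:
        result["next_hop_mtu"] = struct.unpack("!H", msg[6:8])[0]
    return result


def build_icmp(itype: int, code: int, rest: bytes, payload: bytes) -> bytes:
    """Assemble an ICMP message with a correct checksum (for constructed samples)."""
    body = struct.pack("!BBH", itype, code, 0) + rest + payload
    return struct.pack("!BBH", itype, code, icmp_checksum(body)) + rest + payload


# Constructed samples: a "fragmentation needed, MTU 1400" error (the PMTUD
# case), a ping, and a redirect (type 5), which the narrowed rule rejects.
FRAG_NEEDED = build_icmp(3, 4, struct.pack("!HH", 0, 1400), b"\x45" * 28)
ECHO_REQUEST = build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"abcdefgh")
REDIRECT = build_icmp(5, 1, bytes([10, 0, 0, 1]), b"\x45" * 28)
```

Blocking type 3 wholesale would drop the first sample along with its MTU value, which is exactly the PMTUD failure the linked MTU article describes.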
                                        NollipfSense @Gertjan

                                        @gertjan said in Should I Unblock ICMP on the WAN?:

                                        @nollipfsense said in Should I Unblock ICMP on the WAN?:

                                        I cannot stand it tapping on my WAN door ... so I drop them.

                                        It's still tapping then, it's still there.
                                        Dropping just means you spend a minimal of CPU cycles on it: "pfSense" doesn't react == send something back - on its arrival.

                                        Suricata drops them and doesn't notify me anymore ... not dropped at the firewall.


                                          NollipfSense @JKnott

                                          @jknott said in Should I Unblock ICMP on the WAN?:

                                          @nollipfsense said in Should I Unblock ICMP on the WAN?:

                                          I have been struggling with this ICMP. I know it is harmless traffic, mostly router gossip; however, I cannot stand it tapping on my WAN door ... so I drop them.

                                          If you're running IPv6, you have to allow some in.

                                          No, that's the thing ... I need to get over my IPv6 shyness.


                                            JKnott @NollipfSense

                                            @nollipfsense

                                            Does your ISP provide it? If not, you can get it via tunnel from he.net.


                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.