    Setting the right firewall rules for allowing Ping

    Firewalling
    • Udbytossen last edited by

      Hi Guys.
      Just trying to set up my new XG-7100-1U, but having some issues regarding ping.
      My setup:
      ADMIN LAN - 172.16.10.1/24
      Private DMZ - 172.16.20.1/24
      Public DMZ - 192.168.19.1/24
      LAN - 172.16.250.1/24

      I have internet access on all my LANs and can browse the internet, but I'm not able to ping anything.
      I've added a floating rule:
      Action : PASS
      Interface WAN <-- should this be all Interfaces ?
      IPv4
      ICMP
      ANY
      Source ANY
      Destination ANY

      But when I try to ping a public host from my internal networks, I'm getting the message "Destination not available" and no answers, but all local machines are answering ping, so it looks like the firewall rules should be the issue.
      RULES
      So right now I can access the internet, but cannot ping any hosts in the public area, and I cannot see why I can't do this. I have looked in this topic and seen others with the same problems, but not with the same setup as I have, and I haven't found any solution for this.

      • Crysion last edited by

        @Udbytossen said in Setting the right firewall rules for allowing Ping:

        > WAN <--

        Hi @Udbytossen,
        your firewall rule allows public hosts to ping hosts on the internal network. I think you want the other way around. For this to work, you need a firewall rule on an internal device, for example on the LAN device, to send pings from the LAN network to the public network.

        • Gertjan last edited by

          The default firewall rule on LAN will handle ICMP just fine, as it is set up to 'include all protocols'.
          For other LAN-type interfaces: add the same pass-all rule, or be more specific and choose one or more ICMP subtypes.

          Stay away from WAN or Floating rules.

          No "help me" PM's please. Use the forum.

          • Udbytossen last edited by

            Hi Guys, thanks for the answer.
            I have now deleted all rules regarding ICMP on Floating and WAN.

            On my ADMIN interface I've created this rule:
            https://ibb.co/QbF09RQ
            But when trying to ping from a host in the ADMIN zone, I'm still getting this error:
            https://ibb.co/M2QqMnq destination host unreachable

            I'm only starting with getting the ADMIN interface to ping public hosts, and from there I can add the rules for the other interfaces.
            But here is my total rule set for the ADMIN interface as I see it, so I do not get why I can't ping but can do anything else:
            https://ibb.co/P9x56H0

            So hopefully we can make this work and you are able to see my error somewhere.

            • NogBadTheBad last edited by NogBadTheBad

              Try killing the firewall states.

              Looking at the current rules, even if you didn't have the ICMP rule it should hit the very last rule.

              Also, don't use ADMIN net; use ADMIN address or This Firewall when you're referring to the firewall itself.

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              • Udbytossen last edited by

                I changed the Admin Net to Admin Address (couldn't choose This Firewall).
                Then I do not get a reply at all: https://ibb.co/ZWfR0Pb

                My guess would be that the final rule would allow this ICMP, but I do not get a reply from anywhere other than internal.

                My zones are now looking like this (still only trying to be able to ping public hosts from the ADMIN zone):
                Floating Rules: https://ibb.co/7NRwbH6
                Wan https://ibb.co/dB56BCZ
                admin: https://ibb.co/8XR7Rnn

                I'm using the DNS resolver; I don't know if this has any impact. I just do not get why I can ping anything outside the firewall.

                • NogBadTheBad last edited by NogBadTheBad

                  Do a packet capture on the ADMIN interface, filter on ICMP.

                  Is it hitting the firewall?

                  Andy

                  1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                  • Udbytossen last edited by

                    Well, the packet capture looks like this when pinging Google and other hosts:

                    11:23:51.443171 IP 172.16.10.11 > 172.217.17.35: ICMP echo request, id 32535, seq 1100, length 64
                    11:23:51.945692 IP 172.16.10.11 > 172.217.168.195: ICMP echo request, id 10010, seq 7, length 64
                    11:23:52.505265 IP 172.16.10.11 > 172.217.168.227: ICMP echo request, id 20248, seq 834, length 64
                    11:23:52.505406 IP 172.16.10.11 > 172.217.17.35: ICMP echo request, id 32535, seq 1101, length 64
                    11:23:52.505489 IP 172.16.10.11 > 5.103.139.219: ICMP echo request, id 535, seq 1273, length 64

                    where 172.16.10.11 is my FreeNAS that I'm trying to ping from.

                    • NogBadTheBad last edited by NogBadTheBad

                      You're not getting any echo reply packets.

                      10:27:39.161782 IP 172.16.2.20 > 8.8.8.8: ICMP echo request, id 9732, seq 0, length 64
                      10:27:39.169946 IP 8.8.8.8 > 172.16.2.20: ICMP echo reply, id 9732, seq 0, length 64
                      10:27:40.166007 IP 172.16.2.20 > 8.8.8.8: ICMP echo request, id 9732, seq 1, length 64
                      10:27:40.174158 IP 8.8.8.8 > 172.16.2.20: ICMP echo reply, id 9732, seq 1, length 64
                      10:27:41.165764 IP 172.16.2.20 > 8.8.8.8: ICMP echo request, id 9732, seq 2, length 64
                      10:27:41.173831 IP 8.8.8.8 > 172.16.2.20: ICMP echo reply, id 9732, seq 2, length 64
                      10:27:42.166986 IP 172.16.2.20 > 8.8.8.8: ICMP echo request, id 9732, seq 3, length 64
                      10:27:42.174966 IP 8.8.8.8 > 172.16.2.20: ICMP echo reply, id 9732, seq 3, length 64
                      10:27:43.167346 IP 172.16.2.20 > 8.8.8.8: ICMP echo request, id 9732, seq 4, length 64
                      10:27:43.175442 IP 8.8.8.8 > 172.16.2.20: ICMP echo reply, id 9732, seq 4, length 64

                      Also try a packet capture on the WAN interface.

                      Andy

                      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                      • Crysion last edited by
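The check Andy is doing by eye above (requests going out, no echo replies coming back) can be done mechanically over a tcpdump-style capture such as the one pfSense's packet capture produces with an ICMP filter. This is an added example and not code from the thread or from pfSense; the sample lines are taken from the captures posted above, and the request/reply pairing on swapped addresses plus matching id and seq is the same pairing ping itself uses.

```python
"""Pair ICMP echo requests with their replies in tcpdump-style output.

Added example (not from the forum thread): report which echo requests in a
capture never received a reply, so a firewall/NAT problem shows up as a list
of unanswered (src, dst, id, seq) tuples instead of a wall of text.
"""
import re

# tcpdump ICMP line: "<ts> IP <src> > <dst>: ICMP echo <request|reply>, id <n>, seq <n>, length <n>"
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp(line):
    """Return the fields of an ICMP echo line as a dict, or None for other lines."""
    m = ICMP_RE.match(line.strip())
    return m.groupdict() if m else None


def unanswered_requests(lines):
    """Return (answered, unanswered) lists of (src, dst, id, seq) request keys."""
    requests = {}
    replies = set()
    for line in lines:
        p = parse_icmp(line)
        if p is None:
            continue  # non-ICMP or unparseable line, ignore
        key = (p["id"], p["seq"])
        if p["kind"] == "request":
            requests[(p["src"], p["dst"]) + key] = p["ts"]
        else:
            # A reply has src/dst swapped relative to its request; swap back to compare.
            replies.add((p["dst"], p["src"]) + key)
    answered = sorted(k for k in requests if k in replies)
    unanswered = sorted(k for k in requests if k not in replies)
    return answered, unanswered


# Sample lines copied from the captures in this thread: the 172.16.10.11 host
# gets no replies, the 172.16.2.20 host has a complete exchange.
SAMPLE_CAPTURE = """\
11:23:51.443171 IP 172.16.10.11 > 172.217.17.35: ICMP echo request, id 32535, seq 1100, length 64
11:23:52.505406 IP 172.16.10.11 > 172.217.17.35: ICMP echo request, id 32535, seq 1101, length 64
10:27:39.161782 IP 172.16.2.20 > 8.8.8.8: ICMP echo request, id 9732, seq 0, length 64
10:27:39.169946 IP 8.8.8.8 > 172.16.2.20: ICMP echo reply, id 9732, seq 0, length 64
""".splitlines()

if __name__ == "__main__":
    ok, missing = unanswered_requests(SAMPLE_CAPTURE)
    print(f"{len(ok)} answered, {len(missing)} unanswered")
    for src, dst, icmp_id, seq in missing:
        print(f"no reply: {src} -> {dst} id={icmp_id} seq={seq}")
```

Run the same function over a WAN-side capture as well: requests present on ADMIN but absent on WAN point at the rules, requests present on WAN with no replies point at NAT or the upstream.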

                        Please check if your outbound NAT is set to automatic. You can find the settings under "Firewall" --> "NAT" --> "Outbound".
                        This should be on automatic; if not, you have to create a rule for your networks.

                        • Udbytossen last edited by

                          OK.
                          What do I do to get these replies in?
                          I cannot see where my mistake is, so that's the reason why?
                          If I don't get any reply, is this a configuration error of the zone rules and DNS?
                          Is this a rule I need to add to the WAN interface, that it should allow ICMP responses?

                          Normally my understanding is that it will allow response traffic.

                          My outbound NAT looks like this:
                          https://ibb.co/p3Cpp7B

                          From my ISP I have a /29 subnet with public IPs, so hopefully I set this up correctly.
