Setting the right firewall rules for allowing Ping



  • Hi Guys.
    Just trying to set up my new XG-7100-1U, but having some issues regarding ping.
    My Setup
    ADMIN LAN - 172.16.10.1/24
    Private DMZ - 172.16.20.1/24
    Public DMZ - 192.168.19.1/24
    LAN - 172.16.250.1/24

    I have internet access on all my LANs and can browse the internet, but I'm not able to ping anything.
    I've added a floating rule -
    Action : PASS
    Interface WAN <-- should this be all Interfaces ?
    IPv4
    ICMP
    ANY
    Source ANY
    Destination ANY

    But when I try to ping a public host from my internal networks, I'm getting the message "Destination not available" and no answers. But all local machines are answering ping, so it looks like the firewall rules should be the issue.
    RULES
    So right now I can access the internet, but cannot ping any hosts in the public area, and I cannot see why I can't do this. I have looked in this topic and seen others with the same problems, but not with the same setup as I have, and I haven't found any solution for this.



  • @Udbytossen said in Setting the right firewall rules for allowing Ping:

    WAN <--

    Hi @Udbytossen,
    your firewall rule allows public hosts to ping hosts on the internal network. I think you want the other way around. For this to work, you need a firewall rule on an internal device. For example, on the LAN device, to send pings from the LAN network to the public network.



  • The default firewall rule on LAN will handle ICMP just fine, as it is set up to 'include all protocols'.
    For other LAN-type interfaces: add the same pass-all rule, or be more specific and choose one or more ICMP sub-types.

    Stay away from WAN or Floating rules.
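A small added model (not code from the thread, the forum members, or pfSense itself) of the point the two replies above make: pfSense evaluates a rule set on the interface where traffic enters the firewall, so a rule bound to WAN decides what the internet may send in, while a rule on LAN or ADMIN decides what a host on that segment may send out. The evaluator is a deliberately simplified, hypothetical model (floating rules first, first match wins, implicit default deny, NAT ignored); the `Rule` and `Packet` classes, rule names and addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical, simplified model of pfSense rule evaluation: floating rules first,
# then the rule set of the interface the packet ENTERS on, first match wins, and
# anything unmatched is dropped by the implicit default deny. NAT is ignored.


@dataclass(frozen=True)
class Rule:
    name: str
    interface: str   # "LAN", "ADMIN", "WAN", ... or "*" for a floating rule on every interface
    floating: bool
    proto: str       # "icmp", "tcp", "udp" or "any"
    src: str         # CIDR or "any"
    dst: str         # CIDR or "any"
    action: str = "pass"


@dataclass(frozen=True)
class Packet:
    ingress_if: str  # interface on which the firewall first sees the packet
    proto: str
    src: str
    dst: str


def _addr_matches(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    # A rule only sees traffic arriving on the interface it is bound to.
    if rule.interface not in ("*", pkt.ingress_if):
        return False
    if rule.proto not in ("any", pkt.proto):
        return False
    return _addr_matches(rule.src, pkt.src) and _addr_matches(rule.dst, pkt.dst)


def evaluate(rules, pkt):
    """Return (action, rule_name); rule_name is None when the default deny applies."""
    ordered = [r for r in rules if r.floating] + [r for r in rules if not r.floating]
    for r in ordered:
        if rule_matches(r, pkt):
            return r.action, r.name
    return "block", None


# Constructed rules: the floating ICMP-on-WAN rule from the first post, and a
# LAN rule shaped like pfSense's default "allow LAN to any" rule.
LAN_NET = "172.16.250.0/24"
FLOATING_WAN_ICMP = Rule("floating ICMP on WAN", "WAN", True, "icmp", "any", "any")
LAN_ALLOW_ALL = Rule("Default allow LAN to any", "LAN", False, "any", LAN_NET, "any")

# Constructed packets: a LAN host pinging out, and a public host pinging in.
PING_OUT = Packet("LAN", "icmp", "172.16.250.10", "8.8.8.8")
PING_IN = Packet("WAN", "icmp", "203.0.113.5", "172.16.250.10")


def scenario_floating_only():
    """Only the WAN-bound floating rule exists: outbound ping is dropped, inbound is passed."""
    return evaluate([FLOATING_WAN_ICMP], PING_OUT), evaluate([FLOATING_WAN_ICMP], PING_IN)


def scenario_lan_rule():
    """Only the LAN pass rule exists: outbound ping is passed, inbound ping is dropped."""
    return evaluate([LAN_ALLOW_ALL], PING_OUT), evaluate([LAN_ALLOW_ALL], PING_IN)


if __name__ == "__main__":
    print("floating WAN rule only:", scenario_floating_only())
    print("LAN rule only:         ", scenario_lan_rule())
```

The first scenario is the situation the original poster described: the WAN-bound floating rule never sees the echo request leaving the LAN, but it does open the firewall to echo requests arriving from outside. The second scenario is what the replies recommend.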



  • Hi Guys, thanks for the answer.
    I have now deleted all rules regarding ICMP on Floating and WAN.

    On my ADMIN interface I've created this rule:
    https://ibb.co/QbF09RQ
    But when trying to ping from a host in the ADMIN Zone - I'm still getting this error :
    https://ibb.co/M2QqMnq destination host unreachable

    I'm only starting with getting the ADMIN interface to ping public hosts, and from there I can add the rules for the other interfaces.
    But as I see it, here is my total rule set for the ADMIN interface, so I do not get why I can't ping but can do anything else:
    https://ibb.co/P9x56H0

    So hopefully we can make this work - and you are able to see my error somewhere


  • Galactic Empire

    Try killing the firewall states.

    Looking at the current rules, even if you didn't have the ICMP rule it should hit the very last rule.

    Also, don't use ADMIN net; use ADMIN address or This Firewall when you're referring to the firewall itself.



  • I changed the Admin Net to Admin Address ( Couldn't choose this firewall )
    Then I do not get a reply at all https://ibb.co/ZWfR0Pb

    My guess would be that the final rule would allow this ICMP, but I do not get a reply from anywhere other than internal.

    My zones are now looking like this (still only trying to be able to ping public hosts from the ADMIN zone):
    Floating Rules: https://ibb.co/7NRwbH6
    Wan https://ibb.co/dB56BCZ
    admin: https://ibb.co/8XR7Rnn

    I'm using the DNS resolver, don't know if this has any impact. I just do not get why I can ping anything outside the firewall.


  • Galactic Empire

    Do a packet capture on the ADMIN interface, filter on ICMP.

    Is it hitting the firewall?



  • Well the packet capture looks like this when pinging google and other hosts:

    11:23:51.443171 IP 172.16.10.11 > 172.217.17.35: ICMP echo request, id 32535, seq 1100, length 64
    11:23:51.945692 IP 172.16.10.11 > 172.217.168.195: ICMP echo request, id 10010, seq 7, length 64
    11:23:52.505265 IP 172.16.10.11 > 172.217.168.227: ICMP echo request, id 20248, seq 834, length 64
    11:23:52.505406 IP 172.16.10.11 > 172.217.17.35: ICMP echo request, id 32535, seq 1101, length 64
    11:23:52.505489 IP 172.16.10.11 > 5.103.139.219: ICMP echo request, id 535, seq 1273, length 64
    

    Where 172.16.10.11 is my FreeNAS that I'm trying to ping from.


  • Galactic Empire

    You're not getting any echo reply packets.

    10:27:39.161782 IP 172.16.2.20 > 8.8.8.8: ICMP echo request, id 9732, seq 0, length 64
    10:27:39.169946 IP 8.8.8.8 > 172.16.2.20: ICMP echo reply, id 9732, seq 0, length 64
    10:27:40.166007 IP 172.16.2.20 > 8.8.8.8: ICMP echo request, id 9732, seq 1, length 64
    10:27:40.174158 IP 8.8.8.8 > 172.16.2.20: ICMP echo reply, id 9732, seq 1, length 64
    10:27:41.165764 IP 172.16.2.20 > 8.8.8.8: ICMP echo request, id 9732, seq 2, length 64
    10:27:41.173831 IP 8.8.8.8 > 172.16.2.20: ICMP echo reply, id 9732, seq 2, length 64
    10:27:42.166986 IP 172.16.2.20 > 8.8.8.8: ICMP echo request, id 9732, seq 3, length 64
    10:27:42.174966 IP 8.8.8.8 > 172.16.2.20: ICMP echo reply, id 9732, seq 3, length 64
    10:27:43.167346 IP 172.16.2.20 > 8.8.8.8: ICMP echo request, id 9732, seq 4, length 64
    10:27:43.175442 IP 8.8.8.8 > 172.16.2.20: ICMP echo reply, id 9732, seq 4, length 64

    Also try a packet capture on the WAN interface.
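The diagnosis above rests on reading the capture: every `echo request` should be followed by an `echo reply` with the same id and seq. As an added example (not from the thread or from pfSense), here is a small Python parser for the tcpdump-style lines shown in the two captures that pairs requests with replies, measures round-trip time for answered ones, and lists the flows that never got an answer. The sample capture is constructed (it mixes an answered flow like the one in the reply above with unanswered flows like the ones the original poster saw); the function names and the `SAMPLE_CAPTURE` text are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample capture in the tcpdump text format shown in the thread: one host
# gets replies, two other flows send requests that are never answered. Not a real capture.
SAMPLE_CAPTURE = """\
10:27:39.161782 IP 172.16.2.20 > 8.8.8.8: ICMP echo request, id 9732, seq 0, length 64
10:27:39.169946 IP 8.8.8.8 > 172.16.2.20: ICMP echo reply, id 9732, seq 0, length 64
10:27:40.166007 IP 172.16.2.20 > 8.8.8.8: ICMP echo request, id 9732, seq 1, length 64
10:27:40.174158 IP 8.8.8.8 > 172.16.2.20: ICMP echo reply, id 9732, seq 1, length 64
11:23:51.443171 IP 172.16.10.11 > 172.217.17.35: ICMP echo request, id 32535, seq 1100, length 64
11:23:52.505406 IP 172.16.10.11 > 172.217.17.35: ICMP echo request, id 32535, seq 1101, length 64
11:23:52.505489 IP 172.16.10.11 > 5.103.139.219: ICMP echo request, id 535, seq 1273, length 64
"""

# One tcpdump line for an ICMP echo request or reply; anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)


def _ts_seconds(ts):
    """Convert HH:MM:SS.ffffff into seconds since midnight (captures here never cross midnight)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Return a dict for an ICMP echo line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = _ts_seconds(d["ts"])
    d["id"] = int(d["id"])
    d["seq"] = int(d["seq"])
    return d


def analyse(capture_text):
    """Pair echo requests with replies; key = (local host, remote host, icmp id)."""
    flows = defaultdict(lambda: {"sent": 0, "answered": 0, "rtt_ms": []})
    pending = {}  # (flow key, seq) -> timestamp of the request still awaiting a reply
    for line in capture_text.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        if p["kind"] == "request":
            key = (p["src"], p["dst"], p["id"])
            flows[key]["sent"] += 1
            pending[(key, p["seq"])] = p["ts"]
        else:
            key = (p["dst"], p["src"], p["id"])  # a reply travels remote -> local
            sent_at = pending.pop((key, p["seq"]), None)
            if sent_at is not None:
                flows[key]["answered"] += 1
                flows[key]["rtt_ms"].append(round((p["ts"] - sent_at) * 1000, 3))
    return dict(flows)


def unanswered_flows(capture_text):
    """Flows in which at least one echo request never received a matching reply."""
    return sorted(k for k, v in analyse(capture_text).items() if v["answered"] < v["sent"])


if __name__ == "__main__":
    for key, stats in analyse(SAMPLE_CAPTURE).items():
        print(key, stats)
    print("no reply:", unanswered_flows(SAMPLE_CAPTURE))
```

Run against a capture taken on the internal interface, an unanswered flow means the reply never made it back through the firewall; the same tool run on a WAN capture then tells you whether the request left the firewall at all (and with which source address), which is the next step the reply above suggests.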



  • Please check if your outbound NAT is set to automatic. You can find the settings under "Firewall" --> "NAT" --> "Outbound".
    This should be on automatic, if not, you have to create a rule for your networks.



  • OK
    What to do to get these replies in?
    I cannot see where my mistake is, so that's the reason why?
    If I don't get any reply, is this a configuration error of the Zone Rules or DNS?
    Is this a rule I need to add to the WAN interface, that it should allow ICMP responses?

    Normally my understanding is that it will allow response traffic.

    My Outbound NAT looks like this:
    https://ibb.co/p3Cpp7B

    From my ISP I have a /29 subnet with public IPs, so hopefully I set this up correctly.

