Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    disappearing pings

    Scheduled Pinned Locked Moved Firewalling
    19 Posts 3 Posters 1.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      DmD6tx
      last edited by

      Hello,

      I have icmp echo requests arriving at my external interface which i believe should be making it through my firewall but are not. It seems that some remote ip addresses simultaneously get responses while others do not. My first firewall rule on this interface is allow icmp from anywhere but I can see the ignored packets with a promiscuous capture.

      I upgraded to 2.5.0 on Tuesday and first experience this issue wednesday and then again today. The specific affected addresses on wednesday eventually resolved and now get responses. I am not seeing any errors on the interface. I tried reloading the filter table and the issue persists after that. I would be grateful for any advice or assistance.

      S 1 Reply Last reply Reply Quote 0
      • S
        Stewart @DmD6tx
        last edited by

        @dmd6tx If you can see the blocks in the firewall log, does it say what rule is blocking them if you click on the red X?

        johnpozJ 1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator @Stewart
          last edited by

          Guess would be floating rule - say a geoip/list rule via something like pfblocker.

          Or could be bogon rule on the wan? Or are you running IPS?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          1 Reply Last reply Reply Quote 0
          • D
            DmD6tx
            last edited by

            I'm Not running IPS or pfblocker.

            No floating rules are in place.

            I do have the bogon rule in place but at one point I disabled it, reloaded rules and was still having unanswered pings

            Are the firewall rules evaluated in order, and do they not short circuit further evaluation (outside of the match action on floating rules) ?

            In this case my first rule on the WAN interface is accept any ICMP from any source to WAN address, is it possible for subsequent rules to have an effect in this case?

            Thanks!

            johnpozJ 1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator @DmD6tx
              last edited by johnpoz

              @dmd6tx said in disappearing pings:

              is it possible for subsequent rules to have an effect in this case?

              No... So your saying pings are not being answered - but the blocks are not being logged either?

              Please post up the sniff of this traffic your saying is not being answered, but not logged.

              Could you post up this rule please... For example here is mine..

              wan.png

              Notice I icmp allowed there on the top.. have never seen anything that couldn't ping my wan..

              And I have a couple different external monitoring sites pinging me - that ping from different source IPs all the time. .from all over status cake and uptime robot. That I get alerted on if don't answer

              pingtest.png

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              D 1 Reply Last reply Reply Quote 0
              • D
                DmD6tx @johnpoz
                last edited by

                @johnpoz

                This has been intermittent for me, I have 4 specific remote IP addresses over a couple of days where i was able to verify that they could not ping and that the pings were getting to me but in each case the issue resolved after a couple of hours. I dd not think to check the firewall logs at the time. I'm going to enable logging for pass as well just to clarify what is going on if this crops up again. I also use uptime robot and it did not go down through this time last week, it was only a few discrete addresses that seemed to be impacted.

                I'll come back with those screen shots in a bit.

                Thanks!

                johnpozJ 1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @DmD6tx
                  last edited by

                  Was the ips from some known tool like status cake or uptime robot?

                  You sure it was a echo req, maybe it was some sort of other icmp packet? But if the packet didn't meet your rule parameters for some reason. Then it should of been logged by the default block rule.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  D 1 Reply Last reply Reply Quote 0
                  • D
                    DmD6tx @johnpoz
                    last edited by DmD6tx

                    @johnpoz

                    this was from manual invocation of ping utility on windows or debian terminal.

                    Sadly I'm not retaining logs long enough to look back to last week, but I'm going to go up the log size / log rotation settings.

                    Here is the top of my current WAN rules:

                    48d98f3a-8d19-4b29-ac82-857fb544453e-image.png

                    johnpozJ 1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator @DmD6tx
                      last edited by

                      Well can you duplicate with your remote host pinging, while you do a sniff? And then look at the logs right away?

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      D 1 Reply Last reply Reply Quote 0
                      • D
                        DmD6tx @johnpoz
                        last edited by

                        @johnpoz

                        I can't always duplicate this issue on demand but it did crop up this morning again so I was able to dig in a little bit.

                        Yes the packets are getting logged as blocked, here is a line from the filter log:

                        Mar 16 13:19:15 <name> filterlog[13681]: 22,,,1000000400,em0,match,block,in,4,0x48,,53,53753,0,none,1,icmp,84,<remote ip> ,<my ip> ,request,27751,26164

                        Is 1000000400 the default deny rule?

                        Here is a packet capture from the same approximate time:

                        600f1b36-78e0-4ada-97fa-81cb0728ab20-image.png

                        S 1 Reply Last reply Reply Quote 0
                        • S
                          Stewart @DmD6tx
                          last edited by

                          @dmd6tx Default Deny for me shows:

                          The rule that triggered this action is:
                          
                          @5(1000000103) block drop in log inet all label "Default deny rule IPv4"
                          
                          D 1 Reply Last reply Reply Quote 0
                          • D
                            DmD6tx @Stewart
                            last edited by

                            @stewart

                            Oh I see how to get that description from the gui by hovering

                            here is the explanation for my drop:

                            344be51a-e893-4b04-b25b-71447355db03-image.png

                            A quick google search seems to indicate that this is associated with rate limits and I do have rate limits enforced on a different port for all of the effected IP addresses...

                            S 1 Reply Last reply Reply Quote 0
                            • S
                              Stewart @DmD6tx
                              last edited by

                              @dmd6tx said in disappearing pings:

                              @stewart

                              Oh I see how to get that description from the gui by hovering

                              here is the explanation for my drop:

                              344be51a-e893-4b04-b25b-71447355db03-image.png

                              A quick google search seems to indicate that this is associated with rate limits and I do have rate limits enforced on a different port for all of the effected IP addresses...

                              I think that'll give you the direction you're looking for. Rate limits or maybe AV set up in Squidguard. I think that's the only place that has virusprotection included since your logs show "virusprot". Unless that's what you call your rate limit. I'm not sure since I've never used rate limiters.

                              D 1 Reply Last reply Reply Quote 0
                              • D
                                DmD6tx @Stewart
                                last edited by

                                @stewart

                                I'm not using squidguard right now but I am using max-src-conn-rate and max-src-conn-rates in a differernt rule for each of the addresses I've had this problem with. It did not occur to me that the rate limiting would apply to all communication from the source. even if this is the case though it seems like maybe the block is lasting longer than I have configured in max-src-conn-rates. I will have to look closer in that. And maybe I can use this to trigger the issue now anyway. Thanks!

                                1 Reply Last reply Reply Quote 0
                                • D
                                  DmD6tx
                                  last edited by DmD6tx

                                  Ok so I set up a test, verified that I can ping my WAN ip from outside then triggered a max-src-conn block from the same ip on another port. After that I cannot ping.

                                  The disturbing part is that the block is not expiring on schedule. max-src-conn-rates is 30 seconds but Traffic to the original port and icmp is still blocked over half an hour later. I went away and had lunch in the meanwhile in case prodding it extends the block. Does anyone have ideas on where to go troubleshooting this?

                                  Thanks!

                                  1 Reply Last reply Reply Quote 0
                                  • D
                                    DmD6tx
                                    last edited by

                                    This post is deleted!
                                    1 Reply Last reply Reply Quote 0
                                    • D
                                      DmD6tx
                                      last edited by

                                      OK after reading around some more, I see that I didn't realize the full implications of the options I am using here.

                                      I see that I can manually delete this affected IP from diagnostics => tables => virusprot and that the rules there are supposed to persist for an hour.

                                      I see there is an open feature request from 2011 for more control around this functionality but I take it that that is not going to happen.

                                      Thanks for helping me work through this.

                                      Is there any supported method to limit the rate of new connections without hour long global blocks for users who exceed the threshold?

                                      johnpozJ 1 Reply Last reply Reply Quote 0
                                      • johnpozJ
                                        johnpoz LAYER 8 Global Moderator @DmD6tx
                                        last edited by johnpoz

                                        off the top of my head no - I have never had need to play with any of the rate limiting stuff.

                                        If was going to block some IP - it would be a perm block ;)

                                        The only thing I could see it might being something I would look into would be the ntp I provide to the pool.. But have never seen anything really do anything that would require me to rate limit someone, etc. The amount of ntp traffic is low..

                                        ntp.png

                                        compared to my plex

                                        plex.png

                                        But I would take it as a win that you figured out what was going on...

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                                        D 1 Reply Last reply Reply Quote 0
                                        • D
                                          DmD6tx @johnpoz
                                          last edited by

                                          @johnpoz said in disappearing pings:

                                          I would take it as a win that you figured out what was going on...

                                          Yes, thanks to you and Stewart to pointing me in the right direction. I certainly learned some useful things along the way too.

                                          I do have to say that this virusprot arrangement feels like a violation of the law of least surprise. I see now that it is documented but I guess I thought i understood rate limiting well enough to skip the fine print. Oh well.

                                          1 Reply Last reply Reply Quote 0
                                          • First post
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.