    pfSense not acting as stateful firewall for ICMP

Firewalling
6 Posts, 3 Posters, 327 Views
mrnb

Version with problem: 24.03-RELEASE (amd64)

Prior to upgrading (whatever the last version was), this issue did not exist.

Our Zabbix server is unable to ping only one specific subnet's IP addresses.

The pings are sourced from 10.9.0.23 and are allowed by this firewall rule:

[screenshot: ICMP Allow.png]

However, the firewall logs show the ICMP as sourced from the destination instead, and it is being blocked:

[screenshot: icmp blocked.png]

I tried rebooting pfSense and the issue is still happening.

T2M5

Hi mrnb, can you share the firewall logs so we can help you? Run a ping from your Zabbix server and go to:

Status > System Logs

[screenshot]

Firewall > Normal View

[screenshot]

Page down to the latest log entries and check whether a pfSense rule is blocking your pings. You can quickly allow it by clicking "+" and adding a rule for what was specifically blocked before, for example:

[screenshot]

[screenshot]

Afterwards you can rename the rule or change something under Firewall > Rules. I think that will help you with your problem.

mrnb @T2M5

          @T2M5

          Hello, thank you for getting back to me.

The rule that is suggested is this:

[screenshot]

That's all well and good, but the SOURCE is NOT 10.10.1.14. Why would I have to create additional firewall rules to allow ICMP from both directions if the router is supposed to be stateful?

Once I initiate an ICMP request from the SOURCE, the traffic should be allowed to come back automatically.

I am confused as to why this is happening just to this specific subnet and no others.

We have over a dozen VLANs and our Zabbix server initiates ICMP pings to all of them. This is the only one with the issue.

In any case, I did as you suggested:

[screenshot]

The issue is still happening.

[screenshot]

However, if I change Echo request to ICMP ANY, the issue is resolved.

[screenshot]

          Unfortunately, as I mentioned before, I cannot understand how this is necessary to do.

          Is there anything else you can think of that might be causing this issue?

T2M5 @mrnb

@mrnb Well, I have already had this problem with ICMP echo reply several times; every time I have needed to set "ICMP ANY" for it to be resolved. Honestly, I don't know why; maybe another forum friend can give a better reply.

About how the rules are applied: pfSense is a stateful firewall, so all rules are applied on the originating interface. Something I generally think about before creating a rule is where the traffic is created and on which interface; with this in mind I create the rules on the interface where the traffic first arrives at the firewall.

The easy rule that you created generally resolves part of the problem. Because it is very specific, it is quite probable that you need to change the source and/or destination address to the network instead of the IP address.

And if the traffic passes the rule, then it will return without being blocked.

I hope I've helped.

Bob.Dig @mrnb

              @mrnb said in pfSense not acting as stateful firewall for ICMP:

              Prior to upgrading (whatever the last version was), this issue did not exist.

With this version something was changed: pfSense is more strict now and doesn't allow for asymmetric routing by default. You can change this in the settings back to the old behavior. Or you can fix your asymmetric routing.

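The mechanism behind Bob.Dig's answer, as an added illustration that is not part of the thread and not Netgate's configuration: pf's state-policy setting decides whether a state created by the outbound echo request can match the echo reply when that reply enters on a different interface. The interface names (vlan9, vlan10, vlan11), the 10.10.1.0/24 subnet and the final block rule are assumptions made for this example; the addresses 10.9.0.23 and 10.10.1.14 are the ones from the thread.

```pf
# Added example in pf.conf(5) syntax, not taken from the thread or from pfSense.
# Assumed topology: Zabbix server 10.9.0.23 on vlan9; monitored subnet
# 10.10.1.0/24 on vlan10; in the asymmetric case the echo replies from
# 10.10.1.14 come back into the firewall on vlan11 instead of vlan10.

# pfSense Plus 24.03 default: interface-bound states. The state created on
# vlan9 by the echo request is consulted only for packets on vlan9, so an
# echo reply entering on vlan11 matches no state, falls through to the vlan11
# ruleset and is logged as a block "from" 10.10.1.14, as in the first post.
set state-policy if-bound

# Pre-24.03 behaviour: floating states match the reply on any interface, so
# asymmetric return paths are accepted silently. Swapping the two lines is
# the "back to the old behavior" option from the answer above.
# set state-policy floating

# The original rule: echo requests only, stateful. Under if-bound it does
# everything it should on vlan9; the problem is the reply arriving elsewhere.
# pass in quick on vlan9 inet proto icmp from 10.9.0.23 to 10.10.1.0/24 \
#     icmp-type echoreq keep state

# Surgical alternative: keep the strict global default but let this one rule
# create floating states, so its echo replies are matched on whichever
# interface they enter.
pass in quick on vlan9 inet proto icmp from 10.9.0.23 to 10.10.1.0/24 \
    icmp-type echoreq keep state (floating)

# Why "ICMP any" on the other side made the symptom go away: this rule lets
# the stray echo reply itself create a new state on vlan11. An echoreq-only
# rule there can never match, because the reply is an echo reply, not an
# echo request. It hides the asymmetric route instead of fixing it.
pass in quick on vlan11 inet proto icmp from 10.10.1.0/24 to 10.9.0.23 \
    keep state

# Assumed catch-all so that unmatched replies show up in the log.
block in log all
```

To see which policy a live state is using, `pfctl -ss` prints `all` as the interface for a floating state and the interface name for an interface-bound one. In the pfSense GUI the global setting is under System > Advanced > Firewall & NAT (State Policy), and the per-rule override is in the rule's Advanced Options; the less convenient but more correct fix is to route the 10.10.1.0/24 replies back through the same interface the requests left on.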
mrnb @Bob.Dig

                @Bob-Dig

                That's what it was, thank you.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.