Netgate Discussion Forum

Blocking ICMP doesn't work (in some cases) ?

    houseofdreams
    last edited by Apr 2, 2025, 9:03 PM

    Hi, simple situation:

    I have multiple VLANs; in 1 of them I have 2 servers. I want to block all ICMP traffic between these 2 servers, so I added the following firewall rule:

    Protocol: IPv4 ICMP(any)
    Source: SERVERS net
    Port: *
    Destination: any
    Port: *

    When I try pinging google.com for example, the rule works, it doesn't let me ping. But when I try pinging between the 2 servers in the same VLAN, it still just pings. This blocking rule is at the top of the rules list.

    What am I missing?

      viragomann @houseofdreams
      last edited by Apr 2, 2025, 9:11 PM

      @houseofdreams said in Blocking ICMP doesn't work (in some cases) ?:

      But when I try pinging between the 2 servers in the same vlan, it still just pings.

      This traffic doesn't pass the firewall as long as both are connected to different interfaces (bridged).

        houseofdreams @viragomann
        last edited by Apr 2, 2025, 9:18 PM

        @viragomann

        Both servers are VMs (ESXi), is there no way to get this working (or actually blocking)?

        So if pinging still works, I assume all other internal connections are also not blocked, no matter what firewall rules I have set?

          viragomann @houseofdreams
          last edited by Apr 2, 2025, 9:30 PM

          @houseofdreams
          If the network is virtualized just add an additional virtual network on ESXi and connect pfSense and one of the VMs to it.

          pfSense cannot block any traffic, which doesn't pass it.

            johnpoz LAYER 8 Global Moderator @houseofdreams
            last edited by Apr 2, 2025, 9:37 PM

            @houseofdreams as mentioned pfsense is not involved in communications between devices on the same network. Put them in different vlans, or you would have to do something on your esxi to keep them from talking.. I think vmware NSX can do what you would call a private vlan or micro-segmentation.. And keep them from talking.

            But there is nothing pfsense can do, unless the traffic goes across pfsense interfaces.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

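To make the point from the two answers above concrete (pfSense only filters packets that are actually routed through one of its interfaces), here is a small added model, not code from the thread or from pfSense: each host decides for itself whether a destination is on its own subnet; if it is, the packet is delivered at layer 2 over the switch and the gateway never sees it, so no rule can match it. Once one server is moved to a second VLAN with its own pfSense interface, the same ICMP block rule applies. All addresses, host names and rules are constructed for this example.

```python
"""Why a pfSense rule cannot block traffic between two hosts on one VLAN.

Added illustration, not the project's code. Hosts, addresses and rules
below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Host:
    name: str
    address: str   # interface address with prefix, e.g. "192.168.10.11/24"
    gateway: str   # default gateway, i.e. the pfSense VLAN interface address


@dataclass
class Rule:
    action: str        # "block" or "pass"
    proto: str         # "icmp", "tcp", "udp" or "any"
    source: str        # CIDR or "any"
    destination: str   # CIDR or "any"


def next_hop(src: Host, dst_ip: str) -> Optional[str]:
    """Host forwarding decision.

    Returns None when the destination lies in the host's own subnet: the
    host ARPs for it and the switch delivers the frame directly, so the
    gateway is never involved. Otherwise returns the gateway address."""
    iface = ipaddress.ip_interface(src.address)
    if ipaddress.ip_address(dst_ip) in iface.network:
        return None
    return src.gateway


def _matches(field: str, ip: str) -> bool:
    return field == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(field)


def evaluate_rules(rules: List[Rule], proto: str, src_ip: str, dst_ip: str) -> str:
    """First-match evaluation of an interface's rule list, default deny,
    which is how pfSense evaluates rules on traffic entering an interface."""
    for r in rules:
        if r.proto in ("any", proto) and _matches(r.source, src_ip) and _matches(r.destination, dst_ip):
            return r.action
    return "block"


def send(src: Host, dst_ip: str, proto: str, rules: List[Rule]) -> str:
    """Outcome of one packet: 'delivered-direct' if it never reaches the
    firewall, otherwise '<action>-at-gateway' from the rule set."""
    if next_hop(src, dst_ip) is None:
        return "delivered-direct"   # switched within the VLAN; pfSense never sees it
    src_ip = src.address.split("/")[0]
    return f"{evaluate_rules(rules, proto, src_ip, dst_ip)}-at-gateway"


# Constructed sample: the rule from the original post on the SERVERS interface,
# followed by the usual "allow everything else" rule.
SERVERS_NET = "192.168.10.0/24"
RULES = [
    Rule("block", "icmp", SERVERS_NET, "any"),
    Rule("pass", "any", SERVERS_NET, "any"),
]
SERVER_A = Host("server-a", "192.168.10.11/24", "192.168.10.1")
SERVER_B = Host("server-b", "192.168.10.12/24", "192.168.10.1")
# server-b after being moved to its own VLAN / ESXi port group with a pfSense interface
SERVER_B_MOVED = Host("server-b", "192.168.20.12/24", "192.168.20.1")


if __name__ == "__main__":
    print("ping google:         ", send(SERVER_A, "8.8.8.8", "icmp", RULES))
    print("ping server-b (same):", send(SERVER_A, "192.168.10.12", "icmp", RULES))
    print("ping server-b (moved):", send(SERVER_A, "192.168.20.12", "icmp", RULES))
    print("tcp to server-b (moved):", send(SERVER_A, "192.168.20.12", "tcp", RULES))
```

Running it shows the asymmetry the original poster saw: the ping to 8.8.8.8 is routed through the gateway and hits the block rule, the ping to the neighbour on the same /24 is delivered directly, and only after the second server is on another subnet does the ICMP rule get a chance to match. Restricting the hosts' traffic while they share a VLAN has to happen on the hypervisor switch, as the thread says; this model does not cover that.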
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.