    NAT / Forward ICMP Ping to Internal Server

    • C
      cyboc last edited by

      I'm using pfSense 2 BETA 4.

      From reading a few posts on this forum, it seems that you can only NAT / forward incoming ICMP ping requests on the WAN from the router to an internal server if you use 1:1 NAT. Indeed, if you try to do it on the Port Forward page, you can't even select ICMP as the protocol.

      Question: Is this a limitation of pfSense or a limitation of pf / BSD?

      The reason I ask is because a Linux "fanboy" here at my office is reluctant to switch from his Linux iptables router/firewall to pfSense if it can't do forwarding of ping without using 1:1 NAT. He says "I can do it in Linux, why can't I do it in pfSense?"

      • Cry Havok
        Cry Havok last edited by

        I would ask why he'd want to. What does "ping" give him that actually connecting to a service to see if it's up wouldn't give him?

        • C
          cyboc last edited by

          He says it's because the client software for this particular service is not readily available on all machines whereas ping is. Telnet could be used for troubleshooting this particular service but he says it's much easier to explain to a user how to use ping than telnet.

          • Cry Havok
            Cry Havok last edited by

            IMO he's an idiot ;) Ping does not test the service in any way; at best it confirms that something is replying to the ICMP packet. Even if something doesn't reply to a ping, it doesn't mean the service isn't available.

            Can't help with the ICMP forwarding though I'm afraid.

            • E
              Efonnes last edited by

              It is capable of forwarding ICMP, but the option just isn't in the web GUI for some reason unknown to me. Currently discussing with the other devs on whether to add it and maybe the other protocols listed for other types of rules.

              • jimp
                jimp Rebel Alliance Developer Netgate last edited by

                I thought it was there at one point, or perhaps I had just hacked it into the local install on a box one time. There's no reason it can't be done, though the reasons for doing it are still questionable (testing an actual service is much more reliable than ping.)
