NAT / Forward ICMP Ping to Internal Server

  • I'm using pfSense 2 BETA 4.

    From reading a few posts on this forum, it seems that you can only NAT / forward incoming ICMP ping requests on the WAN from the router to an internal server if you use 1:1 NAT. Indeed, if you try to do it on the Port Forward page, you can't even select ICMP as the protocol.

    Question: Is this a limitation of pfSense or a limitation of pf / BSD?

    The reason I ask is because a Linux "fanboy" here at my office is reluctant to switch from his Linux iptables router/firewall to pfSense if it can't do forwarding of ping without using 1:1 NAT. He says "I can do it in Linux, why can't I do it in pfSense?"

  • I would ask why he'd want to. What does "ping" give him that actually connecting to a service to see if it's up wouldn't give him?

  • He says it's because the client software for this particular service is not readily available on all machines whereas ping is. Telnet could be used for troubleshooting this particular service but he says it's much easier to explain to a user how to use ping than telnet.

  • IMO he's an idiot ;) Ping does not test the service in any way, at best it confirms that something is replying to the ICMP packet.  Even if something doesn't reply to a ping it doesn't mean the service isn't available.

    Can't help with the ICMP forwarding though I'm afraid.

  • It is capable of forwarding ICMP, but the option just isn't in the web gui for some reason unknown to me.  Currently discussing with the other devs on whether to add it and maybe the other protocols listed for other types of rules.

  • Rebel Alliance Developer Netgate

    I thought it was there at one point, or perhaps I had just hacked it into the local install on a box one time. There's no reason it can't be done, though the reasons for doing it are still questionable (testing an actual service is much more reliable than ping.)

Log in to reply