"ping host" menu command bypasses firewall rules for DMZ/LAN ?



  • Hi all,

    I am using pfSense 2.0 latest snapshot, with a simple setup of WAN/DMZ/LAN interfaces and I have all firewall rules in place and everything seems to be working fine, except...

    When I use the "ping host" menu command to ping any LAN IP address over the DMZ interface it gets a reply! When I go to a DMZ machine and ping from there any LAN IP address there is no reply (as should be, because of the firewall rules).
    By the way, when I use the "ping host" menu command to ping any LAN IP address over the WAN interface there is NO reply.

    Is there something wrong in my DMZ/LAN setup or is this the way the ping host command should work - as a diagnostic tool bypassing the firewall?

    Thanks.



  • Firewall rules apply to traffic coming in on an interface.
    Since this is traffic originating on the pfSense itself, there are no firewall rules denying this traffic.



  • mmm, I still don't fully understand... if I change the DMZ interface to WAN interface on the "ping host" menu command, there is NO reply...

    This traffic (from the WAN interface instead of DMZ) is also originating from the pfSense box itself, but gets no reply? But over the DMZ interface it gets a reply?



  • Selecting an interface sends this traffic on this interface.
    –> If you select the WAN the pings are sent on the WAN, you won't get a response from a device on the DMZ/LAN.



  • Selecting an interface sends this traffic on this interface.
    –> If you select the WAN the pings are sent on the WAN, you won't get a response from a device on the DMZ/LAN.

    this I understand.

    But then I would say:
    --> If you select the DMZ the pings are sent on the DMZ, you won't get a response from a device on the LAN

    ...but I am getting a response from a device from the LAN over the DMZ interface...



  • Everything you describe is the way things should work.
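
As an added illustration (not part of the thread), here is a small Python model of how pf, the packet filter pfSense uses, evaluates rules: pfSense GUI rules are "in" rules bound to the interface a packet arrives on, and traffic the firewall generates itself never arrives on any interface, so it is not checked against those rules. Interface names, addresses and the ruleset are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str         # "pass" or "block"
    direction: str      # "in" or "out"; pfSense GUI rules are "in" rules
    iface: str          # interface the rule is bound to
    dst_prefix: str     # destination prefix, "" matches any (simplified, constructed)

@dataclass
class Packet:
    src: str
    dst: str
    in_iface: Optional[str]   # None when the firewall itself generated the packet
    out_iface: str

def matches(rule, pkt, direction, iface):
    return (rule.direction == direction and rule.iface == iface
            and pkt.dst.startswith(rule.dst_prefix))

def evaluate(rules, pkt):
    """Verdict for one packet: the inbound leg is checked first, then the outbound leg.
    Rules are treated as 'quick' (first match wins), as pfSense renders GUI rules;
    pf passes a packet when no rule matches it on that leg."""
    for direction, iface in (("in", pkt.in_iface), ("out", pkt.out_iface)):
        if iface is None:          # locally generated traffic has no inbound leg
            continue
        for rule in rules:
            if matches(rule, pkt, direction, iface):
                if rule.action == "block":
                    return "block"
                break              # first match decides this leg
    return "pass"

# Constructed ruleset resembling the poster's policy: DMZ may not reach LAN (192.168.1.0/24).
RULES = [
    Rule("block", "in", "dmz", "192.168.1."),
    Rule("pass",  "in", "dmz", ""),
    Rule("pass",  "in", "lan", ""),
]

# A DMZ host pinging a LAN host: arrives on dmz, so the DMZ rules apply.
DMZ_HOST_PING = Packet("10.0.0.50", "192.168.1.10", in_iface="dmz", out_iface="lan")
# "ping host" with the DMZ interface selected: sourced from the DMZ address, but
# generated on the firewall, so it only ever has an outbound leg on lan.
PFSENSE_PING = Packet("10.0.0.1", "192.168.1.10", in_iface=None, out_iface="lan")

if __name__ == "__main__":
    print(evaluate(RULES, DMZ_HOST_PING), evaluate(RULES, PFSENSE_PING))  # block pass
```

To actually filter the firewall's own traffic you would need explicit "out" rules (floating rules in pfSense), which the default ruleset does not have.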

