Trouble with ICMP on firewall



  • Hi all,

    I'm struggling to get the Firewall to respond to ICMP from the internet.

    So I have a WAN address on PPPoE
    then my ISP give me 5 static IPs.

    I've created IP alias for these IPs and they work with all other port forwarding for my servers etc.

    But ICMP isn't playing nice. :(

    I just tried to allow through ICMP with the destination of a static IP of mine and it just gets blocked by the default deny all rule?

    Even if I try to NAT it through to a server of mine it still gets dropped on the default deny all rule…any thoughts?



  • Are you 1:1 NATing? What is the firewall rule you have created to allow ICMP?



  • @Matthias:

    Are you 1:1 NATing? What is the firewall rule you have created to allow ICMP?

    I am but not on this IP.

    so I created a firewall rule - allow from any source to the wan address - icmp only



  • And you can't even ping your WAN address?



  • @Matthias:

    And you can't even ping your WAN address?

    so the WAN address does respond - but the ip alias (static IP) doesn't with the following rules




  • eh…. I have no clue what is happening with my firewall at the moment..

    So I setup a rule to allow ICMP traffic to the WAN interface (random IP given to me by the ISP)
    this is pingable.

    Then I setup to allow ICMP traffic to .131 (a static IP alias of mine) so I can monitor the firewall response remotely...

    NOTHING gets through.

    however due to a typo of mine on the thinkbroadband site I put in .132 there and it's getting a response!?
    Yet if I try to ping .132 from another remote location I don't get through!?
    I really have no idea why it's getting a response.



  • When you say IP alias do you mean you've set up a list of IPs in an Alias? From your screenshot it looks as though you've only set the rule for a single IP. What is that IP attached to internally? Do you have a 1:1 NAT with a server inside your network?


  • LAYER 8 Global Moderator

    If you have a 1:1 NAT - wouldn't the box that your nattting too for the outside address have to answer the ICMP?



  • @Matthias:

    When you say IP alias do you mean you've set up a list of IPs in an Alias? From your screenshot it looks as though you've only set the rule for a single IP. What is that IP attached to internally? Do you have a 1:1 NAT with a server inside your network?

    Yes so I have setup a few interfaces as ip alias and then I map services / ports to those and allow them through.

    I do have 1:1 NAT but not on the IP that I am testing with .131




  • @johnpoz:

    If you have a 1:1 NAT - wouldn't the box that your nattting too for the outside address have to answer the ICMP?

    Yes - but I have .132 NATted - .131 is not and so the Firewall should just respond if ICMP is "allowed" correct?



  • I'm not familiar with the virtual IP function but unless you have that IP tied to an interface there will be no reply. The firewall doesn't reply only an interface with that IP can reply.



  • @Matthias:

    I'm not familiar with the virtual IP function but unless you have that IP tied to an interface there will be no reply. The firewall doesn't reply only an interface with that IP can reply.

    I don't understand what you mean by "tied to an interface".

    The VIP is it's own virtual interface no?

    according to this:
    https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F

    Will respond to ICMP ping if allowed by firewall rules.


Log in to reply