    Trouble with ICMP on firewall

    Firewalling
      Deadringers:

      Hi all,

      I'm struggling to get the Firewall to respond to ICMP from the internet.

      So I have a WAN address on PPPoE, then my ISP gives me 5 static IPs.

      I've created IP aliases for these IPs and they work with all other port forwarding for my servers etc.

      But ICMP isn't playing nice. :(

      I just tried to allow through ICMP with the destination of a static IP of mine and it just gets blocked by the default deny all rule?

      Even if I try to NAT it through to a server of mine it still gets dropped on the default deny all rule…any thoughts?

        Matthias:

        Are you 1:1 NATing? What is the firewall rule you have created to allow ICMP?

          Deadringers:

          @Matthias:

          Are you 1:1 NATing? What is the firewall rule you have created to allow ICMP?

          I am but not on this IP.

          So I created a firewall rule: allow from any source to the WAN address, ICMP only.

            Matthias:

            And you can't even ping your WAN address?

              Deadringers:

              @Matthias:

              And you can't even ping your WAN address?

              So the WAN address does respond, but the IP alias (static IP) doesn't, with the following rules:


                Deadringers:

                Eh... I have no clue what is happening with my firewall at the moment.

                So I set up a rule to allow ICMP traffic to the WAN interface (random IP given to me by the ISP);
                this is pingable.

                Then I set up a rule to allow ICMP traffic to .131 (a static IP alias of mine) so I can monitor the firewall response remotely...

                NOTHING gets through.

                However, due to a typo of mine on the thinkbroadband site, I put in .132 there and it's getting a response!?
                Yet if I try to ping .132 from another remote location I don't get through!?
                I really have no idea why it's getting a response.

                  Matthias:

                  When you say IP alias do you mean you've set up a list of IPs in an Alias? From your screenshot it looks as though you've only set the rule for a single IP. What is that IP attached to internally? Do you have a 1:1 NAT with a server inside your network?

                    johnpoz (LAYER 8 Global Moderator):

                    If you have a 1:1 NAT, wouldn't the box that you're NATing to for the outside address have to answer the ICMP?


                      Deadringers:

                      @Matthias:

                      When you say IP alias do you mean you've set up a list of IPs in an Alias? From your screenshot it looks as though you've only set the rule for a single IP. What is that IP attached to internally? Do you have a 1:1 NAT with a server inside your network?

                      Yes, so I have set up a few interfaces as IP aliases and then I map services / ports to those and allow them through.

                      I do have 1:1 NAT, but not on the IP that I am testing with, .131.


                        Deadringers:

                        @johnpoz:

                        If you have a 1:1 NAT - wouldn't the box that your nattting too for the outside address have to answer the ICMP?

                        Yes, but I have .132 NATed; .131 is not, and so the firewall should just respond if ICMP is "allowed", correct?

                          Matthias:

                          I'm not familiar with the virtual IP function, but unless you have that IP tied to an interface there will be no reply. The firewall doesn't reply; only an interface with that IP can reply.

                            Deadringers:

                            @Matthias:

                            I'm not familiar with the virtual IP function, but unless you have that IP tied to an interface there will be no reply. The firewall doesn't reply; only an interface with that IP can reply.

                            I don't understand what you mean by "tied to an interface".

                            The VIP is its own virtual interface, no?

                            According to this:
                            https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F

                            Will respond to ICMP ping if allowed by firewall rules.

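The "allow ICMP to WAN address" rule from earlier in the thread and johnpoz's 1:1 NAT question come down to three pfSense behaviours: the "WAN address" destination macro means only the interface's own address, not its IP Alias VIPs; 1:1 NAT (like a port forward) rewrites the destination before the WAN rules are evaluated, so a rule for a NATed address has to name the internal host; and once the packet is passed, something still has to own the address and answer the echo. The Python model below is an added example, not pfSense code and not anything posted in this thread. Its addresses are constructed (198.51.100.10 for the PPPoE address, 203.0.113.131 and .132 for the two VIPs, 10.0.0.32 for the 1:1 target) to mirror the .131/.132 that the posts test with.

```python
"""Model of how pfSense evaluates an inbound ICMP echo arriving on WAN against
firewall rules, IP Alias VIPs and 1:1 NAT. Added example, not pfSense code: it
reproduces the documented ordering (1:1 NAT translates the destination before
the WAN rules run, GUI rules are first-match, and "WAN address" expands to the
interface's own address only).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Constructed sample addressing (not from the thread). The .131 and .132 hosts
# mirror the two addresses the thread tests with.
WAN_ADDRESS = "198.51.100.10"    # address the ISP assigned to the PPPoE session
VIP_131 = "203.0.113.131"        # IP Alias VIP with no NAT: the firewall itself should answer
VIP_132 = "203.0.113.132"        # IP Alias VIP that is 1:1 NATed to an internal server
SERVER_132 = "10.0.0.32"         # internal host behind the 1:1 NAT

IP_ALIAS_VIPS: Set[str] = {VIP_131, VIP_132}
ONE_TO_ONE_NAT: Dict[str, str] = {VIP_132: SERVER_132}   # external -> internal


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    proto: str    # "icmp", "tcp", "udp" or "any"
    dst: str      # "WAN address", "any", a single IP, or a CIDR (a firewall-alias entry)


def dst_matches(rule_dst: str, dst: str) -> bool:
    """Expand the destination field the way the WAN rule editor does."""
    if rule_dst == "WAN address":
        # The macro is the interface's primary address only; VIPs are not included.
        return dst == WAN_ADDRESS
    if rule_dst == "any":
        return True
    return ip_address(dst) in ip_network(rule_dst, strict=False)


def evaluate(rules: List[Rule], proto: str, dst: str) -> Tuple[str, str, str]:
    """Return (verdict, matched rule, who would answer) for one inbound packet.

    verdict is "pass" or "block"; matched rule is the rule text or "default deny";
    answerer is "firewall", "host <ip>" or "nobody".
    """
    # Step 1: 1:1 NAT rewrites the destination before the filter sees the packet.
    translated = ONE_TO_ONE_NAT.get(dst, dst)
    # Step 2: GUI rules are first-match (pf "quick"); nothing matching means default deny.
    verdict, matched = "block", "default deny"
    for rule in rules:
        if rule.proto in (proto, "any") and dst_matches(rule.dst, translated):
            verdict, matched = rule.action, f"{rule.action} {rule.proto} to {rule.dst}"
            break
    # Step 3: a passed echo is only answered by whoever owns the (translated) address.
    if verdict != "pass":
        answerer = "nobody"
    elif translated == WAN_ADDRESS or translated in IP_ALIAS_VIPS:
        answerer = "firewall"
    else:
        answerer = f"host {translated}"   # replies only if that host itself allows ICMP
    return verdict, matched, answerer


def demo() -> Dict[str, Tuple[str, str, str]]:
    """The thread's rule variants, each applied to the address being pinged."""
    wan_only = [Rule("pass", "icmp", "WAN address")]
    by_vip = [Rule("pass", "icmp", VIP_131)]
    by_external = [Rule("pass", "icmp", VIP_132)]   # wrong for a 1:1 NATed address
    by_internal = [Rule("pass", "icmp", SERVER_132)]
    return {
        "wan_rule_ping_wan": evaluate(wan_only, "icmp", WAN_ADDRESS),
        "wan_rule_ping_131": evaluate(wan_only, "icmp", VIP_131),
        "vip_rule_ping_131": evaluate(by_vip, "icmp", VIP_131),
        "ext_rule_ping_132": evaluate(by_external, "icmp", VIP_132),
        "int_rule_ping_132": evaluate(by_internal, "icmp", VIP_132),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {result}")
```

Running it reproduces the thread's symptom (a "WAN address" rule passes pings to the PPPoE address but leaves .131 to the default deny) and shows the two fixes: a rule whose destination is the VIP itself, or an alias or CIDR containing it, makes the firewall answer for .131; for the 1:1 NATed .132 the rule has to name the internal host, and whether a reply ever comes back then depends on that host, not on the firewall.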