Allow ICMP echo request on WAN



  • Hi,

    I recently upgraded to pfSense 2.2.1.

    Now I want to allow ping to my WAN interface.

    Therefore i added a rule for this in my WAN section of the firewall rules.

    IPv4 ICMP echo request source any destination WAN address

    I also tried ICMP any source any destination WAN address

    But whatever combination i try I cannot get pfSense to accept ping to my WAN interface.

    Am I doing something wrong or is something broken in this releaes ?

    I have successfully created a incoming rule for a TCP port to the pfSense WAN interface and that works.

    Also tried using the "Easy add firewall rule" from the firewall log where i see the blocks.

    Oh also. When i try checking firewall logs and wanna know the name of the rule that blocks ICMp it turns up empty. feature ? bug ? =)

    Thanks !



  • Are you trying to ping it from private IP space with the Block private networks option checked on WAN?



  • I've tried from 2 external hosts to ping the WAN address.



  • That's not what I asked.  I asked if you were doing your tests from private IP space eg. 10.0.0.x, 172.16.x.x, 192.168.x.x etc.  The WAN interface is set by default to ignore stuff from private IP space.  If you have Block private networks option checked, it will ignore your pings even though the rule permits them.



  • I understood your question =) You just didn't understand my answer.

    I'm not sending ICMP echo packets from a computer that's on a private network.

    I have also tried removing the "block private networks" option and it still didn't work.

    I still see the dropped ICMP packets in the firewall log.



  • You just didn't understand my answer.

    I understood your answer, but it didn't seem to include any information that would answer the specific question I posed.  I hope you get it figured out.



  • just tried it … works for me.

    you sure you don't have a block rule that matches first and thus renders your pass rule useless?


  • LAYER 8 Global Moderator

    why don't you post your wan rules via a pic of them..  And do you have any floating rules?

    And your not behind a NAT??  You have public IP on your pfsense wan, not rfc1918

    And click on your firewall entry - what is blocking it?






  • My pfSense is ny NAT so to speak. It's connected to my ISP and no other firewalling in between.

    I have some floating rules but those were generated by the wizard when setting up QoS. I have tried disabling these aswell (sigh. disabling 50 rows of floating rules..)

    I did once try to click the red (x) like you show in your picture to check what rule is actually blocking ICMP and it shows up empty.

    ![Firewall WAN.png](/public/imported_attachments/1/Firewall WAN.png)
    ![Firewall WAN.png_thumb](/public/imported_attachments/1/Firewall WAN.png_thumb)


  • LAYER 8 Global Moderator

    So did you change the rule to just icmp..  And what is your floating rules?  So you click the red x and you get empty box?  Well clearly that is not right.

    Just because its connected to your "isp" doesn't mean your isp is giving you a public IP.. What does the first 2 octets of your wan interface.. Mine are 24.13 for example..  This is IP from comcast.

    Please post up your floating tab..



  • Ah yes i forgot to answer that aswell.

    It is a public IP that i get on my pfsense machine.

    80.245.xxx.xxx

    I did try to change it to just ICMP and not just specific for the echo request. And same result.












  • Ok so.

    I changed it to ICMP / any. And nothing happened (i've tried it before).

    And i just thought that i should reboot the machine.

    And now ping is working.

    Sigh… (and yes i have clicked apply changes a thousand times)



  • I'd like to thank everyone who tried to help =)

    So here it is.

    Thank you =)


  • LAYER 8 Global Moderator

    so now when you look at the blocked stuff do you get what rule applied, did you ever try reloading the rules?  Seems like your apply was not happening.



  • Yes now when i click them in the firewall log i actually see a name.

    Never did try a proper reload no.

    Thanks =)


  • LAYER 8 Global Moderator

    Whenever you run into an issue with firewall rules not working, if your trying to block something flush the states.  Ir your trying to put in a new rule that doesn't seem to work then do a reload.  Or yeah reboot does it too ;)

    That you were not seeing what rule was blocking the traffic something was clearly not right, so a reload prob would of fixed it - or your reboot does the same thing


Log in to reply