Netgate Discussion Forum

    Disabled NAT IP's still pingable

      dbennett

      Greetings,

      I have a bit of a head scratcher.  I have disabled a number of IPs in my NAT but I can still ping them from outside the network.

      Thoughts?

      Dino

        hda

        You mean in [Firewall: Rules (WAN)], right?

          johnpoz LAYER 8 Global Moderator

          Disabled in your NAT??  Huh??  What does that have to do with pinging your WAN IP?  You don't forward ping to inside RFC1918 behind a NAT - you sure cannot do it more than once.

          What exactly are you pinging from outside your network, and let's see your WAN rules as a start, yes.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 25.07

            dbennett

            Sorry.  Tried to keep it short.  Guess it was TOO short.

            In the firewall: NAT: 1:1
            We have all of our External IPs listed in the NAT. Depending on what an external IP will be used for, the Internal IP will change.  When one is not being used, it's assigned an internal IP that has a firewall rule that blocks ALL.  Now, yesterday I decided that I would simply disable the NATs that were not being used.  In testing it was realized that those NAT External IPs that were disabled were pingable.

            If an External IP that is in the NAT 1:1 is disabled, why is it pingable?

            I hope that is a little more clear.

            Thanks for your knowledge.

            Dino

              johnpoz LAYER 8 Global Moderator

              What does the external IP care if there is no NAT?

              You need to block ping to that IP that's on your WAN, on the WAN interface.  Post up your WAN rules.

                KOM

                > If an External IP that is in the NAT 1:1 is disabled, why is it pingable?

                I assume you have IP aliases for these public IP addresses you're using?  I also assume you have a WAN rule that allows ICMP with a Destination of *?  I don't believe that removing the NAT affects whether you can ping the public address or not.

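Added example, not part of the thread or any poster's configuration: a small Python model of the behaviour the replies describe. It assumes destination NAT is applied before the WAN rules are evaluated (as in pf), that the external addresses remain bound to WAN as IP Alias virtual IPs, and that a WAN rule passes ICMP to any destination. All addresses, rule tuples and function names are constructed for illustration.

```python
# Toy model of inbound processing on WAN: 1:1 NAT first, then first-match rules.
# Every address and rule here is a constructed sample value (assumption).
from ipaddress import ip_address

VIP = ip_address("203.0.113.10")       # unused external IP, still a WAN alias
PARKING = ip_address("10.0.0.250")     # internal IP that has a "block ALL" rule
WAN_VIPS = {VIP}                       # addresses the firewall itself owns

# WAN rules, first match wins: (action, protocol, destination or None for any)
WAN_RULES = [
    ("block", "any", PARKING),         # block everything to the parking IP
    ("pass", "icmp", None),            # allow ICMP, destination *
]
# Corrected rule set: block echo to the unused VIP before the broad pass rule.
FIXED_RULES = [("block", "icmp", VIP)] + WAN_RULES

NAT_ENABLED = {VIP: {"internal": PARKING, "enabled": True}}
NAT_DISABLED = {VIP: {"internal": PARKING, "enabled": False}}


def translate(dst, one_to_one):
    """Rewrite the destination only if an enabled 1:1 entry exists for it."""
    entry = one_to_one.get(dst)
    return entry["internal"] if entry and entry["enabled"] else dst


def evaluate(proto, dst, rules):
    """Return the action of the first matching rule; default deny."""
    for action, rule_proto, rule_dst in rules:
        if rule_proto in ("any", proto) and rule_dst in (None, dst):
            return action
    return "block"


def inbound_ping(external_ip, one_to_one, rules=WAN_RULES):
    """Return who answers an echo request, or None if it is dropped."""
    dst = translate(ip_address(external_ip), one_to_one)
    if evaluate("icmp", dst, rules) != "pass":
        return None
    return "firewall" if dst in WAN_VIPS else f"host {dst}"


if __name__ == "__main__":
    print("1:1 enabled :", inbound_ping("203.0.113.10", NAT_ENABLED))
    print("1:1 disabled:", inbound_ping("203.0.113.10", NAT_DISABLED))
    print("with block  :", inbound_ping("203.0.113.10", NAT_DISABLED, FIXED_RULES))
```

With the 1:1 entry enabled the rules see the parking address and drop the packet; with it disabled the destination stays the external IP, so only a WAN rule naming that address stops the firewall from replying.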
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.