
How to allow ICMP ping on EdgeRouter Lite?


aznphatb0i

Occasional Visitor
Hey guys! I have an EdgeRouter Lite serving our small office, we use Cogent as our ISP.

To proactively monitor our circuit, I need to allow ICMP ping of our network.

I configured the EdgeRouter using the first config from here: http://www.smallnetbuilder.com/lanw...ow-to-configure-your-ubiquiti-edgerouter-lite

( http://www.smallnetbuilder.com/mydownloads/ubnt_erl/ubnt_erl_2lan_w_dhcp.tar.gz )

I need to either:

  • Block all ICMP traffic except from the Cogent monitoring IP blocks of 66.28.3.0/24, 66.250.250.0/23, 130.117.228.0/24 and 130.117.254.0/24 for IPv4 or 2001:550:1:300::/56 and 2001:978:1:300::/56 for IPv6.

  • or even just allow all ICMP traffic though this is less secure
Can anyone help? This is my first foray into Ubiquiti devices!

Thank You!
 
Before anything else, take a backup if you have been messing around with changes you don't want to lose!

From the Ubiquiti basic config by mrjester
Edited slightly and taken from my personal config
You can change the port eth0 to whatever your WAN interface is.
The rule number also needs to be unique.
After popping it into the command line it should appear in the GUI.

Code:
set 'firewall' 'name' 'eth0_local' 'rule' '5' 'action' 'accept'
set 'firewall' 'name' 'eth0_local' 'rule' '5' 'description' 'ICMP 90/m'
set 'firewall' 'name' 'eth0_local' 'rule' '5' 'limit' 'burst' '1'
set 'firewall' 'name' 'eth0_local' 'rule' '5' 'limit' 'rate' '90/minute'
set 'firewall' 'name' 'eth0_local' 'rule' '5' 'log' 'enable'
set 'firewall' 'name' 'eth0_local' 'rule' '5' 'protocol' 'icmp'

If this is still giving you trouble I recommend asking in the community.ubnt.com forums.
 
Actually I just realized. . . did you update the firmware yet?
If not, before anything else, download and install version 1.6 and take a look at the 'Wizards' tab.
 
I just plugged my ERL into Cogent service and these are my settings. I have not verified these work, but I think I've got them right.

Network group section:

firewall {
    group {
        network-group Cogent_Mgmt {
            description "Cogent Mgmt"
            network 66.28.3.0/24
            network 66.250.250.0/23
            network 130.117.228.0/24
            network 130.117.254.0/24
        }
    }


Corresponding WAN_LOCAL section:



name WAN_LOCAL {
    default-action drop
    description "WAN to router"
    rule 10 {
        action accept
        description "Allow established/related"
        state {
            established enable
            related enable
        }
    }
    rule 20 {
        action drop
        description "Drop invalid state"
        state {
            invalid enable
        }
    }
    rule 21 {
        action accept
        description "Cogent Ping"
        log disable
        protocol icmp
        source {
            group {
                network-group Cogent_Mgmt
            }
        }
    }
}
 
Maybe I should have said I believe they're correct, but of course, only Cogent could tell me if they actually work since I can't originate packets from those networks.
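
Because rule 21 cannot be exercised from outside Cogent's networks, the following added example (not code from any poster in this thread) models the WAN_LOCAL rule set above in Python and evaluates constructed echo requests against it offline. It is a simplified first-match model rather than EdgeOS itself; the packet dictionaries, function names and sample source addresses are assumptions made for illustration.

```python
import ipaddress

# Cogent monitoring blocks as listed in the thread (IPv4 only).
COGENT_MGMT = [ipaddress.ip_network(n) for n in (
    "66.28.3.0/24", "66.250.250.0/23", "130.117.228.0/24", "130.117.254.0/24")]

# Simplified model of the WAN_LOCAL rules posted above: the lowest-numbered
# matching rule wins, and unmatched packets get the default action.
WAN_LOCAL = {
    "default": "drop",
    "rules": [
        (10, "accept", {"state": {"established", "related"}}),
        (20, "drop", {"state": {"invalid"}}),
        (21, "accept", {"protocol": "icmp", "source": COGENT_MGMT}),
    ],
}

def matches(cond, pkt):
    """True if every criterion present in the rule matches the packet."""
    if "state" in cond and pkt["state"] not in cond["state"]:
        return False
    if "protocol" in cond and pkt["protocol"] != cond["protocol"]:
        return False
    if "source" in cond:
        src = ipaddress.ip_address(pkt["src"])
        if not any(src in net for net in cond["source"]):
            return False
    return True

def evaluate(ruleset, pkt):
    """Return (action, rule number or None) for a packet."""
    for num, action, cond in sorted(ruleset["rules"], key=lambda r: r[0]):
        if matches(cond, pkt):
            return action, num
    return ruleset["default"], None

def ping(src):
    """A constructed inbound echo request (new connection) from src."""
    return {"src": src, "protocol": "icmp", "state": "new"}

if __name__ == "__main__":
    # Constructed sources: inside each Cogent block, just outside the /23,
    # and an unrelated address.
    for src in ("66.28.3.10", "66.250.251.200", "130.117.228.1",
                "130.117.254.254", "66.250.252.1", "8.8.8.8"):
        print(src, evaluate(WAN_LOCAL, ping(src)))
```

The /23 entry covers 66.250.250.0 through 66.250.251.255, so 66.250.252.1 falls through to the default drop just like any unrelated source.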
 