Enabling ping from inside to outside

J.L. Hill

This should be simple, but after five hours I am still stuck trying to enable pinging from local machines out to WAN (IPv4 and IPv6). If I disable the Network Services Filter firewall, I can ping out from my local machine (Debian 9) to the Internet. There is no ICMP option in the GUI firewall screens that I can find to enable outbound ping (there is "Respond ICMP echo", which is enabled, but I assume it is for WAN-to-router ping).

So, checking the router's iptables, I found:
DROP icmp -- any any anywhere anywhere icmp echo-request
RETURN icmp -- any any anywhere anywhere icmp echo-request limit: avg 1/sec burst 5

So I deleted the DROP rule and added:
ACCEPT icmp -- any any anywhere anywhere icmp echo-reply
ACCEPT icmp -- any any anywhere anywhere icmp echo-request

Rebooted the router, but the DROP rule returns; I am of course still blocked on the local machine:
# ping -v 8.8.8.8
ping: socket: Permission denied, attempting raw socket...

I have a RT-AC66U using firmware 380.69_2. Any suggestions appreciated. (I have searched this forum diligently and have not found any solutions.) I uploaded the output of iptables -L -v

Thanks,
Jeff
 

Attachment: iptables-list.txt (9 KB)

There is no ICMP option in the GUI firewall screens that I can find to enable outbound ping (there is "Respond ICMP echo", which is enabled, but I assume it is for WAN-to-router ping).

Do you have this option in the GUI?


[Screenshot: upload_2018-3-13_18-42-15.png]

Try issuing this command:

iptables -I NSFW -p icmp -i br0 -o eth0 -j RETURN

If that works, to make it permanent you'll need to create a firewall-start script.

That worked, thank you. I will add a firewall-start script if I can't get the "Filtered ICMP packet types" option to work on a permanent basis. Still looking at how that option is supposed to work.
 
If it works for IPv4 and IPv6, your solution would obviously be the best I have seen.
Network Services Firewall does not support IPv6.
Yes, I have that option. I admit, I did not understand that it would work to override the firewall, and I'm still searching for more details on how.
It is indeed an advanced GUI option, and whilst being extremely flexible for ALL ICMP filtering, it does attempt to show how to allow the commonly used PING to be included together with your explicit whitelisting of TCP/UDP ports.
i.e. As per the GUI help, simply enter
Code:
8 0
which is interpreted as

ICMP packets

Type 8 = Ping echo
Type 0 = Ping reply

see An ICMP Reference
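
The firewall-start script suggested earlier in the thread could look like the following. This is an added example, not code posted by anyone in the thread; it assumes the script is saved as /jffs/scripts/firewall-start and made executable, and it reuses the NSFW chain and br0/eth0 interfaces from the command above. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): re-applies the thread's ICMP rule
# each time the router rebuilds its firewall, which is why a manual
# iptables change does not survive a reboot.

CHAIN="NSFW"    # Network Services Filter chain, as named in the thread
LAN_IF="br0"    # LAN bridge, as in the thread's command
WAN_IF="eth0"   # WAN interface, as in the thread's command; adjust if yours differs

# Build the rule spec in one place so the delete and the insert always match.
icmp_rule() {
    printf '%s' "-p icmp -i $LAN_IF -o $WAN_IF -j RETURN"
}

# Delete every existing copy of the rule, then insert exactly one at the top
# of the chain. Delete-then-insert keeps the chain free of duplicates however
# often the firewall restarts, and does not depend on "iptables -C", which
# older iptables builds may not provide.
allow_lan_icmp() {
    rule=$(icmp_rule)
    # Word splitting of $rule is intended: it expands to separate arguments.
    while iptables -D "$CHAIN" $rule 2>/dev/null; do :; done
    iptables -I "$CHAIN" $rule
}

# Touch the firewall only when running under the hook's own file name, so the
# file can be sourced or syntax-checked elsewhere without changing any rules.
case "$0" in
    */firewall-start) allow_lan_icmp ;;
esac
```

As noted in the thread, the Network Services Filter does not cover IPv6, so this script deliberately contains no ip6tables rule.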