I can not ping from internet to red interface

[Guest]

[razametal]

Hi,

I've EndianFW 2.4.1 and can not ping from internet to the RED interface.

I'm allowing the ICMP protocol with ports number 8 and 30 on Firewall, system access, I'm attaching an screenshot of the rules that i've applied.

Do I need to setup more rules ? What can be wrong?

[DFen]

razametal

What are you using as your Internet connection?

Can you confirm your IP is pingable when endian is not connected - i.e. connect a PC via same router to the Internet.

Have you checked that your router allows ping?

[razametal]

Yes, the IP can reply icmp packets from internet when I connect another device.

[mrkroket]

Just a note. System access firewall are meant to access the system (i.e. Endian Firewall), not incoming traffic. I'm seeing a lot of rules related to incoming traffic there.
Did it work this way?

_____________________________________________________________________________________________________________________________
Yo tengo varias reglas de acceso externas pero asignadas a IP's fijas. No tengo necesidad de ofrecer ping ni nada, sólo es acceso administrativo.
Si algo no te funciona activa el logging y empieza a ver los informes de tráfico entrante, a ver si te tira paquetes.
Prueba a poner reglas más permisivas. Por ejemplo <ANY> <RED> <Any Service> con log activado, y ver si así hace ping.
Si hace ping, miras los logs a ver qué está llegando.

[razametal]

I need these rules applied to make the port redirection works. I'll be testing disbling it.

[DFen]

I do not have any problems.

In System Access I have:

6     <ANY>     RED     ICMP/8 ICMP/30   ALLOW    icmp ping

So far as I can see the only difference is that I specify RED  instead of uplink main.

Looking at the iptables, it appears to enter the rules in INPUTFW something like this:

 2521  158K ACCEPT     icmp --  eth3   *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/sec burst 5 mode srcip-dstip icmp type 8
    0     0 ACCEPT     icmp --  eth3   *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/sec burst 5 mode srcip-dstip icmp type 30

This will limit the number of pings to 3/sec with an initial burst up to 5.

I tried the following frm an external Linux server:
ping -i 0.01 -c 100 xx.xx.xx.226

--- xx.xx.xx.226 ping statistics ---
100 packets transmitted, 8 received, 92% packet loss, time 1243ms
rtt min/avg/max/mdev = 18.322/18.368/18.409/0.181 ms, pipe 2

However
ping  -c 100 xx.xx.xx.226

--- xx.xx.xx.226 ping statistics ---
100 packets transmitted, 100 received, 0% packet loss, time 99397ms
rtt min/avg/max/mdev = 18.318/27.785/231.654/38.228 ms

This may not help at all - however if you run
iptables -L INPUTFW -nv | grep icmp you will see if the packet/byte counts are zero (first two items on each line)

[DFen]

I need these rules applied to make the port redirection works. I'll be testing disbling it.

You should not need additional rules where you have set up port forwarding.
PForward is done in the nat table and before routing. It changes the destination address to your defined destination IP, so the traffic is routed from RED to GREEN/ORANGE. Endian will automatically enter rules to allow this!

[razametal]

Ahh.. great to know it. Then I'll be disbling these system access rules.

Thank you for the information.