Enabling ping from inside to outside

Discussion in 'Asuswrt-Merlin' started by J.L. Hill, Mar 13, 2018.

  1. J.L. Hill

    J.L. Hill New Around Here

    Joined:
    Aug 14, 2016
    Messages:
    4
    This should be simple, but after five hours I am still stuck trying to enable pinging from local machines out to WAN (IPv4 and IPv6). If I disable the Network Services Filter firewall, I can ping out from my local machine (Debian 9) to the Internet. There is no ICMP option in the GUI firewall screens that I can find to enable outbound ping. (There is "Respond ICMP echo", which is enabled, but I assume that is for WAN-to-router ping.)

    So, checking the router's iptables, I found:
    DROP icmp -- any any anywhere anywhere icmp echo-request
    RETURN icmp -- any any anywhere anywhere icmp echo-request limit: avg 1/sec burst 5

    So I deleted the DROP rule and added:
    ACCEPT icmp -- any any anywhere anywhere icmp echo-reply
    ACCEPT icmp -- any any anywhere anywhere icmp echo-request

    Rebooted the router, but the DROP rule returns; I am of course still blocked on the local machine:
    # ping -v 8.8.8.8
    ping: socket: Permission denied, attempting raw socket...

    I have an RT-AC66U using firmware 380.69_2. Any suggestions appreciated. (I have searched this forum diligently and have not found any solutions.) I uploaded the output of iptables -L -v.

    Thanks,
    Jeff
     


  3. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,287
    Location:
    UK
    Try issuing this command:

    iptables -I NSFW -p icmp -i br0 -o eth0 -j RETURN

    If that works, to make it permanent you'll need to create a firewall-start script.
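
The firewall-start script mentioned above, as an added example that is not part of the original post or of Asuswrt-Merlin's own code. It assumes the script is saved as /jffs/scripts/firewall-start, is executable, and that JFFS custom scripts are enabled on the router; the DRY_RUN switch and the function names are hypothetical helpers.

```shell
#!/bin/sh
# Added example: firewall-start user script for Asuswrt-Merlin.
# Assumed location: /jffs/scripts/firewall-start (executable).
# The NSFW chain and the br0/eth0 interfaces are taken from the
# command posted in the thread; adjust them if your WAN differs.

CHAIN="NSFW"
LAN_IF="${LAN_IF:-br0}"
WAN_IF="${WAN_IF:-eth0}"

# run_ipt: run iptables, or only print the command when DRY_RUN=1.
run_ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# allow_lan_icmp: place the RETURN rule at the top of NSFW once.
# Delete-then-insert is used instead of "iptables -C" so the script
# also works on older iptables builds that lack the check option,
# and so re-running it by hand does not stack duplicate rules.
allow_lan_icmp() {
    run_ipt -D "$CHAIN" -p icmp -i "$LAN_IF" -o "$WAN_IF" -j RETURN 2>/dev/null
    run_ipt -I "$CHAIN" -p icmp -i "$LAN_IF" -o "$WAN_IF" -j RETURN
}

# Act only when invoked under the script's own name, so that sourcing
# the file for inspection leaves the live rule set untouched.
if [ "${0##*/}" = "firewall-start" ]; then
    allow_lan_icmp || logger -t firewall-start "could not add ICMP rule to $CHAIN"
fi
```

Running `DRY_RUN=1 sh /jffs/scripts/firewall-start` prints the two iptables commands without changing the live rules.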
     
  4. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,699
    Location:
    UK
    Do you have this option in the GUI?


    [Attached image: upload_2018-3-13_18-42-15.png]
     
  5. J.L. Hill

    J.L. Hill New Around Here

    Joined:
    Aug 14, 2016
    Messages:
    4
    That worked, thank you. I will add a firewall-start script if I can't get the "Filtered ICMP packet types" option to work on a permanent basis. Still looking at how that option is supposed to work.
     
  6. J.L. Hill

    J.L. Hill New Around Here

    Joined:
    Aug 14, 2016
    Messages:
    4
    Yes, I have that option. I admit, I did not understand that it would work to override the firewall, and I'm still searching for more details on how. If it works for IPv4 and IPv6, your solution would obviously be the best I have seen. Thank you.
     
  7. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,699
    Location:
    UK
    Network Services Firewall does not support IPv6.
    It is indeed an advanced GUI option, and whilst being extremely flexible for ALL ICMP filtering, it does attempt to show how to allow the commonly used PING to be included together with your explicit whitelisting of TCP/UDP ports.
    i.e. As per the GUI help, simply enter
    Code:
    8 0
    which is interpreted as

    ICMP packets

    Type 8 = Ping echo
    Type 0 = Ping reply

    see An ICMP Reference
     
    Last edited: Mar 13, 2018