Help enable ICMP on WAN Public IP

config.txt (8.8 KB)

I have been trying to figure out how to enable ICMP on my public IP. I did have it working in the past, but with this Three Y5-210MU modem it would work and then randomly stop working, like all open ports wouldn't work. After I had to migrate my VyOS install to a virtual machine and moved it back, setting a static route from dhcp-interface eth1 fixed it. Is there any better way to do this also?

ICMP from where to where exactly?

            rule 30 {
                action "accept"
                description "Allow ICMP."
                protocol "icmp"
                state "established"
                state "related"
            }

Remove the state and related. You should almost never match the state in specific rules unless you are really, really sure you need it. State matching is done at the beginning of the chain or globally, like you have already configured in your config.

The public-facing IP attached to my connection.

@roedie has beaten me to it.

Sure, they can be handled by the global options at the top. I was trying to figure out why NAT port forwarding broke after I temporarily moved the install to a virtual machine, as I had an issue with a larger-size USB, but that was due to the odd issues the modem has. So I had a different firewall layout; I'll post that shortly.

firewall {
    flowtable FLOW-SW {
        interface "eth0"
    }
    global-options {
        state-policy {
            established {
                action "accept"
            }
            invalid {
                action "drop"
            }
            related {
                action "accept"
            }
        }
    }
    group {
        interface-group LAN {
            interface "eth0"
        }
        interface-group WAN {
            interface "eth1"
        }
        network-group LAN-IPV4 {
            network "10.0.0.0/23"
        }
    }
    ipv4 {
        forward {
            filter {
                rule 10 {
                    action "offload"
                    offload-target "FLOW-SW"
                }
            }
        }
        name LAN_OUT {
            default-action "accept"
            rule 10 {
                action "accept"
            }
        }
        name LOCAL {
            default-action "accept"
            rule 10 {
                action "accept"
            }
        }
        name WAN_IN {
            default-action "drop"
            rule 10 {
                action "accept"
            }
        }
        name WAN_LOCAL {
            default-action "drop"
            rule 10 {
                action "accept"
            }
            rule 20 {
                action "accept"
                destination {
                    port "53"
                }
                protocol "tcp_udp"
            }
        }
    }
}

This was my config. The above one was changed just because NAT wasn't working, but it required 2 static routes where it had worked with just next-hop 192.168.0.1; after temporarily moving it to a virtual machine and back to a dedicated system, it required a secondary static route for NAT to work. Though I am trying to enable ICMP to enable the tunnel..
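An added check, not from this thread and not VyOS code: a small Python linter that parses the brace-style config shown above and flags the two things raised in the replies. First, rule 30 from config.txt matches state established/related inside a specific rule even though global-options state-policy already accepts those states; a rule limited to established/related also never sees the first (new) inbound echo request, so it does not open ICMP at all. Second, the bare rule 10 in WAN_IN and WAN_LOCAL has no match criteria, so it accepts every packet before default-action drop or the DNS rule 20 is reached. The sample config is constructed from the fragments posted here (it is not the full attachment), and the finding codes are names chosen for this example.

```python
"""Lint a VyOS 1.4-style firewall config for per-rule state matches and accept-all rules."""
import re

# Constructed sample: global state-policy plus the posted WAN_LOCAL chain with the
# quoted rule 30 appended. Built from the thread's fragments, not the config.txt attachment.
SAMPLE_CONFIG = """\
firewall {
    global-options {
        state-policy {
            established {
                action "accept"
            }
            related {
                action "accept"
            }
        }
    }
    ipv4 {
        name WAN_LOCAL {
            default-action "drop"
            rule 10 {
                action "accept"
            }
            rule 20 {
                action "accept"
                destination {
                    port "53"
                }
                protocol "tcp_udp"
            }
            rule 30 {
                action "accept"
                description "Allow ICMP."
                protocol "icmp"
                state "established"
                state "related"
            }
        }
    }
}
"""

LEAF_RE = re.compile(r'^(\S+)(?:\s+"?(.*?)"?)?$')

def parse_vyos(text):
    """Parse brace-style VyOS config into nested dicts. Block headers such as
    'rule 30' become keys; leaf keys map to a list of values because a key
    like 'state' may appear more than once inside one block."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):      # blank line or VyOS comment
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        else:
            key, val = LEAF_RE.match(line).groups()
            stack[-1].setdefault(key, []).append(val)
    return root

# Keys that do not select traffic; any other key inside a rule is a match criterion.
NON_MATCH_KEYS = {"action", "description", "log", "state", "disable"}

def lint_firewall(cfg):
    """Return (chain, rule, code, message) tuples. Codes are names chosen here:
    'state-in-rule' = per-rule state match duplicating global-options state-policy,
    'accept-all' = accept with no criteria in a default-drop chain."""
    fw = cfg.get("firewall", {})
    has_global_state = bool(fw.get("global-options", {}).get("state-policy"))
    findings = []
    for family in ("ipv4", "ipv6"):
        for key, chain in fw.get(family, {}).items():
            if not key.startswith("name "):
                continue
            chain_name = key.split(" ", 1)[1]
            default = chain.get("default-action", ["drop"])[0]
            for rkey, rule in chain.items():
                if not rkey.startswith("rule ") or not isinstance(rule, dict):
                    continue
                rule_id = rkey.split(" ", 1)[1]
                action = rule.get("action", [None])[0]
                states = rule.get("state", [])
                criteria = set(rule) - NON_MATCH_KEYS
                if states and has_global_state:
                    findings.append((chain_name, rule_id, "state-in-rule",
                        "state %s is already accepted by global-options state-policy; a rule "
                        "limited to these states never sees a new inbound request" % "/".join(states)))
                if action == "accept" and not criteria and not states and default == "drop":
                    findings.append((chain_name, rule_id, "accept-all",
                        "accept with no match criteria: every packet reaching this rule is "
                        "accepted, so default-action drop and later rules never apply"))
    return findings

if __name__ == "__main__":
    for chain, rule, code, msg in lint_firewall(parse_vyos(SAMPLE_CONFIG)):
        print(f"{chain} rule {rule} [{code}]: {msg}")
```

Run as-is it reports rule 10 as accept-all and rule 30 as state-in-rule. With the global state-policy in place, the ICMP rule in WAN_LOCAL only needs action "accept" and protocol "icmp"; drop the two state lines and give rule 10 real criteria (or remove it) and the linter reports nothing.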