ICMP From VyOS to WAN


#1

First off, allow me to express my gratitude to the hard working developers of this fine product. VyOS has saved our organization untold amounts of money due to its flexibility and feature set. We recently purchased a secondary internet connection for failover and we’ve been able to utilize the WAN load balancing functionality inherent in VyOS and it works flawlessly.

Now - to my actual question! During the implementation of the WAN load balancing, we used the ping health checks for each interface. When we first tested, we realized that our VyOS box could not ping to the WAN/Internet. Looking at our firewall rule for the “local” side of our WAN interface, we had the following:

name ExternalInterface-Local {
    default-action drop
    description "Rules for connection to router itself from outside"
    rule 1000 {
        action drop
        protocol all
    }
}

In order to allow VyOS to ping outside, I modified the rule to the following:

name ExternalInterface-Local {
    default-action drop
    description "Rules for connection to router itself from outside"
    rule 10 {
        action accept
        icmp {
        }
        protocol icmp
    }
    rule 1000 {
        action drop
        protocol all
    }
}

This allowed VyOS to ping outside. That being said, is this the correct/safe method of doing so? I know you can set certain ICMP options, but didn’t know which specific ones to set to allow pinging so I just allowed all ICMP.

Thanks!


#2

Have you set the firewall to stateful? If not, I would delete your rule 10 and set the firewall's state policy:

set firewall state-policy established action 'accept'
set firewall state-policy invalid action 'drop'
set firewall state-policy related action 'accept'

So ICMP echo responses from WAN are allowed but no ICMP echo requests from WAN.
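The trimmed-down configuration that the stateful policy described here makes possible, written out as an added example (not taken from the thread or from the VyOS project): it keeps the ruleset name from the original post, uses the VyOS 1.2/1.3 command form, and shows two alternatives to "accept all ICMP": drop rule 10 entirely and rely on connection tracking, or keep an explicit rule that matches only echo replies. Rule 1000 from the original post stays as the catch-all drop.

```text
# Added example, not part of the thread. Ruleset name is the one from the
# original post; the rule number 10 is reused from there as well.

# 1. Global state policy. Replies to the router's own pings arrive as
#    ESTABLISHED; ICMP errors about the router's own flows (destination
#    unreachable, time exceeded) arrive as RELATED; both are accepted.
#    Unsolicited echo requests from the WAN are NEW and fall through to the
#    ruleset, where rule 1000 / default-action drops them.
set firewall state-policy established action 'accept'
set firewall state-policy related action 'accept'
set firewall state-policy invalid action 'drop'

# 2a. With that policy in place the "protocol icmp, accept" rule is not
#     needed for the router's outbound pings to work, so it can go:
delete firewall name ExternalInterface-Local rule 10

# 2b. Alternatively, if an explicit rule is wanted (for example to log it),
#     match only the ICMP type actually needed instead of the whole protocol:
set firewall name ExternalInterface-Local rule 10 action 'accept'
set firewall name ExternalInterface-Local rule 10 protocol 'icmp'
set firewall name ExternalInterface-Local rule 10 icmp type-name 'echo-reply'
set firewall name ExternalInterface-Local rule 10 description 'Replies to pings sent by the router itself'

# Either way, rule 1000 (action drop, protocol all) remains the last rule.
commit
save
```

Choose 2a or 2b, not both; 2a is the usual form because the state policy already covers the echo replies and the ICMP error messages the router needs for path MTU discovery. Newer VyOS releases nest these same settings under different paths, so check the syntax against the release in use.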


#3

Yes, our firewall is stateful.


#4

Without further information about config and topology it’s difficult. Maybe an asymmetrical route?


#5

It’s working as it should now with that change in configuration I noted in the original post (i.e., I’m able to ping over the WAN from VyOS). I’m just wondering if it’s safe to accept all ICMP in that rule or if there’s a way I could trim it back since all I’m wanting is the ability to receive ping responses from internet targets as I ping them from VyOS.


#6

I never had to set such rules, I believe this is the default:

vyos@router01:~$ show firewall

Firewall Global Settings

Firewall state-policy for all IPv4 and Ipv6 traffic

    state         action    log
    -----         ------    ---
    invalid       drop      disabled
    established   accept    disabled
    related       accept    disabled

Rulesets Information