First off, allow me to express my gratitude to the hard working developers of this fine product. VyOS has saved our organization untold amounts of money due to its flexibility and feature set. We recently purchased a secondary internet connection for failover and we’ve been able to utilize the WAN load balancing functionality inherent in VyOS and it works flawlessly.
Now - to my actual question! During the implementation of the WAN load balancing, we used the ping health checks for each interface. When we first tested, we realized that our VyOS box could not ping to the WAN/Internet. Looking at our firewall rule for the “local” side of our WAN interface, we had the following:
name ExternalInterface-Local {
    default-action drop
    description "Rules for connection to router itself from outside"
    rule 1000 {
        action drop
        protocol all
    }
}
In order to allow VyOS to ping outside, I modified the rule to the following:
name ExternalInterface-Local {
    default-action drop
    description "Rules for connection to router itself from outside"
    rule 10 {
        action accept
        icmp {
        }
        protocol icmp
    }
    rule 1000 {
        action drop
        protocol all
    }
}
This allowed VyOS to ping outside. That being said, is this the correct/safe method of doing so? I know you can set certain ICMP options, but didn’t know which specific ones to set to allow pinging so I just allowed all ICMP.
Thanks!
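An added example, not part of the original post and not VyOS project code, showing a narrower version of the "local" rule set above. It keeps the rule-set name and rule 1000 from the post; rule numbers 10, 20, 30 and 31, the descriptions, and the VyOS 1.2/1.3 command syntax (`firewall name <name> rule <n> ...`, `icmp type-name`) are assumptions. The ping health check only needs the echo-reply that answers the router's own echo-request, so there is no need to accept every ICMP type from the Internet:

```vyos
# Added example (assumed rule numbers and descriptions); VyOS 1.2/1.3 syntax assumed.
configure

# Rule 10: return traffic for anything the router itself started (ping health
# checks, DNS, NTP, package updates). Linux conntrack tracks ICMP echo
# request/reply as a flow, so the echo-reply to a health-check ping matches
# ESTABLISHED here and the ping works with this rule alone.
set firewall name ExternalInterface-Local rule 10 action accept
set firewall name ExternalInterface-Local rule 10 description 'Return traffic for router-originated connections'
set firewall name ExternalInterface-Local rule 10 state established enable
set firewall name ExternalInterface-Local rule 10 state related enable

# Rule 20: stateless fallback that accepts only ICMP echo-reply (type 0), the
# single message the ping health check needs. "icmp type 0 code 0" is the
# numeric equivalent. Do NOT add echo-request here unless the router should
# answer pings from the Internet.
set firewall name ExternalInterface-Local rule 20 action accept
set firewall name ExternalInterface-Local rule 20 description 'Replies to our own pings'
set firewall name ExternalInterface-Local rule 20 protocol icmp
set firewall name ExternalInterface-Local rule 20 icmp type-name echo-reply

# Rules 30/31 (optional): ICMP error messages that keep the router's own
# TCP sessions healthy (path MTU discovery, traceroute), but nothing else.
set firewall name ExternalInterface-Local rule 30 action accept
set firewall name ExternalInterface-Local rule 30 protocol icmp
set firewall name ExternalInterface-Local rule 30 icmp type-name destination-unreachable
set firewall name ExternalInterface-Local rule 31 action accept
set firewall name ExternalInterface-Local rule 31 protocol icmp
set firewall name ExternalInterface-Local rule 31 icmp type-name time-exceeded

# Rule 1000 and the default action stay as the explicit catch-all drop from the post.
set firewall name ExternalInterface-Local default-action drop
set firewall name ExternalInterface-Local rule 1000 action drop
set firewall name ExternalInterface-Local rule 1000 protocol all

commit
save
```

This replaces the all-ICMP rule 10 from the post: with it applied, the router still cannot be pinged or probed with other ICMP types from outside, but its own health-check pings get their replies. After committing, `show firewall name ExternalInterface-Local statistics` shows which rule the replies hit (rule 10 if conntrack is matching them, rule 20 otherwise), and `show wan-load-balance` confirms that both interfaces report their health checks as passing.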