I cannot Ping My public IP outside network

rogerIT

Hi, 

I need your assistance on this.

After I set up my Zyxel firewall in to nebula cloud, I suddenly unable to ping both of my WAN IP (Public IP)

* Reachable when I am inside the network
* RTO when outside the Network 

Thanks Guys and God bless!

mMontana

Is ICMP allowed by rules?

Is your device allowed to answer ICMP?

Zyxel_Kevin

Hi @rogerIT.
Greeting Forum, Device has the following hidden default firewall rules:
"LAN to WAN is allowed, WAN to LAN is blocked".
Please kindly create the rule allow WAN ICMP.
Thanks
Kevin 

rogerIT

Hi @Zyxel_Kevin and @mMontana


Good Day!

Can you send me a Screenshot of the settings?
this is my current setting https://prnt.sc/rHXEYPzNiimI

thank you

Zyxel_Kevin

Hi @rogerIT,
Kindly share the Nebula Org/Site in Private messages. I will take it care.
Kevin

mMontana

I'd change the destination from "any" to "Zywall", if possible.

rogerIT

Hi @mMontana and @Zyxel_Kevin

It works now!!
I saw this on internet, this may also help some user
https://prnt.sc/@Zyxel_Kevin

Thanks Guys 

mMontana

@rogerIT

I do not use Nebula, so maybe my suggestion was incorrect.

https://imgur.com/a/UQP7D9e

Into 4.x firmwares, destination "Zywall" is one of the options, brecause "Any" will automatically exclude the Zyxel devices.

IDK if in Nebula there's something similar.

Moreover...

https://imgur.com/a/tugX2oS

In the default configuration for the USG devices (4.x and 5.x firmware) there's a specific rule for defining what's allowed from wan to firewall and what's not.

ICMP/PING is not part of this rule. You can find something similar into your nebula config, then add the PING object to services group for allowing connection to firewall.

Remember: more rules, more refined control.

Less rules, faster operations

Be smart and sometimes optimize (rethink) the rules is a good idea.

rogerIT

@Zyxel_Kevin

no offense pls, but I am a bit worry about that. 
Can you explain what are the best thing to do instead