USG FLEX 100H: ICMP between LAN1_SUBNET and LAN2_SUBNET

hexxit

With standard-configuration I can ping from LAN1_SUBNET to LAN2_SUBNET. Networks are 192.168.10.0/23 an 192.168.178.0/23. Both SUBNETS are in the internal_LAN Group.

ICMP from Clients in the LAN1_SUBNET to the LAN2_SUBNET works.

ICMP from Clients in the LAN2_SUBNET to the LAN1_SUBNET does not.

Is this an undocumented default setting?

If I set a Policy Route from LAN2_SUBNET to LAN1_SUBNET, ICMP work in both directions.

This seams inconsistent.

Zyxel_Tina

Hi @hexxit,

Thanks for reaching out!

To better understand the behavior you reported, I've also done a lab on my site with default configuration — using two interfaces (LAN1 and LAN2) assigned to different subnets within the same zone.

In my testing, ICMP traffic from the LAN1 subnet to the LAN2 subnet — and vice versa — is working as expected, with no need to add an extra policy route.

(Results)

For your reference, I’ve included my security policy settings as shown in the picture.

Since the issue you described could not be reproduced in our environment, we would like to further investigate your configuration. To better assist you, could you kindly provide us with your device configuration file?

You may refer to the following screenshot for downloading configuration.

(From Web GUI)

Go to Maintenance > Firmware/File Manager > Configuration File

This will help us identify any potential differences or factors that might be affecting the behavior.

PeterUK

Odd unless you setup Policy Route from LAN2_SUBNET to LAN1_SUBNET, ICMP with SNAT outgoing interface then that might be why it works is the firewall on end device only allows ICMP within a given subnet or has no gateway