[USG Flex 100H] - PPPoE over VLAN - External ICMP request not blocked
Ally Member
Hello everyone,
I configure my USG Flex 100H for using a PPPoE over VLAN Interface.
I always used an router, for routing to the internet.
I have a 2.5Gbit fiber and my router have the internal fiber optic connection, so I use this configuration:
LAN —> Firewall —> Router (internal fiber connection — do the PPPoE internally) —> Internet
And in this configuration, I never ping my address from the WAN interface (I don't know if because is blocked by the router or not).
The WAN interface on the firewall was set as LAN port with fixed IP, and the IP is related to the subnet of my router (192.168.1.x)
From this evening, I change my configuration and use an external ONT to connect my LAN to the internet using the PPPoE over VLAN interface:
LAN —> Firewall (PPPoE) —> ONT —> Internet
In this new configuration, I see that the device reply correctly, from internet, to the ICMP requests. If I ping my external IP, the ping reply.
The only policy rule from WAN to Zywall is the default rule (allow to any only the default_allow_wan_to_zywall object —> AH (protocol 51), ESP (protocol 50), IKE (UDP 500) and NATT (UDP 4500)).
Also if I disable all of my rules (so all to the default rule —> Any|Any deny Any … obviously the only one active is from my LAN to Zywall), the ICMP request continue to reply correctly.
How I can deny the ICMP request from WAN? I wrong somethings? I need to create a dedicated Policy deny rule?
Best Answers
-
Hi @PeterUK I've resolved.
Just create a Policy Control rule that blocking from ANY to Zywall (src ANY dest WAN Interface) the PING service.
In this way, I cannot anymore ping my external IP
0 -
Hi @PeterUK ,
I've disabled the rule and I've tried with an external wireless connection using phone tethering…
The PING is denied, and when I allow the "default" rule, the PING packet passed and starting to ping. If I deny again the "default" rule, the PING goes in timeout.So definitely… from internal network I can ping always my external WAN IP, but from a real external network I cannot ping my WAN interface because hint the "default" rule that is denied by default.
0
All Replies
-
Your ISP may be doing the ping reply.
If you packet capture the WAN as you ping Externally to see if this is the case.
0 -
OK can be this problem.
But I can deny the ping reply to the external WAN IP? Why the ISP router can block this and the firewall can't? Or there is a setting that disable the ping reply?
0 -
It can be down to a number of things like if you don't have the WAN IP to the USG and your ISP routers has the WAN IP most ISP routers doing NAT don't forward ICMP inbound requests and so its at that edge to which they are limited on the control of this most of the time only allow all or block all inbound ICMP requests that are inbound to your WAN IP.
0 -
OK it's clear.
But, repeat, I cannot block the inbound ICMP request throught the firewall? I cannot block the reply to the ping throught the firewall?0 -
If the inbound ICMP request never gets to the USG you can't block it.
0 -
Hi @PeterUK I've resolved.
Just create a Policy Control rule that blocking from ANY to Zywall (src ANY dest WAN Interface) the PING service.
In this way, I cannot anymore ping my external IP
0 -
Yes that is how you block it so you do have the WAN IP
But the question now is how was it allowed by default which given the default rules should not happen.
0 -
I don't have a ISP with PPPoE but was able to setup a local server for a PPPoE connection just tied to ping the IP it has and did not get a reply even tried enabling the default rules still nothing add a rule to allow ping and it works so I still don't know why you need a rule to block ping that your seeing…
can you move your block ping rule at the bottom of the rules and see if its still blocked?
0 -
Hi @PeterUK
Yes, I've tried to move this rule on the bottom, before the default rule and in this case the ping packet wasn't blocked.
If, then, I move this rule on top, the ping packet was blocked again.0 -
In which case you have a rule allow ping from WAN to Zywall
You can either relook at your rules or slowly move the block ping rule up is the list till the change happens.
0
Guru Member
Categories
- All Categories
- 439 Beta Program
- 2.8K Nebula
- 202 Nebula Ideas
- 127 Nebula Status and Incidents
- 6.3K Security
- 515 USG FLEX H Series
- 328 Security Ideas
- 1.7K Switch
- 84 Switch Ideas
- 1.3K Wireless
- 49 Wireless Ideas
- 6.9K Consumer Product
- 288 Service & License
- 458 News and Release
- 90 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 4.3K FAQ
- 34 Documents
- 85 About Community
- 97 Security Highlight
