[USG Flex 100H] - PPPoE over VLAN - External ICMP request not blocked

Maverick87

Hello everyone,
I configure my USG Flex 100H for using a PPPoE over VLAN Interface.

I always used an router, for routing to the internet.
I have a 2.5Gbit fiber and my router have the internal fiber optic connection, so I use this configuration:
LAN —> Firewall —> Router (internal fiber connection — do the PPPoE internally) —> Internet
And in this configuration, I never ping my address from the WAN interface (I don't know if because is blocked by the router or not).
The WAN interface on the firewall was set as LAN port with fixed IP, and the IP is related to the subnet of my router (192.168.1.x)

From this evening, I change my configuration and use an external ONT to connect my LAN to the internet using the PPPoE over VLAN interface:
LAN —> Firewall (PPPoE) —> ONT —> Internet

In this new configuration, I see that the device reply correctly, from internet, to the ICMP requests. If I ping my external IP, the ping reply.
The only policy rule from WAN to Zywall is the default rule (allow to any only the default_allow_wan_to_zywall object —> AH (protocol 51), ESP (protocol 50), IKE (UDP 500) and NATT (UDP 4500)).

Also if I disable all of my rules (so all to the default rule —> Any|Any deny Any … obviously the only one active is from my LAN to Zywall), the ICMP request continue to reply correctly.

How I can deny the ICMP request from WAN? I wrong somethings? I need to create a dedicated Policy deny rule?

PeterUK

Your ISP may be doing the ping reply.

If you packet capture the WAN as you ping Externally to see if this is the case.