I feel like an idiot asking this question but here goes.
Is there any way to forward an incoming ICMP packet to a specific computer on the internal OPNsense network? I even tried a NAT PF ICMP rule to a specific IP, but that didn't work. I assume that an incoming ping is just pinging the OPNsense internal gateway and not any actual computer on the network.
I also have one computer on its own external static IP via a virtual IP to a specific address, and I can ping that IP fine, but it isn't the computer itself that answers.
I can ping all day from anywhere, but I cannot find an actual computer that is answering the request. I am using Wireshark and can't see any inbound ICMP activity on any computer.
My reason for doing this is to test ICMP types to specific computers. Eventually I want to select which computers can receive ICMP requests and ensure that certain ICMP types are being blocked.
You'd have to NAT it I suspect, so that the external address is mapped to an internal target.
Tried that, didn't work.
I assume you mean IPv4 ICMP packets.
You remembered that from 18.1 onwards IPv6 ICMP packets are now classed as IPV6-ICMP in the firewall protocol setting?
Yes, IPv4. I shut down IPv6.
Quote from: nivek1612 on February 15, 2018, 11:19:46 PM
You remembered that from 18.1 onwards IPv6 ICMP packets are now classed as IPV6-ICMP in the firewall protocol setting?
No, not since 18.1_1: https://github.com/opnsense/core/commit/f26883d4b
Cheers,
Franco
Yay!!!
Didn't see that one sneak through, thanks Franco.
Nor me clearly :-)
Question still unanswered.
How do I forward incoming IPv4 ICMP to a particular computer?
Port forwarding did not work when NAT'ed to a LAN computer.
External pings work fine but do not appear on the NAT'ed IP.
Normally I block v4 ICMP by default, but I've just set up a rule and tested it using my mail server as the target. I set up a floating rule, as it's easier: source any, protocol ICMP, TCP/IP version IPv4, target the internal LAN address of my mail server.
Used MX toolbox ping test to check that, success.
Now my mail server is on a 1:1 NAT to one of the WAN addresses, but it works as expected.
Yes, just ran the same test here; it's working fine for me as well, but like Marjohn I have a 1:1 NAT on a WAN address.
Blocking is not the issue. I just want to test the ICMP types but have nowhere to listen with Wireshark.
If you totally block ICMP trace routes or ping will not work. I use pings to test for active services from external servers.
What I did was to allow only echo replies and requests, as I need these. But I wanted to test that no other ICMP types were accepted. So I set up an external program that sends ICMP type 2, for example, and wanted to use Wireshark to see the traffic on an internal computer. One of the computers is set up with NAT 1:1, but that computer does not show any ICMP traffic. I think the OPNsense box handles the ICMP traffic, in which case I could just use pftop to look for ICMP traffic. But that doesn't show me which ICMP type was received.
I just need someone to verify if I can forward ICMP traffic to a specific computer. Or if ICMP traffic is handled internally by OPNsense. In which case I am stuck with pftop.
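The question above comes down to seeing which ICMP type and code actually arrive at the internal host. Below is an added worked example, not code from any poster in this thread or from OPNsense: it builds a few raw IPv4/ICMP packets (constructed sample data, using the documentation address 198.51.100.10 as the external tester and an assumed internal host 192.168.1.25), parses the type and code out of them the way a capture tool would, verifies both checksums, and applies the policy the poster described (only echo request, type 8, and echo reply, type 0, pass; everything else, such as type 2, is blocked). The allow-list and addresses are assumptions for illustration.

```python
import socket
import struct

# Policy stated in the thread: admit only echo reply (0) and echo request (8).
ALLOWED_ICMP_TYPES = {0, 8}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int = 0, payload: bytes = b"ping") -> bytes:
    """ICMP message: type, code, checksum, 4-byte rest-of-header, payload."""
    rest = b"\x00\x00\x00\x01"  # identifier/sequence for echo; unused for other types
    header = struct.pack("!BBH", icmp_type, code, 0) + rest
    csum = inet_checksum(header + payload)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload


def build_ipv4(src: str, dst: str, icmp: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (protocol 1 = ICMP) around an ICMP message."""
    total_len = 20 + len(icmp)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1A2B, 0, 64, 1, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    csum = inet_checksum(header)
    header = header[:10] + struct.pack("!H", csum) + header[12:]
    return header + icmp


def parse_icmp(packet: bytes) -> dict:
    """Extract the fields a firewall rule decides on; raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (version_ihl & 0x0F) * 4
    if version_ihl >> 4 != 4 or ihl < 20 or proto != 1:
        raise ValueError("not an IPv4 ICMP packet")
    if total_len < ihl + 8 or total_len > len(packet):
        raise ValueError("bad total length")
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    icmp = packet[ihl:total_len]
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "icmp_type": icmp[0], "code": icmp[1]}


def classify(packet: bytes) -> str:
    """Apply the stated policy: allow echo request/reply, block all other types."""
    try:
        fields = parse_icmp(packet)
    except ValueError:
        return "malformed"
    return "allow" if fields["icmp_type"] in ALLOWED_ICMP_TYPES else "block"


# Constructed sample packets (assumed addresses, not from the thread).
SRC, DST = "198.51.100.10", "192.168.1.25"
ECHO_REQUEST = build_ipv4(SRC, DST, build_icmp(8))   # the ordinary ping
TYPE2 = build_ipv4(SRC, DST, build_icmp(2))          # the test type the poster sends
CORRUPT = TYPE2[:-1] + bytes([TYPE2[-1] ^ 0xFF])     # flipped payload byte breaks checksum

if __name__ == "__main__":
    for name, pkt in (("echo request", ECHO_REQUEST), ("type 2", TYPE2), ("corrupt", CORRUPT)):
        verdict = classify(pkt)
        detail = parse_icmp(pkt) if verdict != "malformed" else {}
        print(f"{name}: {verdict} {detail}")
```

On the real internal host the same two fields are what Wireshark exposes as the `icmp.type` and `icmp.code` display-filter fields; if a capture there shows nothing while the OPNsense log shows the packet arriving, the firewall (or the host's own firewall, as a later reply suggests) answered or dropped it before it reached the host.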
We just did forward ICMP to a specific computer.
No go. Maybe the server is blocking it. I did make a firewall rule for ICMP in the server.
Oh well, time to move on.
The firewall logs will tell you all you need to know. For example, all firewall logging on my system is disabled; I turn on specific rule logging when I need it.
So if by default ICMP is not getting through, then turn on the default block logging and set a filter to view ICMP only. Then run a ping test from mxtoolbox.com to your target (obviously the WAN target) and see if that's being allowed; you should see the ICMP packets and whether they are being allowed or not.
That only tells me that OPNsense is replying to the ping. Not that the actual server is.
Pings work fine. I looked at the logs and it shows an ICMP coming in but Wireshark shows no activity on the server.
In the test I did, and Nivek repeated, the responses were from the server, not OPNsense.