Mailing List ecs-isp@2rosenthals.com Archived Message #419

From: "Massimo S." <ecs-isp@2rosenthals.com>
Subject: Re: [eCS-ISP] IJ FW 4.2.2 ICMP not working
Date: Wed, 14 Sep 2022 20:29:14 +0200
To: eCS ISP Mailing List <ecs-isp@2rosenthals.com>



On 14/09/2022 18:42, Massimo S. wrote:


On 14/09/2022 18:22, Massimo S. wrote:


On 03/09/2022 00:17, Steven Levine wrote:
In <list-4826152@2rosenthals.com>, on 09/02/22
    at 11:09 PM, "Massimo S." <ecs-isp@2rosenthals.com> said:

Hi Massimo,

so i should try it without the gateway.exe process running

That's what's been recommended.

are we sure that it will not give issues?

Odd question.  How can anyone answer this question but you?  You have
provided almost zero information as to how the involved systems are
configured.

To recap, what we know is

  - you have a firewall system running ijfw with some set of rules
    running at level 4
  - you have a client system that connects to the firewall system
  - the client system cannot ping systems on the WAN
  - the firewall system is 60KB away
  - the client system is somewhere undocumented

Steven

my ISP has analyzed the issue and we tried from a LAN PC
(under Injoy FW used as gateway) this:

ping 1.1.1.1 -t

they say:

*only* the ICMP protocol that passes through the FTTC router does not come from the firewall WAN/internet static public IP, but it comes from 10.2.x.y, which is the internal LAN IP

the ICMP protocol is not being natted by the firewall

so this is an issue with my setup of Injoy firewall, but i don't find how it can happen

massimo


C-Enable-Ping
         Comment = "Enable ping",
         Protocol = ICMP,
         Rule-Action = Allow

this rule has an issue; i've commented it out in Injoy fw
and now the ISP sees ICMP coming from the right IP WAN/public/static
so the ICMP now is being correctly natted

but it still does not work:

C:\>ping 1.1.1.1 -t

Esecuzione di Ping 1.1.1.1 con 32 byte di dati:
Richiesta scaduta.


massimo

i've re-enabled the allow icmp rule and also activated the logs:

[2022/09/14][18:41:01][00:Info][MSG:][allow-icmp][SRC:010.002.000.014][icmp][DST:001.001.001.001][Outgoing][IP][Unknown][SRC:mypc][DST:one.one.one.one]

[2022/09/14][18:41:01][00:Info][MSG:][allow-icmp][SRC:001.001.001.001][icmp][DST:1.2.3.4][Incoming][IP][Unknown][SRC:one.one.one.one][DST:isp-internet.it]

these are the rule details:

Protocol = ICMP,
Rule-Action = NAT,
Log-Control = Enabled,
Log-Mask = "date time severity message rule source prot dest direction packet_feature action_rule resolved_source resolved_dest",
Log-File = "firewall/logs/icmp.log",
Direction = Bidirectional

(no change if i put Allow or NAT in the Rule-Action)

massimo
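
Added example (not part of the original message and not InJoy's own tooling): a small Python parser for the two log records quoted above, assuming the bracketed fields appear in the order given by the Log-Mask. It names each field and reports, per ICMP record, which end of the packet carries a private (RFC 1918) address.

```python
import ipaddress
import re

# Field order taken from the Log-Mask quoted in the message (assumed to match record order).
LOG_MASK = ("date time severity message rule source prot dest direction "
            "packet_feature action_rule resolved_source resolved_dest").split()

# The two log lines from the message (the poster had already replaced the public IP with 1.2.3.4).
SAMPLE_LOG = """\
[2022/09/14][18:41:01][00:Info][MSG:][allow-icmp][SRC:010.002.000.014][icmp][DST:001.001.001.001][Outgoing][IP][Unknown][SRC:mypc][DST:one.one.one.one]
[2022/09/14][18:41:01][00:Info][MSG:][allow-icmp][SRC:001.001.001.001][icmp][DST:1.2.3.4][Incoming][IP][Unknown][SRC:one.one.one.one][DST:isp-internet.it]
"""

def parse_ip(field):
    """'SRC:010.002.000.014' -> IPv4Address('10.2.0.14'); strips the zero padding."""
    dotted = field.split(":", 1)[1]
    return ipaddress.IPv4Address(".".join(str(int(o)) for o in dotted.split(".")))

def parse_line(line):
    """Split one record into its bracketed fields and name them after LOG_MASK."""
    fields = re.findall(r"\[([^\]]*)\]", line)
    if len(fields) != len(LOG_MASK):
        raise ValueError(f"expected {len(LOG_MASK)} fields, got {len(fields)}")
    rec = dict(zip(LOG_MASK, fields))
    rec["source"] = parse_ip(rec["source"])
    rec["dest"] = parse_ip(rec["dest"])
    return rec

def summarize(log_text):
    """Return (direction, source, dest, lan_side) per ICMP record.
    lan_side names which end of the packet carries an RFC 1918 address, if any."""
    rows = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        rec = parse_line(line)
        if rec["prot"].lower() != "icmp":
            continue
        lan_side = ("source" if rec["source"].is_private
                    else "dest" if rec["dest"].is_private else None)
        rows.append((rec["direction"], str(rec["source"]), str(rec["dest"]), lan_side))
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

On the two quoted records, the outgoing packet is logged with the LAN source 10.2.0.14, while the incoming reply is logged with destination 1.2.3.4 and no LAN address on either end.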
