DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Looking to ping from one internet IP address
- monty1158
- Topic Author
29 May 2009 15:33 #56106
by monty1158
Hi All,
I'm using a variety of Draytek routers (Various 2600 and 2800 series) to connect remote sites to our main network, all with "Disable ping from the internet" enabled.
This has worked well for a long time, however, due to new monitoring software we're implementing, I'm looking to allow one static internet IP address to be able to ping the routers, but still block all other ICMP traffic/access to the router.
Is this possible in the firewall rules?
Cheerie,
Monty
- louis-m
29 May 2009 17:51 #56111
by louis-m
2820 = 3.3.2_RC5
2950 = 3.2.4
yes. you need to make a "block if no further match" rule first, specifying ICMP and destination & source address as any.
you then follow that up with an allow rule exactly the same, but this time specify destination = your LAN or PCs that can be pinged & source = your monitoring server IP.
- monty1158
- Topic Author
01 Jun 2009 11:40 #56139
by monty1158
Thanks for the information Louis. I tried what you described, but with the "Disable ping from the internet" option enabled, I still get no response. Disabling this option, even with the firewall rules in place, I can still ping from various internet addresses. Can you check that the following is correct please?
"Disable ping from the internet" disabled.
Firewall rules set to factory default.
Rule Set #1 (Default Call Filter)
Rule #2: Block if no further match, Direction IN, ICMP, Any, Any
Rule #3: Block if no further match, Direction IN, ICMP, Source: 124.X.X.X (NAT'ed source IP), 92.X.X.X (Internet IP of router)
I have also tried clearing out the default rules, setting the default call and data ruleset, in general setup, to Rule Set #1, and putting the only two rules in the above order as rules #1 and #2.
I've even tried disabling the call ruleset, leaving only the data ruleset enabled, and vice versa, but this doesn't do anything either. I can still ping from various addresses.
I'm now completely confused.
Oh yeah, just to confirm. I need to be able to talk to the internet IP of the router itself (apart from ping, I'm also doing some SNMP checks). I take it that I could talk directly, or should I port forward the packets from the external IP to the router's internal IP address on its LAN? Or should I have been doing this anyway?
Cheerie,
Monty
- louis-m
01 Jun 2009 12:18 #56141
by louis-m
forget the call filter. it doesn't apply here.
under data filter:
rule #3 is wrong. that needs to be a pass rule. source will be the public IP of your monitoring server (not LAN IP) and destination will be your router IP OR server OR LAN of the clients you want monitored (private IPs)
you are telling your router in order to:
1. block all incoming pings unless specified in the following rule
2. allow ping to router/server/lan from monitoring server
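To make the ordering louis-m describes concrete, here is an added example (not from the thread, and not DrayTek's own logic) that models the two rule actions as the thread describes them and runs Monty's first attempt and Louis's correction over the same packets. The rule semantics are an assumption drawn from the action names, and the addresses 203.0.113.10 and 198.51.100.1 are constructed stand-ins for the masked 124.X.X.X and 92.X.X.X.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")

@dataclass
class Rule:
    name: str
    action: str          # "<verdict>_<mode>", e.g. "block_if_no_further_match", "pass_immediately"
    proto: str           # "icmp", "udp", ...
    src: IPv4Network = ANY
    dst: IPv4Network = ANY

    def matches(self, proto: str, src: str, dst: str) -> bool:
        return (proto == self.proto and ip_address(src) in self.src
                and ip_address(dst) in self.dst)

def evaluate(rules, proto, src, dst):
    """Return (verdict, rule_name) for one packet. Assumed semantics (from the
    thread, not DrayTek docs): rules are checked in order; a matching
    "..._immediately" rule ends evaluation; a matching "..._if_no_further_match"
    rule only records a provisional verdict a later match may override; unmatched traffic passes."""
    verdict = ("pass", "implicit default")
    for rule in rules:
        if not rule.matches(proto, src, dst):
            continue
        decision, _, mode = rule.action.partition("_")
        if mode == "immediately":
            return decision, rule.name
        verdict = (decision, rule.name)
    return verdict

# Constructed addresses standing in for the thread's masked 124.X.X.X and 92.X.X.X.
MONITOR = "203.0.113.10"     # monitoring server's public IP
ROUTER_WAN = "198.51.100.1"  # router's internet-facing IP

# Monty's first attempt: both rules block, so even the monitor is blocked.
MONTY_RULES = [Rule("Rule #2", "block_if_no_further_match", "icmp"),
               Rule("Rule #3", "block_if_no_further_match", "icmp",
                    ip_network(MONITOR), ip_network(ROUTER_WAN))]

# Louis's ordering: provisional catch-all block, then an immediate pass for the monitor only.
LOUIS_RULES = [Rule("Rule #2", "block_if_no_further_match", "icmp"),
               Rule("Rule #3", "pass_immediately", "icmp",
                    ip_network(MONITOR), ip_network(ROUTER_WAN))]

if __name__ == "__main__":
    for src in (MONITOR, "192.0.2.50"):   # the monitor vs. some other internet host
        print(src, "monty:", evaluate(MONTY_RULES, "icmp", src, ROUTER_WAN),
              "louis:", evaluate(LOUIS_RULES, "icmp", src, ROUTER_WAN))
```

Non-ICMP traffic is untouched by either rule set, which is why the catch-all block must name ICMP rather than "any" protocol.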
- monty1158
- Topic Author
01 Jun 2009 12:51 #56143
by monty1158
Thanks for the quick reply. I've tried what you suggested, changing:
Rule #3: Block if no further match, Direction IN, ICMP, Source: 124.X.X.X (NAT'ed source IP), 92.X.X.X (Internet IP of router)
to
Rule #3: Pass immediately, Direction IN, ICMP, Source: 124.X.X.X (NAT'ed source IP), 92.X.X.X (Internet IP of router)
and it made no difference. I can still ping the router from different internet IP addresses. It's bizarre. The router in question I'm currently playing with to try and sort this out is a 2600V, with the latest firmware installed (2.5.8.3_UK), so the firewall should be working correctly...
So the current ruleset is:
Ruleset #2: (Default data filter)
Rule #1: xNetBios -> DNS (Default rule)
Rule #2: Block if no further match, Direction IN, ICMP, Any, Any
Rule #3: Pass immediately, Direction IN, ICMP, Source: 124.X.X.X (NAT'ed source IP), 92.X.X.X (Internet IP of router)
Am I just completely missing how to use this firewall correctly?
Cheerie,
Monty
- louis-m
01 Jun 2009 13:15 #56144
by louis-m
try turning on the disable ping from internet. I'm not sure if you can achieve stealth trying this as the router will have to be listening for a ping to know whether or not to reply.
Copyright © 2024 DrayTek