Allow inbound ICMP when VPN client is enabled

On the Flint 2 4.6.2 release 1 I have an issue where inbound ICMP is not allowed until VPN Client is disabled.

I have "Allow Ping from WAN" toggled on.

My TP-link router which I used to use with OpenVPN client had no issue with inbound ICMP when the VPN client was enabled.

root@GL-MT6000:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	list network 'secondwan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option input 'DROP'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'
	option enabled '0'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config include 'nat6'
	option path '/etc/firewall.nat6'
	option reload '1'

config redirect 'dns_vpn'
	option name 'dns for vpn'
	option src 'lan'
	option src_dport '53'
	option dest 'lan'
	option dest_port '1653'
	option mark '!0x8000/0xc000'
	list proto 'tcp'
	list proto 'udp'
	option enabled '0'

config redirect 'dns_vpn_guest'
	option name 'dns for vpn guest'
	option src 'guest'
	option src_dport '53'
	option dest 'guest'
	option dest_port '1653'
	option mark '!0x8000/0xc000'
	list proto 'tcp'
	list proto 'udp'
	option enabled '0'

config rule 'process_mark'
	option name 'process_mark'
	option dest '*'
	option proto 'all'
	option extra '-m owner --gid-owner 65533'
	option target 'MARK'
	option set_xmark '0x8000/0xc000'

config rule 'process_mark_dns'
	option name 'process_mark_dns'
	option dest '*'
	option proto 'all'
	option extra '-m owner --gid-owner 453'
	option target 'MARK'
	option set_xmark '0x8000/0xc000'

config rule 'process_explict_vpn'
	option name 'process_explict_vpn'
	option dest '*'
	option proto 'all'
	option extra '-m owner --gid-owner 20000'
	option target 'MARK'
	option set_xmark '0x20000/0x20000'

config rule 'wan_in_conn_mark'
	option name 'wan_in_conn_mark'
	option src 'wan'
	option dest '*'
	option set_xmark '0x8000/0xc000'
	option target 'MARK'
	option extra '-m mark --mark 0x0/0x3f00 -j CONNMARK --set-xmark 0x8000/0xc000'
	option enabled '1'

config rule 'lan_in_conn_mark_restore'
	option name 'lan_in_conn_mark_restore'
	option src 'lan'
	option dest '*'
	option set_xmark '0x8000/0xc000'
	option target 'MARK'
	option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark'
	option enabled '1'

config rule 'out_conn_mark_restore'
	option name 'out_conn_mark_restore'
	option dest '*'
	option set_xmark '0x8000/0xc000'
	option target 'MARK'
	option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark'
	option enabled '1'

config include 'swap_wan_in_conn_mark'
	option type 'script'
	option reload '1'
	option path '/etc/firewall.swap_wan_in_conn_mark.sh'
	option enabled '1'

config include 'glblock'
	option type 'script'
	option path '/usr/bin/gl_block.sh'
	option reload '1'

config zone
	option name 'guest'
	option network 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding
	option src 'guest'
	option dest 'wan'
	option enabled '0'

config rule
	option name 'Allow-DHCP'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule
	option name 'Allow-DNS'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

config include 'vpn_server_policy'
	option type 'script'
	option path '/etc/firewall.vpn_server_policy.sh'
	option reload '1'
	option enabled '1'

config rule 'ping_wan'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option target 'ACCEPT'

config zone 'wgclient'
	option name 'wgclient'
	option forward 'DROP'
	option output 'ACCEPT'
	option mtu_fix '1'
	option network 'wgclient'
	option input 'DROP'
	option masq '1'
	option masq6 '1'
	option enabled '1'

config forwarding 'wgclient2wan'
	option src 'wgclient'
	option dest 'wan'
	option enabled '1'

config forwarding 'lan2wgclient'
	option src 'lan'
	option dest 'wgclient'
	option enabled '1'

config forwarding 'guest2wgclient'
	option src 'guest'
	option dest 'wgclient'
	option enabled '1'

config rule 'sambasharewan'
	option src 'wan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'DROP'

config rule 'sambasharelan'
	option src 'lan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'ACCEPT'

config rule 'glnas_ser'
	option src 'wan'
	option dest_port '6000-6002'
	option dest_proto 'tcp'
	option target 'DROP'

config rule 'webdav_wan'
	option src 'wan'
	option dest_port '6008'
	option dest_proto 'tcp'
	option target 'DROP'

Which vpn are you using?
Do you have any vpn policy configured?

I tested 4.6.2 and expresssvpn (opvn) and don't have any problem ping the wan IP.

1 Like

Yes I am using Wireguard VPN client with domain / IP routing

I tested several combinations and works OK.

What wireguard service are you using?
Do you have public IP on Flint2? I only tested private IP.

Yes I am using Wireguard VPN client with protonvpn and the domain / IP routing policy.

I can't ping my internet wan, nothing related to the actual public IP of the protonvpn.

Yes it's a public IP I'm pinging, when I tested I can ping the wan IP if it is a local IP address but not a public address.

i added some open firewall rules but they didn't help,

I think the vpn policy script does something with inbound traffic.

I wonder whether this rule has something to do with it

@hansome can you gave a look at this one?