Allow inbound ICMP when VPN client is enabled

On the Flint 2 (4.6.2 release 1) I have an issue where inbound ICMP is not allowed until the VPN client is disabled.

I have "Allow Ping from WAN" toggled on.

My TP-Link router, which I previously used with an OpenVPN client, had no issue with inbound ICMP while the VPN client was enabled.

root@GL-MT6000:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	list network 'secondwan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option input 'DROP'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'
	option enabled '0'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config include 'nat6'
	option path '/etc/firewall.nat6'
	option reload '1'

config redirect 'dns_vpn'
	option name 'dns for vpn'
	option src 'lan'
	option src_dport '53'
	option dest 'lan'
	option dest_port '1653'
	option mark '!0x8000/0xc000'
	list proto 'tcp'
	list proto 'udp'
	option enabled '0'

config redirect 'dns_vpn_guest'
	option name 'dns for vpn guest'
	option src 'guest'
	option src_dport '53'
	option dest 'guest'
	option dest_port '1653'
	option mark '!0x8000/0xc000'
	list proto 'tcp'
	list proto 'udp'
	option enabled '0'

config rule 'process_mark'
	option name 'process_mark'
	option dest '*'
	option proto 'all'
	option extra '-m owner --gid-owner 65533'
	option target 'MARK'
	option set_xmark '0x8000/0xc000'

config rule 'process_mark_dns'
	option name 'process_mark_dns'
	option dest '*'
	option proto 'all'
	option extra '-m owner --gid-owner 453'
	option target 'MARK'
	option set_xmark '0x8000/0xc000'

config rule 'process_explict_vpn'
	option name 'process_explict_vpn'
	option dest '*'
	option proto 'all'
	option extra '-m owner --gid-owner 20000'
	option target 'MARK'
	option set_xmark '0x20000/0x20000'

config rule 'wan_in_conn_mark'
	option name 'wan_in_conn_mark'
	option src 'wan'
	option dest '*'
	option set_xmark '0x8000/0xc000'
	option target 'MARK'
	option extra '-m mark --mark 0x0/0x3f00 -j CONNMARK --set-xmark 0x8000/0xc000'
	option enabled '1'

config rule 'lan_in_conn_mark_restore'
	option name 'lan_in_conn_mark_restore'
	option src 'lan'
	option dest '*'
	option set_xmark '0x8000/0xc000'
	option target 'MARK'
	option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark'
	option enabled '1'

config rule 'out_conn_mark_restore'
	option name 'out_conn_mark_restore'
	option dest '*'
	option set_xmark '0x8000/0xc000'
	option target 'MARK'
	option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark'
	option enabled '1'

config include 'swap_wan_in_conn_mark'
	option type 'script'
	option reload '1'
	option path '/etc/firewall.swap_wan_in_conn_mark.sh'
	option enabled '1'

config include 'glblock'
	option type 'script'
	option path '/usr/bin/gl_block.sh'
	option reload '1'

config zone
	option name 'guest'
	option network 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding
	option src 'guest'
	option dest 'wan'
	option enabled '0'

config rule
	option name 'Allow-DHCP'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule
	option name 'Allow-DNS'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

config include 'vpn_server_policy'
	option type 'script'
	option path '/etc/firewall.vpn_server_policy.sh'
	option reload '1'
	option enabled '1'

config rule 'ping_wan'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option target 'ACCEPT'

config zone 'wgclient'
	option name 'wgclient'
	option forward 'DROP'
	option output 'ACCEPT'
	option mtu_fix '1'
	option network 'wgclient'
	option input 'DROP'
	option masq '1'
	option masq6 '1'
	option enabled '1'

config forwarding 'wgclient2wan'
	option src 'wgclient'
	option dest 'wan'
	option enabled '1'

config forwarding 'lan2wgclient'
	option src 'lan'
	option dest 'wgclient'
	option enabled '1'

config forwarding 'guest2wgclient'
	option src 'guest'
	option dest 'wgclient'
	option enabled '1'

config rule 'sambasharewan'
	option src 'wan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'DROP'

config rule 'sambasharelan'
	option src 'lan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'ACCEPT'

config rule 'glnas_ser'
	option src 'wan'
	option dest_port '6000-6002'
	option dest_proto 'tcp'
	option target 'DROP'

config rule 'webdav_wan'
	option src 'wan'
	option dest_port '6008'
	option dest_proto 'tcp'
	option target 'DROP'

Which vpn are you using?
Do you have any vpn policy configured?

I tested 4.6.2 with ExpressVPN (OpenVPN) and have no problem pinging the WAN IP.


Yes, I am using the WireGuard VPN client with domain/IP routing.

I tested several combinations and they work OK.

What WireGuard service are you using?
Do you have a public IP on the Flint 2? I only tested with a private IP.

Yes, I am using the WireGuard VPN client with ProtonVPN and the domain/IP routing policy.

I can't ping my internet WAN IP; this is unrelated to the actual public IP of the ProtonVPN server.

Yes, it's a public IP I'm pinging. When I tested, I could ping the WAN IP if it was a local (private) address, but not if it was a public address.

I added some open firewall rules, but they didn't help.

I think the VPN policy script does something with inbound traffic.

I wonder whether this rule has something to do with it.

@hansome can you take a look at this one?

The *conn_mark rules support only tcp and udp by default; if you want to add icmp, use these commands to specify the protocols they should match:

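# Add icmp (alongside the default tcp/udp) to the three *conn_mark rules
# so ICMP flows get the same MARK/CONNMARK treatment as tcp/udp traffic.
#
# 'uci add_list' appends without checking for duplicates, so the membership
# test below keeps the snippet idempotent: re-running it (or running it on a
# rule that already lists tcp/udp) does not pile up repeated 'list proto'
# entries.  Written for POSIX sh (busybox ash on the router), no bashisms.
for rule in wan_in_conn_mark out_conn_mark_restore lan_in_conn_mark_restore; do
  for proto in tcp udp icmp; do
    # 'uci get' prints a list's values space-separated on one line;
    # -q silences "Entry not found" when the rule has no proto list yet.
    case " $(uci -q get "firewall.${rule}.proto") " in
      *" ${proto} "*) ;;   # already present, nothing to do
      *) uci add_list "firewall.${rule}.proto=${proto}" ;;
    esac
  done
done
uci commit firewall
/etc/init.d/firewall reload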

Thanks, this worked. If I wanted to apply restrictions to ICMP, such as "Match ICMP Type" and "Limit Matching", which rules should I set these restrictions on? I want to apply restrictions similar to those the IPv6 rules use.

root@GL-MT6000:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'
        list network 'secondwan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option input 'DROP'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wan'
        option enabled '0'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config include 'nat6'
        option path '/etc/firewall.nat6'
        option reload '1'

config redirect 'dns_vpn'
        option name 'dns for vpn'
        option src 'lan'
        option src_dport '53'
        option dest 'lan'
        option dest_port '1653'
        option mark '!0x8000/0xc000'
        list proto 'tcp'
        list proto 'udp'
        option enabled '0'

config redirect 'dns_vpn_guest'
        option name 'dns for vpn guest'
        option src 'guest'
        option src_dport '53'
        option dest 'guest'
        option dest_port '1653'
        option mark '!0x8000/0xc000'
        list proto 'tcp'
        list proto 'udp'
        option enabled '0'

config rule 'process_mark'
        option name 'process_mark'
        option dest '*'
        option proto 'all'
        option extra '-m owner --gid-owner 65533'
        option target 'MARK'
        option set_xmark '0x8000/0xc000'

config rule 'process_mark_dns'
        option name 'process_mark_dns'
        option dest '*'
        option proto 'all'
        option extra '-m owner --gid-owner 453'
        option target 'MARK'
        option set_xmark '0x8000/0xc000'

config rule 'process_explict_vpn'
        option name 'process_explict_vpn'
        option dest '*'
        option proto 'all'
        option extra '-m owner --gid-owner 20000'
        option target 'MARK'
        option set_xmark '0x20000/0x20000'

config rule 'wan_in_conn_mark'
        option name 'wan_in_conn_mark'
        option src 'wan'
        option dest '*'
        option set_xmark '0x8000/0xc000'
        option target 'MARK'
        option extra '-m mark --mark 0x0/0x3f00 -j CONNMARK --set-xmark 0x8000/0xc000'
        list proto 'tcp'
        list proto 'udp'
        list proto 'tcp'
        list proto 'udp'
        list proto 'icmp'

config rule 'lan_in_conn_mark_restore'
        option name 'lan_in_conn_mark_restore'
        option src 'lan'
        option dest '*'
        option set_xmark '0x8000/0xc000'
        option target 'MARK'
        option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark'
        list proto 'tcp'
        list proto 'udp'
        list proto 'icmp'

config rule 'out_conn_mark_restore'
        option name 'out_conn_mark_restore'
        option dest '*'
        option set_xmark '0x8000/0xc000'
        option target 'MARK'
        option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark'
        list proto 'tcp'
        list proto 'udp'
        list proto 'icmp'

config include 'swap_wan_in_conn_mark'
        option type 'script'
        option reload '1'
        option path '/etc/firewall.swap_wan_in_conn_mark.sh'
        option enabled '1'

config include 'glblock'
        option type 'script'
        option path '/usr/bin/gl_block.sh'
        option reload '1'

config zone
        option name 'guest'
        option network 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'

config forwarding
        option src 'guest'
        option dest 'wan'
        option enabled '0'

config rule
        option name 'Allow-DHCP'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

config rule
        option name 'Allow-DNS'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'

config include 'vpn_server_policy'
        option type 'script'
        option path '/etc/firewall.vpn_server_policy.sh'
        option reload '1'
        option enabled '1'

config zone 'wgclient'
        option name 'wgclient'
        option forward 'DROP'
        option output 'ACCEPT'
        option mtu_fix '1'
        option network 'wgclient'
        option input 'DROP'
        option masq '1'
        option masq6 '1'
        option enabled '1'

config forwarding 'wgclient2wan'
        option src 'wgclient'
        option dest 'wan'
        option enabled '1'

config forwarding 'lan2wgclient'
        option src 'lan'
        option dest 'wgclient'
        option enabled '1'

config forwarding 'guest2wgclient'
        option src 'guest'
        option dest 'wgclient'
        option enabled '1'

config rule 'sambasharewan'
        option src 'wan'
        option dest_port '137 138 139 445'
        option dest_proto 'tcpudp'
        option target 'DROP'

config rule 'sambasharelan'
        option src 'lan'
        option dest_port '137 138 139 445'
        option dest_proto 'tcpudp'
        option target 'ACCEPT'

config rule 'glnas_ser'
        option src 'wan'
        option dest_port '6000-6002'
        option dest_proto 'tcp'
        option target 'DROP'

config rule 'webdav_wan'
        option src 'wan'
        option dest_port '6008'
        option dest_proto 'tcp'
        option target 'DROP'

config rule 'ping_wan'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option target 'ACCEPT'

This rule allows WAN ping. Add a limit to it:

# Rate-limit the 'ping_wan' rule (accepts echo-request from the wan zone)
# at 1000/sec, matching the limit the built-in ICMPv6 rules use, then
# commit and apply.  'uci batch' runs the set and commit in one call.
uci batch <<'EOF'
set firewall.ping_wan.limit=1000/sec
commit firewall
EOF
/etc/init.d/firewall reload