Machines not pingable outside network

Simply put: My network's machines are not responding to ping that originate from outside my network. This is very bad... since I am running a private server that, nevertheless, needs to be seen from outside the network to be useful.

Have created rule to allow ICMP in (and out) (using Win7 Firewall on this machine) to no effect. Machine still doesn't respond to ping.

This is seriously hampering efforts to test usability of a handful of things I'm working on.

Offhand I'd say that your router - not the Windows 7 firewall - is blocking the ping. After checking that ICMP isn't being filtered by your router, you should check to see if the ping is at least making the inbound leg of it's journey. Remember, a ping goes to your destination, and then back - and asymmetric routing or firewalling happens all the time. What I would do (after considering the previous poster's advice and checking the router) would be to install something like Wireshark on your internal server. Once that's up and a capture session is running, fire off the ping from the external host and you should see them hitting the target host running Wireshark. If you see them making it that far, then you know you need to focus your efforts on the outbound leg of the ICMP packet's journey.

Bear in mind also that unblocking ICMP at your router might solve your ping problem, but at the same time it'll open you up to DDoS and other ICMP attacks. Check your router's settings for a "choke" setting that limits the number of ICMP packets that it'll allow in a given timeframe. It's also possible that this setting is already enabled and you're currently being probed with ICMP - and your pings are a casualty of the unwanted ICMP probes. You can try to mitigate this by setting up a rule on your router that only allows ICMP from the external host you're pinging from.

Good luck,
/d.

devolutionist said:

Offhand I'd say that your router - not the Windows 7 firewall - is blocking the ping. After checking that ICMP isn't being filtered by your router, you should check to see if the ping is at least making the inbound leg of it's journey. Remember, a ping goes to your destination, and then back - and asymmetric routing or firewalling happens all the time. What I would do (after considering the previous poster's advice and checking the router) would be to install something like Wireshark on your internal server. Once that's up and a capture session is running, fire off the ping from the external host and you should see them hitting the target host running Wireshark. If you see them making it that far, then you know you need to focus your efforts on the outbound leg of the ICMP packet's journey.

Bear in mind also that unblocking ICMP at your router might solve your ping problem, but at the same time it'll open you up to DDoS and other ICMP attacks. Check your router's settings for a "choke" setting that limits the number of ICMP packets that it'll allow in a given timeframe. It's also possible that this setting is already enabled and you're currently being probed with ICMP - and your pings are a casualty of the unwanted ICMP probes. You can try to mitigate this by setting up a rule on your router that only allows ICMP from the external host you're pinging from.

Good luck,
/d.

I am aware of the ICMP security problem. I am not entirely ignorant of networking security (and am going through Network+ yet again; it has changed since the last time I was certified in it.)

I have tried to keep a screen-shot log of what I've tried (step-by-step) and it is attached, but out of date. It rather alarmed me when the router was set to allow ICMP bi-directionally, Win7's Firewall was DISABLED and still nothing. That should not have happened. Even now, with Win7's firewall with an explicit rule permitting ICMP ping bi-directionally, I'm still getting nowhere.

Have installed Wireshark, am studying how to get it to capture, and nothing. So far, it's not capturing anything. Chances are real good I'll be embarrassed at some step I failed to do once this is resolved.

rdanner3 said:

Chances are real good I'll be embarrassed at some step I failed to do once this is resolved.

Hooboy, is my face ever red . It was the router's fault. Or more precisely, I goofed a bit. Forgot to set up a service. It's working for one machine on the network, but not (for now) on the others. Yet more work to be done. :sigh:

I discovered some more very interesting "issues" about this. (Make that read, things that can give you grey hair!)

At the risk of cross-posting (which I know can get me my fingers broken), I am going to insert the text of a comment I made on social Technet.

========= Begin inserted text ===========

Update:


This has more aspects than a cat has hair! I have discovered:

• Most, if not all, of the rules established for the "Private" profile have their remote scope set to "local subnet" instead of "all". This is really easy to miss as this setting is way off-screen to the right. (Unless you have your window set REALLY wide!)
• On the Advanced tab, there is another setting - Interfaces - that needs to be checked. You need to make sure that whatever interface you are using (or "all") is actually selected.
• The "edge traversal" setting appears to have no effect whatsoever if you are behind a hardware router.
• If you have the Windows Firewall window open, showing rules (or whatever), and you restart the Windows Firewall service, the objects within the windows become "invalid" (i.e. "Invalid Handle"), and saved settings don't get saved. And you don't always get a warning either. Note that they LOOK like they have been saved, but the REALLY HAVE NOT been saved at all. If you are wondering, close the Windows Firewall window, and then re-launch it, to see if the settings are "sticky".

I'm rapidly becoming convinced that it really IS a conspiracy!

Jim

================ End inserted text ================

The take-aways here are these:
Check your remote scope, especially if using a "Private" profile.
Check your interfaces, especially if creating a rule by hand.
Verify that your session to the Windows Firewall service has not become invalid by restarting the session.

Jim

you may visit some speed test sites.....