Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

ICMP Echo Request. . .

So I' m running a dedicated Crysis server hosting the Mechwarrior Living Legends full conversion modification out of my house behind my comparatively ancient Fortigate 60 firewall. I know enough about the FortiOS 3 MR 7 to be dangerous and I' m beating my head against an issue that I' m hoping one of you lovely people can help me address. I' m running into an issue where in the in game lobby, my server is visible and people can get connected, but the ping report back to Gamespys servers as N/A rather than the ping of the server. Which if you game, you probably know no one wants to join a server that they can' t tell what the ping is. I' ve been advised to configure the Fortigate to allow ICMP Echo requests from the WAN -> Internal network, and I' ve created a policy to allow this to happen but it doesn' t seem to have resolved the issue. This is what the Policy I have looks like. . .
 Status  ID 	  Source  Destination           Schedule  Service Profile  Action 	
            12 	  all         Crysis Game Port  always 	*            PING   ACCEPT
 
Any help or guidance would be greatly appreciated.
4 REPLIES 4
emnoc
Esteemed Contributor III

Can' t you do this with just allowing icmp on the wan interface and get the same goal accomplish? I think your policy that you have show of a tidbit of, does not have any nat going on and that' s why it' s failing btw. i.e what I would try config sys int edit wan-interface set allowaccess icmp end That should allow them to ping you ip_address , which if I had to guess, is NAT' ing your internal network that sits behind the firewall. Right ?

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
ede_pfau
SuperUser
SuperUser

Hi, and welcome to the forums! It depends on how you have connected your server. If you have a VIP for the server, with port forwarding whatever ports you need for the game then the VIP will only forward these ports. For example, you forward 345/udp and 567/tcp, then all other traffic to the external IP (VIP " external IP" ) will not answered. That applies to ICMP (the ping protocol) as well. There are 2 solutions IMHO: 1. instead of the server, let the FGT answer to ping requests. For that, go to System>Network>Interface, edit WAN, ' allow admin access' , check PING. or 2. do not use port forwarding in the VIP - just uncheck that option. drawbacks: in 1. your FGT will happily respond to ping queries even if the server is down. in 2. you expose your server to all attacks from the net; you could plug it into the WAN side just the same. No protection at all. HTH.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Not applicable

Currently I can ping the fortigate from the wan, that' s not an issue nor unfortunately, the solution. Whats going on is that the gamespy server is having trouble contacting the server behind the firewall to establish its ping, it won' t accept the ping response generated by the wan side of the firewall as the millisecond ping of the server. The appropriate ports are opened in the firewall to allow communication (utp/64100). Others who have had and resolved the issue, configured their firewall to pass the icmp echo request to the server
ede_pfau
SuperUser
SuperUser

As I said, if you use port forwarding you can only forward protocols that use ports, namely TCP and UDP. ICMP is not included. You can only resort to proposal 2, not using port forwarding but forward all protocols to the server. You can and should additionally restrict access to the server in the policy in which you use the VIP.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors