Enable ICMP (ECHO) PING on WAN

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2020-06-11 22:08:27 - last edited 2021-11-16 02:11:35
Model: Deco M5  
Hardware Version: V2
Firmware Version: 1.4.4 Build 20200221 Rel. 65392

There seems to have been discussion of a need to hide the device by blocking ping (remove ICMP echo-reply response) in various threads over the last year, and in a recent version of the firmware the device appears to default deny on all inbound ICMP responses.

 

I am speaking as a credentialed Certified Information Systems Security Professional (CISSP) and I am not aware of security research or best practices that indicate blocking WAN ping on routers.

 

While I understand denying ICMP means network scanners have to work a little bit harder to find "active" devices, blackholing ICMP is a practice typically recommended for network hosts (not routers).

 

Denying ICMP actually results in breaking security functionality in some important ways:

 

Security Availability Vulnerability (fundamental security concept):

- In the case of port forwarding, denying ICMP breaks PMTU scans from clients outside the local network damaging window scaling and ultimately breaking network connectivity when an MTU of 1500 is not compatible with the local loop.

 

Network Access Control Vulnerability (security control category):

- In the case of an enterprise network administrator, the fact the device does not respond to pings makes it more difficult for a cyber asset inventory scan to determine whether there may be a rogue device on the network.

 

Security Availability Vulnerability (fundamental security concept):

- Blocking ping makes it difficult for a WAN-side DHCP host to perform IP deconflict checks.

 

What is the value of this feature?

 

ICMP processing stacks (whether commercial or open source) have been stable and basically unbreakable (from a security standpoint) for decades. Malformed packets sometimes root routers, but as Cisco will tell you, a firewall rule never protected the L3 stack from breakage.

 

The only possible justification I can think of is a user has placed a totally insecure protocol on a random port (of which there are only 30-60k available -- so not very random) -- and is hoping the fact their device doesn't respond to ICMP will somehow make up for the fact RDP is regularly rooted, free VNC software is the security equivalent of a speed bump, and the webserver on their multi-function NAS is riddled with known vulnerabilities.

 

My case? I'd simply like to place a network monitor (outside) on the internet on my Deco so I can monitor availability (a security concept). It appears my only option is to forward a port inside breaking the security perimeter so I can do a TCP PING?

 

Someone please tell me there's a hidden configuration option to enable ping?

 

PS: Apparently port 22 is running an SSH server and the firmware has a hardcoded root password (yes! root login enabled!) that can provide access to the ash shell. Default remote login passwords would be a "Critical" CVSS score I believe.

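The post above argues in terms of "ICMP" as a whole. What a router firewall should actually distinguish is echo-request, the only message "hide from ping" needs to touch, from the ICMP error types that Path MTU Discovery and traceroute depend on. The following is an added example, not code from the thread and not the Deco firmware's own firewall (which the thread does not show): a POSIX sh function that emits an nftables ruleset for the WAN side of a generic Linux router, parameterised on whether echo-request is dropped. The use of nftables, the interface name wan0 and the table and chain names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not the Deco firmware's firewall (the thread does not show
# it) and not the thread author's code: an nftables policy for the WAN side
# of a generic Linux router that hides the router from ping without
# blackholing the ICMP that Path MTU Discovery and error reporting need.
# Assumptions for illustration: nftables is available, the WAN interface is
# wan0, and the table/chain names are invented here.

# icmp_ruleset IFACE hide|answer  -> prints a complete nft ruleset; "hide"
# drops echo-request arriving on IFACE, "answer" lets the kernel reply to it.
icmp_ruleset() {
    case "$2" in
        hide)   echo_verdict=drop ;;
        answer) echo_verdict=accept ;;
        *) echo "icmp_ruleset: second argument must be hide or answer" >&2; return 2 ;;
    esac
    cat <<EOF
table inet icmp_policy {
    chain wan_in {
        type filter hook input priority 0; policy accept;
        iifname != "$1" return

        # Replies to our own pings and ICMP errors tied to a tracked flow
        # (this already covers most PMTUD errors for the router's own traffic).
        ct state invalid drop
        ct state established,related accept

        # PMTUD errors kept explicitly: "fragmentation needed" (v4) and
        # "packet too big" (v6). Without these, large transfers stall behind
        # any link whose MTU is below 1500, such as PPPoE.
        icmp type destination-unreachable icmp code frag-needed accept
        icmpv6 type packet-too-big accept

        # traceroute replies and the remaining error classes
        icmp type { time-exceeded, parameter-problem } accept
        icmpv6 type { time-exceeded, parameter-problem } accept

        # IPv6 neighbour discovery is mandatory on a v6 WAN
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # The one thing "ignore ping from WAN" should control:
        icmp type echo-request $echo_verdict
        icmpv6 type echo-request $echo_verdict

        # Everything else ICMP is dropped, but logged (rate-limited) rather
        # than silently blackholed, so breakage can be diagnosed.
        meta l4proto { icmp, ipv6-icmp } limit rate 1/second log prefix "icmp-other "
        meta l4proto { icmp, ipv6-icmp } drop
    }
}
EOF
}

# Usage on a router that has nft:  icmp_ruleset wan0 hide | nft -f -
```

`icmp_ruleset wan0 hide | nft -f -` loads the hiding variant; swap `hide` for `answer` to get the behaviour this thread is asking for. Note that this covers only traffic addressed to the router itself (the input hook). ICMP errors that belong to a port-forwarded connection are rewritten by conntrack and traverse the forward hook as `ct state related`, so a restrictive forward chain needs an equivalent accept rule, or the forwarded host hits exactly the PMTUD failure the post describes.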
Re:Enable ICMP (ECHO) PING on WAN
2020-06-12 15:57:38

@mfisch 

 

The Deco system is mainly aimed at being a system that is simple to use. On the other end of the spectrum, you do not have those features that a typical router has that one would expect. For example, you can only manage the system on a smartphone. 

 

I can certainly forward that feature request to respond to ICMP ping.

 

With respect to the SSH port that is for the Deco devices and Deco app to communicate only. Should you be aware of or find any vulnerability please reach out to our security team here: https://www.tp-link.com/us/press/security-advisory/

Re:Enable ICMP (ECHO) PING on WAN
2020-06-12 20:15:26 - last edited 2020-06-12 20:16:46

Thanks Tony, do put in that request.

 

User requests enabling WAN ping advising there are several good security and usability reasons (see community topic https://community.tp-link.com/us/home/forum/topic/211916 ).

 

WAN ping can be enabled via config global settings:

 

/etc/config/basic_security

  Line 1: config global 'settings'

  Line 3: option wan_ping 'off'

 

The Luci web interface and Deco app do not give the user a toggle for this useful setting that already exists in the firmware.

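The reply above says the setting exists in /etc/config/basic_security but has no toggle in the app. As an added example (not firmware code and not the thread author's), here is a POSIX sh/ash script that reads and rewrites that option in a UCI-style file. Assumptions: the option sits under the `config global 'settings'` section as quoted; 'on' is the enabling value (the thread only shows 'off'); and whether editing the file directly takes effect on the device is untested here, so run it against a copy. The sample file the script writes is constructed for illustration and is not the real file's contents.

```shell
#!/bin/sh
# Added example, not TP-Link firmware code: read and rewrite the wan_ping
# option in a UCI-style file such as the /etc/config/basic_security excerpt
# quoted in this thread. Assumptions: the option lives in the
# "config global 'settings'" section, and 'on' is the enabling value (the
# thread only shows 'off'). Work on a copy of the file first.

# get_wan_ping FILE  -> prints the value of wan_ping in the global section,
#                       or "unset" if the option is not there
get_wan_ping() {
    awk -v q="'" '
        $1 == "config" { in_global = ($2 == "global") }
        in_global && $1 == "option" && $2 == "wan_ping" {
            v = $3; gsub(q, "", v); print v; found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# set_wan_ping FILE on|off  -> rewrites the value in place, leaving every
#                              other line (and every other section) untouched
set_wan_ping() {
    case "$2" in
        on|off) ;;
        *) echo "set_wan_ping: value must be on or off" >&2; return 2 ;;
    esac
    tmp="$1.tmp.$$"
    awk -v q="'" -v val="$2" '
        $1 == "config" { in_global = ($2 == "global") }
        in_global && $1 == "option" && $2 == "wan_ping" {
            sub(q "[^" q "]*" q "$", q val q); done = 1
        }
        { print }
        END { if (!done) exit 3 }
    ' "$1" > "$tmp" && mv "$tmp" "$1" || {
        rm -f "$tmp"
        echo "set_wan_ping: no wan_ping option in the global section of $1" >&2
        return 1
    }
}

# make_sample FILE  -> writes a constructed config resembling the thread's
#                      excerpt; the second section exists only to show that
#                      the functions above do not touch anything outside
#                      the global section
make_sample() {
    cat > "$1" <<'EOF'
config global 'settings'
    option wan_ping 'off'

config other 'not_the_global_section'
    option wan_ping 'on'
EOF
}

# Usage on a copy of the real file:
#   cp /etc/config/basic_security /tmp/basic_security
#   get_wan_ping /tmp/basic_security      # off
#   set_wan_ping /tmp/basic_security on
#   get_wan_ping /tmp/basic_security      # on
```

The awk keeps the section guard (`in_global`) so a same-named option in another section is never rewritten, and `set_wan_ping` refuses values other than on/off and fails loudly if the option is absent rather than silently appending one.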
Re:Enable ICMP (ECHO) PING on WAN
2020-10-20 15:12:08

@mfisch Hi, how do you access those settings to enable WAN ping?

Re:Enable ICMP (ECHO) PING on WAN
2020-11-19 07:39:20

I would also need this feature, for monitoring the system from the outside. It's a common feature in all other routers (low to high end), I'm surprised that I couldn't find it on the Deco.

Re:Enable ICMP (ECHO) PING on WAN
2020-12-09 03:11:42

This needs to be resolved as well on the M9Plus.

 

I see they removed WAN pinging with a firmware update but didn't think that such a basic feature should be togglable. Not impressed with TP-Link.

Re:Enable ICMP (ECHO) PING on WAN
2021-01-06 16:58:22

+1 vote from me too for allowing WAN ping. I monitor my home broadband connection remotely and have been unable to do so since switching to the Deco S4.

Re:Enable ICMP (ECHO) PING on WAN
2021-01-29 05:18:49

@mfisch I also request that WAN ping be enabled for monitoring

Re:Enable ICMP (ECHO) PING on WAN
2021-11-15 15:23:46

@mfisch I also put in a TP-Link Deco mesh and found that the WAN ping response required for remote uptime monitoring is missing (the feature can't be turned on via the smartphone app).

This is a major limitation for small managed networks using the tp-link gear. 

Re:Enable ICMP (ECHO) PING on WAN-Solution
2021-11-16 02:11:26 - last edited 2021-11-16 02:11:35

@ITguy356 

Hi, please refer to the attached picture to turn off “ignore Ping from WAN”

Recommended Solution
Re:Enable ICMP (ECHO) PING on WAN
2021-11-16 08:26:47

@TP-Link that option is not present on an updated M4R using the updated app and a PPPoE connection (that is, the new FTTP connections which are being rolled out in the UK).

The option to "Ignore Ping from WAN" does not appear just above "Internet Connection Type": PPPoE
