Allow ICMP Pings through the UDM-Pro's Firewall

Cartoony photo of some UniFi Dream Machine console hardware.

Set an Internet Local firewall rule on your UDM-Pro (or similar UniFi device) to be able to ping your IP from outside of your network.

I recently signed up with a new broadband provider (Cuckoo Broadband - review on the way) with one of the benefits being support for multiple static IPs–see my last post on configuring these on the UniFi Dream Machine Pro:

Set Static IPs on the UDM-Pro
This guide will show you how to add one or multiple static IPs to your Ubiquiti UDM-Pro (or other compatible UniFi product).

Once I had these set up, I wanted to be able to ping them over the internet: firstly to test that they were all working, and secondly so I could continuously ping the one I was going to use as the 'main' internet IP with a Broadband Quality Monitor (@ thinkbroadband.com).

ℹ️
This method is equally applicable if you have a dynamic IP and are using some kind of Dynamic DNS service to keep a hostname updated with your IP. The only difference is that you'd set the Destination to be Any, instead of being a specific IP.

The layout of the firewall pages and panes has changed a bit over the years, with there now being greater control over the source and destination (or in the case of pings, using Internet Local to designate that the destination is the UDM-Pro itself).

Internet Contains IPv4 firewall rules that apply to the Internet network.
...
Local Applies to traffic that is destined for the UDM/USG itself.

-- UniFi Gateways - Introduction to Firewall Rules

From the main page of your UDM-Pro (or other compatible UniFi device/cloud key) go to Settings -> Firewall & Security -> Create New Rule:

Screenshot of the UniFi UDM-Pro settings pane. Annotated to indicate how to get to Settings -> Firewall & Security -> Create New Rule.

Set the Type to Internet Local and enter a descriptive name for the rule (no really, you'll thank yourself in future). Leave the default of Before Predefined Rules unless you have a specific reason to change it. You obviously want the action to be Accept.

Set the IPv4 Protocol to ICMP, and the IPv4 ICMP Type Name to Echo Request.

ℹ️
Some guides based on previous software versions said to create an Echo Request rule as well as Echo Reply, but that's not required under Internet Local.

You can leave the source as Any unless you know the specific address you want to be testing from. If you have a cloud server set up to monitor devices, you could set the Source Type to IP Address and specify that address, so that only your own monitor can reach the rule. ICMP echo is generally deemed a fairly low-risk protocol to leave open, and if the monitoring service has multiple or unknown source addresses, you don't have much choice here anyway.

Screenshot showing the form to create a new firewall rule. An example rule named 'Allow Ping 12.34.56.78' is being created. IPv4 Protocol is set to ICMP, and IPv4 ICMP Type Name is set to Echo Request. The Source is left as default.

For the destination, set whatever your external IP is. You could leave this as Any (and you might have to if you have a dynamic, changing IP rather than a static one), but in general a more specific rule is better. In my example, where there are multiple IPs, I ultimately only want one IP to respond to ping requests, so I've specified that destination IP. During testing, I left this as Any so I could ping all 4 addresses.

Screenshot showing the form to create a new firewall rule, continued from above. The Destination Type is set to IP Address, and the IPv4 address is set to the dummy example of 12.34.56.78.

Once you're happy with the rule, click Apply Changes and it will take effect.

To test it, you can ping from something like a cloud server, or you can download a ping-type app. I used 'Ping' by Michael Frohlich. Remember to disable Wi-Fi if you're on the same network as the static IP, otherwise you'd be testing from inside the LAN rather than the internet (although I had to be on 4G to successfully ping–3G didn't work for me). Enter your IP in the app, hit the play button and confirm that you get the green replies.

That's it! You can ping your IP from the internet. What next? You could set up an internet quality monitor or use your own cloud server to monitor it.
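If you go the cloud-server route, the monitor ends up being a loop around `ping` plus a check on what came back. The script below is an added example (not from UniFi or this post) that parses the statistics block `ping -c N` prints, treats a rule that was never applied (100% loss, no rtt line) as unhealthy, and copes with the differing Linux and macOS summary formats; the address 12.34.56.78 is the post's dummy IP and the sample output is constructed.

```python
"""Health check for an externally pingable IP, as a cloud-side monitor
would run it. Added example, not from UniFi or the original post."""
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

SUMMARY_RE = re.compile(
    r"(?P<sent>\d+) packets transmitted, (?P<recv>\d+)(?: packets)? received,"
    r"(?: \+\d+ errors,)? (?P<loss>[\d.]+)% packet loss")
# Linux prints "rtt min/avg/max/mdev", macOS "round-trip min/avg/max/stddev".
RTT_RE = re.compile(
    r"(?:rtt|round-trip) min/avg/max/(?:mdev|stddev) = "
    r"[\d.]+/(?P<avg>[\d.]+)/[\d.]+/[\d.]+ ms")

@dataclass
class PingResult:
    sent: int
    received: int
    loss_pct: float
    avg_rtt_ms: Optional[float]  # None when no echo reply came back at all

def parse_ping_output(output: str) -> PingResult:
    """Parse the statistics block that `ping -c N` prints at the end."""
    m = SUMMARY_RE.search(output)
    if m is None:
        raise ValueError("no ping statistics found in output")
    rtt = RTT_RE.search(output)  # absent when every request was dropped
    return PingResult(int(m["sent"]), int(m["recv"]), float(m["loss"]),
                      float(rtt["avg"]) if rtt else None)

def is_healthy(r: PingResult, max_loss_pct=20.0, max_avg_rtt_ms=100.0) -> bool:
    """A missing or mis-scoped Internet Local rule shows up as 100% loss."""
    return (r.avg_rtt_ms is not None and r.loss_pct <= max_loss_pct
            and r.avg_rtt_ms <= max_avg_rtt_ms)

def ping_host(host: str, count: int = 5, timeout_s: int = 2) -> PingResult:
    """Linux iputils ping; it exits non-zero on loss, so no check=True."""
    proc = subprocess.run(["ping", "-c", str(count), "-W", str(timeout_s), host],
                          capture_output=True, text=True)
    return parse_ping_output(proc.stdout)

# Constructed sample of what ping prints once the rule is in place.
SAMPLE_OUTPUT = """--- 12.34.56.78 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 11.200/12.500/14.000/0.900 ms
"""
if __name__ == "__main__":
    r = parse_ping_output(SAMPLE_OUTPUT)  # swap for ping_host("<your WAN IP>")
    print(r, "OK" if is_healthy(r) else "ALERT")
```

Run it from a cron job on the cloud server and alert on `ALERT`; if you scoped the rule's Source to a single IP, that server's address is the one that has to be in the rule.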

If this has helped you, please leave a comment. I'd be especially interested in what you're using to monitor your network health below, at @techbits@sudo.cat or @techbitsio.
