Home routers have several interfaces. On one side are the LAN and WLAN interfaces, where we connect all the devices on the home local network, by cable or by Wi-Fi respectively. On the other side is the WAN interface, which is the Internet port and is associated with the public IP address. A good way to remain “hidden” on the Internet is to block every ICMP Echo Request and not answer it. That way, if someone runs the typical “ping” against our IP, the router will not answer, and they will need to run a port scan to find out whether the host (our router) is up.
Firewall-oriented operating systems such as pfSense or OPNsense normally come with all traffic blocked by default, which means that if someone tries to ping our public IP from outside, the packet is dropped automatically. Some home and operator routers let us configure their firewall, and some even have a specific option to block ping on the Internet WAN.
We must remember that blocking all ICMP is not recommended; we should block only the types that correspond to “ping”, that is, the ICMP Echo Request (request) and the ICMP Echo Reply (response). Some ICMP types are essential for the proper functioning of the network, especially on IPv6 networks.
What happens if we block the ping on the Internet WAN?
Everything will continue working as always. The only difference is that if someone from the outside (from the Internet) pings our public IP address, the router will not answer. Depending on how the router is configured, even a port scan may not reveal whether the host (the router) is up. If no service on the router is exposed to the WAN and no port is open on the router, all ports are closed by default and nobody outside can communicate with us. In this way we can go “unnoticed”, which is what is called security through obscurity.
Although we have disabled ping on the Internet WAN, we can still ping Internet hosts without any problem and without opening ports or doing anything else, because the only thing we are doing is blocking, in the router's firewall, any ICMP Echo Request that reaches us. Routers normally run a Linux operating system internally and use iptables; the rule they incorporate is the following:
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
This rule blocks any ICMP packet of type echo-request addressed to the router itself. The -j DROP target discards the packet directly, without “saying” anything to whoever sent it.
A very important point is that we should always block ping on the WAN but not on the LAN. If we block ping on the LAN, we will not be able to ping our computer’s default gateway (which is the router) to detect a possible failure.
Many models and brands of routers support blocking ping on the Internet WAN. In this article we give two examples: how to block ping on the WAN on ASUS routers, and on any router from the manufacturer AVM (FRITZ!Box).
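As an added example (not from the original article or any router firmware), the script below audits INPUT rules, in the format printed by iptables -S INPUT, for the two mistakes described above: dropping echo-request without limiting the match to the WAN interface, as a rule with no -i option does, and dropping every ICMP type. The WAN interface name eth0, the function names and the sample rules are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit rules as printed by `iptables -S INPUT`.
# Assumption: the WAN interface is eth0; override with WAN_IF=<name>.
# On a Linux-based router: iptables -S INPUT | audit_rules
WAN_IF="${WAN_IF:-eth0}"

# Print a verdict for one rule line:
#   ok            echo-request dropped on the WAN interface only
#   lan-affected  echo-request dropped without a WAN-only match
#   all-icmp      every ICMP type dropped, including essential ones
#   other         not an ICMP DROP rule (or a different ICMP type)
classify_rule() {
    rule="$1"
    case "$rule" in
        *"-p icmp "*"-j DROP"*) ;;
        *) echo other; return ;;
    esac
    case "$rule" in
        *"--icmp-type echo-request"*|*"--icmp-type 8 "*|*"--icmp-type 8/0"*) ;;
        *"--icmp-type"*) echo other; return ;;
        *) echo all-icmp; return ;;
    esac
    case "$rule" in
        *"! -i "*) echo lan-affected ;;     # negated match is not WAN-only
        *"-i $WAN_IF "*) echo ok ;;
        *) echo lan-affected ;;             # no -i: applies to every interface
    esac
}

# Read rules on stdin and print only the ones that need attention.
audit_rules() {
    while IFS= read -r line; do
        verdict=$(classify_rule "$line")
        case "$verdict" in
            lan-affected|all-icmp) echo "$verdict: $line" ;;
        esac
    done
}

# Constructed sample rules, not taken from a real router.
SAMPLE_RULES='-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -i eth0 -p icmp -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j DROP'

printf '%s\n' "$SAMPLE_RULES" | audit_rules
```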
Block ping (ICMP Echo-request) on ASUS routers
On ASUS routers the process is exactly the same in the manufacturer’s firmware and in Asuswrt-Merlin. We go to the firmware configuration menu, open the “Firewall / General” section, and configure the firewall as follows:
- Do you want to enable the firewall: Yes
- Do you want to enable DoS protection: Yes
- Registered Package Type: None. If we want to debug the packets that pass through the firewall we can enable it, but leaving it always on is not recommended because it consumes router resources.
- Do you want to reply to the ping request from WAN: No.
As you have seen, it is really easy to disable ping from the Internet WAN. As for the IPv6 configuration, the ASUS router blocks all incoming traffic, so anything you want to let in must be explicitly allowed in the configuration menu.
Block ping (ICMP Echo-request) on AVM FRITZ!Box routers
On routers from the German manufacturer AVM we can also block the typical ping on the Internet WAN. To do this, we go to the main menu of the router and, in the upper right part where the three vertical dots appear, click on “Advanced mode” to see all the configuration options.
Once this is done, we go to “Internet / Filters / Lists” and scroll down until we find the option “Firewall in stealth mode”. We enable it and click on apply changes.
This option rejects all requests from the Internet, as we have explained, and anyone can enable it.
Thanks to this ping block on the Internet WAN, anyone who wants to locate our host (the router) on the Internet must perform a port scan to see whether we have any service running, either on the router or on some NAS server on our local network.