20,221 questions
Lan NIC is only assigned to the Domain and Private profiles
It can only use one or the other, not both.
--please don't forget to upvote and Accept as answer if the reply is helpful--
Unable to get ICMPv4 to work on both a Windows 2019 and 2022 server.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 7.000000000000001%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJP%3C/text%3E%3C/svg%3E)
Johan Pingree
21
Reputation points
I have turned on (enabled) every ICMPv4 setting in and in some cases modified them to work in all profiles. Both servers have a WAN and Lan NIC with a public IP on the WAN and private IP on the Lan. I want to be able to ping these servers from the internet to their public interface from anywhere in the world. I have even thrown in a new rule to allow ICMPv4.
I can only get a ping through if I turn off the firewall, then the servers will respond. I find this to be extremely frustrating because since Windows NT 4.0 I have not had this type of difficulty getting a simple protocol to work on a server. These two servers are a MAJOR PITA to get something so benign and simple to work. I have a firewall/router in front of my server where I control the ICMPv4 traffic to all of our public facing servers. I do not need it locked down on the server itself. I have been just besides my self trying to get Windows firewall to let ICMPv4 to work.
I have painstakingly gone through all the rules I thought could be causing this issue and have to date not found anything I can point my finger at. I NEED ICMPv4 working!
Other than leaving the firewall OFF permanently can anyone shed light on what the issue might be. NOTE: I have rebuilt, from scratch, both servers and yes they are Hyper-V instances. Yes, I have them updated with all the latest updates.
I have several Windows 2019 servers that where upgraded from Windows 2016 servers. They have NO issues with ICMPv4, I can ping them all day long, even with all the latest updates installed on it. So, I exported the policy thinking I could use it on the freshly built Windows 2019 server, but it was a no-go. I imported the policy, reboot for good measure and STILL that new server REFUSES to allow ICMPv4 responses.
Now some smart person is going to ask me if I am sure it is not my router that is at issue here, yes, I have confirmed it is not my router. As I stated, I can turn off the firewalls on both of those servers and they will allow ICMPv4 responses. Turn the firewall back on, and they go mute! It is obviously a firewall rule that is causing the issue but I am apparently too senile to find it.
Has anyone got a clue as to what rule I can look that could be the issue with this firewall? Or is this take two on the update front and we are just finding out about another service that is broken because of an update? HELP!
Windows for business | Windows Server | User experience | Other
Accepted answer
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2022-01-27T19:06:18.32+00:00
3 additional answers
Sort by: Most helpful
-
Anonymous
2022-01-25T01:18:11.823+00:00 Since multi-homing; make sure to check or uncheck the correct connections the profile should apply to so there's no profiles overlap.
--please don't forget to
upvoteandAccept as answerif the reply is helpful--
-
Anonymous
2022-01-25T13:43:00.12+00:00 Just checking if there's any progress or updates?
--please don't forget to
upvoteandAccept as answerif the reply is helpful-- -
Johan Pingree 21 Reputation points
2022-01-25T14:54:44.803+00:00 Thank you DSPatrick for taking the time to answer my question. I did as you suggested with the Windows 2022 server. Set the public profile to the WAN only and removed the WAN from the other two profiles (domain and private). I then rebooted the server for good measure, once back in I pinged that server from an off-site location and well it worked! Simply because I have never had to change the profile like this in the past, do you see any issues with the way I set those profiles, or do you have a pointer to someplace I can get some specific information about best practices with setting those profiles the way I did?
-
Anonymous
2022-01-25T14:59:31.653+00:00 Glad to hear, you're welcome. By default the profiles overlap and in most case (a single network interface) this isn't a problem but with two or more interfaces this is necessary to isolate the profile to the correct interface.
-
Johan Pingree 21 Reputation points
2022-01-25T17:46:54.44+00:00 Even though I accepted your response as the answer I still have another nagging question, why would specifying the profiles in the advance tab on a firewall rule not work, regardless of the interfaces in the profiles... It seems to me that if I create a rule and it allows a protocol and that rule is applied to all profiles, then regardless of the interface in that profile it should be allowed..
Something about this does not pass the smell test.... My conclusion is that this confusion is what will lead to mistakes and potentially cause someone more harm than good. Too boot if you add the interface types option for a rule into the equation it can really add to the bewilderment. Regardless of that thought, the lesson at the end of the day is that the properties of the firewall take precedence over rules regardless of how the rule is applied?
I am curious to read your thoughts on this...
-
Anonymous
2022-01-25T18:22:28.003+00:00 Two separate things really. When you create a firewall rule you can assign it to one or more profiles but its important that the profiles do not overlap when there are multiple interfaces involved.
Sign in to comment -
-
Johan Pingree 21 Reputation points
2022-01-27T19:00:51.933+00:00 Well, I am back to the same issue I had previously. I have done some additional testing, let me explain the current setup: The Wan NIC is only assigned to the Public Profile. The Lan NIC is only assigned to the Domain and Private profiles. I have removed the custom rules I created for the ICMPv4 inbound and outbound rules.
I have turn on the appropriate Outbound rule and inbound rule for ICMPv4, the default File and Printer Sharing rule. I have mapped a new log file to each profile.
I checked the public profile log and it clearly shows in the log -> ALLOW ICMP (from IP) (To IP) ..... RECEIVE
I assume this means that the server did receive the Ping request.I checked the private profile log and there is nothing in it.
I checked the Domain Profile and BINGO I have found the issue the log clearly shows -> DROP ICMP (from IP) (To IP) ..... RECEIVE
So the question is, WHY if the domain profile is not connected to the WAN and the allow rule on Advance tab specifies that the Domain profile should Allow it, does the domain profile DROP the connection?
Any takers on how to fix this issue?
-
Johan Pingree 21 Reputation points
2022-01-27T19:27:22.453+00:00 But the darn thing is pinging now and I do not know what happened overnight to change that.