UniFi - How to Disable ICMP over WAN with USG

Overview

The UniFi Security Gateway (USG) gives administrators of a UniFi-managed network many useful features, including the ability to manage firewall rules that help secure the network. This guide explains how to configure a firewall rule in the UniFi Controller to either block or permit ICMP traffic over WAN.


Considerations

The Internet Control Message Protocol (ICMP) offers a number of benefits to networks, including the ability to ping devices, troubleshoot and test connectivity, and receive error codes that aid diagnosis.

In UniFi Controller versions prior to 5.5.x, ICMP echo requests to WAN are permitted by default, meaning your WAN IP will reply to ping from the Internet. This can be blocked with a firewall rule, or the rule allowing ICMP can be disabled with a config.properties setting. In UniFi 5.5.x and newer, this traffic is blocked by default, and a firewall rule must be added to permit it if desired.


Disabling ICMP Traffic in UniFi Controller (Prior to 5.5.x)

Note: In versions prior to 5.5.x, ICMP is enabled by default, so these steps are only necessary on those versions. In 5.5.x and newer, follow the same steps to create a rule that permits this ICMP traffic, if desired.

ICMP traffic can be disabled by creating a firewall rule in the UniFi Controller, which can be done on any UniFi network with a USG. To create this rule, follow these steps:

  • Open your UniFi Controller.
  • Go to Settings > Routing and Firewall.
  • Select Firewall at the top of the page.
  • Select "WAN LOCAL".
  • Click "Create New Rule".

  • Name the rule "Drop ICMP" or something else that identifies the purpose of the rule.
  • Select Enabled - "On".
  • Select Rule Applied - "Before Predefined Rules".
  • Select Action - "Drop".
  • Select "Choose a protocol by name" and select "ICMP" from the dropdown box.
  • Click "Save" to finalize the changes.

After completing these steps, ICMP will be disabled over the WAN.

Alternatively, to manually configure the USG to block ICMP traffic via WAN, set `config.firewall.internet.local.icmp=false` in `config.properties`.
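Whichever method is used, it is worth confirming from a host outside the network that the WAN address has actually stopped answering echo requests. The script below is an added example, not part of the original article or Ubiquiti's tooling. It assumes a Linux host with iputils `ping` (the `-W` timeout flag is in seconds there) that sits on the Internet side of the USG; the WAN address is passed as an argument and the sample ping summaries used to exercise the parser are constructed.

```shell
#!/bin/sh
# Check whether a WAN address answers ICMP echo requests.
# Usage: ./check_wan_icmp.sh <WAN_IP>   (run from a host outside the USG)

# Parse ping's summary line ("N packets transmitted, M received, ..." on
# iputils, "N packets transmitted, M packets received, ..." on BSD/macOS)
# and print one of: blocked, answering, unknown.
classify_ping_output() {
    received=$(printf '%s\n' "$1" | sed -n \
        's/.*[0-9][0-9]* packets transmitted, \([0-9][0-9]*\) \(packets \)\{0,1\}received.*/\1/p')
    case "$received" in
        "") echo "unknown" ;;    # no summary line: bad hostname, ping not found, etc.
        0)  echo "blocked" ;;    # every echo request went unanswered
        *)  echo "answering" ;;  # at least one echo reply came back
    esac
}

# Send three echo requests with a 2-second reply timeout each and classify the result.
check_wan_icmp() {
    wan_ip=$1
    out=$(ping -c 3 -W 2 "$wan_ip" 2>&1)
    classify_ping_output "$out"
}

# Only probe when an address was given, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    result=$(check_wan_icmp "$1")
    echo "$1: ICMP echo $result"
    # Exit non-zero when the WAN address still replies, so this can gate a post-change check.
    [ "$result" = "blocked" ]
fi
```

Run it against the WAN IP before and after creating the rule: the expected transition is from "answering" to "blocked". An "unknown" result means the probe itself failed (for example, a name that did not resolve) rather than that the rule is in effect, so it should not be read as success.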
