I just spent two hours troubleshooting my firewall and VPN because Windows doesn't accept pings from remote subnets

/rant

Why the fuck would that be a thing? It's a rule in Windows Firewall that only pings from the local subnet are responded to, regardless of whether you have full connectivity to that subnet or not. The Windows box could ping the Linux box, but not vice versa.

I was at my wits' end trying different firewall rules and messing with the VPN configuration over and over again, so I just looked it up and someone suggested disabling Windows Firewall, so I did that and tada.

Who thought that would be a good idea for default behaviour? If I don't want remote subnets to ping, I'll disable that on my firewall.

/rant --over

It's by design. Most firewalls work on the principle of denying access by default from an untrusted to a trusted network. If you don't have a rule to allow the traffic from the untrusted network, it will be blocked. Some of them even won't allow you to communicate with other networks unless you have rules in place to allow the traffic. This is for the security of the host/network. The firewall is the first line of defense against various attacks.

In your case the firewall considers your LAN subnet a trusted network, and anything originating from outside your LAN is considered untrusted. That's why you need to add a rule or disable the firewall to allow the traffic to go through.

Take it from someone that does it for a job: Windows is a hot mess of lazy development and half-finished features, generally oriented towards money-grabbing rather than making sense or being reliable. No way I'm letting it ruin my private computing life.

BTW, about Windows' integrated firewall: I have reached the conclusion that it makes more sense to just completely disable it and let something else do that job, be it (preferably) a separate box altogether or even something like ESET if you need very custom rules for that machine only. Tried it for thousands of deployments and it always causes some weird s*it that has to be investigated. It's just not worth it from a technician's time-cost point of view.

That's actually a pretty good default behavior. Windows Firewall is a lot better than having nothing. If you want to replace it with something else, then by all means do so; there are plenty of other products with centralized management, layer-4 inspection, etc. But as a lowest common denominator, Windows Firewall is actually pretty good and performant.

Get used to 'netsh advfirewall' commands, script them out, and you should be golden.

Just change the Windows network type to Private, so that printer and file sharing is enabled.

I'm just going to say one word, that's all you need to know to understand the problem... Windows... why does it do half the shit it does the way it does...

Tell me you can’t troubleshoot without telling me you can’t troubleshoot.

Do you have any examples of a private address space that would in any context be considered untrusted by another private address space?

I'd say a DMZ, but it's not a DMZ if it can ping other local subnets, you know?

It just seems like a solution looking for a problem. I can't think of any good reason where I can have full routability to something set up but not be able to ping it. You're not protecting anything that I can think of.

Huh, interesting. I use Windows Firewall all over the place with software deployed in hundreds of corporate environments and homes and have never had a problem with it (once you get to know it). I know it can be frustrating, especially Home vs Public profiles. But I only deal with TCP connections because that's all that we can be certain will be allowed in the corporate networks.

Yeah, the UI absolutely bites and it's got some weird options, but it's been pretty solid when I've used it and has never been the cause of a software issue for me.

I completely agree.

Yeah, before now I've always come to the conclusion that anyone who disables Windows Firewall by default is just a lazy admin, because you should just be able to add a rule to it to get the desired behaviour, and while that was true in this case, I feel like this is the most asinine behavior a device firewall could default to. It makes me wonder what other solutions looking for a problem Microsoft has baked into that thing.

Yeah, I actually just added a rule to the firewall with netsh advfirewall, but I've got to say that I am in no way going to get used to working with Windows at a deeper level.

I agree, it's better than nothing, but when you've got something else I'd recommend not using it, because the unnecessary default behaviours just feel like a solution looking for a problem. That sort of uncertainty is not something I want to work with.

That's the first thing I did when I got the hint it might be the client machine. That's not all it takes, though: that's how you enable ping at all on the local subnet. You need to do that and also add/modify a Windows Firewall rule to accept ping from any network.
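Putting the two steps from this post together (switch the profile to Private, then add an inbound ICMPv4 rule), here is an added PowerShell example; it is not from any poster in this thread. Rather than accepting ping from any network, it scopes the new rule to the subnets that actually route to the machine, and it shows why the stock rule does not match routed traffic in the first place. The two subnet prefixes, the interface index and the rule name are placeholders to replace with your own, and the commands need an elevated prompt. The netsh form at the end is the equivalent for scripts that use `netsh advfirewall`, as mentioned earlier in the thread.

```powershell
# Added example (not from the thread): scope inbound ICMPv4 echo on a Windows
# host to the subnets you actually route, instead of disabling the firewall.
# Assumptions: the two prefixes below are placeholders; run as Administrator.
$trustedSubnets = @('10.0.10.0/24', '192.168.50.0/24')   # assumed remote subnets

# 1. Check which profile the active connection is using. The stock echo rule
#    is only enabled for Domain/Private, so a Public profile drops all pings.
Get-NetConnectionProfile |
    Select-Object Name, InterfaceAlias, InterfaceIndex, NetworkCategory

# If the adapter facing your LAN/VPN shows Public, switch it to Private.
# Replace 12 with the InterfaceIndex printed above before uncommenting.
# Set-NetConnectionProfile -InterfaceIndex 12 -NetworkCategory Private

# 2. Inspect the stock rule: its remote address is LocalSubnet, which is why a
#    host on a routed subnet gets no reply even with the Private profile.
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (Echo Request - ICMPv4-In)' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# 3. Add a separate rule for ICMPv4 type 8 (echo request) limited to the
#    routed subnets, rather than editing the stock rule or allowing Any.
$ruleName = 'ICMPv4 Echo Request from routed subnets'   # assumed name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $trustedSubnets `
        -Profile Domain,Private `
        -Action Allow -Enabled True | Out-Null
}

# 4. Verify the address filter actually carries the scoped prefixes, then
#    ping from the other subnet (e.g. `ping -c 3 <windows-ip>` on the Linux box).
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter

# Equivalent netsh form for older scripts (one line):
# netsh advfirewall firewall add rule name="ICMPv4 Echo Request from routed subnets" dir=in action=allow protocol=icmpv4:8,any remoteip=10.0.10.0/24,192.168.50.0/24 profile=domain,private
```

Scoping `-RemoteAddress` to the routed prefixes keeps the host's exposure the same as the upstream firewall already allows; if the rule were created with `Any`, a later routing or VPN change would silently widen who can probe the box. The `-Profile Domain,Private` choice means the rule stays inactive when the adapter flips to Public, for instance on a hotel network.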

I fucking know, man. Serves me right for trying to save a bit of effort by not turning on a different PC. I just happened to have a Windows PC up, so I tried to use that.

Mine are. I keep each private subnet completely isolated from the others. IoT doesn't need to connect to anything. My work PC doesn't need to be in my home network and vice versa. But I punched a hole just to the printer because it's shared by my home and work.

Sure there are. I have a Guest network, an IoT network and other networks (like a lab network and a Family network) which I don't want interacting with my personal LAN network. There is routing between these networks and I can access them from my LAN, but not the other way around. I have a network firewall but also have Windows Firewall (on my Windows machine) and nftables (on my Debian laptop).

It's basically a personal preference (from a home lab user's point of view). Why would I need to allow an IP camera to communicate with my LAN network? Do you have full control of your IoT devices? Do you know what data these IoT devices (third-party vendor / closed source) collect and share? If these IoT devices can be remotely controlled, what capabilities do they have?

I am not saying that Windows Firewall is the best, but at least it provides some layer of security and you have control over it. Hope this makes some sense.

Well, that's a different use case from mine altogether. I provide machines that need to communicate with my API, which can run either on a server provided by me or one provided by the customer, either on premise or through VPN. Regardless of where the server comes from it has to run Windows, and at least a handful of unknown UDP ports have to be listening; the machines basically continuously send and receive 32-bit messages in the LAN. There's no handshake, no rate limiting, no nothing. It's a pretty primitive form of communication, but that's what is supported by the machines, and I should be allowed to have my UDP ports open however I want. From what little I've gathered, it's likely that the firewall's reasoning is that TCP well-known ports are inherently safer to let traffic through than UDP dynamic ones. I'm not excluding that there's some sort of cloud-based background check going on to figure out whether the service that's running on the port is safe or not, just like the antivirus is cloud based.

It's not the time spent double-clicking a PS script that adds all your desired rules so much as the time spent trying to figure out why that didn't produce the result in that particular case.

I mean, if I have a guy on premise and I'm trying to make things easier for him while he prepares and installs the rest of the system, the last thing I want is to have to spend time fighting Windows Defender, because then I'm wasting my time, his time and the customer's time on top of that.

Plus, it's not like it gives diagnostic alerts and features like a proper firewall should. I mean, a good default behaviour would be to respond to one ping and then report an alert that someone has pinged the machine. It's just there because they didn't want to ship the OS without it; that's about its function in the world.

I am not sure if you need the machine to be pinged from any network; just enable it for the other subnets at home.

Also, regular Windows versions are not designed as servers, so there usually is little need to be able to ping them from outside.

That's exactly what I'm saying, though. Everything is already completely separated; you don't even have routability between them. But if you did, one would expect ping to work.

At best it's security by obscurity, but security by obscurity is the most shallow form of security. If there's nothing blocking payloads from reaching the client, not having ping isn't going to do anything; it's trivial to find clients you have reachability to that have ping disabled.

Yeah, but none of what you're talking about is terminated on the local device. If someone wants to distrust a network, blocking ping to it does literally nothing for added security. "Oh no, now Hikvision knows the IP address of my laptop." There's no risk being averted with that behaviour, especially if you already have reachability to probe the device in every other way other than ICMP.

My entire point isn't that you should trust all LAN traffic; it's that blocking ping is a bad default behaviour. The entire point of ICMP requests is to determine reachability between network nodes. I don't think any LAN that can be reached with a route should be distrusted by default. I already have to manually enable communication to and/or from the network by adding routing or a firewall rule, so why would I need to go into the device to say, hey, yeah, you can respond to ping requests too? I already said that communication is on the up and up. I just wouldn't do that if I didn't trust the network.

Again, I'm not saying a firewall on by default on a device is bad. I'm saying that the default behaviour of blocking pings from external networks is a bad default for Windows Firewall to have. I'm a proponent of keeping the firewall on; I just don't feel like I should need to go into the device to say I can ping it, especially if I already have RDP access to that very same device.