So I have had the same setup for quite a while; nothing has changed other than new firmware… Two routers in OSPF config. When I try to ping from my desktop computer to network switches on the other router, it just times out. But on that router, if I just disable my drop invalid packets rule, the pings work just fine. Once again, nothing has changed, so why is it acting like this now?
My switches are on subnet 10.0.169./24. I can ping servers on that same subnet without having to disable the firewall rule for drop invalid packets. The issue is only with my network switches.
The ICMP rule is there, but it is below the invalid drop rule. It has always been below and has never been an issue. Just for kicks I moved it to the top of the list and it still didn't matter; ping won't go through unless I disable the drop invalid rule. Super weird…
Like so many other beginning admins, you need to learn that ICMP is not the same as PING. ICMP is used for PING, but it is used for many other things as well.

ICMP type 0 code 0 is not PING, it is PING REPLY. When you suddenly receive a PING REPLY without having sent a PING, this is “unrelated” and so it is not accepted by a “related” rule, and it is “invalid” because it is not a way to start a new “ping session”. So it is correct that it is dropped.

As this appears to be your local network, either there are some bad guys trying tricks on you, or maybe you have a meshed network with autorouting (BGP, OSPF) and you have asymmetric routing (i.e. the traffic in one direction may follow a different path than the reply). On such a network you cannot use a stateful firewall!! (i.e. you must not use established/related, but you must accept all traffic in forward unless it is to be blocked everywhere.)
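The mechanism described in the reply above, as an added example that is not part of the thread: a toy connection tracker that treats an ICMP echo request as opening a "ping session" and classifies the matching echo reply as established only if the same router saw the request. Two routers are simulated; in the asymmetric case the request leaves via router A and the reply returns via router B, which has no state for it and therefore marks it invalid. The addresses, ICMP id and the `stateful_verdict` / `stateless_verdict` policies are constructed for the example and are not the poster's configuration.

```python
"""Added example (not from the thread): why an echo reply that reaches a router
which never saw the matching echo request is classified 'invalid', and why a
stateless forward policy lets it through on an asymmetric path."""
from dataclasses import dataclass

ECHO_REQUEST = 8   # ICMP type 8: echo request (what "ping" sends)
ECHO_REPLY = 0     # ICMP type 0: echo reply (what the target sends back)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_type: int
    icmp_id: int


class ConnTracker:
    """Per-router state table keyed on (requester, target, icmp id)."""

    def __init__(self):
        self.sessions = set()

    def classify(self, pkt):
        if pkt.icmp_type == ECHO_REQUEST:
            key = (pkt.src, pkt.dst, pkt.icmp_id)
            if key in self.sessions:
                return "established"
            self.sessions.add(key)        # the first request opens the "ping session"
            return "new"
        if pkt.icmp_type == ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.icmp_id)   # reverse direction of the request
            return "established" if key in self.sessions else "invalid"
        return "invalid"                  # other ICMP types are not echo sessions here


def stateful_verdict(state):
    """Typical default forward chain: drop invalid, accept established, accept new."""
    return "drop" if state == "invalid" else "accept"


def stateless_verdict(state):
    """Policy the reply recommends for asymmetric meshes: accept forward traffic regardless of state."""
    return "accept"


DESKTOP, SWITCH = "10.0.1.10", "10.0.169.5"   # constructed sample addresses
REQUEST = Packet(DESKTOP, SWITCH, ECHO_REQUEST, icmp_id=42)
REPLY = Packet(SWITCH, DESKTOP, ECHO_REPLY, icmp_id=42)


def symmetric_path(policy=stateful_verdict):
    """Both directions cross the same router, so the reply matches the tracked request."""
    router = ConnTracker()
    return [policy(router.classify(p)) for p in (REQUEST, REPLY)]


def asymmetric_path(policy=stateful_verdict):
    """Request leaves via router A; reply comes back via router B, which never saw the request."""
    router_a, router_b = ConnTracker(), ConnTracker()
    outbound = policy(router_a.classify(REQUEST))
    inbound = policy(router_b.classify(REPLY))
    return [outbound, inbound]


if __name__ == "__main__":
    print("symmetric,  stateful :", symmetric_path())
    print("asymmetric, stateful :", asymmetric_path())
    print("asymmetric, stateless:", asymmetric_path(stateless_verdict))
```

Running it shows `['accept', 'drop']` for the asymmetric stateful case: router B drops the reply exactly as the poster's drop-invalid rule does, and moving an "accept ICMP" rule above it makes no difference when that rule still matches on connection state. The stateless policy returns `['accept', 'accept']`, which is the trade-off the reply describes: on an asymmetric mesh the forward chain has to accept traffic without relying on established/related tracking.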