June 6, 2026
Leonewambi
3 min read
Your Ping Is Broken. Is Your Firewall the Problem or the Solution? Stop Killing Your Firewall for Ping
During my recent networking workshop, my team and I ran into a classic problem. We had seven laptops connected to a switch, all configured with static IP addresses on the same subnet. When we tried to ping between machines, we got nothing. Just the frustrating echo of "Destination Host Unreachable."
Our quick fix? We turned off Windows Defender Firewall on every single laptop.
It worked. Pings flew across the network instantly. But our instructor caught it immediately: "Would you do this in a real company?"
The answer, of course, was no. But why exactly? And what should we have done instead?
What Actually Is ICMP?
Before we talk about the solution, let's understand the protocol in question.
ICMP stands for Internet Control Message Protocol. Unlike TCP or UDP, which carry your actual data (web pages, emails, video streams), ICMP is a helper protocol. Its job is to send diagnostic messages and error reports between network devices.
The ping command, every network troubleshooter's best friend, works by sending an ICMP message called an Echo Request (Type 8) to a target device. That device, if everything is working correctly, responds with an ICMP Echo Reply (Type 0).
Think of it as knocking on a door and someone saying "Come in!" You now know someone is home and the door works.
Why Firewalls Block Ping by Default
If ICMP is so useful, why does Windows ship with it disabled?
The answer is security, or more specifically, what security teams call the attack surface. Every open door is a potential entry point.
Here is what attackers can do with ICMP:
Network Mapping — Before attacking a network, an adversary wants to know which devices are alive. A "ping sweep" (sending Echo Requests to every possible IP address) is like rattling every door handle in a building to see which ones are unlocked.
ICMP Tunneling — Because many network administrators overlook ICMP, attackers have learned to hide their traffic inside it. Sensitive data or command instructions can be smuggled past firewalls inside what looks like harmless ping packets.
Denial of Service — A flood of ICMP requests can overwhelm a target. The famous "Ping of Death" attack sent malformed ping packets that crashed vulnerable systems. Modern patches have fixed that specific exploit, but the principle remains.
Given these risks, most firewalls — including the one built into Windows — ship with incoming ICMP Echo Requests blocked by default. The designers made a choice: break ping for legitimate users, but protect inexperienced users from threats they do not understand.
The Wrong Fix (What We Did)
Our solution was quick and effective for the lab:
- Control Panel → Windows Defender Firewall → Turn off Windows Defender Firewall
Suddenly, everything worked. Pings succeeded. File sharing worked. All was well.
In reality, instead of letting just the ping through, we let everything through; instead of removing a single obstacle, we removed all of them.
With the firewall completely disabled, any device on the network could reach any open port or service on any laptop. A malicious USB drive plugged into one machine could spread to all seven. An attacker on the same Wi-Fi could scan for open file shares or remote desktop ports.
In a controlled lab environment with trusted devices, this is acceptable. In a production environment (an office, a hospital, a bank), this is a disaster waiting to happen.
The Right Fix: Targeted Firewall Rules
The professional approach is not to demolish the wall. It is to cut a single, precisely measured door.
Instead of disabling the firewall entirely, you create an inbound rule that does only one thing: allows ICMP Echo Requests. All other traffic continues to be blocked.
Here is how to do it in three ways.
Method 1: Windows Firewall with Advanced Security (Graphical)
This is the most beginner-friendly approach:
- Press Windows + R, type wf.msc, and press Enter
- In the left pane, select Inbound Rules
- Click Action → New Rule
- Select Custom and click Next
- Select All programs and click Next
- Under Protocol type, select ICMPv4
- Click Customize → Select Specific ICMP types → Check Echo Request → Click OK
- Click Next through the Scope and Action pages, selecting Allow the connection
- Name the rule (e.g., "Allow ICMP Echo Request") and click Finish
Alternatively, Windows already includes a predefined rule called "File and Printer Sharing (Echo Request - ICMPv4-In)". You can simply locate this rule, right-click it, and select Enable Rule.
Method 2: Command Line (Netsh)
For IT professionals managing multiple machines, the command line is faster and scriptable. Run Command Prompt or PowerShell as Administrator:
netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
To verify the rule was created:
netsh advfirewall firewall show rule name="ICMP Allow incoming V4 echo request"
When the testing is complete, change action=allow to action=block, or delete the rule entirely.
Method 3: PowerShell
For even more granular control, PowerShell offers the New-NetFirewallRule cmdlet:
New-NetFirewallRule -DisplayName "Allow ICMP Echo Request" -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -Action Allow
You can also restrict which devices are allowed to ping this computer by adding the -RemoteAddress parameter:
New-NetFirewallRule -DisplayName "Allow ICMP from Local Subnet Only" -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -RemoteAddress LocalSubnet -Action Allow
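Putting Methods 2 and 3 together with the check the "wrong fix" skipped: the script below is an added example, not from the original post, and assumes the rule display name and the LocalSubnet scope chosen here. It re-enables any firewall profile that was switched off, creates the single scoped door for ICMPv4 type 8 only, and then lists every inbound rule that actually allows ICMPv4 so you can see exactly what is open.

```powershell
#Requires -RunAsAdministrator
# Added example (not the post's own script). Run in an elevated PowerShell session on Windows.
# Assumed values: the rule display name and the allowed source below are choices made here.
$RuleName      = 'Allow ICMPv4 Echo Request (Lab)'
$AllowedSource = 'LocalSubnet'   # or a constructed range such as '192.168.10.0/24'

# 1. The "wrong fix" leaves a profile disabled. Check every profile and turn it back on.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize
$off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
if ($off) {
    Write-Warning "Firewall disabled for profile(s): $($off.Name -join ', '). Re-enabling."
    $off | Set-NetFirewallProfile -Enabled True
}

# 2. Cut one door: inbound ICMPv4 Echo Request (type 8) only, from the allowed source only,
#    and only on Domain/Private profiles so a public Wi-Fi network still gets nothing.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $AllowedSource -Profile Domain, Private -Action Allow | Out-Null
}

# 3. Verify: every enabled inbound Allow rule whose protocol is ICMPv4, with type and source scope.
#    A rule showing IcmpType 'Any' and RemoteAddress 'Any' is wider than the post recommends.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        if ($port.Protocol -eq 'ICMPv4') {
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule     = $_.DisplayName
                IcmpType = $port.IcmpType
                Remote   = ($addr.RemoteAddress -join ',')
                Profile  = $_.Profile
            }
        }
    } | Format-Table -AutoSize

# 4. When the lab is over, remove the door rather than leaving it open:
#    Remove-NetFirewallRule -DisplayName $RuleName
```

Step 3 is the part worth keeping after the lab: it also surfaces the predefined "File and Printer Sharing" echo rule if someone enabled it, so you can confirm nothing broader than type 8 from the local subnet is allowed.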
What I Learned
Turning off the firewall was a valid troubleshooting step. It confirmed that the problem was the firewall blocking ICMP. But stopping there would have been a mistake.
The professional mindset is not just about solving the immediate problem. It is about understanding the implications of each solution, knowing the alternatives, and choosing the one that balances functionality with security.
Next time I need to allow ping through a firewall, I will create a rule, not tear down the wall.