dslreports logo
spacer Home Reviews Speed Test Tools News Forums Info About Join  

All FAQsLine Monitoring FAQ5. Firewalls and NAT

Expand Open navigator

5. Firewalls and NAT

Where are the monitors? IP addresses?

The machines that (currently) do the monitoring are

    tester1.ec2.dslreports.com - Charlottesville, Virginia, USA
    tester5.ec2.dslreports.com - San Francisco, CA, USA

These hosts should be be added to your firewall if ICMP ping is being blocked. The IP addresses do change from time to time, so if you must enter IP address and not DNS name, then please do an NSLOOKUP or PING to make sure of the current IP address.

edited by fourboxers See Profile
last modified: 2015-02-27 11:11:58


How do I setup Zone Alarm?

Zone Alarm has two zones. Local Zone and Internet Zone. It is normal to set Local Zone security to medium or lower. You must then place our monitoring stations into the list of "local hosts". Please check this screenshot to see an example of the properties screen of Local Zone setup correctly to except our monitoring systems. Please note that the IP's in that screenshot are not the current IP's.

The machines that (currently) do the monitoring are

ny-monitor.dslreports.com
sjc-monitor.dslreports.com
dslreports-west2.speakeasy.net (64.81.79.40 AND 64.81.79.41)

These hosts should be be added to your firewall if ICMP ping is being blocked. The IP addresses do change from time to time, so if you must enter IP address and not DNS name, then please do an NSLOOKUP or PING to make sure of the current IP address.

Important: if you PADLOCK your zonealarm, no matter what, you are disconnected from the net. This will break monitoring. If you wish fulltime line monitoring, the PADLOCK function should not be used.


Feedback received on this FAQ entry:
  • As noted in http://www.dslreports.com/faq/329 sjc-monitor.dslreports.com is no longer available

    2014-12-10 09:34:40 (aefstoggaflm See Profile)

How to make SonicWALL pingable

If you have a SonicWALL hardware firewall there are two methods you can use to setup your system to respond to pings:

Method 1: You can pass incoming pings through the SonicWALL to a PC on the LAN and then have the PC respond to the pings.

Method 2: You can have the SonicWALL respond to pings directly.

To use Method 1 (your PC responds to pings) follow these steps:

(1a) Open the SonicWALL web admin by entering the SonicWALL's LAN IP address into a web browser on a PC on the LAN side of the SonicWALL.

(1b) Go to Access, Services and make sure Ping shows up in the list of services. If not, add the Ping service.

(1c) Go to Access, Rules, Add New Rule and add two rules
Rule 1
- Action=allow
- Service=ping
- Source=WAN, 216.200.176.6 <= DSLR WC server sjc-monitor.dslreports.com
- Destination=LAN, 192.x.x.x <= LAN address of PC to respond to pings
Rule 2
- Action=allow
- Service=ping
- Source=WAN, 206.65.191.129 <= DSLR EC server ny-monitor.dslreports.com
- Destination=LAN, 192.x.x.x <= LAN address of PC to respond to pings

(1d) If you have a software firewall on the LAN PC be sure to allow pings there as well.

To use Method 2 (SonicWALL responds to pings) follow these steps:

(2a) Open the SonicWALL web admin by entering the SonicWALL's LAN IP address into a web browser on a PC on the LAN side of the SonicWALL.

(2b) Go to Access, Services and make sure Ping shows up in the list of services. If not, add the Ping service.

(2c) Go to Access, Rules, Add New Rule and add two rules
Rule 1
- Action=allow
- Service=ping
- Source=WAN, 216.200.176.6 <= DSLR WC server sjc-monitor.dslreports.com
- Destination=LAN, 192.x.x.x <= LAN address of SonicWALL
Rule 2
- Action=allow
- Service=ping
- Source=WAN, 206.65.191.129 <= DSLR EC server ny-monitor.dslreports.com
- Destination=LAN, 192.x.x.x <= LAN address of SonicWALL

General notes:

You can have the SonicWALL stealth mode enabled (Access, Services, Stealth Mode) and both methods will still work.

You can use * for the WAN address in the SonicWALL rules to allow pings from anyone, but the nice thing about using explicit rules for each DSLR server is that you don't make yourself visible to the general public. I don't think it's a security risk to leave the server-specific rules in place. Of course, if DSLR changes their server IP addresses you need to change your rules.


Feedback received on this FAQ entry:
  • As noted in http://www.dslreports.com/faq/329 sjc-monitor.dslreports.com is no longer available

    2014-12-10 09:36:26 (aefstoggaflm See Profile)

by wingman8 See Profile edited by KeysCapt See Profile
last modified: 2002-07-23 14:07:27

Can you monitor a firewall?

If your firewall responds to ICMP ping packets, as many do, then we can monitor your connection. Instructions for specific firewalls and network share devices follow.


Feedback received on this FAQ entry:
  • By default OpenWrt-based(DDWRT, Gargoyle, etc.) block pings from WAN, the ymhee_bcex function will open WAN ping for everyone. You can Open only for DSLReports with this two: iptables -I INPUT 2 -s tester1.ec2.dslreports.com -p icmp -j ACCEPT iptables -I INPUT 2 -s tester5.ec2.dslreports.com -p icmp -j ACCEPT

    2016-03-28 19:59:03 (EdnanCosta5 See Profile)

  • Didn't find anything for OpenWRT (Kamikaze 8.09) either here or on OpenWRT forum. By default OpenWRT firewall doesn't allow pings from the WAN. Looks like the only way to enable is to modify /lib/firewall/uci_firewall.sh. Add the following line to addif() function: $IPTABLES -A INPUT -p icmp -j ACCEPT

    2008-12-19 22:37:37 (ymhee_bcex See Profile)

Linksys, DLink, NVG510 and other routers

Recent Linksys, DLink and other routers' firmware allows you to configure the router to be unpingable from outside. "Block WAN Requests" for older devices and "Block Anonymous Internet Requests" for newer 'Cisco' branded devices. DLink uses "Discard PING from WAN side". Enabling these router features will break monitoring.


We recommend if you wish to be monitored, do not select the "Block WAN Requests"/"Block Anonymous Internet Requests"/"Discard PING from WAN side" option on the router configuration screen. Your router can still be password protected, and will be secure.


Also try disabling "SPI" , as this also may block external pings.


To make the Motorola NVG510 pingable, follow the instructions in this thread: »Motorola NVG510 question



Feedback received on this FAQ entry:
  • Now that many of the current router models no longer allow ICMP, is anything being considered to update the monitoring tools, or is this an idea that has run its course? For the newer Dlink models there is no longer a way to make them pingable.

    2017-10-22 17:13:42 (momcat1 See Profile)

edited by mjf See Profile
last modified: 2014-06-14 10:45:30

How should NIS2K be setup?

Configure to allow incoming icmp request and outgoing icmp reply to/from our two monitoring stations. move these rules to be 1st rules just to be sure that they wont' be blocked by any other rules.


Feedback received on this FAQ entry:
  • Needs to be updated to current versions Let me know if you would like my help

    2010-05-15 04:05:13 (amysheehan See Profile)

How to make M0n0wall/pfsense pingable

Create a Firewall Rule:

Action: Pass
Interface: WAN
Protocol: ICMP
ICMP type: Echo
Source type: Any
Destination: WAN Address

by EUS See Profile edited by KeysCapt See Profile
last modified: 2009-09-12 00:12:58