When it comes to troubleshooting networking problems nothing is more trusted then ping.  It is probably the first networking utility that everybody masters.  When you want know if communication works between point A and B ping is your friend.  Often times when working with PNRP I have used ping to make sure that I could ping the seed server.  I use ping to ping the Teredo server, the router.  I use ping to ping the IPv6 address of other hosts on the network.

However in Vista the windows firewall blocks ICMP traffic by default.  A friend of mine called me last week and said that he couldn't ping from one machine to another.  He disabled the Windows Firewall service so he knows that is not the problem.  In fact that was causing the problem.  When you disable that service the operating system thinks something might be wrong and goes into a shields up mode, not letting any traffic through.  Also turning off the firewall (either by stopping the service or just turning it off) causes the Teredo client to turn off.

So how do you enable ICMP traffic through the firewall?  In XP it was easy.  In the firewall user interface there was a checkbox that turns it on and off.  In Vista, it is a bit more complicated.  There are two ways.  The easiest is from the command line using NETSH.  From an elevated prompt run:

For ICMPv4:

netsh advfirewall firewall add rule name="ICMPv4 Inbound" dir=in action=allow enable=yes profile=any localip=any remoteip=any protocol=icmpv4:8,any interfacetype=any edge=yes

For ICMPv6:

netsh advfirewall firewall add rule name="ICMPv6 Inbound" dir=in action=allow enable=yes profile=any localip=any remoteip=any protocol=icmpv6:128,any interfacetype=any edge=yes

From the user interface:

  • Open the Windows Firewall with Advanced Security user interface. (This can be done by searching for "advanced" on the start menu search.)

  • Except the elevated permission.

  • Select Inbound Rules on the left side panel

  • Select New Rule on the right hand actions panel

  • Select a custom rule. Hit next

  • Select All programs. Hit next

  • Select Protocol Type ICMPv4 (or ICMPv6).

  • Select Customize

  • Select Specific ICMP Type

  • Select Echo Request. Select OK. Select Next

  • Select Next to allow all addresses

  • Select next to allow this connection.

  • Select next to allow all profiles

  • Give it a name such as "ICMPv4 Inbound"

  • Select Finish

  • Right click on the exception that was created and select properties.

  • Select the advanced tab

  • Click Allow edge traversal (this allows ICMP traffic to go through NATs)

At this point you the firewall should allow ICMP traffic for ping.


Comments (2)

  1. MarkusV says:

    Thanks for your posts – keep them coming. I am having some issues with ping and PNRP (both on Vista and XP) which make me wonder if ping is still applicable with regards to PNRP.

    I have a successful P2P application working fine in the local network. However, I cannot ping the global seed server.

    Here some tests:

    1) "ping6" does not work (bad IPv6 address

    2) "ping6" (a known IPv6 site) works fine

    nslookup cannot find a IPv4 nor an IPv6 address for But it can do that for e.g. and the above

    I have ping problems with at the office on both Vista and XP, and at home. However, since I live in Japan, I tried the nslookup in addition from a clean machine in the Seattle area (within a customer’s network via remote desktop) and I get the same nslookup results.

    Am I just having technical issues on my various machines or is ping not the right tool to trouble-shoot seed server issues?

  2. A little while ago I showed how to manage the basic firewall in Windows Server 2008. Recently I found

Skip to main content