move ICMP content

ranbel · ranbel · commit 4ce53f46b14b · 2025-01-14T16:27:08.000-05:00
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/troubleshoot-tunnels/common-errors.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/troubleshoot-tunnels/common-errors.mdx
@@ -5,6 +5,8 @@ sidebar:
   order: 2
 ---
 
+import { Tabs, TabItem } from "~/components";
+
 This section covers the most common errors you might encounter when connecting resources with Cloudflare Tunnel. If you do not see your issue listed below, refer to the [troubleshooting FAQ](/cloudflare-one/faq/troubleshooting/), view your [Tunnel logs](/cloudflare-one/connections/connect-networks/monitor-tunnels/logs/), or [contact Cloudflare Support](/support/contacting-cloudflare-support/).
 
 ## I see `cloudflared service is already installed`.
@@ -131,3 +133,43 @@ sudo sysctl -a | grep net.core.rmem_max
 ```sh output
 net.core.rmem_max = 2500000
 ```
+
+## `ping` and `traceroute` commands do not work.
+
+To ping an IP address behind Cloudflare Tunnel, your system must allow ICMP traffic through `cloudflared`:
+
+<Tabs> <TabItem label="Linux" icon="linux">
+
+1. Ensure that `ping_group_range` includes the Group ID (GID) of the user running `cloudflared`.
+
+   1. To get the Group ID of the user, run `id -g`.
+   2. To verify the Group IDs that are allowed to use ICMP:
+
+   ```sh
+   sudo sysctl net.ipv4.ping_group_range
+   ```
+
+   ```sh output
+   net.ipv4.ping_group_range= 0 10000
+   ```
+
+   3. Either add the user to a group within that range, or update the range to encompass a group the user is already in. To update `ping_group_range`:
+
+   ```sh
+   echo 0 10001 | sudo tee /proc/sys/net/ipv4/ping_group_range
+   ```
+
+2. If you are running multiple network interfaces (for example, `eth0` and `eth1`), configure `cloudflared` to use the external Internet-facing interface:
+
+   ```sh
+   cloudflared tunnel run --icmpv4-src <IP of primary interface>
+   ```
+
+</TabItem> <TabItem label="Docker" icon="seti:docker">
+
+In your environment, modify the `ping_group_range` parameter to include the Group ID (GID) of the user running `cloudflared`.
+
+By default the [`cloudflared` Docker container](https://github.com/cloudflare/cloudflared/blob/master/Dockerfile#L29C6-L29C13) executes as a user called `nonroot` inside of the container. `nonroot` is a specific user that exists in the [base image](https://github.com/GoogleContainerTools/distroless/blob/859eeea1f9b3b7d59bdcd7e24a977f721e4a406c/base/base.bzl#L8) we use, and its Group ID is hardcoded to 65532.
+
+</TabItem> </Tabs>
+
diff --git a/src/content/partials/cloudflare-one/tunnel/enable-gateway-proxy.mdx b/src/content/partials/cloudflare-one/tunnel/enable-gateway-proxy.mdx
@@ -8,41 +8,6 @@ import { Tabs, TabItem } from "~/components";
 2. In **Firewall**, turn on **Proxy**.
 3. Select **TCP**.
 4. (Recommended) To proxy traffic to internal DNS resolvers, select **UDP**.
-5. (Recommended) To proxy traffic for diagnostic tools such as `ping` and `traceroute`, select **ICMP**. You may also need to update your system to allow ICMP traffic through `cloudflared`:
-
-<Tabs> <TabItem label="Linux" icon="linux">
-
-1. Ensure that `ping_group_range` includes the Group ID (GID) of the user running `cloudflared`.
-
-   1. To get the Group ID of the user, run `id -g`.
-   2. To verify the Group IDs that are allowed to use ICMP:
-
-   ```sh
-   sudo sysctl net.ipv4.ping_group_range
-   ```
-
-   ```sh output
-   net.ipv4.ping_group_range= 0 10000
-   ```
-
-   3. Either add the user to a group within that range, or update the range to encompass a group the user is already in. To update `ping_group_range`:
-
-   ```sh
-   echo 0 10001 | sudo tee /proc/sys/net/ipv4/ping_group_range
-   ```
-
-2. If you are running multiple network interfaces (for example, `eth0` and `eth1`), configure `cloudflared` to use the external Internet-facing interface:
-
-   ```sh
-   cloudflared tunnel run --icmpv4-src <IP of primary interface>
-   ```
-
-</TabItem> <TabItem label="Docker" icon="seti:docker">
-
-In your environment, modify the `ping_group_range` parameter to include the Group ID (GID) of the user running `cloudflared`.
-
-By default the [`cloudflared` Docker container](https://github.com/cloudflare/cloudflared/blob/master/Dockerfile#L29C6-L29C13) executes as a user called `nonroot` inside of the container. `nonroot` is a specific user that exists in the [base image](https://github.com/GoogleContainerTools/distroless/blob/859eeea1f9b3b7d59bdcd7e24a977f721e4a406c/base/base.bzl#L8) we use, and its Group ID is hardcoded to 65532.
-
-</TabItem> </Tabs>
+5. (Recommended) To proxy traffic for diagnostic tools such as `ping` and `traceroute`, select **ICMP**. You may also need to [update your system](/cloudflare-one/connections/connect-networks/troubleshoot-tunnels/common-errors/#ping-and-traceroute-commands-do-not-work) to allow ICMP traffic through `cloudflared`.
 
 Cloudflare will now proxy traffic from enrolled devices, except for the traffic excluded in your [split tunnel settings](/cloudflare-one/connections/connect-networks/private-net/cloudflared/#3-route-private-network-ips-through-warp). For more information on how Gateway forwards traffic, refer to [Gateway proxy](/cloudflare-one/policies/gateway/proxy/).
