cloudflare · ranbel · Jul 3, 2025 · Jul 2, 2025 · Jul 2, 2025 · Jul 3, 2025
@@ -138,42 +138,7 @@ net.core.rmem_max = 2500000
 
 ## `ping` and `traceroute` commands do not work.
 
-To ping an IP address behind Cloudflare Tunnel, your system must allow ICMP traffic through `cloudflared`:
-
-<Tabs> <TabItem label="Linux" icon="linux">
-
-1. Ensure that `ping_group_range` includes the Group ID (GID) of the user running `cloudflared`.
-
-   1. To get the Group ID of the user, run `id -g`.
-   2. To verify the Group IDs that are allowed to use ICMP:
-
-   ```sh
-   sudo sysctl net.ipv4.ping_group_range
-   ```
-
-   ```sh output
-   net.ipv4.ping_group_range= 0 10000
-   ```
-
-   3. Either add the user to a group within that range, or update the range to encompass a group the user is already in. To update `ping_group_range`:
-
-   ```sh
-   echo 0 10001 | sudo tee /proc/sys/net/ipv4/ping_group_range
-   ```
-
-2. If you are running multiple network interfaces (for example, `eth0` and `eth1`), configure `cloudflared` to use the external Internet-facing interface:
-
-   ```sh
-   cloudflared tunnel run --icmpv4-src <IP of primary interface>
-   ```
-
-</TabItem> <TabItem label="Docker" icon="seti:docker">
-
-In your environment, modify the `ping_group_range` parameter to include the Group ID (GID) of the user running `cloudflared`.
-
-By default the [`cloudflared` Docker container](https://github.com/cloudflare/cloudflared/blob/master/Dockerfile#L29C6-L29C13) executes as a user called `nonroot` inside of the container. `nonroot` is a specific user that exists in the [base image](https://github.com/GoogleContainerTools/distroless/blob/859eeea1f9b3b7d59bdcd7e24a977f721e4a406c/base/base.bzl#L8) we use, and its Group ID is hardcoded to 65532.
-
-</TabItem> </Tabs>
+To ping an IP address behind Cloudflare Tunnel, your system must allow ICMP traffic through `cloudflared`. For configuration instructions, refer to the [ICMP proxy documentation](/cloudflare-one/policies/gateway/proxy/#icmp).
 
 ## Cloudflare Tunnel is buffering my streaming response instead of streaming it live.
 

@@ -5,7 +5,7 @@ sidebar:
   order: 12
 ---
 
-import { Badge } from "~/components";
+import { Badge, Tabs, TabItem } from "~/components";
 
 You can forward [HTTP](/cloudflare-one/policies/gateway/initial-setup/http/) and [network](/cloudflare-one/policies/gateway/initial-setup/network/) traffic to Gateway for logging and filtering. Gateway can proxy both outbound traffic and traffic directed to resources connected via a Cloudflare Tunnel, GRE tunnel, or IPsec tunnel. When a user connects to the Gateway proxy, Gateway will accept the connection and establish a new, separate connection to the origin server.
 
@@ -66,6 +66,70 @@ The ICMP proxy forwards traffic for diagnostic tools such as `ping` and `tracero
 Gateway cannot log or filter ICMP traffic.
 :::
 
+#### Allow ICMP traffic through `cloudflared`
+
+For the ICMP proxy to work with Cloudflare Tunnel, you may need to configure the `cloudflared` host to allow ICMP traffic through `cloudflared`.
+
+<Tabs> <TabItem label="Linux" icon="linux">
+
+1. Ensure that `ping_group_range` includes the Group ID (GID) of the user running `cloudflared`:
+
+   a. Find the user that owns the `cloudflared` process:
+
+		```sh
+		ps -aux | grep cloudflared
+		```
+
+		```sh output
+		johndoe         407  0.8  1.7 1259904 35296 ?       Ssl  21:02   0:00 /usr/bin/cloudflared --no-autoupdate tunnel run --token eyJhI...
+		```
+
+	 b. Get the Group ID of the `cloudflared` user:
+
+		```sh
+		id -g johndoe
+		```
+
+		```sh output
+		10001
+		```
+
+   c. Determine the Group IDs that are allowed to use ICMP:
+
+   ```sh
+   sudo sysctl net.ipv4.ping_group_range
+   ```
+
+   ```sh output
+   net.ipv4.ping_group_range= 0 10000
+   ```
+
+   d. Either add the user to a group within that range, or update the range to encompass a group the user is already in. To update `ping_group_range`:
+
+   ```sh
+   echo 0 10001 | sudo tee /proc/sys/net/ipv4/ping_group_range
+	 ```
+
+	 e. To make the change persist on reboot, update your `systcl` parameters:
+
+	 ```sh
+	 echo "net.ipv4.ping_group_range = 0 10001" | sudo tee -a /etc/sysctl.d/99-cloudflared.conf
+   ```
+
+2. If you are running multiple network interfaces (for example, `eth0` and `eth1`), configure `cloudflared` to use the external Internet-facing interface:
+
+   ```sh
+   cloudflared tunnel run --icmpv4-src <IP of primary interface>
+   ```
+
+</TabItem> <TabItem label="Docker" icon="seti:docker">
+
+In your environment, modify the `ping_group_range` parameter to include the Group ID (GID) of the user running `cloudflared`.
+
+By default the [`cloudflared` Docker container](https://github.com/cloudflare/cloudflared/blob/master/Dockerfile#L29C6-L29C13) executes as a user called `nonroot` inside of the container. `nonroot` is a specific user that exists in the [base image](https://github.com/GoogleContainerTools/distroless/blob/859eeea1f9b3b7d59bdcd7e24a977f721e4a406c/base/base.bzl#L8) we use, and its Group ID is hardcoded to 65532.
+
+</TabItem> </Tabs>
+
 ## Turn on the Gateway proxy
 
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Network**.

@@ -10,7 +10,7 @@ import { Tabs, TabItem } from "~/components";
 2. In **Firewall**, turn on **Proxy**.
 3. Select **TCP**.
 4. (Recommended) To proxy traffic to internal DNS resolvers, select **UDP**.
-5. (Recommended) To proxy traffic for diagnostic tools such as `ping` and `traceroute`, select **ICMP**. You may also need to [update your system](/cloudflare-one/connections/connect-networks/troubleshoot-tunnels/common-errors/#ping-and-traceroute-commands-do-not-work) to allow ICMP traffic through `cloudflared`.
+5. (Recommended) To proxy traffic for diagnostic tools such as `ping` and `traceroute`, select **ICMP**. You may also need to [update your system](/cloudflare-one/policies/gateway/proxy/#icmp) to allow ICMP traffic through `cloudflared`.
 
 </TabItem>
 <TabItem label="Terraform (v5)">