Give us a ping. (Cloudflare) One ping only.

Cloudflare introduces a new feature in its Tunnel service that enables users to ping their server or device with an IP address from behind the Cloudflare global network of data centers, while still maintaining privacy and security. This feature is particularly useful for administrators who need to diagnose connectivity issues within private networks. The implementation utilizes a technique known as source NAT, which rewrites the source IP address in outbound packets to that of the local machine, before forwarding them to their intended destination. However, this approach presents challenges when dealing with ICMP echo requests and replies, due to limitations in packet rewriting and port-mapping functionality. To overcome these limitations, Cloudflare designed a unique strategy for each platform it supports (Linux, Darwin/macOS, Windows), using concepts such as "port" allocation on Linux, manual demultiplexing of ICMP packets on Darwin, and leveraging built-in API functions in Windows. By implementing this innovative solution, administrators can now ping their servers or devices from behind Cloudflare's global network while preserving security and privacy. In addition to improving the observability and diagnostics capabilities within private networks, this new feature also highlights Cloudflare's commitment to enhancing its Zero Trust platform by offering additional tools for monitoring network conditions and ensuring optimal performance.