If, from within my LAN, I ping my WAN IP, how is the ping packet routed to the destination?
Does it go out of the router, to the ISP, then back to the router (ping target)?
Or is the router smart enough to know it is the ping target, so it responds to the ping directly without forwarding it to the ISP? If it does this, should it also observe the security rules on the WAN side? E.g. if the WAN is set up to ignore pings, then it should ignore this ping.
There are two occasions when this is an issue:
(1) when you just set up a web site on the LAN with proper port forwarding and you want to verify it is accessible from the outside. If the router does not forward the request on to the ISP, then it is not a true test. You may be able to view your web site from within the LAN but not from outside.
(2) The opposite of (1) -- you just set up a router and you want to make sure the router's login page is not accessible from the WAN. I actually did this: put the WAN IP in my browser and my router's login page popped up. At first I thought I had a security hole, then I realized my router was intercepting the request. When I used an HTTP proxy server to test the same IP, there was no response, as expected.
Strangely, I encountered two different behaviors from two different routers (both the same brand, though different models). My router would short-circuit the request and not forward it to the ISP. My friend's router would drop the request entirely -- so that if he has a web server at, say 123.4.56.789:300, then typing this IP into the web browser from within the LAN produces an error saying no such address. But using another ISP to test reveals that there is indeed a web server at that address.
One way I can truly simulate a ping (or HTTP request) from the outside is to use an HTTP proxy. The other way is of course to use a different ISP to send the request.
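Added example (not part of the original post): a small Python check that requests the same WAN URL once directly from the LAN and once through an external HTTP proxy, then reports which of the two router behaviours described above is in play. The function names, the command-line arguments, and the assumption that the proxy signals an unreachable target with a 502/503/504 reply are all choices made for this sketch.

```python
import sys
import urllib.error
import urllib.request

# Assumption: an HTTP proxy that cannot reach the target replies with one of these.
PROXY_GATEWAY_ERRORS = {502, 503, 504}

def probe(url, proxy=None, timeout=5):
    """Return the HTTP status seen for url, or None if nothing answered.

    proxy=None forces a direct connection (environment proxy settings are
    ignored); proxy="http://host:port" sends the request through that proxy.
    """
    handler = urllib.request.ProxyHandler({"http": proxy} if proxy else {})
    opener = urllib.request.build_opener(handler)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        # Via a proxy, a gateway error means the proxy got no reply from the
        # target, so it counts as "no answer from outside".
        if proxy and exc.code in PROXY_GATEWAY_ERRORS:
            return None
        return exc.code  # the target itself answered (e.g. 401 on a login page)
    except (urllib.error.URLError, OSError):
        return None  # refused, timed out, or unreachable

def classify(inside, outside):
    """Interpret the two probe results (HTTP status or None)."""
    if inside is not None and outside is None:
        return "inside-only: router answered the LAN request itself; not exposed on the WAN"
    if inside is None and outside is not None:
        return "outside-only: exposed on the WAN; router does not loop LAN requests back"
    if inside is not None:
        return "both: reachable from the LAN and from the WAN"
    return "neither: nothing answers on this address and port"

if __name__ == "__main__":
    # Usage: python wan_check.py http://<your-wan-ip>:<port>/ http://<proxy-host>:<port>
    wan_url, proxy_url = sys.argv[1], sys.argv[2]
    print(classify(probe(wan_url), probe(wan_url, proxy=proxy_url)))
```

Only the result through the proxy says anything about WAN exposure; the direct result shows how the router treats LAN clients that address its WAN IP.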