diff --git a/clients/clients.go b/clients/clients.go
index ddece12..05ed3cf 100644
--- a/clients/clients.go
+++ b/clients/clients.go
@@ -726,7 +726,7 @@ func (s *WireGuardService) ensureTargets(targets []Target) error {
 s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges, target.DisableIcmp)
- logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v", target.SourcePrefix, target.DestPrefix, target.RewriteTo, target.PortRange)
+ logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v disableIcmp: %v", target.SourcePrefix, target.DestPrefix, target.RewriteTo, target.PortRange, target.DisableIcmp)
 }
 return nil
@@ -1119,7 +1119,7 @@ func (s *WireGuardService) handleAddTarget(msg websocket.WSMessage) {
 s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges, target.DisableIcmp)
- logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v", target.SourcePrefix, target.DestPrefix, target.RewriteTo, target.PortRange)
+ logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v disableIcmp: %v", target.SourcePrefix, target.DestPrefix, target.RewriteTo, target.PortRange, target.DisableIcmp)
 }
 }
@@ -1236,7 +1236,7 @@ func (s *WireGuardService) handleUpdateTarget(msg websocket.WSMessage) {
 }
 s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges, target.DisableIcmp)
- logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v", target.SourcePrefix, target.DestPrefix, target.RewriteTo, target.PortRange)
+ logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v disableIcmp: %v", target.SourcePrefix, target.DestPrefix, target.RewriteTo, target.PortRange, target.DisableIcmp)
 }
 }
diff --git a/netstack2/subnet_lookup.go b/netstack2/subnet_lookup.go
index fcfed63..c6ad0d5 100644
--- a/netstack2/subnet_lookup.go
+++ b/netstack2/subnet_lookup.go
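Review bot: The same `s.tnet.AddProxySubnetRule(...)` call followed by the same `logger.Info("Added target subnet ... disableIcmp: %v", ...)` line is now repeated verbatim in ensureTargets, handleAddTarget and handleUpdateTarget (the 726, 1119 and 1236 hunks), and this commit had to touch all three just to add one field to the message. A small method such as `func (s *WireGuardService) addTargetRule(target Target, sourcePrefix, destPrefix netip.Prefix, portRanges ...) { s.tnet.AddProxySubnetRule(...); logger.Info(...) }` (parameter types as used at the call sites, which I cannot see here) would keep the rule arguments and the log arguments from drifting apart. It would also give one place to check and log whatever AddProxySubnetRule returns, if it returns anything; the hunks do not show that. The enclosing functions start and end outside these hunks.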
@@ -167,10 +167,13 @@ func (sl *SubnetLookup) Match(srcIP, dstIP netip.Addr, port uint16, proto tcpip.
 // Step 3: Check each rule for ICMP and port restrictions
 for _, rule := range rules {
- // Check if ICMP is disabled for this rule
- if rule.DisableIcmp && (proto == header.ICMPv4ProtocolNumber || proto == header.ICMPv6ProtocolNumber) {
- // ICMP is disabled for this subnet
- return nil
+ // Handle ICMP before port range check — ICMP has no ports
+ if proto == header.ICMPv4ProtocolNumber || proto == header.ICMPv6ProtocolNumber {
+ if rule.DisableIcmp {
+ return nil
+ }
+ // ICMP is allowed; port ranges don't apply to ICMP
+ return rule
 }
 // Check port restrictions
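Review bot: The new `return rule` inside the loop makes the first rule in iteration order decide ICMP for the whole match, so a later matching rule with `DisableIcmp` set no longer blocks ICMP the way the removed check did (the old loop returned nil for any rule it reached with the flag set). If `rules` can hold more than one entry for the same source/destination pair (Step 2 is outside this hunk, so I cannot tell), that is a silent relaxation of the deny, and if `rules` is a map the answer is not even deterministic between calls. Scanning for a disabling rule before answering keeps deny-wins semantics and makes the allow path explicit, as sketched below; I would also state in the comment that port ranges are intentionally ignored for ICMP rather than "don't apply". Match starts and ends outside the hunk.
```go
	// ICMP carries no ports, so only the DisableIcmp flag decides.
	// A deny on any matching rule wins over an allow on another (fail closed).
	if proto == header.ICMPv4ProtocolNumber || proto == header.ICMPv6ProtocolNumber {
		for _, rule := range rules {
			if rule.DisableIcmp {
				return nil
			}
		}
	}
	for _, rule := range rules {
		if proto == header.ICMPv4ProtocolNumber || proto == header.ICMPv6ProtocolNumber {
			return rule // no matching rule disables ICMP; port ranges are intentionally skipped
		}
		// … unchanged: port restriction checks …
```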