Netgate Discussion Forum

    Private subnets routing to somewhere unknown?

    Routing and Multi WAN
    13 Posts 4 Posters 1.2k Views
    • michmoor @mmiller7

      @mmiller7 The odds of ending up with the LAN for the VPN being the same as that of a location you happen to be in, I would imagine, are small, but it can happen.
      One solution would be to advertise /32 routes over your VPN tunnel, so for example if your NAS sits at 10.1.1.2/32, then push a route for that over the tunnel using 'push route' commands.

      Secondly, regarding 10.206.16.1, is that showing up in the pfSense route table? If you go to Diagnostics / Routes, do you see that anywhere? Are you scanning your WAN side? I can see that being a cable modem or ONT.

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

      • johnpoz @mmiller7

        @mmiller7 Which is why it's good to use a non-common network. Pick some random one in the 172.16/12 range.

        Say 172.29.42.0/24

        10.0.0 would be a bad choice. Anything at the very beginning of the range would be bad. I use 192.168.9.0/24 for my LAN network, and other networks use 192.168.2 or above. 192.168.0 and 192.168.1 are very common; you would find them at, say, Starbucks, or at a hotel, or at someone else's house.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • mmiller7 @michmoor
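        Why michmoor's /32 advice and johnpoz's pick-an-uncommon-subnet advice both work comes down to longest-prefix matching. The following is an added Python model, not code from the thread or from pfSense/OpenVPN: it builds the routing table a roaming client ends up with when a hotspot hands out the same 192.168.1.0/24 as the home LAN and shows which route wins for each destination. Interface names, metrics, the NAS and printer addresses, and the "lower metric breaks an equal-prefix tie" rule are constructed assumptions, not any OS's exact behaviour.

```python
import ipaddress

# Assumption (simplified model, not any OS's exact behaviour): longest prefix wins,
# and on an equal prefix the lower metric wins, connected routes having metric 0.
def lookup(table, dest):
    """Return the interface a destination leaves by, or None if nothing matches."""
    ip = ipaddress.ip_address(dest)
    best = None
    for net, iface, metric in table:
        if ip in net and (best is None or
                          (net.prefixlen, -metric) > (best[0].prefixlen, -best[2])):
            best = (net, iface, metric)
    return best[1] if best else None

def roaming_table(hotspot_lan, pushed):
    """Table of a road-warrior client: the hotspot LAN it got from DHCP (connected,
    metric 0), a default route out the hotspot, and the routes the VPN server pushed."""
    table = [(ipaddress.ip_network(hotspot_lan), "wlan0", 0),
             (ipaddress.ip_network("0.0.0.0/0"), "wlan0", 0)]
    table += [(ipaddress.ip_network(p), "tun0", 50) for p in pushed]
    return table

def underlay_ok(table, hotspot_gw):
    """The tunnel itself rides on the hotspot, so its gateway must still be reached directly.
    A pushed /32 equal to the hotspot gateway address would pull the gateway into the tunnel."""
    return lookup(table, hotspot_gw) == "wlan0"

if __name__ == "__main__":
    hotspot = "192.168.1.0/24"  # constructed: hotspot uses the same /24 as the home LAN
    for label, pushed, nas in (("push whole home /24", ["192.168.1.0/24"], "192.168.1.20"),
                               ("push NAS /32 only", ["192.168.1.20/32"], "192.168.1.20"),
                               ("home LAN renumbered", ["172.29.42.0/24"], "172.29.42.20")):
        t = roaming_table(hotspot, pushed)
        print(f"{label:22} NAS via {lookup(t, nas):5}  hotspot printer via "
              f"{lookup(t, '192.168.1.50'):5}  underlay ok: {underlay_ok(t, '192.168.1.1')}")
```

With the whole home /24 pushed, the connected hotspot route wins the tie and the NAS is never reached through the tunnel; with only the NAS /32 pushed (or the home LAN moved to 172.29.42.0/24) the NAS goes out tun0 while the hotspot's own hosts and gateway stay local.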

          @michmoor

          I do not see it in routes, but it appears to be on/adjacent to any traceroute I attempt.

          $ traceroute 1.1.1.1
          traceroute to 1.1.1.1 (1.1.1.1), 64 hops max
            1   192.168.1.1  4.128ms  3.878ms  2.550ms 
            2   10.206.216.1  18.748ms  8.820ms  10.186ms 
            3   209.196.183.8  10.554ms  10.391ms  10.309ms 
            4   209.196.183.162  12.501ms  14.367ms  15.613ms 
            5   *  *  * 
            6   154.54.87.150  23.756ms  19.356ms  31.230ms 
            7   154.54.87.77  29.314ms  28.743ms  25.706ms 
            8   *  38.88.214.142  21.408ms  * 
            9   172.71.192.2  20.928ms  26.685ms  22.279ms 
           10   1.1.1.1  20.815ms  20.014ms  20.764ms 
          
          
          $ traceroute 8.8.8.8
          traceroute to 8.8.8.8 (8.8.8.8), 64 hops max
            1   192.168.1.1  3.650ms  1.495ms  7.855ms 
            2   10.206.216.1  11.657ms  9.318ms  10.166ms 
            3   209.196.183.8  9.026ms  23.410ms  10.192ms 
            4   209.196.183.162  15.485ms  13.734ms  14.575ms 
            5   207.255.30.226  16.969ms  15.245ms  48.423ms 
            6   *  *  * 
            7   8.8.8.8  16.701ms  49.788ms  15.748ms 
          
          
          
          $ traceroute www.google.com
          traceroute to www.google.com (172.253.63.147), 64 hops max
            1   192.168.1.1  2.542ms  2.179ms  5.819ms 
            2   10.206.216.1  12.116ms  39.254ms  19.365ms 
            3   209.196.183.8  10.338ms  18.628ms  9.476ms 
            4   209.196.183.162  13.732ms  21.477ms  14.505ms 
            5   142.250.164.44  19.627ms  44.666ms  13.681ms 
            6   *  *  * 
            7   142.251.69.210  15.111ms  19.232ms  16.432ms 
            8   108.170.246.34  48.781ms  47.047ms  17.055ms 
            9   142.251.49.192  17.432ms  28.204ms  44.883ms 
           10   142.251.49.209  29.652ms  16.208ms  15.439ms 
           11   142.251.244.115  16.185ms  28.751ms  33.208ms 
           12   142.250.209.57  16.309ms  50.969ms  16.077ms 
           13   172.253.72.35  30.902ms  34.410ms  14.696ms 
           14   *  *  * 
           15   *  *  * 
           16   *  *  * 
           17   *  *  * 
           18   *  *  * 
           19   *  *  * 
           20   *  *  * 
           21   *  *  * 
           22   172.253.63.147  16.336ms  17.679ms  15.419ms 
          

          I would have thought, with my public IP address being 24.x.x.x and my WAN primary default gateway being 24.x.x.1, that I would see the next hop after my router be said default gateway?

          igb0 - primary WAN (cable internet)
          igb1 - failover WAN on packet loss (starlink)


          If I start trying to go to stuff in 10.206.216.x (that was a typo; 16 is wrong), it "looks" like some network stuff, but I of course can't log in to try and make heads or tails of how/where/what/why.

          • michmoor @mmiller7

            @mmiller7 Yeah, I figured. That's your ONT.

            If you see my traceroute, it's a similar thing. I am on AT&T Fiber.

            tracert -d google.com
            
            Tracing route to google.com [172.217.215.113]
            over a maximum of 30 hops:
            
              1     1 ms    <1 ms    <1 ms  192.168.50.254
              2    <1 ms    <1 ms    <1 ms  192.168.1.254
              3     2 ms     1 ms     1 ms  104.13.92.1
              4     2 ms     2 ms     2 ms  107.212.169.40
              5  ^C
            

            • mmiller7 @michmoor

              @michmoor

              For a cable modem (what I have) it would be 192.168.100.1 or 192.168.0.1, no? That 192.168.100.1 is my cable modem config page. I'm perplexed where the other 10.x comes in.

              • michmoor @mmiller7

                @mmiller7 Just looking at the ping times, I suspect it's your cable service's CMTS.

                • johnpoz @mmiller7

                  @mmiller7 said in Private subnets routing to somewhere unknown?:

                  2 10.206.216.1 18.748ms 8.820ms 10.186ms

                  From this I would say it's upstream in your ISP network. Those RTTs would indicate it's not actually local to you, but somewhere upstream in the ISP network.

                  There is nothing saying an ISP cannot use RFC 1918 in their network as transit. It is not uncommon to see RFC 1918 upstream in your trace. Not that long ago I was seeing a 10.x address at hop 3. This could be the actual transit IP they are routing to in their network, or it could just be a loopback address the router answers with, etc. But my ISP changed something and I no longer see that.

                  Seeing RFC 1918 in a trace is not uncommon.

                  • mmiller7 @johnpoz

                    @johnpoz

                    So do I need to worry about my home subnets conflicting with unknown-size-and-location upstream subnets too now?

                    This is the first time seeing/noticing something other than the 100 CGNAT or public addresses "upstream" of my router... and if I hop to a machine at my parents' house (FiOS), their next upstream hop appears to be public address space after their home router.

                    • johnpoz @mmiller7

                      @mmiller7 said in Private subnets routing to somewhere unknown?:

                      So do I need to worry about my home subnets conflicting

                      No, they are just transit. Unless you wanted to, say, SSH to that ISP device from your home network and they conflicted; then you would have a problem ;)

                      • NogBadTheBad @johnpoz
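                      To make johnpoz's point concrete (RFC 1918 hops beyond your own gateway are ISP transit, and they only matter if one of them lands inside a subnet you actually need to reach), here is an added Python helper that is not from the thread or from pfSense. It parses traceroute output in the format quoted above, labels each hop as RFC 1918, CGNAT (100.64.0.0/10) or public, and flags private transit hops that fall inside subnets you supply. The sample hop lines and the local subnets in the usage are constructed.

```python
import ipaddress
import re

# Constructed sample: hops from the first traceroute in the thread, plus a hop 8 line where probe 1 timed out.
TRACE = """\
traceroute to 1.1.1.1 (1.1.1.1), 64 hops max
  1   192.168.1.1  4.128ms  3.878ms  2.550ms
  2   10.206.216.1  18.748ms  8.820ms  10.186ms
  5   *  *  *
  8   *  38.88.214.142  21.408ms  *
  9   172.71.192.2  20.928ms  26.685ms  22.279ms
 10   1.1.1.1  20.815ms  20.014ms  20.764ms
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
RTT_RE = re.compile(r"([\d.]+)ms")

def classify(addr):
    """Label an address rfc1918, cgnat or public (172.71.x is public: outside 172.16/12)."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "cgnat" if ip in CGNAT else "public"

def parse_hops(text):
    """Parse BSD/macOS-style traceroute output into a list of hop dicts."""
    hops = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue  # header line, not a hop
        # first IP token wins even when probe 1 timed out and the line starts with '*'
        addr = next((t for t in tokens[1:] if IP_RE.fullmatch(t)), None)
        rtts = [float(x) for x in RTT_RE.findall(line)]
        hops.append({"hop": int(tokens[0]), "addr": addr,
                     "kind": classify(addr) if addr else None,
                     "avg_rtt_ms": round(sum(rtts) / len(rtts), 3) if rtts else None})
    return hops

def private_transit_hops(hops):
    """Hops beyond hop 1 (the user's own gateway) that answer from private or CGNAT space."""
    return [h for h in hops if h["hop"] > 1 and h["kind"] in ("rfc1918", "cgnat")]

def colliding_hops(hops, local_nets):
    """Private transit hops inside one of the home or VPN subnets: a reachability risk."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    return [h for h in private_transit_hops(hops)
            if any(ipaddress.ip_address(h["addr"]) in n for n in nets)]
```

Run `colliding_hops(parse_hops(TRACE), ["192.168.9.0/24", "172.29.42.0/24"])` and the list is empty, which is the "just transit" case; with a home subnet of 10.206.216.0/24 hop 2 is reported, which is the only situation johnpoz says would be a problem.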

                        Never mind, just read the bit about connecting to home via OpenVPN.

                        You mention using OpenVPN; if so, have you selected "don't pull routes"? If you don't, it's likely your default route is via your OpenVPN connection rather than your WAN link.


                        Andy

                        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.