Mysterious 192.0.2.1 IP address (Resolved)
-
Good evening,
I had a fun issue today when trying to setup routing from a Pfsense box to a VPN device that connected to an AWS cloud provider. After being on a support call for the VPN device for over an hour and a half trying to track down why we were unable to connect to at 100.64.x.x IP address, we decided to review the setup in the morning. I though for sure the issue was with the VPN device blocking and redirecting traffic back to our router. Low and behold after rebooting their router, our router, I decided to check if the IP address range was being blocked anywhere. Low and behold that yes it was, the IP range was in the bogon network list and the main router was still setup to block bogon ranges. Apparently bogon list are out of date and anyone using them may run into this issue when dealing with cloud infrastructure. The kicker of it is that there was little to no reference points to this. Apparently if you have block bogon networks checked on the wan interface it blocks it on all interfaces and instead of just blocking it in the traceroutes it does something funny. The traceroutes show the internal default gateway then bounces to either a 192.0.2.1 IP address or list the default gateway then back to the default gateway before killing the traceroute. I was able to get the routing fixed to allow access to the AWS system but thought I should put out there this mysterious 192.0.2.1 IP address information. So long story short if you do a traceroute and come across a strange IP address like 192.0.2.1 you may want to see if the router is blocking bogon networks and disable it if you are.
-
@phantom99b blocking bogon on wan does not block it everywhere - that rule is source IP into wan.. Look at the actual rules
https://docs.netgate.com/pfsense/en/latest/firewall/pf-ruleset.html
[24.11-RELEASE][admin@sg4860.home.arpa]/root: pfctl -sr | grep bogon block drop in log quick on igb1 from <bogons> to any label "block bogon IPv4 networks from WAN" ridentifier 11001 block drop in log quick on igb1 from <bogonsv6> to any label "block bogon IPv6 networks from WAN" ridentifier 11002 [24.11-RELEASE][admin@sg4860.home.arpa]/root:igb1 is my wan interface.
And sorry to tell you this - and not sure why aws would be using 192.0.2.1 - that is a reserved network for documentation. I would be included in bogon.. Look at your bogon list in pfsense
192.0.2.0/24
https://www.rfc-editor.org/rfc/rfc5737.htmlwhy we were unable to connect to at 100.64.x.x IP address
Why would you think you could connect to such a network? That is a cgnat space - the only place you would be able to connect to such a network is if your ISP was using it.
-
I am well aware of how it is supposed to work and it may be working correctly on other systems. I am running the 2.7.2 CE version and ran into this. I am not saying everyone will run into this, but just putting a way to resolve the issue if someone runs into the same situation that I did.
AWS was not using the the 192.0.2.1 network, the IP range I was trying to connect to was in the 100.64.x.x range and this situation occurred. Yes that is in the CGNAT space but that is what the vender I was working with was given to work with. I have attached a screen shot to show that it can happen.
-
@phantom99b And what is the 2nd hop from your 192.168.6.1 if that is your pfsense box at 6.1 that is your isp - get with them.. who is 192.168.8.11 ? is that you you're saying? as you see you got an answer from it - so its not "blocked" That bogon block is inbound only when that is the source traffic and unsolicited into your wan.
Those could be loopback in your isp network, or where your pfsense box sits. But pfsense does not use that IP out of the box that is for sure. And just because its meant for documentation doesn't mean it stops someone from using it in their network.
pfsense will try and get there - it will send that traffic out your default gateway.. Here
That 2nd hop is in my isp network. I use to get rfc1918 back address from my isp. on the 2nd hop.. Your isp can use those IP ranges in their network.. doesn't mean they will route past your isp network, etc. Then my isp was bought by another and they changed up their network, and no longer get those. Might have only been during the transition after the purchase.
rfc1918, bogon and special networks can be used in your own local network, so yeah your isp could use them as transit networks or loopback addresses on their equipment. But you creating traffic to them would be allowed to be answered by the state pfsense creates to try and get there.. That bogon rule only blocks unsolicited inbound traffic to where you enable it.. Out of the box that is only on the wan interface of pfsense.
Use to do a lot of work with a SDwan company - their devices would use 192.0.2 as their tunnel address space.. So they were sure it shouldn't step on any address space customer was using.
look in your arp table on pfsense right after you see that - what is the mac address of that 192.0.2.1 address - that would be the mac of the device connected to your pfsense out your interface you sent the traffic.. You mention vpn, that could be IP address used in the tunnel, etc.
