Bogons if ISP has private IP addresses
-
Hello everybody,
Sorry if I posted in the wrong area, but I didn't know where exactly to put the question.
My ISP is using some private IP addresses in its network and I'm wondering if blocking bogons on PFSense's WAN interface can cause issues.
To have an idea, here is a traceroute:
Tracing route to www.pfsense.org [208.123.73.69]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 172.17.77.100 –> PFSense Box
ISP Traffic below:
2 1 ms <1 ms 1 ms 10.0.0.1
3 2 ms 1 ms 2 ms 10.30.0.145
4 39 ms 39 ms 43 ms 10.220.134.206
5 40 ms 40 ms 45 ms ge-2-1-0.mpr1.lhr2.uk.above.net [195.66.224.76]
6 41 ms 40 ms 40 ms ae11.mpr2.lhr2.uk.zip.zayo.com [64.125.30.52]
7 139 ms 139 ms 139 ms ae27.cs1.lhr11.uk.eth.zayo.com [64.125.30.236]
8 139 ms 139 ms 191 ms ae5.cs1.lga5.us.eth.zayo.com [64.125.29.126]
9 140 ms 169 ms 140 ms ae4.cs1.dca2.us.eth.zayo.com [64.125.29.203]
10 139 ms 149 ms 139 ms ae3.cs1.iah1.us.eth.zayo.com [64.125.29.49]
11 140 ms 140 ms 141 ms ae0.cs2.iah1.us.eth.zayo.com [64.125.28.95]
12 135 ms 135 ms 135 ms ae27.cr2.iah1.us.zip.zayo.com [64.125.30.241]
13 140 ms 153 ms 141 ms ae2.mpr2.aus1.us.zip.zayo.com [64.125.31.250]
14 138 ms 139 ms 138 ms ae0.mpr1.aus1.us.zip.zayo.com [64.125.27.193]
15 140 ms 139 ms 140 ms te-6-1.aus-core-10.zip.zayo.com [64.125.32.198]
16 142 ms 143 ms 142 ms net64-20-229-158.static-customer.corenap.com [64.20.229.158]
17 141 ms 141 ms 141 ms gw2.netgate.com [66.219.34.174]
18 142 ms 142 ms 142 ms fw2.pfmechanics.com [208.123.73.4]
19 143 ms 143 ms 143 ms www.pfsense.org [208.123.73.69]
Trace complete.
Thanks,
Andy
-
Blocking bogons blocks connections INTO your WAN from those addresses.
If one of your ISP devices tried to make a connection to your WAN from one of those addresses, it would be blocked by those rules.
This does not apply to connections you establish in the outbound direction.
-
Thanks a lot !!!
Andy
-
Also doesn't pfsense pull rfc1918 out of the bogon?
If you look in the pfsense table bogon, the rfc1918 networks are not there.
https://github.com/pfsense/pfsense/blob/master/src/etc/rc.update_bogons.sh
if [ $ENTRIES_MAX -gt $((2*ENTRIES_TOT-${ENTRIES_V4:-0}+LINES_V4)) ]; then
    egrep -v "^192.168.0.0/16|^172.16.0.0/12|^10.0.0.0/8" /tmp/bogons > /etc/bogons
    RESULT=`/sbin/pfctl -t bogons -T replace -f /etc/bogons 2>&1`
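
The effect of that `egrep -v` filter on the hops from the traceroute in the question, as an added example that is not part of the thread or of pfSense's own code. The bogon list below is a small constructed sample, not the real feed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of a bogon list, one CIDR per line (not the real feed).
RAW_BOGONS = """\
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.2.0/24
192.168.0.0/16
198.18.0.0/15
224.0.0.0/4
"""

# Same pattern the quoted script passes to `egrep -v`.
RFC1918_PATTERN = re.compile(r"^192.168.0.0/16|^172.16.0.0/12|^10.0.0.0/8")

# Hops 1-5 from the traceroute in the question.
HOPS = ["172.17.77.100", "10.0.0.1", "10.30.0.145",
        "10.220.134.206", "195.66.224.76"]


def load_table(text, strip_rfc1918):
    """Parse the list; optionally drop lines the way `egrep -v` would."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or (strip_rfc1918 and RFC1918_PATTERN.search(line)):
            continue
        nets.append(ipaddress.ip_network(line))
    return nets


def matching_net(addr, table):
    """Return the first network in the table containing addr, else None."""
    ip = ipaddress.ip_address(addr)
    return next((net for net in table if ip in net), None)


def compare(hops=HOPS):
    """Map each hop to (match in raw list, match in filtered bogons table)."""
    raw = load_table(RAW_BOGONS, strip_rfc1918=False)
    table = load_table(RAW_BOGONS, strip_rfc1918=True)
    return {h: (matching_net(h, raw), matching_net(h, table)) for h in hops}


if __name__ == "__main__":
    for hop, (raw_hit, table_hit) in compare().items():
        print(f"{hop:16} raw: {str(raw_hit):16} bogons table: {table_hit}")
```

The private hops match the raw list but not the filtered table, while other non-RFC1918 ranges in the sample (for example 100.64.0.0/10) stay in the table.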