Bogon Rules
-
The thing with bogons is your ISP shouldn't route them in the first place. So the odds that anything from a bogon could hit your forwards should be impossible in the first place.
-
Having bogon rules on my WAN interface blocked DHCPv6 responses from my ISP. That I can't explain.
-
Well, where did the DHCPv6 response come from? Have to assume something listed in the bogons ;)
-
Well, where did the DHCPv6 response come from? Have to assume something listed in the bogons ;)
It came from an 8000::/1 subnet blocked by bogons. Keeps getting broken every couple of months. https://redmine.pfsense.org/issues/3395
-
I am not sure that is a sane setup. That includes all link-local, does it not?
If it were me, I would just remove bogon, or use the list in your own alias so you can edit as you see fit.
-
I am not sure that is a sane setup. That includes all link-local, does it not?
Yes. It includes all link-local and I keep being told by the devs how perfectly fine that is. (There's another thread about CGN, broadcast and other crap in bogons elsewhere, see https://forum.pfsense.org/index.php?topic=88215.0)
If it were me, I would just remove bogon, or use the list in your own alias so you can edit as you see fit.
So far, I was unable to find a clean bogons source file. Even the one from iBlocklist comes with 172.16/12 for whatever reason, even though the remaining RFC 1918 ranges are not there. It also comes with the IPv4 broadcast ranges - 240/4. No one wants to maintain/update that manually. (As for IPv6, I cannot find any useful alternative source.)
What's really needed is the "Fullbogons" list minus the (Un)aggregated one - http://www.team-cymru.org/Services/Bogons/http.html. ::) >:(
-
Short answer for me…
I'm using the v2.2 release. Our company's WAN connection drops about once every 24 hours due to some bogon-related failure. I turn off "block bogon networks" for the WAN interface and everything works. Didn't have this problem with the previous release.
Short question for me…
When will this be fixed?
I'm experiencing the exact same problem at home… same version of pfSense. Different ISP. Home = Cableone, Work = Comcast Business.
-
I'm using the v2.2 release. Our company's WAN connection drops about once every 24 hours due to some bogon-related failure. I turn off "block bogon networks" for the WAN interface and everything works. Didn't have this problem with the previous release.
Again, https://redmine.pfsense.org/issues/3395 - this blocks DHCPv6.
Short question for me…
When will this be fixed?
Unless you mean the specific issue with DHCPv6 above, probably never. I gave up on this. If you want DHCPv6 fixed, make noise on the linked bug.
-
pfSense is not the source of the bogon list, are they? They pull it from elsewhere, I thought. So not sure how pfSense would fix it other than doing their own manipulation of the bogons. If pfSense is doing their own list that they maintain, then it should be an easy fix.
I personally don't agree with 8000::/1 since that includes all the link-local.
So they do maintain it?
https://doc.pfsense.org/index.php/Show_Bogons
"pfSense maintains an internal list of "bogon" networks"
Does that mean there is a copy on pfSense, or that it is downloaded from source x?? Or that pfSense creates this list that all the installs download from pfsense.org? And maintain it on the install?
From that bug report it looks like it is pulled from here: "8000::/1 is included in Cymru's v6 bogons list."
Guess one could complain to them that 8000::/1 causes problems since it includes stuff that should be allowed.
-
pfSense is not the source of the bogon list, are they? They pull it from elsewhere, I thought. So not sure how pfSense would fix it other than doing their own manipulation of the bogons.
Well, that's already being done in /etc/rc.update_bogons.sh - unfortunately the job is vastly incomplete.
egrep -v "^192.168.0.0/16|^172.16.0.0/12|^10.0.0.0/8" /tmp/bogons > /etc/bogons
egrep -iv "^fc00::/7" /tmp/bogonsv6 > /etc/bogonsv6
-
Agreed, if they are going to manipulate it, they should take it to the next level and pull the stuff out of 8000::/1 that should be allowed.
-
You could manually clear an entry in the Bogon table after each Bogon update. Or add a cron job to run immediately after the Bogon updates.
To list what's in the Bogons table:
pfctl -t bogons -T show
To clear an entry (the address or prefix to remove is a placeholder here):
pfctl -t bogons -T delete <address/prefix>
With pfBlockerNG, you could disable the pfSense Bogon feature. Then download the Bogon list from Team Cymru directly. pfBlockerNG will allow you to suppress any entries automatically on download. Then you can create an "Autorule" or a custom "Alias" to use in the firewall as required.
As doktornotor pointed out, the rc.update_bogons.sh script is only removing the following entries.
v4 - "^192.168.0.0/16|^172.16.0.0/12|^10.0.0.0/8"
v6 - "^fc00::/7"
-
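The egrep pair in rc.update_bogons.sh quoted above only drops lines that match exactly, so an aggregate such as 8000::/1 passes straight through and takes fe80::/10 (where DHCPv6 server replies come from) with it. As an added example, not code from the thread or from pfSense, here is a prefix-aware version of that post-processing step: the bogon lines are constructed rather than a real Cymru download, and the allow list is the script's three RFC 1918 blocks plus fc00::/7 with fe80::/10 added.

```python
import ipaddress

# Ranges that must stay reachable on a WAN interface even when a broad bogon
# prefix covers them: the RFC 1918 blocks and fc00::/7 that rc.update_bogons.sh
# already strips, plus fe80::/10, the link-local range DHCPv6 server replies
# come from (the range 8000::/1 swallows in this thread).
ALLOW = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]

# Constructed stand-in for /tmp/bogons + /tmp/bogonsv6, NOT a real Cymru download.
SAMPLE_BOGONS = ["# constructed sample", "0.0.0.0/8", "172.16.0.0/12",
                 "240.0.0.0/4", "::/8", "8000::/1", "fc00::/7", "2001:db8::/32"]

def clean_bogons(lines, allow=ALLOW):
    """Bogon prefixes (as strings) with every allowed range carved out.
    Entries inside an allowed range are dropped; a supernet of an allowed range
    is split into the pieces that exclude it, so 8000::/1 becomes narrower
    blocks that no longer cover fe80::/10 or fc00::/7."""
    out = []
    for raw in lines:
        raw = raw.split("#", 1)[0].strip()  # tolerate comments / blank lines
        if not raw:
            continue
        pieces = [ipaddress.ip_network(raw, strict=False)]
        for a in allow:
            refined = []
            for p in pieces:
                if p.version != a.version:
                    refined.append(p)
                elif p.subnet_of(a):
                    continue                              # fully allowed: drop
                elif a.subnet_of(p):
                    refined.extend(p.address_exclude(a))  # punch the hole
                else:
                    refined.append(p)
            pieces = refined
        for p in pieces:
            if str(p) not in out:
                out.append(str(p))
    return out

def is_blocked(entries, addr):
    """True if addr matches one of the table entries, i.e. pf would block it."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)

if __name__ == "__main__":
    cleaned = clean_bogons(SAMPLE_BOGONS)
    print("\n".join(cleaned))
    print("fe80::1 blocked:", is_blocked(SAMPLE_BOGONS[1:], "fe80::1"), "->", is_blocked(cleaned, "fe80::1"))
```

On the constructed input, 8000::/1 comes out as 8000::/2, c000::/3, e000::/4, f000::/5, f800::/6, ff00::/8, fe00::/9 and fec0::/10, so everything else in that half of the address space stays blocked while link-local and ULA sources are let through.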