Netgate Discussion Forum

    pfBlocker source for mining IPv4 using ASN does not contain all IPv4 entries when compared to https://ipinfo.io

    • XentrkX
      Xentrk
      last edited by Xentrk

      I am on 2.4.4. development branch at the moment.

      I am having issues with my Selective Routing rules on pfSense. I use the IP list feature of pfBlockerNG to mine AS numbers for streaming media companies. I then create LAN firewall rules to route the traffic to the appropriate interface. I have to supplement the list with domain names I have harvested. On my Asus router, I wrote a program to obtain the IPv4 addresses from https://ipinfo.io. I do not have to supplement the IPv4 list with domain names I harvested. I only have to use the IPv4 lists downloaded from ipinfo.io.

      It appears that pfBlockerNG is not obtaining the same list of IPv4 addresses when I compare it to https://ipinfo.io. It is often a smaller list.

      One example is the IPv4 list for Move Networks (SlingTV) on https://ipinfo.io/AS35873

      0_1531125576903_40c9ed14-ffb2-4489-b72a-e167292e1d2d-image.png

      Here is the list generated by pfBlockerNG
      8.4.11.0/24
      8.5.246.0/24
      8.18.40.0/24
      8.18.90.0/24
      8.18.164.0/22
      67.21.48.0/20

      The list created by pfBlockerNG is missing many IPv4 entries. This is also the case for several other ASNs.

      Here is a snip of the config screen in pfBlockerNG

      0_1531115041226_86a0f264-50ff-455c-a9fb-c64cbea4f428-image.png

      Can the source for obtaining the IPv4 addresses from AS Numbers be configured?

      Thank you

      pfSense 2.4.4_2 | Intel i5-3450 @ 3.10GHz  | AES-NI enabled |  pfBlockerNG | Snort
      Blog Site: https://x3mtek.com || GitHub: https://github.com/Xentrk

      • XentrkX
        Xentrk @Xentrk
        last edited by Xentrk

        I manually populated my IPv4 lists using ipinfo.io as the source. Here is the example of the code used to gather AS13996:

        
        curl https://ipinfo.io/AS13996 2>/dev/null | grep -E "a href.*13996\/" | grep -v ":" | sed 's/^.*<a href="\/AS13996\///; s/" >//'
        

        I am happy to report that my selective routing is working using the AS Numbers from ipinfo.io. I plan to do a comparison of the list I generated from ipinfo and compare it with what pfBlockerNG obtains using the built-in AS Number mining IPv4 feature. I noticed the pfBlocker Update process consolidates the IPv4 lists. So that could explain why I saw some differences.

        pfSense 2.4.4_2 | Intel i5-3450 @ 3.10GHz  | AES-NI enabled |  pfBlockerNG | Snort
        Blog Site: https://x3mtek.com || GitHub: https://github.com/Xentrk

        • BBcan177B
          BBcan177 Moderator
          last edited by

          pfBlockerNG uses the whois.radb.net for the AS info... Unfortunately it's not always the best... I'd like to spend some more time to find some better alternatives.

          This is the command that is used to collect the ASNs currently:

          mwhois -h whois.radb.net \!"gAS35873" | tail -n +2 | tr -d '\nC' | tr ' ' '\n'
          

          Alternatively, you could add this URL in the Source Field (IPv4 tab) and it will pull all IPs on the page automatically:

          https://ipinfo.io/AS13996
          
          204.76.129.0/24
          205.172.145.0/24
          66.170.240.0/24
          66.170.241.0/24
          66.170.243.0/24
          66.170.249.0/24
          66.170.251.0/24
          66.170.252.0/24
          66.170.255.0/24
          67.21.140.0/24
          67.214.50.0/24
          67.214.51.0/24
          

          Unfortunately it also pulled these IPs that were part of the "Related Networks" table in that ipinfo page. It might not cause any issues for you tho...

          66.170.250.12
          66.170.250.15
          66.170.250.200
          66.170.250.201
          66.170.250.4
          

          "Experience is something you don't get until just after you need it."

          Website: http://pfBlockerNG.com
          Twitter: @BBcan177  #pfBlockerNG
          Reddit: https://www.reddit.com/r/pfBlockerNG/new/
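The two effects discussed in the posts above (consolidation changing the line count of a list, and bare host IPs being scraped along with the prefixes) can be checked by comparing lists on address coverage instead of line count. This is an added example, not code from the posters or from pfBlockerNG; `PAGE_SCRAPE` reuses the entries quoted in the reply above, while `OTHER_FEED` and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample input: the entries quoted in the reply above for
# https://ipinfo.io/AS13996, including the bare "Related Networks" hosts.
PAGE_SCRAPE = """204.76.129.0/24 205.172.145.0/24 66.170.240.0/24 66.170.241.0/24
66.170.243.0/24 66.170.249.0/24 66.170.251.0/24 66.170.252.0/24 66.170.255.0/24
67.21.140.0/24 67.214.50.0/24 67.214.51.0/24
66.170.250.12 66.170.250.15 66.170.250.200 66.170.250.201 66.170.250.4""".split()

# Hypothetical second feed for the same ASN (constructed, not real RADB output).
OTHER_FEED = ["66.170.240.0/23", "67.214.50.0/23", "204.76.129.0/24"]

def split_entries(entries):
    """Separate CIDR prefixes from bare host addresses (entries with no /len)."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries if "/" in e]
    hosts = [ipaddress.ip_address(e) for e in entries if "/" not in e]
    return nets, hosts

def consolidate(entries):
    """Merge adjacent and overlapping prefixes; returns sorted CIDR strings."""
    nets, _ = split_entries(entries)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def stray_hosts(entries):
    """Bare hosts that fall outside every prefix in the same list."""
    nets, hosts = split_entries(entries)
    return [str(h) for h in hosts if not any(h in n for n in nets)]

def coverage_diff(list_a, list_b):
    """Address space covered by list_a but not by list_b, as CIDR strings."""
    remaining = [ipaddress.ip_network(n) for n in consolidate(list_a)]
    for b in map(ipaddress.ip_network, consolidate(list_b)):
        nxt = []
        for a in remaining:
            if a.subnet_of(b):
                continue                          # a is fully covered by b
            if b.subnet_of(a):
                nxt.extend(a.address_exclude(b))  # carve b out of a
            else:
                nxt.append(a)                     # disjoint, keep as is
        remaining = nxt
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]

if __name__ == "__main__":
    print("consolidated:", consolidate(PAGE_SCRAPE))
    print("hosts outside listed prefixes:", stray_hosts(PAGE_SCRAPE))
    print("only in scrape:", coverage_diff(PAGE_SCRAPE, OTHER_FEED))
```

An empty `coverage_diff` in both directions means two lists describe the same address space even when their line counts differ; anything returned by `stray_hosts` widens a firewall alias beyond the prefixes listed for the ASN.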

          • XentrkX
            Xentrk @BBcan177
            last edited by Xentrk

            @bbcan177 Thank you for the reply. When I first got into Selective Routing last year on my Asus router, I also used the entware package whob to mine IPv4 addresses. I also discovered that it did not return the number of IPv4 addresses compared to ipinfo.io. Here is a snip of example code used to obtain IPv4 for a website.

            # Pull all IPs listed for whatismyipaddress.com on radb.net
            whob -h whois.radb.net -- '-i origin AS16625' | grep -Eo "([0-9.]+){4}/[0-9]+"
            

            So, I went with ipinfo.io. I have since found two other similar sites. I too have been on the lookout for an alternative source. I will let you know if I find any.

            pfSense 2.4.4_2 | Intel i5-3450 @ 3.10GHz  | AES-NI enabled |  pfBlockerNG | Snort
            Blog Site: https://x3mtek.com || GitHub: https://github.com/Xentrk

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.