Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Block OPT1 from accessing DSL-Modem behind Firewall?

    Scheduled Pinned Locked Moved Firewalling
    13 Posts 3 Posters 1.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • V
      viragomann
      last edited by

      TV in the LAN? Do you really trust it?

      A good advice to block access to internal networks is adding an alias in Firewall > Alias and add all RFC1918 networks to it. Then use this alias in a block rule.
      Presupposed you use only RFC1918 networks, this way you only need one block rule to avoid any access to internal devices. This is save as well if you add an additional subnet or change one in the future.

      Consider, if you provide DNS on your pfSense to the OPT1 net you have add an additional pass rule to permit it.

      B 1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        When would a source on your own network ever be bogon? That rule is pretty pointless as well with the default deny rule and the use of specific source nets in your allow rule.

        Since your allow rule only allows opt1 net, any and all bogon would be blocked anyway.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        1 Reply Last reply Reply Quote 0
        • B
          BSA66 @viragomann
          last edited by

          @viragomann You're absolutely right...
          Would it be a "fine way" to create a VLAN for untrusted Devices in the LAN, eg in my case the TV? Or would it be better to create the Alias and block outgoing traffic for the specific Alias? I just don't want to block Netflix, Amazon or maybe even the Appstore. But I'll take your mention and put this Topic to my Research / Read List.

          I took your advice and tried it the supposed to be "easier way" and blocked all RFC1918 in the Interface Section. Result was that I got blocked from accessing via WebGUI and SSH...
          The solution was to get on the Box via Serial and got it open again. Now it's all working fine again. And yes, the Anti Lockout Rule was activated and didn't worked it out. So I would say this was a Learning by Burning... :)

          I really have to state that I didn't got the Point of your Advice... Wouldn't this lock me out again?

          Presupposed you use only RFC1918 networks, this way you only need one block rule to avoid any access to internal devices. This is save as well if you add an additional subnet or change one in the future.

          At the moment I don't get your point. Wouldn't this lock for example even "PC on LAN" from accessing the LAN Interface in the Firewall again?

          Consider, if you provide DNS on your pfSense to the OPT1 net you have add an additional pass rule to permit it.

          DNS is being provided over pfSense via 8.8.8.8 / 8.8.4.4 for both Networks. There is no specific rule for permissioning it. The DNS Resolver is enabled and the two above mentioned Servers set in pfSense. Could it be that this depends on the "Default allow LAN / OPT1 to any rule"?

          @johnpoz You're right. Blocking Bogons on WAN would surely be more effective than block them beneath of WAN on LAN, too. I'll change that shortly.
          To be honest... As my DSL-Modem got a Firewall itself and is NATting (no DMZ / exposed Host at the moment) I guess even on WAN actually this shouldn't be as necessary as with just a pure Modem. Thanks for your point.

          And I guess I got your point with the source net in the allow rules...as there are no other clients instead of the LAN clients themself setting "LAN net" on source might really be unnecessary... And as I can rate it really sounds logic.
          Wouldn't it than be better to let the Bogon Block active?
          Or would it be better to let the source net set and take the Bogon rule off for that?
          Or both off? Wouldn't that exposure a potential hack-in way, eg by a Worm or sth similar?

          .
          .
          .

          At both of you: Thank you for your points and ideas. I'm really just starting with the whole theme so sorry for maybe stupid questions / rules. All your mentions and point are always welcome as they give me the opportunity for re-thinking and learning more about networking.

          V johnpozJ 2 Replies Last reply Reply Quote 0
          • V
            viragomann @BSA66
            last edited by

            @bsa66 said in Block OPT1 from accessing DSL-Modem behind Firewall?:

            At the moment I don't get your point. Wouldn't this lock for example even "PC on LAN" from accessing the LAN Interface in the Firewall again?

            We were talking about the OPT1 rules. Of course, if you add a RFC1918 block rule to the top of the LAN rule set and have the Anti-Lock-out diabled, you'll get locked out.

            @bsa66 said in Block OPT1 from accessing DSL-Modem behind Firewall?:

            Consider, if you provide DNS on your pfSense to the OPT1 net you have add an additional pass rule to permit it.

            DNS is being provided over pfSense via 8.8.8.8 / 8.8.4.4 for both Networks. There is no specific rule for permissioning it. The DNS Resolver is enabled and the two above mentioned Servers set in pfSense. Could it be that this depends on the "Default allow LAN / OPT1 to any rule"?

            The point is which DNS the clients use. If you have set external DNS servers in the general setup, but the DNS resolver and DHCP activated, but no DNS servers specified in the DHCP settings, pfSense provides its own interface address to the clients as DNS server via DHCP. In this case you need a pass rule to allow access to the interface address on TCP/UDP port 53.

            B 1 Reply Last reply Reply Quote 0
            • B
              BSA66 @viragomann
              last edited by BSA66

              @viragomann said in Block OPT1 from accessing DSL-Modem behind Firewall?:

              We were talking about the OPT1 rules. Of course, if you add a RFC1918 block rule to the top of the LAN rule set and have the Anti-Lock-out diabled, you'll get locked out.

              Okay, I guess I got it now. And I apologize. But yeah, I did it and got me locked out. (and it is confusing that the Anti Lockout Rule was definitely not disabled. I checked this out in the afterwards) But I'd say...Anyway "Layer 8 did it" :)

              The point is which DNS the clients use. If you have set external DNS servers in the general setup, but the DNS resolver and DHCP activated, but no DNS servers specified in the DHCP settings, pfSense provides its own interface address to the clients as DNS server via DHCP. In this case you need a pass rule to allow access to the interface address on TCP/UDP port 53.

              The pfSense got two public DNS Servers and the two router behind it (LAN & OPT1) got their pfSense Interface IPs for DNS forwardings. Both router got static IPs on pfSense and are just serving themselves DHCP for their Clients as well. I will shortly make two screenshots and load them up.

              pfSense - General Setup
              0_1539907186935_pfSense_generalSetup_shrinked.jpg

              LAN Router (OpenWRT) - DNSMasq
              ![0_1539907251527_LAN_dnsmasq_shrinked.jpg](/assets/uploads/files/1539907255712-lan_dnsmasq_shrinked-resized.jpg

              1 Reply Last reply Reply Quote 0
              • B
                BSA66
                last edited by BSA66

                It marks my second Screenshot as spam so I upload it here hoping it works.

                LAN Router (OpenWRT) - DNSMasq

                0_1539907597852_LAN_dnsmasq_shrinked.jpg

                At the last Point on this Screenshot (DNS Forwardings) I put in the pfSense IP of LAN Interface

                1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @BSA66
                  last edited by johnpoz

                  @bsa66 said in Block OPT1 from accessing DSL-Modem behind Firewall?:

                  I guess even on WAN actually this shouldn't be as necessary as with just a pure Modem

                  Even with pure modems to be honest its a kind of pointless.. Bogons do not route - so to be honest they should never be able to hit your wan, ever.. And since EVERYthing is blocked out of the box it would only matter if you had port forwards. So you would be blocking some IP as source that does not route on the internet from hitting your port forwards.. So to be honest - not really useful rule ;)

                  The whole idea of bogons is pretty outdated to be honest..

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                  1 Reply Last reply Reply Quote 0
                  • B
                    BSA66
                    last edited by BSA66

                    I just found some Sec related stuff out there. I blindly took the very first hits and either yet didn't digged deeper into it.
                    So I really don't know that much about this Sec related stuff yet but maybe you can get more out of it? So just FYI

                    https://exchange.xforce.ibmcloud.com/vulnerabilities/112743

                    https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
                    (p. 51)

                    It seems to me that there are several (known / published) possibilities...

                    1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by johnpoz

                      Thanks dude - but been doing this for like 30 years.. I think I know the "possible"... Did you not get the part where I stated all ports are blocked out of the box..

                      Do you have port forwards? Are you running ntp? Have you not updated it.. Does your ntp server use 127.127.0.0/16 address as its reference ;)

                      Are you not keeping your ntp server up to date? The fix for that was released A month before the exploit was even reported - and it shows as unproven ;)

                      The default to block bogon is on by default on your wan anyway.. I didn't say you should uncheck it, just saying its really a old standard practice that doesn't really provide all that much protection. How many hits have you gotten on your wan bogon rule btw? ;)

                      To the other - are you running BGP? ;) The talk of filtering bogon in BGP is about not allowing routes to bogon in your BGP routing table - not that traffic would come from a bogon source IP which is what the wan rules do..

                      Normally bogon would be blocked at your border router before it even hit your firewall.. But with the case of pfsense it being the border router and firewall. But the block rules of rfc1918 and bogon that are default ONLY ever come into play if your forwarding traffic. It is much better practice to limit your source IPs on your forwards to the IPs and or Netbocks that you actually want to access your forwards in the first place.. If you are thinking of port forwarding, you should prob make sure you understand all the implications... Cuz I can for sure promise you there are way more concerns of traffic hitting your port forwards from actual valid IPs than bogons ;)

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                      B 1 Reply Last reply Reply Quote 0
                      • B
                        BSA66 @johnpoz
                        last edited by BSA66

                        Okay, you got me. ;-D You doing this at least as long as I am on our beautiful Earth...

                        I got the part where you said "all ports are blocked by default on WAN" (I knew that even before...but to be honest: that doesnt really calm me. (that I know it I mean))

                        Nope, actually I dont have any port forwards. But my next Project might be a really tiny Website, I got an old Raspi 1 and would like to use it for this purpose...or use it anyway again. And for a little Hobby Project it might be...I hope...still "powerful" enough.

                        Nope (again :D) , I'm even not serving my own Network with NTP, et even pfSense does not, every router has its own NTP-Servers set up as even as the Firewall has their own.

                        Are you not keeping your ntp server up to date? The fix for that was released A month before the exploit was even reported - and it shows as unproven ;)

                        Okay Dude, (or El Duderino for those who dont like too short names :D ) I see you're really in this stuff, my propz! (I mean that truely!)

                        The default to block bogon is on by default on your wan anyway.. I didn't say you should uncheck it, just saying its really a old standard practice that doesn't really provide all that much protection. How many hits have you gotten on your wan bogon rule btw? ;)

                        If you'd now how I advanced the WAN Rules provided by the Balanced IPS Policy in Snort... I guess...head hits table
                        Actually, to be honest, not one.

                        I actually don't even know what BGP is..I'd say a Service but to be honest I'd had to read about it to be able for stating sth about BGP.

                        Normally bogon would be blocked at your border router before it even hit your firewall.. But with the case of pfsense it being the border router and firewall. But the block rules of rfc1918 and bogon that are default ONLY ever come into play if your forwarding traffic. It is much better practice to limit your source IPs on your forwards to the IPs and or Netbocks that you actually want to access your forwards in the first place.. If you are thinking of port forwarding, you should prob make sure you understand all the implications... Cuz I can for sure promise you there are way more concerns of traffic hitting your port forwards from actual valid IPs than bogons ;)

                        Okay, I see. So if I got you right it would be okay to use the Bogon Block on WAN and I can disable it for locals, correct? Why it lets me sleep better running on WAN is that I just configured the only Client on my DSL-HomeUser-ModemRouter, pfSense, as an exposed host this night.
                        And yes, before I did that I enabled Blocking for snort and before I did that I worked out at least one very little wan- and one little lansuppress list over the last 4 days. Just, for sure, still learning. Google Search aint blocked anymore (for its permanent Port Scans...) but multiple CN and RU and "ZZ" (no country) Port Scan and EmergingThreading IPs remained and will remain onwards in the Blocked List.
                        Just wondering how big this one will become... For educational purposes (not for security as they will get blocked even at the first attempt by snort again) I set the "keep em blocked" on one Week at the moment. So I can work several IPs out and have a wider overwatch on how often same IPs coming back or Rules will get triggered.

                        Actually everything's working fine (for me, as I use the network at the moment...anyway). Two Spotify IPs got blocked so I had to unblock them after it was clear to me where these IPs are coming from (at the moment I'm using virustotal & dnsstuff.com for better or more reliable reversed nameserver lookups for blocked IPs by hand)

                        Hm, wrote a lot of stuff I'd bet you ain't interested about.

                        I've unblocked Bogons on my local site but left in enabled on WAN (I know, you said they wont get routed...damn ;-D)

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.