Netgate Discussion Forum
RFC1918 and Block BOGON networks issue

Problems Installing or Upgrading pfSense Software
7 Posts 5 Posters 1.7k Views
  fatboy95 (Mar 8, 2017, 3:33 PM):

    Previously had an older version of pfSense 2.something with no issues. Decided to do a clean install of 2.3.3; now if I enable (on the WAN) Block RFC1918 and Block BOGON networks I cannot get an IP address from my ISP (Comcast). As soon as I disable them everything works as it should. I can't seem to find what I am missing that would cause this issue.

    Thanks…

      johnpoz, LAYER 8 Global Moderator (Mar 8, 2017, 3:58 PM):

      The DHCP rules (which are hidden) should allow it even if the DHCP server is RFC1918.

      Is your WAN RFC1918 or public?

      Do you see anything blocked by those rules in the firewall log (are you logging those rules)?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        fatboy95 (Mar 8, 2017, 5:03 PM):

        This is initial setup, I haven't even had a chance to configure the server past this.

        I know my IP is DHCP from Comcast but not sure how to tell if it is RFC1918 or public. My previous install I always had Block RFC1918 checked without issue.

          JorgeOliveira (Mar 9, 2017, 2:52 PM):

          RFC1918 is:
          10.0.0.0 – 10.255.255.255 (10.0.0.0/8)
          172.16.0.0 – 172.31.255.255 (172.16.0.0/12)
          192.168.0.0 – 192.168.255.255 (192.168.0.0/16)

          You should also try checking RFC1918 without enabling BOGONS and see if the issue persists, and try the other way around. This should allow you to debug which list is the reason for the trouble.

          My views have absolutely no warranty express or implied. Always do your own research.

            vbentley (Mar 10, 2017, 2:41 PM):

            I am fairly certain that if an ISP provides an IPv6 address you will have to allow bogons on that interface.

            Trademark Attribution and Credit
            pfSense® and pfSense Certified® are registered trademarks of Electric Sheep Fencing, LLC in the United States and other countries.

              jahonix (Mar 10, 2017, 11:51 PM):

              Your ISP might use CGN for IPv4, which is 100.64.0.0/10 (RFC 6598).
              That one is on the bogons list, so you have to uncheck those.

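JorgeOliveira lists the RFC 1918 blocks and jahonix points at 100.64.0.0/10, so the practical question left in the thread is: which of the two WAN options clashes with the address the ISP actually handed out? The script below is an added example (not pfSense code and not from any poster) that answers that for IPv4. It parses the `inet` line of FreeBSD `ifconfig` output (pfSense runs on FreeBSD, so `ifconfig <wan-interface>` from the console or SSH shell produces this shape), classifies each address as RFC 1918, bogon, or public, and names the checkbox that would have to stay off. The bogon table is a constructed subset of well-known reserved ranges, not Netgate's downloaded bogons list (which is far longer because it also covers unallocated space), and the `ifconfig` text is constructed sample data, not a real capture.

```python
import ipaddress
import re

# Added example, not pfSense code. IPv4 only.

# The three RFC 1918 blocks quoted in the thread: what the WAN option
# "Block private networks" is about.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed subset of well-known reserved IPv4 space standing in for the
# bogons list. pfSense fetches its real list from Netgate; that list is much
# longer (it also covers unallocated space) and is not reproduced here.
BOGONS = {ipaddress.ip_network(k): v for k, v in {
    "0.0.0.0/8":       "this network (RFC 1122)",
    "100.64.0.0/10":   "shared address space, CGN (RFC 6598)",
    "127.0.0.0/8":     "loopback (RFC 1122)",
    "169.254.0.0/16":  "link-local (RFC 3927)",
    "192.0.2.0/24":    "TEST-NET-1 (RFC 5737)",
    "198.18.0.0/15":   "benchmarking (RFC 2544)",
    "198.51.100.0/24": "TEST-NET-2 (RFC 5737)",
    "203.0.113.0/24":  "TEST-NET-3 (RFC 5737)",
    "224.0.0.0/4":     "multicast (RFC 5771)",
    "240.0.0.0/4":     "reserved (RFC 1112)",
}.items()}


def classify(addr: str) -> dict:
    """Say which of the two WAN block rules an address falls under."""
    ip = ipaddress.ip_address(addr)
    result = {"address": addr, "rfc1918": None, "bogon": None}
    for net in RFC1918:
        if ip in net:
            result["rfc1918"] = str(net)
    for net, why in BOGONS.items():
        if ip in net:
            result["bogon"] = f"{net} {why}"
    result["public"] = result["rfc1918"] is None and result["bogon"] is None
    return result


def checkboxes_to_disable(addr: str) -> list:
    """The WAN options that would block traffic from the range this address is in."""
    c = classify(addr)
    boxes = []
    if c["rfc1918"]:
        boxes.append("Block private networks")
    if c["bogon"]:
        boxes.append("Block bogon networks")
    return boxes


# FreeBSD ifconfig prints "inet A.B.C.D netmask 0x..." for each IPv4 address.
INET_RE = re.compile(r"^\s*inet\s+(\d+\.\d+\.\d+\.\d+)\s+netmask", re.MULTILINE)


def wan_ipv4_addresses(ifconfig_text: str) -> list:
    return INET_RE.findall(ifconfig_text)


def diagnose(ifconfig_text: str) -> dict:
    """Map each IPv4 address on the interface to the WAN options that clash with it."""
    return {a: checkboxes_to_disable(a) for a in wan_ipv4_addresses(ifconfig_text)}


# Constructed sample (not real data): a WAN that received a CGN address by DHCP.
SAMPLE_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:55
        inet 100.64.12.34 netmask 0xfffffc00 broadcast 100.64.15.255
        status: active
"""

if __name__ == "__main__":
    for addr, boxes in diagnose(SAMPLE_IFCONFIG).items():
        c = classify(addr)
        verdict = "public" if c["public"] else (c["rfc1918"] or c["bogon"])
        advice = "leave unchecked: " + ", ".join(boxes) if boxes else "both options are safe"
        print(addr, verdict, "->", advice)
```

If the address comes back public, neither option is the culprit and the cause is elsewhere (johnpoz's suggestion to log those rules and read the firewall log is the next step); if it comes back inside 100.64.0.0/10, the ISP is doing CGN and the bogons option is the one to leave off, as jahonix says.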
                johnpoz, LAYER 8 Global Moderator (Mar 11, 2017, 11:35 AM):

                While, yes, blocking RFC1918 and bogon on your WAN is a common, normal security practice, to be honest it's not really one of your bigger bang-for-the-buck items, and it can cause more issues than it's worth, if you ask me.

                All unsolicited traffic inbound to your WAN is going to be blocked right out of the box. So the only thing that would be allowed in is stuff you have forwarded on purpose, or something that was in answer to a connection you made.

                So, since RFC1918 and bogon do not route on the internet, the only possible place those addresses could actually talk to your WAN from would be your ISP.

                So what if there is a misconfigured idiot on your same ISP that is talking from bogon or RFC1918 and he hits your open port, which you have open to the public internet anyway!

