RFC1918 and Block BOGON networks issue

fatboy95 · Mar 8, 2017, 3:33 PM

Previously had an older version of pFsense 2.something with no issues. Decided to do clean install of 2.3.3, now if I enable (on the WAN) Block RFC1918 and Block BOGON networks I cannot get a IP address from my ISP (comcast). Soon as I disable them everything works as it should. I can't seem to find what I am missing that would cause this issue.

Thanks…

johnpoz · Mar 8, 2017, 3:58 PM

The dhcp rules (which are hidden) should allow even if the dhcp server s is rfc1918

Is your wan rfc1918 or public.

Do you see anything blocked by those rules in the firewall log (are you logging those rules?)..

fatboy95 · Mar 8, 2017, 5:03 PM

This is initial setup, I haven't even had a chance to configure the server past this.

I know my IP is dhcp from comcast but not sure how to tell if it is rfc1918 or public. My previous install I always had Block RFC1918 checked without issue.

JorgeOliveira · Mar 9, 2017, 2:52 PM

RFC1918 is:
10.0.0.0 – 10.255.255.255 (10.0.0.0/8)
172.16.0.0 – 172.31.255.255 (172.16.0.0/12)
192.168.0.0 – 192.168.255.255 (192.168.0.0/16)

You should also try checking RFC1918 without enabling BOGONS and see it the issue persists, and try the other way around. This should allow to debug which list is the reason for trouble.

vbentley · Mar 10, 2017, 2:41 PM

I am fairly certain that if an ISP provides an IPv6 address you will have to allow bogons on that interface.

jahonix · Mar 10, 2017, 11:51 PM

Your ISP might use CGN for IPv4, which is 100.64.0.0/10 (RFC6598).
That one is on the Bogon's list so you have to uncheck those.

johnpoz · Mar 11, 2017, 11:35 AM

While yes blocking rfc1918 and bogon on your wan is a common normal security practice.. To be honest its not really one of your bigger bang for the buck items.. And can cause more issues then it worth if you ask me..

All unsolicited traffic inbound to your wan is going to be block right out of the box. So the only thing that would allowed in is stuff you have forwarded on purpose. Or something that was in answer to a connection you made.

So since rfc1918 and bogon do not route on the internet. The only possible places where those address could actually talk to your wan would be if they came from your ISP..

So what if there is a misconfigured idiot on your same isp that is talking from bogon or rfc1918.. And he hits your open port - that you have open to the public internet anyway!