Netgate Discussion Forum

    Block private networks - What does that do, what is it used for ?

    Problems Installing or Upgrading pfSense Software
    8 Posts 5 Posters 25.3k Views
    • Michel-angelo

      Hello. I just purchased and received a SG-1000 router, after a preliminary question, related to traffic shaping, on this forum:

      https://forum.pfsense.org/index.php?topic=134207.0
      Can I hope to improve on my 2 Mb/s download with pfSense traffic shaping?

      In my home network, a Zyxel modem-router delivers LAN1 on the 192.168.0.1/24 address range. The WAN port of an Airport Extreme access point is connected to it and, with its router activated (double NAT), delivers LAN2 on the 192.168.1.1/24 address range. This is my home LAN. The Airport Extreme also provides a guest network by VLAN tagging.

      I unplugged my Airport Extreme, plugged the SG-1000 in its stead out of the box, and it immediately worked, delivering (at this step only) the main network (not yet the guest).

      In view of the double NAT, the WAN is a private network, so I believed that I would need to untick "Block private networks" from entering via WAN. Given that the box was ticked by default ("block") and yet it worked, I left it that way and I nevertheless have internet access on my LAN2.

      What is the option "Block private networks" supposed to do?

      If it blocks access to the WebGUI from private addresses situated on the WAN side, is access to the WebGUI denied to public addresses but nevertheless authorized to public addresses?

      How do I block access to the WebGUI from anything located on the WAN side? TIA

      • heper

        Draw a schematic. Trying to explain a network layout using words is impossible.

        • johnpoz LAYER 8 Global Moderator

          Not impossible ;)  Just way more difficult, especially for users that are not networking people.

          Block private networks does exactly what it says it does.. It blocks RFC 1918 address space.. 10.0.0.0/8, 192.168.0.0/16 and 172.16.0.0/12

          If pfSense is behind a NAT, and it has a private IP on its WAN.. Then yes, you would have to remove that rule, or devices that sit on this NAT network trying to access devices behind pfSense will not work, since the NAT device in front of pfSense would have to be from an RFC 1918 address.  But the block RFC 1918 rule would block it before it got to your allow rule.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          • jahonix

            @johnpoz:

            … or your forwards will not work since the nat device in front ... forward to pfsense rfc1918 address.

            Technically you are correct, but it only applies to forwarded traffic to the pfSense.
            If OP only wants to route/filter what's going out of his pfSense Lan into the big-I then it will still work even with this block rule in place. Egress traffic will traverse and open up the port for ingress replies (stateful, but I know that you know that).
            OP was asking about this scenario specifically, that's why I chimed in.

            • johnpoz LAYER 8 Global Moderator

              Yeah, it has nothing to do with outbound - I was just explaining what it does and when you would have to not do it, etc.


              • Derelict LAYER 8 Netgate

                Let's put this one to bed once and for all.

                These are the rules generated on my WAN interface for the block RFC1918 checkbox:

                block anything from private networks on interfaces with the option set

                block in log quick on $WAN from 10.0.0.0/8 to any tracker 12000 label "Block private networks from WAN block 10/8"
                block in log quick on $WAN from 127.0.0.0/8 to any tracker 12000 label "Block private networks from WAN block 127/8"
                block in log quick on $WAN from 172.16.0.0/12 to any tracker 12000 label "Block private networks from WAN block 172.16/12"
                block in log quick on $WAN from 192.168.0.0/16 to any tracker 12000 label "Block private networks from WAN block 192.168/16"
                block in log quick on $WAN from fc00::/7 to any tracker 12000 label "Block ULA networks from WAN block fc00::/7"

                They block connections coming INTO WAN sourced from addresses in the RFC1918 list of addresses (and localhost and IPv6 ULA).

                They will not block port-forwarded or 1:1 traffic from an upstream router unless that device also NATs the source address to something that matches these rules.

                They will block connections sourced from the upstream router itself.

                They will not block outbound connections.

                Same interface, same thing, but for the bogons checkbox:

                block bogon networks (IPv4)

                http://www.cymru.com/Documents/bogon-bn-nonagg.txt

                block in log quick on $WAN from <bogons> to any tracker 11000 label "block bogon IPv4 networks from WAN"

                block bogon networks (IPv6)

                http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt

                block in log quick on $WAN from <bogonsv6> to any tracker 11000 label "block bogon IPv6 networks from WAN"

                The diagram in my sig contains (part of) my VM lab. I connect to it all the time sourcing from other parts of my network that are all in the RFC1918 space. I have to uncheck the block RFC1918 checkbox on those VMs or I could not connect.

                There is never any legitimate reason my public WAN port on my edge firewall would ever need to accept a connection from an RFC1918 address so I keep it checked there.

                You want to untick the checkbox when your WAN needs to accept connections with a source address in the RFC1918 space.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                • johnpoz LAYER 8 Global Moderator

                  Great clarification Derelict.. Should be a sticky or in the wiki..

                  Normally you are right the nat device in front does not source nat it.. But quite often in a double nat setup the user has devices on this transit network between the first router and pfsense.  So those devices will not work unless you undo the rfc1918 block.

                  I have edited my post to be clear on this as well..  This is the point I was trying to make, but when I reread my post I had worded it as forwarded to vs from..


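As an added example (not code from this thread, from pfSense, or from Netgate), the following Python parses the pf rule lines Derelict posted for the "Block private networks" and IPv4 bogon checkboxes and evaluates them against constructed packets for the situations discussed by johnpoz and Derelict: the upstream router itself, a host on the double-NAT transit network, a public client reaching a port forward whose source is not NATed, and pfSense's own outbound traffic. The rule text is copied from the post; the contents of the `<bogons>` table, the packet addresses and the rule-line regular expression are assumptions made for the example.

```python
import ipaddress
import re

# Rule lines as posted in the thread. The <bogons> token is a pf table
# reference, which pfSense fills from the Team Cymru list linked above.
RULES_TEXT = '''
block in log quick on $WAN from 10.0.0.0/8 to any tracker 12000 label "Block private networks from WAN block 10/8"
block in log quick on $WAN from 127.0.0.0/8 to any tracker 12000 label "Block private networks from WAN block 127/8"
block in log quick on $WAN from 172.16.0.0/12 to any tracker 12000 label "Block private networks from WAN block 172.16/12"
block in log quick on $WAN from 192.168.0.0/16 to any tracker 12000 label "Block private networks from WAN block 192.168/16"
block in log quick on $WAN from fc00::/7 to any tracker 12000 label "Block ULA networks from WAN block fc00::/7"
block in log quick on $WAN from <bogons> to any tracker 11000 label "block bogon IPv4 networks from WAN"
'''

# Constructed stand-in for the <bogons> pf table (two entries only; the real
# downloaded list is far longer).
TABLES = {
    "bogons": [ipaddress.ip_network("0.0.0.0/8"),
               ipaddress.ip_network("100.64.0.0/10")],
}

# Assumed shape of the generated rule lines: block in [log] quick on $IFACE
# from SOURCE to any tracker N label "TEXT".
RULE_RE = re.compile(
    r'^block\s+in\s+(?:log\s+)?quick\s+on\s+\$(\w+)\s+from\s+(\S+)\s+to\s+any'
    r'\s+tracker\s+(\d+)\s+label\s+"([^"]*)"$'
)


def parse_rules(text):
    """Turn the rule lines into dicts of interface, source networks, tracker id and label."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised rule line: {line!r}")
        iface, src, tracker, label = m.groups()
        if src.startswith("<") and src.endswith(">"):
            nets = TABLES[src[1:-1]]            # pf table reference
        else:
            nets = [ipaddress.ip_network(src)]  # literal prefix
        rules.append({"iface": iface, "nets": nets,
                      "tracker": int(tracker), "label": label})
    return rules


RULES = parse_rules(RULES_TEXT)


def first_match(rules, iface, direction, src_ip):
    """Label of the first matching 'block in ... quick' rule, or None if none matches.

    Every rule is 'in' on a named interface, so outbound packets and packets
    arriving on other interfaces are never candidates; 'quick' means the first
    hit ends evaluation. Replies to an outbound connection are passed by pf's
    state table before the ruleset is consulted, so they are not modelled here.
    """
    if direction != "in":
        return None
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["iface"] != iface:
            continue
        if any(ip.version == net.version and ip in net for net in rule["nets"]):
            return rule["label"]
    return None


# Constructed packets for a double-NAT layout where pfSense's WAN sits on the
# upstream router's 192.168.0.0/24 LAN (as in the original poster's setup).
SCENARIOS = {
    "upstream router itself talks to pfSense WAN": ("WAN", "in", "192.168.0.1"),
    "host on the transit LAN reaches pfSense WAN": ("WAN", "in", "192.168.0.50"),
    "public client hits a port forward (source not NATed)": ("WAN", "in", "203.0.113.7"),
    "outbound from pfSense's own WAN address": ("WAN", "out", "192.168.0.2"),
    "LAN host talks to pfSense LAN": ("LAN", "in", "192.168.1.10"),
    "IPv6 ULA source on WAN": ("WAN", "in", "fd12::1"),
    "CGNAT address on WAN (bogon table)": ("WAN", "in", "100.64.0.1"),
}


def evaluate_all(rules=RULES):
    """Map each scenario name to the blocking rule label, or None when these rules do not match."""
    return {name: first_match(rules, *pkt) for name, pkt in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name}: {'BLOCKED by ' + verdict if verdict else 'not matched by these rules'}")
```

Running it shows the thread's conclusion in one place: only the two packets sourced from the transit network's 192.168.0.0/24 (and the ULA and bogon samples) hit a block rule, while the public-sourced port-forward client, the outbound packet and the LAN-side packet pass untouched by these rules. Whether the pfSense WAN address is private makes no difference; what matters is whether anything with an RFC 1918 source address needs to initiate connections to that WAN.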
                  • Michel-angelo

                    Thank you all. Sorry I did not show a diagram. Since I have no other IP in the upstream LAN1 than the pfSense device, I now understand that I can keep this "Block private networks" ticked and therefore must keep it ticked. Thanks.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.