Bogons
-
I swapped my DSL Modem for a 4G modem (with ethernet port),then updated the DYNDNS.
I found that I could not connect via OpenVPN, and it appears to be due to blocking of bogons on the WAN port.
The OpenVPN client is also on 4G, but not with a publicly accessible IP Address.
Does that sound usual? -
Most likely your WAN IPv4 address on 4G will be carrier grade NAT, meaning you have no means to accept inbound connections from the Internet, so you can't run an OpenVPN server on that connection.
You might be able to use IPv6 for that, or maybe pay the ISP more for a true public IPv4 address.
-
@jimp
The 4G modem that hosts the OpenVPN (pfSense) Server is provisioned with a true public IP address, which functions correctly. (and is essential for DynDNS to work).What I noticed is: I could not connect via an Android OpenVPN connection which is also on 4G but on a carrier grade NAT. - Unless I turn off the Bogon Block on the WAN Interface.
To further test it; I changed the APN on my Android client to get a public IP address - and the Android OpenVPN connected - with Bogon Block enabled on the WAN.
It appears that Bogon Block can hamper OpenVPN connections from clients that are connected on Carrier Grade NATs.
This is the first time I have noticed it and it appears to happen when the Server ISP is also on the same 4G network, even though it has a publicly accessible IPv4 address. -
What IP were you coming from? Yes if it was in the bogon list it would be blocked. But IPs in bogon should not be in there if they are not bogon. Your carrier could not be using bogon if they wanted to talk to other things on the interent since bogon are not suppose to route.
So what was the IP you were coming from when being blocked with bogon, and we can look to see if your bogon list is just no updated or if your carrier is doing something borked trying to use bogon networks, etc.
-
The IP's seem a little strange.
1.144.106.254 is the IP prior to connecting according to 'myip'
IPs that appear when Bogon blocks are turned off include:
100.102.114.115, and
100.100.97.92
(These are the reported IP's on the OpenVPN status) -
The IP's seem a little strange.
1.144.106.254 is the IP prior to connecting according to 'myip'That's an actual public address, but your DynDNS would probably say that even if your WAN was in CGN since it usually would poll the address from an outside source if it sees a private address on the interface.
IPs that appear when Bogon blocks are turned off include:
100.102.114.115, and
100.100.97.92
(These are the reported IP's on the OpenVPN status)Those are both in the carrier grade NAT block,
100.64.0.0/10
. If you are both on the same ISP, it's possible they route connections internally between hosts before passing them through CGN. -
As jim stated those are in the CGN space
"Comment: Shared Address Space can only be used in Service Provider networks or on routing equipment that is able to do address translation across router interfaces when addresses are identical on two different interfaces. "
So yeah if your coming from that address space and your wan actually has an IP in that range.. Then you would need to remove it from bogon for your use, or just turn off bogon all together for that to work.
-
So yeah if your coming from that address space and your wan actually has an IP in that range… Then you would need to remove it from bogon for your use, or just turn off bogon all together for that to work.
I have simply turn off Bogon Blocking, but are you saying there is a way to remove these addresses from my own individual Bogon list? How do I edit it?
I also agree with jimp in the assessment of the carrier doing internal routes from internal 4G to 4G; This issue disappears when I replace the server WAN with a different ISP. (The carrier is Telstra in Australia FYI).
-
You could edit the source code that updates the bogon table - it already removes rfc1918
https://github.com/pfsense/pfsense/blob/b8f91b7c6bd16602d49f50c47f4ea28649404c97/src/etc/rc.update_bogons.sh
egrep -v "^192.168.0.0/16|^172.16.0.0/12|^10.0.0.0/8" /tmp/bogons > /etc/bogons
So sure you could edit that to pull out other networks, just keep in mind that on an update to pfsense your changes would get overwrote unless you created a patch that gets applied.
Not something I recommend, but sure can be done. I don't know of a gui way - but then again have not looked into doing that before.