pfBlocker source for mining IPv4 using ASN does not contain all IPv4 entries when compared to https://ipinfo.io



  • I am on 2.4.4. development branch at the moment.

    I am having issues with my Selective Routing rules on pfSense. I use the IP list feature of pfBlockerNG to mine AS numbers for streaming media companies. I then create LAN firewall rules to route the traffic to the appropriate interface. I have to supplement the list with domain names I have harvested. On my Asus router, I wrote a program to obtain the IPv4 addresses from https://ipinfo.io. I do not have to supplement the IPv4 list with domain names I harvested. I only have to use the IPv4 lists downloaded from ipinfo.io.

    It appears that pfBlockerNG is not obtaining the same list of IPv4 addresses when I compare it to https://ipinfo.io. It is often a smaller list.

    One example is the IPv4 list for Move Networks (SlingTV) on https://ipinfo.io/AS35873

    [image]

    Here is the list generated by pfBlockerNG
    8.4.11.0/24
    8.5.246.0/24
    8.18.40.0/24
    8.18.90.0/24
    8.18.164.0/22
    67.21.48.0/20

    The list created by pfBlockerNG is missing many IPv4 entries. This is also the case for several other ASNs.

    Here is a snip of the config screen in pfBlockerNG

    [image]

    Can the source for obtaining the IPv4 addresses from AS Numbers be configured?

    Thank you



  • I manually populated my IPv4 lists using ipinfo.io as the source. Here is the example of the code used to gather AS13996:

    
    curl https://ipinfo.io/AS13996 2>/dev/null | grep -E "a href.*13996\/" | grep -v ":" | sed 's/^.*<a href="\/AS13996\///; s/" >//'
    

    I am happy to report that my selective routing is working using the AS Numbers from ipinfo.io. I plan to do a comparison of the list I generated from ipinfo and compare it with what pfBlockerNG obtains using the built-in AS Number mining IPv4 feature. I noticed the pfBlocker Update process consolidates the IPv4 lists. So that could explain why I saw some differences.


  • Moderator

    pfBlockerNG uses the whois.radb.net for the AS info... Unfortunately it's not always the best... I'd like to spend some more time to find some better alternatives.

    This is the command that is used to collect the ASNs currently:

    mwhois -h whois.radb.net \!"gAS35873" | tail -n +2 | tr -d '\nC' | tr ' ' '\n'
    

    Alternatively, you could add this URL in the Source Field (IPv4 tab) and it will pull all IPs on the page automatically:

    https://ipinfo.io/AS13996
    
    204.76.129.0/24
    205.172.145.0/24
    66.170.240.0/24
    66.170.241.0/24
    66.170.243.0/24
    66.170.249.0/24
    66.170.251.0/24
    66.170.252.0/24
    66.170.255.0/24
    67.21.140.0/24
    67.214.50.0/24
    67.214.51.0/24
    

    Unfortunately it also pulled these IPs that were part of the "Related Networks" table in that ipinfo page. It might not cause any issues for you tho...

    66.170.250.12
    66.170.250.15
    66.170.250.200
    66.170.250.201
    66.170.250.4
    


  • @bbcan177 Thank you for the reply. When I first got into Selective Routing last year on my Asus router, I also used the entware package whob to mine IPv4 addresses. I also discovered that it did not return the number of IPv4 addresses compared to ipinfo.io. Here is a snip of example code used to obtain IPv4 for a website.

    #Pull all IPs listed for whatismyipaddress.com on radb.net
    whob -h whois.radb.net -- '-i origin AS16625' | grep -Eo "([0-9.]+){4}/[0-9]+"
    

    So, I went with ipinfo.io. I have since found two other similar sites. I too have been on the lookout for an alternative source. I will let you know if I find any.
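
The comparison discussed in this thread (a consolidated list against a scraped list that may also contain bare host IPs) can be done on address coverage rather than line by line. The following is an added example, not code from any poster or from pfBlockerNG; the function names are hypothetical and the sample prefixes are constructed from documentation ranges, not real ASN data.

```python
import ipaddress

# Constructed sample lists (documentation prefixes), not real ASN data.
SOURCE_A = ["198.51.100.0/24", "203.0.113.0/25"]          # already consolidated
SOURCE_B = ["198.51.100.0/25", "198.51.100.128/25",       # same /24, split in two
            "203.0.113.0/24", "192.0.2.10  # bare host IP from a scraped page"]

def load(lines):
    """Parse IPv4 prefixes or bare IPs (a bare IP becomes a /32); skip blanks and comments."""
    nets = []
    for line in lines:
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def consolidate(nets):
    """Merge adjacent and overlapping prefixes into the smallest sorted list."""
    return list(ipaddress.collapse_addresses(nets))

def subtract(nets, others):
    """Address space covered by `nets` but not by `others`, consolidated."""
    remaining = consolidate(nets)
    for other in consolidate(others):
        kept = []
        for net in remaining:
            if net.subnet_of(other):
                continue                                   # fully covered
            if other.subnet_of(net):
                kept.extend(net.address_exclude(other))    # carve out covered part
            else:
                kept.append(net)                           # disjoint
        remaining = kept
    return consolidate(remaining)

def compare(a, b):
    """Report coverage differences that survive consolidation."""
    only_a, only_b = subtract(a, b), subtract(b, a)
    return {
        "only_a": [str(n) for n in only_a],
        "only_b": [str(n) for n in only_b],
        "addresses_only_a": sum(n.num_addresses for n in only_a),
        "addresses_only_b": sum(n.num_addresses for n in only_b),
    }

if __name__ == "__main__":
    for key, value in compare(load(SOURCE_A), load(SOURCE_B)).items():
        print(key, value)
```

Entries that differ only because one list was consolidated drop out of the result; what remains is real coverage that one source lacks, including any stray /32 host entries picked up from a scraped page.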