RFC 1918 Traffic leaving the WAN interface



  • Is it an issue that I see RFC 1918 traffic leaving the WAN interface. I have my local network setup using 10.23.X.X/16 as my local networks. However, I noticed that some Apple devices are trying to connect to various 192.168.1.X addresses on port 7000.

    I did a packet capture on the WAN interface and I can see that they are indeed going out the WAN interface. Isn't this an issue? I worry that maybe a device outside my network, could be using 192.168.1.X.

    I was wondering if I should have a static route to RFC1918 going to null?

    I assumed that pfSense by default would prevent this type of traffic leaving the router.


  • LAYER 8 Global Moderator

    Did you mess with outbound nat? Post up your outbound rules

    Is your pfsense wan 192.168.1.x?



  • @IsaacFL said in RFC 1918 Traffic leaving the WAN interface:

    I have my local network setup using 10.23.X.X/16 as my local networks

    192.168.1.x would be outside of your subnet so logically the router will try to send it to the gateway address.

    My question is why are those devices trying to use an address that has nothing to do with your network??

    If RFC1918 addresses are supposed to go to null Im not aware. (someone else can correct me.. Your ISP would not route them any further than their premises.



  • 10:34:06.116571 00:90:7f:88:b4:2e > 00:17:10:90:a7:a3, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 279, offset 0, flags [none], proto ICMP (1), length 60)
    24.xxx.1xx.1xx > 192.168.50.5: ICMP echo request, id 14063, seq 36, length 40
    10:34:10.909794 00:90:7f:88:b4:2e > 00:17:10:90:a7:a3, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 286, offset 0, flags [none], proto ICMP (1), length 60)
    24.xxx.1xx.1xx > 192.168.50.5: ICMP echo request, id 14063, seq 37, length 40

    192.168.50.5 is not an address we use anywhere in our network. So this ping fails but is still sent to my ISP via the WAN.

    In fact I got a return from one of the headend routers that 192.168.50.5 was unreachable.



  • @chpalmer said in RFC 1918 Traffic leaving the WAN interface:

    In fact I got a return from one of the headend routers that 192.168.50.5 was unreachable.

    I get an Administratively prohibited message back.


  • LAYER 8 Global Moderator

    @chpalmer said in RFC 1918 Traffic leaving the WAN interface:

    192.168.1.x would be outside of your subnet so logically the router will try to send it to the gateway address.

    Exactly - I read that too quickly I guess, I was thinking you were seeing that as the source of the traffic, ie you using the 192.168.1/x internally and it wasn't being natted to your public IP.

    But yes @chpalmer is correct - if you try to go to some IP that is not local - pfsense would send it on to the gateway.. Be it not valid or not... Pfsense just knows its not local - so it would send it to its default gateway - but it would be natted to your public IP...

    You can see from chpalmers example where its 24.x.x.x trying to ping 192.168.50.5 - that IP is his public IP.

    If you do not want rfc1918 to leave your wan.. Couple different ways you can stop it.. Simple firewall rule blocking access to rfc1918 that your not using locally on some other vlan, etc.

    Or you could get fancy and do a floating rule that blocks outbound traffic out your wan going to rfc1918 space.



  • What I was thinking of doing was to create an alias with 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 networks.

    Then I create a static route using the Null4 - 127.0.0.1 as the gateway. I think that this should prevent that traffic from leaving the local network.

    I was wondering though if this would cause a problem somehow, as I am surprised that this isn't already there by default?



  • @chpalmer said in RFC 1918 Traffic leaving the WAN interface:

    @IsaacFL said in RFC 1918 Traffic leaving the WAN interface:

    I have my local network setup using 10.23.X.X/16 as my local networks

    192.168.1.x would be outside of your subnet so logically the router will try to send it to the gateway address.

    My question is why are those devices trying to use an address that has nothing to do with your network??

    If RFC1918 addresses are supposed to go to null Im not aware. (someone else can correct me.. Your ISP would not route them any further than their premises.

    I don't know why the apple products do it. I see it from both iphones, ipads, and apple tvs. I tried resetting the network interface on an iPhone, thinking maybe it had leftover ip information but they still send out traffic to a subset of 192.168.1.X addresses.

    It is puzzling to me too. I am wondering if it might be an app on the device.


  • LAYER 8 Global Moderator

    I wouldn't do it that way... Just create a simple firewall rule, you can use your alias of rfc1918 space sure..

    Put it on your wan via floating outbound rule, or put it on your local interfaces - and have it log... This way you can see when its being hit.

    edit: My iphones and or tablets not doing such a thing... I have rules that block access to rfc1918 space on my psk and roku vlans for example.. That my iphones and tablet on now and then... And it doesn't really get any hits on them..

    Normally the hits on see on those rules are out of state traffic to my plex..

    outofstate.jpg

    They normally then retry and works since that traffic is allowed by rule above when it sends a syn
    allowed.jpg



  • @IsaacFL said in RFC 1918 Traffic leaving the WAN interface:

    What I was thinking of doing was to create an alias with 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 networks.

    I was wondering though if this would cause a problem somehow, as I am surprised that this isn't already there by default?

    If you have a cable modem you will no longer be able to access its GUI.

    Its really nothing to worry about.


  • LAYER 8 Global Moderator

    ^ yup very true - unless creates a rule to allow that access above... Again null route sort of solution not a good one.

    example
    example.jpg

    Something like the above would stop what your seeing, and if you set the rule to LOG - then you would see if anything is trying to go to some rfc1918 space.. And you would see what specific client is doing it, and exactly when.. Since it would be in your logs... And simple view of the rules would tell you if any hits on it to go look in the logs via 0/X number increasing..

    edit:
    example 2
    here.jpg

    See the rule blocking access to rfc1918, and being logged - this is how I could show you stuff being blocking going to my plex IP on the plex port (out of state)..



  • @johnpoz said in RFC 1918 Traffic leaving the WAN interface:

    I read that too quickly I guess

    I refuse to comment on the grounds it may tend to incriminate me.. 😀



  • @johnpoz

    Ok, so I deleted my route, and created a RFC 1918 reject rule on the subnet with the Apple devices. It seems to log every few minutes. Weird thing is it is not even in the same /24. Googling tells me port 7000 is related to Airplay.

    the .230 and .231 are both Apple Tv's but I have also seen it on the iphones.

    Annotation 2020-01-12 121806.png



  • The problem with blocking the RFC 1918 traffic is that now all local traffic is getting blocked also, which is fine on an IOT network.

    Probably this would require a floating rule on the WAN network.

    What is the problem with adding the null route I had before? This seems to me more of a routing problem vs a firewall problem.





  • @Pippin said in RFC 1918 Traffic leaving the WAN interface:

    Do your neighbours have Apple products?
    https://www.reddit.com/r/HomeKit/comments/bk1ee9/home_app_tries_to_communicate_with_random_ip_on/

    I don't know for sure but they probably do. That was my concern is that there might be an actual device outside my network.


  • LAYER 8 Global Moderator

    @IsaacFL said in RFC 1918 Traffic leaving the WAN interface:

    The problem with blocking the RFC 1918 traffic is that now all local traffic is getting blocked also

    What the F you think could happen with your nonsense routing stuff to null?

    If you want vlan on 192.168.X to talk to another vlan 192.168.Y for example - then allow that traffic above your block rule.. As shown in my example I allow to talk to my plex server on a different rfc1918 vlan.. I allow devices to talk to my ntp that is on another rfc1918 vlan. Just allow what rfc1918 traffic you want to allow before you block..

    If you want lan to talk to your dmz net for example, then put that rule above where you block rfc1918.

    Rules are evaluated, top down, first rule to trigger wins..

    If all you have is 1 network, there is no other vlans to talk to using rfc1918.. Devices on your network don't talk to pfsense to talk to something on their own network.



  • @johnpoz said in RFC 1918 Traffic leaving the WAN interface:

    @IsaacFL said in RFC 1918 Traffic leaving the WAN interface:

    The problem with blocking the RFC 1918 traffic is that now all local traffic is getting blocked also

    What the F you think could happen with your nonsense routing stuff to null?

    If you want vlan on 192.168.X to talk to another vlan 192.168.Y for example - then allow that traffic above your block rule.. As shown in my example I allow to talk to my plex server on a different rfc1918 vlan.. I allow devices to talk to my ntp that is on another rfc1918 vlan. Just allow what rfc1918 traffic you want to allow before you block..

    If you want lan to talk to your dmz net for example, then put that rule above where you block rfc1918.

    Rules are evaluated, top down, first rule to trigger wins..

    If all you have is 1 network, there is no other vlans to talk to using rfc1918.. Devices on your network don't talk to pfsense to talk to something on their own network.

    I think it is just as much nonsense to route it out the WAN interface when the RFC explicitly says not to do that.

    I have much more than 1 subnet.

    When you route to null, the router just drops the packet.

    So if I create a static route for 10.0.0.0/8 to Null4 - 127.0.0.1 and pfSense has already auto created routes for each defined interface ie. 10.23.30.1/24 etc.

    The router knows to always pick the most explicit route.

    But I am willing to hear why that might be an issue that I don't understand?



  • @IsaacFL said in RFC 1918 Traffic leaving the WAN interface:

    I think it is just as much nonsense to route it out the WAN interface when the RFC explicitly says not to do that.

    Those addresses are just as routeable as any other. What if the WAN side was also in RFC 1918 address space? They should be blocked from the Internet though, which can be done with appropriate filters.



  • @IsaacFL said in RFC 1918 Traffic leaving the WAN interface:

    RFC explicitly says not to do that.

    Yes. And your ISP handles that for you. 🛂

    You will not find a single SOHO router that blocks out of subnet traffic from going out the gateway.

    What is borked is a device that is trying to reach an RFC 1918 that is not in your network somewhere. Id be wanting to fix that and not be trying to band-aid the problem.



  • @JKnott said in RFC 1918 Traffic leaving the WAN interface:

    @IsaacFL said in RFC 1918 Traffic leaving the WAN interface:

    I think it is just as much nonsense to route it out the WAN interface when the RFC explicitly says not to do that.

    Those addresses are just as routeable as any other. What if the WAN side was also in RFC 1918 address space? They should be blocked from the Internet though, which can be done with appropriate filters.

    If my ISP was using RFC 1918 address space, then when PfSense received the DHCP address wouldn't it would create a default route to the gateway address provided by the ISP even if it was RFC1918?



  • @chpalmer said in RFC 1918 Traffic leaving the WAN interface:

    @IsaacFL said in RFC 1918 Traffic leaving the WAN interface:

    RFC explicitly says not to do that.

    Yes. And your ISP handles that for you. 🛂

    You will not find a single SOHO router that blocks out of subnet traffic from going out the gateway.

    What is borked is a device that is trying to reach an RFC 1918 that is not in your network somewhere. Id be wanting to fix that and not be trying to band-aid the problem.

    I am not suggesting that pfSense should do that by default. It just seems to me that in my case, just having a default route to drop all undefined RFC 1918 traffic can be done in one place with one static route.

    I can't think of any downside?


  • LAYER 8 Global Moderator

    @IsaacFL said in RFC 1918 Traffic leaving the WAN interface:

    I can't think of any downside?

    Not being able to see what is doing it... because if something is doing it, then there is something wrong..

    Do what you want.. I would never do it that way when it takes all of 2 seconds to create a firewall rule to do exactly what you want... And now you have control and visibility of exactly what is happening..

    Another downside of routing to nowhere, with a firewall rule I can send a reject telling the client hey you can not freaking get there!!! Now it doesn't have to wait for timeout, now it would be sending retrans, etc..



  • @IsaacFL said in RFC 1918 Traffic leaving the WAN interface:

    I can't think of any downside?

    ^^ what Johnpoz said ^^ +1

    Good luck!



  • @johnpoz said in RFC 1918 Traffic leaving the WAN interface:

    @IsaacFL said in RFC 1918 Traffic leaving the WAN interface:

    I can't think of any downside?

    Not being able to see what is doing it... because if something is doing it, then there is something wrong..

    Do what you want.. I would never do it that way when it takes all of 2 seconds to create a firewall rule to do exactly what you want... And now you have control and visibility of exactly what is happening..

    Another downside of routing to nowhere, with a firewall rule I can send a reject telling the client hey you can not freaking get there!!! Now it doesn't have to wait for timeout, now it would be sending retrans, etc..

    I am still logging it with a firewall rule. I log all local traffic.



  • @johnpoz said in RFC 1918 Traffic leaving the WAN interface:

    @IsaacFL said in RFC 1918 Traffic leaving the WAN interface:

    I can't think of any downside?

    Not being able to see what is doing it... because if something is doing it, then there is something wrong..

    Do what you want.. I would never do it that way when it takes all of 2 seconds to create a firewall rule to do exactly what you want... And now you have control and visibility of exactly what is happening..

    Another downside of routing to nowhere, with a firewall rule I can send a reject telling the client hey you can not freaking get there!!! Now it doesn't have to wait for timeout, now it would be sending retrans, etc..

    I guess I can send a bug report to Apple and see what their response is. I think it is something to do with HomeKit or Airplay since I am seeing that other people have seen the same thing I am seeing.

    I am already rejecting the traffic and it still keeps trying.



  • @chpalmer said in RFC 1918 Traffic leaving the WAN interface:

    What is borked is a device that is trying to reach an RFC 1918 that is not in your network somewhere.

    How would a device know an address wasn't used by you somewhere? The only thing it can do is tell the address is not on it's local LAN and has to be sent to the router.



  • @IsaacFL said in RFC 1918 Traffic leaving the WAN interface:

    If my ISP was using RFC 1918 address space, then when PfSense received the DHCP address wouldn't it would create a default route to the gateway address provided by the ISP even if it was RFC1918?

    Yep. That's another example of why you can't just keep those addresses from being routed.


  • LAYER 8 Global Moderator

    @IsaacFL said in RFC 1918 Traffic leaving the WAN interface:

    I guess I can send a bug report to Apple and see what their response is

    You know for a fact its your iphone device? I see some talk of airplay looking for shit on 7000.

    You already sniffed it, did you open it in wireshark to see what it might be looking for if its airplay traffic.

    Maybe something like

    GET /info RTSP/1.0
    X-Apple-ProtocolVersion: 1
    Content-Length: 70
    Content-Type: application/x-apple-binary-plist
    CSeq: 0
    DACP-ID: 70658D74F8C202C9
    Active-Remote: 882070098
    User-Agent: AirPlay/383.4.3 
    


  • @johnpoz Yeah, I have verified that every iOS (I don't have any macs) device I have does it periodically.

    The Apple TVs (I have 2) are most by volume.

    I have also have 3 iPhones and 2 iPads that I have also logged instances of it happening but I haven't been able to figure out a series of actions that trigger it.



  • What I have done in the mean time, is disabled my static route to null, since I am being advised against that.

    I have created an alias "Private_Networks" with values of "192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, fc00::/7 " (I added ipv6 ULAs too).

    I then created a Floating Rule to reject the Private Networks Out of the WAN

    Annotation 2020-01-12 195941.png

    This is working, but for logging it is not so great as the source address is always my WAN ipv4 address..



  • @JKnott said in RFC 1918 Traffic leaving the WAN interface:

    How would a device know an address wasn't used by you somewhere? The only thing it can do is tell the address is not on it's local LAN and has to be sent to the router.

    Right. to a point. The only thing it can do is tell the address is not on it's local LAN and has to be sent to the router.

    Anything else should be outside of RFC 1918! Period. No reason to do otherwise unless directed by you. Nothing in RFC 1918 should be hard coded.

    Change my mind.


  • LAYER 8 Global Moderator

    @IsaacFL said in RFC 1918 Traffic leaving the WAN interface:

    This is working, but for logging

    Thats why you do it on the lan side interface.. Also not sure what good rejecting on the outbound direction does?

    Nothing in RFC 1918 should be hard coded.

    Nothing in public space should be hard coded either.. You need to get to something you should look it up via its fqdn



  • @johnpoz said in RFC 1918 Traffic leaving the WAN interface:

    Thats why you do it on the lan side interface.. Also not sure what good rejecting on the outbound direction does?

    If I put it on the LAN interface then it also blocks access to the other subnets since I am using RFC1918 addresses as my local IPv4 addresses.



  • @johnpoz I did put a reject rule on the subnet with the iphones, etc. So the WAN rule is there in case another subnet acts up.


  • LAYER 8 Global Moderator

    @IsaacFL said in RFC 1918 Traffic leaving the WAN interface:

    If I put it on the LAN interface then it also blocks access to the other subnets since I am using RFC1918 addresses as my local IPv4 addresses.

    How many times do we have to go over the same thing? What exactly do you not understand about how rules are processed? Top down, first rule to trigger wins, no other rules are evaluated..

    Allow what traffic you want to your other vlans, then block to all rfc1918, allow to internet.. You have even been given examples..

    edit: Here is yet another example... So I created an alias with my Local networks in it... I have an alias that has all of rfc1918 space int it... I allow to my local nets, then block to any rfc1918, then allow internet

    anotherexample.jpg

    Now anything going to my local networks from lan is allowed, anything going somewhere some odd ball rfc1918 is blocked and logged.



  • @johnpoz Ok, I think I got it now. My only issue was I want to log the local traffic, but not external traffic.

    So for my LAN which is allowed local traffic:
    Annotation 2020-01-13 135342.png

    The LAN net to LAN net was so that I don't log the broadcast, etc.

    On my IOT interface which is restricted to external:
    Annotation 2020-01-13 222222.png

    This seems to be working and is logging what I want.



  • What have you done to get multicast to work? Or is it?



  • @chpalmer said in RFC 1918 Traffic leaving the WAN interface:

    What have you done to get multicast to work? Or is it?

    The multicast rule is because I have enabled Avahi for mDNS. mDNS uses multicast and this rule allows ipv6 multicast into the router so Avahi works.

    There isn't a default rule to allow traffic from ipv6 link local to multicast and without this rule only ipv4 mDNS works.

    I wrote a general rule that works for both ipv4 and ipv6 in case I want to log it. My Multicast Alias is ff00::/8, 224.0.0.0/4

    But generally multicast between subnets does not work, as pfSense does not have a module to route it to the other subnets. At least that I know of.




Log in to reply