Netgate Discussion Forum

    How to prevent users from LAN to know the external local WAN IP ?

    Off-Topic & Non-Support Discussion
    multi wan cloudflare external ip security
    • Sergei_Shablovsky @johnpoz

      @johnpoz said in How to prevent users from LAN to know the external local WAN IP ?:

      @Sergei_Shablovsky said in How to prevent users from LAN to know the external local WAN IP ?:

      This works only if the attack is pointed at the FQDN, but if the attack is pointed at your real main gate IPs, this does nothing :)

      Huh? It has nothing to do with what FQDN might point to an IP. We advertise what networks are used; the actual route is changed for network 6.15.0.0/16, as an example.

      We have multiple networks routed to our connections in our DCs - multiple customers using different networks, /24s for example. These routes are advertised via BGP to the internet...

      So no, a DNS record pointing to an IP has nothing to do with the mitigation of such a volumetric DDoS attack.

      I suggest you take a look at how such a service I linked to works.

      But no, such services don't work for small mom and pop setups where the ISP gives you IP address X to work with..

      Thank you, I will pay more attention to this.

      You trying to hide your IP is not security of any kind - security through obscurity doesn't fix the actual problem. It's trying to hide your head in the sand, hoping the bad guy doesn't find you.

      This is a never-ending game :)

      —
      CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
      Help Ukraine to resist, save civilians people’s lives !
      (Take an active part in public protests, push on Your country’s politics, congressmans, mass media, leaders of opinion.)

      • Sergei_Shablovsky @johnpoz

        @johnpoz said in How to prevent users from LAN to know the external local WAN IP ?:

        @Sergei_Shablovsky said in How to prevent users from LAN to know the external local WAN IP ?:

        This works only if the attack is pointed at the FQDN, but if the attack is pointed at your real main gate IPs, this does nothing :)

        Huh? It has nothing to do with what FQDN might point to an IP. We advertise what networks are used; the actual route is changed for network 6.15.0.0/16, as an example.

        We have multiple networks routed to our connections in our DCs - multiple customers using different networks, /24s for example. These routes are advertised via BGP to the internet...

        So no, a DNS record pointing to an IP has nothing to do with the mitigation of such a volumetric DDoS attack.

        But no, such services don't work for small mom and pop setups where the ISP gives you IP address X to work with..

        You trying to hide your IP is not security of any kind - security through obscurity doesn't fix the actual problem..

        Sorry for my English. But I wrote the same: no matter how the DDoS is pointed at you,

        1. you receive all the traffic on your main gate static WAN IPs (or the upstream ISP's router, if the attacker knows its IPs);

        2. your ISP(s) receive all the traffic pointed at you (because the DNS records point at them).

        In both cases (even if you try to change the static main gate WAN IPs once an hour :) the traffic overloads the link capacity and your services would be switched off (by yourself in the first case and by the uplink ISP(s) in the second case).

        • Sergei_Shablovsky @johnpoz

          @johnpoz said in How to prevent users from LAN to know the external local WAN IP ?:

          If you're trying to run a business, and you're worried about DDoS, then really the correct solution is to get with your ISP about DDoS protection. Any major ISP you get your connection from will offer DDoS mitigation services, be it as a pay-as-you-go option or as an insurance sort of option you buy, etc. They will provide you with a specific threat number to call if you're under attack, etc. etc.

          As I wrote previously, the cost of a DDoS nowadays is much lower for the attacker, and the profit loss for the business is comparatively higher than what the attacker charges you, but at the same time this profit loss for the business is much less than the yearly TCO of an ISP service against DDoS attacks like this.

          These are all things you have to take into account as your company grows and your connection becomes vital to the business, and not just your workers shopping on Amazon in their free time ;) on your $100 a month "business line" ;)

          Here is the thing - none of it is free! Thinking you're going to find some solution with a $20 a month VPN service is just plain nonsense..

          In my replies I try each time to point out that our topic is not for "gamers that need a solution for $20-100" ;)

          If you're wanting to run with the big dogs, you're going to have to learn how to piss in the tall grass ;)

          Agreed, but here we return to the point that I wrote before: most of the users here on pfSense are small/middle range businesses (in the best case) and not able to pay $500-2k for an ISP service of this kind.

          • Sergei_Shablovsky @gcu_greyarea

            @gcu_greyarea said in How to prevent users from LAN to know the external local WAN IP ?:

            So we went all the way - from "hiding WAN IP from internal users" to "protecting an enterprise from DDOS".

            And we want all of that for free :)

            If you cannot afford to host your application/website with one of the large providers you could still try this.

            Rent a small VPS. Buy sufficient bandwidth and CPU to run a reverse proxy...

            Connect to your VPS via VPN. Run all your public facing websites or application front-ends off the VPS...

            Do the processing and databases etc. at home.

            If your VPS gets attacked - switch over to another one...

            And yes, there will be latency and costs of some sort.

            Totally agree.

            I am more than sure the topic would be helpful for many more people in this forum. And this is also good for the pfSense company ;)

            • Sergei_Shablovsky @johnpoz
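The "rent a VPS for the reverse proxy, switch to another one if it gets attacked" setup quoted above needs one piece of glue that the post leaves implicit: something that decides which front-end is currently usable and which one the public DNS record (or the home-side tunnel) should follow. The script below is an added example, not code from this thread or from pfSense. It assumes a constructed list of two VPS front-ends (`vps-a`, `vps-b` on made-up `.invalid` hosts) and a plain TCP connect as the health probe; a front-end counts as healthy only when most of a few consecutive probes succeed, because a link saturated by a volumetric attack usually shows intermittent connect failures rather than a clean refusal. The selector sticks with the current front-end while it is healthy so the record does not flap, and returns `None` when nothing answers so the caller can fail closed instead of pointing DNS at a dead host.

```python
"""Choose the healthy reverse-proxy front-end for a home-hosted service.

Added example (not from the thread or pfSense). Hosts, ports and the
probe pattern used for the offline demo are constructed placeholders.
"""
import itertools
import socket
from typing import Callable, Dict, Iterable, List, Optional

Probe = Callable[[str, int], bool]

# Constructed front-end list, in preference order. Each VPS terminates TLS
# and forwards over a VPN tunnel to the home network; only the VPS addresses
# are ever published in DNS.
FRONTENDS: List[dict] = [
    {"name": "vps-a", "host": "vps-a.example.invalid", "port": 443},
    {"name": "vps-b", "host": "vps-b.example.invalid", "port": 443},
]


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Real probe: True if a TCP connect to host:port completes in time."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def is_healthy(host: str, port: int, probe: Probe,
               attempts: int = 3, required: int = 2) -> bool:
    """A front-end is healthy when at least `required` of `attempts`
    probes succeed. Requiring a majority filters the intermittent
    failures a saturated link produces without declaring it dead on a
    single lost SYN."""
    successes = sum(1 for _ in range(attempts) if probe(host, port))
    return successes >= required


def select_frontend(frontends: Iterable[dict], probe: Probe = tcp_probe,
                    current: Optional[str] = None,
                    attempts: int = 3, required: int = 2) -> Optional[dict]:
    """Return the front-end to publish, or None if none is healthy.

    The current front-end is tried first so a healthy one is kept even
    when a more preferred one has recovered (no flapping). Only when it
    fails do we fall through the preference list."""
    ordered = list(frontends)
    if current is not None:
        ordered.sort(key=lambda fe: 0 if fe["name"] == current else 1)
    for fe in ordered:
        if is_healthy(fe["host"], fe["port"], probe, attempts, required):
            return fe
    return None


def make_fake_probe(pattern: Dict[str, List[bool]]) -> Probe:
    """Constructed probe for offline runs: each host answers from a fixed,
    repeating sequence of results, so outcomes are deterministic. Hosts
    absent from the pattern always fail."""
    cycles = {host: itertools.cycle(seq) for host, seq in pattern.items()}

    def probe(host: str, port: int) -> bool:
        return next(cycles[host]) if host in cycles else False

    return probe


if __name__ == "__main__":
    # vps-a is being hammered: only one connect in three gets through.
    demo = make_fake_probe({
        "vps-a.example.invalid": [True, False, False],
        "vps-b.example.invalid": [True, True, True],
    })
    chosen = select_frontend(FRONTENDS, probe=demo)
    print("publish:", chosen["name"] if chosen else "nothing healthy, fail closed")
```

Run it on a schedule (cron or a pfSense-side script) and hand the chosen front-end to whatever updates the public DNS record or the tunnel peer; with a short TTL on that record the switch-over the post describes becomes a matter of minutes rather than a manual edit under pressure.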

              @johnpoz said in How to prevent users from LAN to know the external local WAN IP ?:

              And yup, I'm going to say it again.

              If you're wanting to run with the big dogs, you're going to have to learn how to piss in the tall grass ;)

              Hey, I plugged in the switch and it worked.. I'm a network engineer ;)

              If I could just keep everyone from knowing my IP they couldn't DDoS me <rolleyes>

              C'mon, my friend, I love you! ;)
              One of my jobs is network engineering also.

              But hardware has nothing to do with the solution.

              We need to think widely about what we may propose to our employee and how this solution helps our employee to run the business and to solve his potential problems in the future.

              • johnpoz LAYER 8 Global Moderator

                Dude, if you think hiding your IP is some sort of solution to anything, you're mistaken...

                If you suggest hiding your IP as a solution - you shouldn't have a job in the field. Plain and simple!

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                • stephenw10 Netgate Administrator

                  If you're big enough to have static IPs but not big enough to have a routed subnet that you advertise then there is no easy (cheap?) solution here. Only the ISP can do anything about a DoS attack in that instance so they can charge whatever they want for doing that.

                  Steve

                  • kiokoman LAYER 8

                    In the 90's I remember there was this conspiracy theory that antivirus companies create viruses in order to sell antivirus software... say no more... now that your ISP knows your fear it will DDoS you to take your money... big fish eat small fish!

                    Please do not use chat/PM to ask for help
                    we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                    Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                    • stephenw10 Netgate Administrator

                      This is not pfSense specific. Moving it to off-topic to continue.

                      • Sergei_Shablovsky @kiokoman

                        @kiokoman said in How to prevent users from LAN to know the external local WAN IP ?:

                        In the 90's I remember there was this conspiracy theory that antivirus companies create viruses in order to sell antivirus software... say no more... now that your ISP knows your fear it will DDoS you to take your money... big fish eat small fish!

                        Because maybe, as an amateur, you never came under a real DDoS.

                        P.S. Another perfect example of new attack vectors that you may never have known about: https://www.washingtonpost.com/news/innovations/wp/2017/07/21/how-a-fish-tank-helped-hack-a-casino/

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.