Netgate Discussion Forum
    ip address silently blocked

    Firewalling | 35 Posts, 4 Posters, 2.8k Views
    lifeboy @johnpoz

      @johnpoz, look I really don't care about the semantics of what you're explaining (which is not wrong) ...

      The fact is that when I turn bogon filtering off, the packets are allowed, and when I turn it back on, the packets are silently blocked. pfSense does that. It has nothing to do with how or whether I sniff the traffic or not.

      So, how do I file a bug report?

      johnpoz (LAYER 8 Global Moderator) @lifeboy

        So did you validate what is in the pfSense bogon table? Look under Diagnostics > Tables > bogons. Maybe yours is old..

        I don't see that listed..

        [screenshot: bogon.jpg]

        Should show you when it was last updated
        [screenshot: updated.jpg]

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        lifeboy @johnpoz

          @johnpoz, I explained in detail in my previous reply that I did interrogate the list and didn't find a match. I even speculated that the /17 might be filtered as a /16, so again: why are we going in circles?

          bogon filter on: nothing is "seen" by pfSense's packet capture tool. Pings time out.
          bogon filter off: packets are recorded by the packet filter. Pings get a reply.

          Conclusion: There's a problem with the bogon filter.

          Clear enough?

          Please don't be obnoxious about this, even if you're a global moderator.

          johnpoz (LAYER 8 Global Moderator) @lifeboy

            @lifeboy I just PMed you my IP, have that IP ping my IP.. I have bogon blocked, I have it set to log and I allow ping. And running a sniff. If you can show it's being blocked, more than happy to help you fill out a bug report.

            johnpoz (LAYER 8 Global Moderator) @johnpoz

              Ok.. Now we are getting somewhere with info we can work with for bug report.

              From my quick look at my bogon table - that should not be blocked. But clearly it is being blocked..

              [screenshot: info.jpg]

              But also seeing it via sniff - so I have no idea what's going on or why you're not seeing it in the sniff..

              edit: Ok it should be blocked by bogon - with this entry
              102.218.128.0/19
              102.218.128.0 - 102.218.159.255

              So need to see if bogon is just not updated..

              https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt

              102.218.0.0/18
              102.218.64.0/19
              102.218.96.0/21
              102.218.104.0/22
              102.218.128.0/23
              102.218.131.0/24
              102.219.56.0/22
              102.221.132.0/22
              102.221.136.0/21
              102.223.180.0/22
              102.223.184.0/21
              

              edit: Doh, I cannot read this afternoon - looks like in the updated list it is removed. That /19 changed to a /23

              lifeboy @johnpoz

                @johnpoz I just had a look at my log setting and see that "Log packets blocked by 'Block Bogon Networks' rules" is not turned on, which explains why I didn't see them in the log. I see the bogon block log now.

                johnpoz (LAYER 8 Global Moderator) @lifeboy

                  @lifeboy From what I can tell it's still listed as bogon.. So yeah, not really a bug of any sort.. Whoever the ISP is that is using that IP needs to get it removed from the bogon list.

                  lifeboy @johnpoz

                    @johnpoz You're quite right, 102.218.128.0/19 does include that ip.

                    I'll report it to the ISP.

                    Thanks for your effort and assistance. Much appreciated!

                    johnpoz (LAYER 8 Global Moderator) @lifeboy

                      @lifeboy Wait... I had a misread - I don't see it listed.. The updated list seems to be good. Just need to get pfsense list to update.. Mine hasn't been updated since aug 20th

                      well hmmm - that doesn't seem to be working. Still showing aug20th

                      [screenshot: update.jpg]

                      edit: OK - problem is the bogon list from pfsense/netgate is dated..

                      https://files.netgate.com/lists/fullbogons-ipv4.txt
                      last updated 1629435001 (Fri Aug 20 04:50:01 2021 GMT)

                      We can file a bug report on that.. Or can just flag maybe @stephenw10 or @Derelict and maybe they can get the bogon list that is hosted by pfsense updated.. Since I do not show that 102 IP address on the actual current list.

                      edit: Glad we got to the bottom of this ;) Sniffing sent us on a wild goose chase it seems.. Not sure what is going on with your sniffing.. But sniffing is always before the firewall; nothing the firewall can do to prevent the sniff from seeing traffic that is getting to the interface.

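The check johnpoz did by hand above (is 102.218.142.79 covered by any entry in the bogon table, and how old is that table?) is easy to get wrong by eye, as the /19 versus /23 misread shows. The following is an added example, not code from this thread or from pfSense/Netgate: a small Python checker that parses a fullbogons-style list (one CIDR per line, `#` comment lines, Team Cymru's `last updated <epoch>` header), reports every entry that covers a given address, and flags a list whose header timestamp is older than a chosen threshold. The two list excerpts are constructed for offline use: the stale one carries the 102.218.128.0/19 entry and the Aug 20 2021 header quoted in the thread, the current one uses the 102.218.x entries johnpoz pasted from team-cymru with an assumed newer timestamp. They are not the live files.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed excerpts (NOT the live files). The stale excerpt reproduces the
# 102.218.128.0/19 entry and the "last updated 1629435001" header quoted in
# the thread; the current excerpt uses the 102.218.x entries pasted from
# team-cymru with an assumed (made-up) newer header timestamp.
STALE_BOGONS = """\
# last updated 1629435001 (Fri Aug 20 04:50:01 2021 GMT)
0.0.0.0/8
10.0.0.0/8
102.218.128.0/19
"""

CURRENT_BOGONS = """\
# last updated 1632000000 (assumed timestamp, constructed for this example)
0.0.0.0/8
10.0.0.0/8
102.218.0.0/18
102.218.64.0/19
102.218.96.0/21
102.218.104.0/22
102.218.128.0/23
102.218.131.0/24
"""


def parse_bogons(text):
    """Parse a fullbogons-style list: one CIDR per line, '#' comment lines.

    Returns (last_updated_epoch_or_None, [ip_network, ...]). A malformed line
    raises ValueError instead of being skipped, so a truncated or corrupted
    download is noticed rather than silently shrinking the table.
    """
    last_updated = None
    networks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.search(r"last updated (\d+)", line)
            if m:
                last_updated = int(m.group(1))
            continue
        # strict=True rejects entries with host bits set (e.g. 102.218.128.1/19)
        networks.append(ipaddress.ip_network(line, strict=True))
    return last_updated, networks


def matching_bogons(networks, ip):
    """Every list entry that covers `ip`; an empty list means it is not a bogon."""
    addr = ipaddress.ip_address(ip)
    return [str(n) for n in networks if addr in n]


def list_age_hours(last_updated, now=None):
    """Hours since the header timestamp, or None if the header was missing."""
    if last_updated is None:
        return None
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    return (now - last_updated) / 3600.0


def verdict(text, ip, now=None, max_age_hours=48):
    """What a firewall loading `text` would do with `ip`, plus list freshness.

    A list with no parsable header is reported as stale: if we cannot tell
    when it was generated we should not trust it to be current.
    """
    last_updated, networks = parse_bogons(text)
    age = list_age_hours(last_updated, now)
    return {
        "blocked_by": matching_bogons(networks, ip),
        "last_updated": (
            datetime.fromtimestamp(last_updated, timezone.utc).isoformat()
            if last_updated is not None else None
        ),
        "stale": age is None or age > max_age_hours,
    }


if __name__ == "__main__":
    ip = "102.218.142.79"
    # now=1632100000 is a fixed reference instant so the demo is reproducible
    for name, text in (("stale", STALE_BOGONS), ("current", CURRENT_BOGONS)):
        print(name, verdict(text, ip, now=1632100000))
```

On the firewall itself the authoritative check is the loaded pf table rather than the downloaded file: `pfctl -t bogons -T test 102.218.142.79` reports whether the address matches the live table, and `pfctl -t bogons -T show` dumps it. Note that a shrinking entry (here /19 becoming /23) is the common case as registries allocate space; a firewall that keeps an old list blocks addresses that are now legitimately routed, which is the failure mode in this thread and one reason the list's update frequency in System > Advanced > Firewall & NAT matters as much as the list itself.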
                        lifeboy @johnpoz

                        @johnpoz Hmmm. How do we know that 102.218.128.0/19 is not on the current list anymore? Mine is also from 20 August, but I was not able to find the authoritative source by searching the web.

                          johnpoz (LAYER 8 Global Moderator) @lifeboy

                          The authoritative list is the one I linked to above..

                          https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt

                          team-cymru has been providing bogon list for YEARS and YEARS.. That really is the go to place for current bogon lists.

                          I would assume that is where pfsense/netgate pulls from - but they store it on their own resource, since they sure wouldn't want every pfsense box to be talking to team-cymru, they'd prob get pissed ;) How many pfsense installs out there - millions? 100s of thousands for sure ;)

                          They update that list like every 4 hours.

                            lifeboy @johnpoz

                            @johnpoz, I assume it's safe to disable the bogon filters for the time being then?

                              NogBadTheBad @lifeboy

                              @lifeboy Could you not create your own bogons aliases from the entries in Diagnostics -> Tables - bogons & bogonsv6 and remove the subnet you're having issues with short term, create a firewall rule with the aliases and disable the default bogon rule at the top?

                              You could even create the alias from the url that John posted further up and pop a pass rule above it for 102.218.142.79 if the subnet is still in the bogon list.

                              Andy

                              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                                johnpoz (LAYER 8 Global Moderator) @NogBadTheBad

                                Blocking bogons is not a requirement to be secure.. The IPs, by the very nature of what a bogon is, shouldn't even be able to talk to your wan.. Just turn blocking them off.. Not an issue at all.

                                  lifeboy @NogBadTheBad

                                  @nogbadthebad, I could, but I don't know if it's worth the effort if this issue will be addressed by an updated bogon table.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.