Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Alias Native not combining ASN enumeration with custom list in same rule

    Scheduled Pinned Locked Moved pfBlockerNG
    24 Posts 4 Posters 3.6k Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • johnpozJ Offline
      johnpoz LAYER 8 Global Moderator @lohphat
      last edited by johnpoz

      @lohphat what you posted is no where close to have downloaded those ASNs I thought I showed like 8000 some entries..

      I can not duplicate your problem..

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

      lohphatL 2 Replies Last reply Reply Quote 0
      • lohphatL Offline
        lohphat @johnpoz
        last edited by lohphat

        @johnpoz I just pasted the segment of where the CIDRs should have been. The alias is 3318 lines now,

        Alias table IP Counts
        -----------------------------
           23826 total
           16716 /var/db/aliastables/pfB_PRI1_v4.txt
            3763 /var/db/aliastables/pfB_ASN_List_v6.txt
            3318 /var/db/aliastables/pfB_ASN_List_v4.txt
              16 /var/db/aliastables/pfB_PRI1_6_v6.txt
              11 /var/db/aliastables/pfB_ASN_List_CIDR_v4.txt
               2 /var/db/aliastables/pfB_ASN_List_CIDR_v6.txt
        

        SG-3100 25.07.1-RELEASE (arm) | Avahi (2.2_7) | ntopng (6.2.0) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.10) | System_Patches (2.2.23)

        johnpozJ 1 Reply Last reply Reply Quote 0
        • johnpozJ Offline
          johnpoz LAYER 8 Global Moderator @lohphat
          last edited by

          @lohphat I show way more IPs in those ASNs

          [ AS16509_v4 ]			 Downloading update .
            Downloading ASN: 16509... completed
          . completed ..
          
          [ AS13335_v4 ]			 Downloading update [ 10/15/22 13:27:59 ] .
            Downloading ASN: 13335... completed
          . completed ..
          
          [ AS15169_v4 ]			 Downloading update [ 10/15/22 13:28:01 ] .
            Downloading ASN: 15169... completed
          . completed ..
          
          
          ===[  Aliastables / Rules  ]==========================================
          
          No changes to Firewall rules, skipping Filter Reload
          
           Updating: pfB_asntest_v4
          1 table created.9753 addresses added.
          

          table.jpg

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

          lohphatL 2 Replies Last reply Reply Quote 1
          • lohphatL Offline
            lohphat @johnpoz
            last edited by lohphat

            @johnpoz Could it be that the "#" comments are throwing it off? There's no help text I can find about that section even though it mentions "IPv4 addresses entered directly into the custom list, as per the required format." but doesn't say what the "required format" is.

            SG-3100 25.07.1-RELEASE (arm) | Avahi (2.2_7) | ntopng (6.2.0) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.10) | System_Patches (2.2.23)

            Bob.DigB 1 Reply Last reply Reply Quote 0
            • Bob.DigB Offline
              Bob.Dig LAYER 8 @lohphat
              last edited by

              @lohphat If you don't know, you ain't worthy. 😉

              1 Reply Last reply Reply Quote 0
              • lohphatL Offline
                lohphat @johnpoz
                last edited by lohphat

                @johnpoz said in Alias Native not combining ASN enumeration with custom list in same rule:

                13335

                I have De-Duplication and CIDR Aggregation enabled too.

                
                [ AS16509_v4 ]			 Downloading update [ 10/15/22 15:12:43 ] .
                  Downloading ASN: 16509... completed
                . completed ..
                
                  Aggregation Stats:
                  ------------------
                  Original Final      
                  ------------------
                  7329     2902       
                  ------------------
                
                [ AS15169_v4 ]			 Downloading update [ 10/15/22 15:12:49 ] .
                  Downloading ASN: 15169... completed
                . completed ..
                
                  Aggregation Stats:
                  ------------------
                  Original Final      
                  ------------------
                  818      84         
                  ------------------
                
                [ AS13335_v4 ]			 Downloading update [ 10/15/22 15:12:51 ] .
                  Downloading ASN: 13335... completed
                . completed ..
                
                  Aggregation Stats:
                  ------------------
                  Original Final      
                  ------------------
                  1606     361        
                  ------------------
                
                [ ASN_List_custom_v4 ]		 Reload [ 10/15/22 15:12:53 ] . completed ..
                

                SG-3100 25.07.1-RELEASE (arm) | Avahi (2.2_7) | ntopng (6.2.0) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.10) | System_Patches (2.2.23)

                1 Reply Last reply Reply Quote 0
                • lohphatL Offline
                  lohphat @johnpoz
                  last edited by lohphat

                  @johnpoz

                  OK, I think I found the core problem: partial PEBKAC

                  Where I was looking for the custom CIDR blocks was in "Firewall / pfBlockerNG / Log Browser" not in "Diagnostics / Tables".

                  The custom CIDRs are correctly listed in the latter in a correctly sorted order.

                  BUT they ARE in the "Firewall / pfBlockerNG / Log Browser" at the END of the file, partially sorted. The Custom list is sorted but just appended to the main file.

                  Completely unexpected behavior.

                  I was unaware of the "Diagnostics / Table" section and didn't expect a difference in content.

                  SG-3100 25.07.1-RELEASE (arm) | Avahi (2.2_7) | ntopng (6.2.0) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.10) | System_Patches (2.2.23)

                  J 1 Reply Last reply Reply Quote 1
                  • J Offline
                    jdeloach @lohphat
                    last edited by

                    @lohphat said in Alias Native not combining ASN enumeration with custom list in same rule:

                    I was unaware of the Diagnostics / Table" section .....

                    Don't feel bad, I was also not aware of the Diagnostics/Table section either, but THANKS to @johnpoz , I learned something new today as well.

                    lohphatL 1 Reply Last reply Reply Quote 1
                    • lohphatL Offline
                      lohphat @jdeloach
                      last edited by lohphat

                      @jdeloach

                      Shouldn't the CIDR aggregation merge these 2607:f8b0:4000:: CIDRs into the main 2607:f8b0::/32 network?

                      From: PfB_ASN_List_v6 Table

                      2607:f8b0::/32
                      2607:f8b0:4000::/48
                      2607:f8b0:4001::/48
                      2607:f8b0:4002::/48
                      2607:f8b0:4003::/48
                      2607:f8b0:4004::/48
                      2607:f8b0:4005::/48
                      2607:f8b0:4006::/48
                      2607:f8b0:4007::/48
                      2607:f8b0:4008::/48
                      2607:f8b0:4009::/48
                      2607:f8b0:400a::/48
                      2607:f8b0:400b::/48
                      2607:f8b0:400c::/48
                      2607:f8b0:400d::/48
                      2607:f8b0:400e::/48
                      2607:f8b0:400f::/48
                      2607:f8b0:4010::/48
                      2607:f8b0:4011::/48
                      2607:f8b0:4012::/48
                      2607:f8b0:4013::/48
                      2607:f8b0:4014::/48
                      2607:f8b0:4015::/48
                      2607:f8b0:4016::/48
                      2607:f8b0:480e::/48
                      2607:f8b0:480f::/48
                      2607:fb90:c150::/48
                      

                      SG-3100 25.07.1-RELEASE (arm) | Avahi (2.2_7) | ntopng (6.2.0) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.10) | System_Patches (2.2.23)

                      johnpozJ 1 Reply Last reply Reply Quote 0
                      • johnpozJ Offline
                        johnpoz LAYER 8 Global Moderator @lohphat
                        last edited by

                        @lohphat said in Alias Native not combining ASN enumeration with custom list in same rule:

                        2607:f8b0::/32

                        yeah you would think.. @BBcan177 would know ;) I don't really load any IPv6 addresses into pfblocker at all.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                        lohphatL 1 Reply Last reply Reply Quote 0
                        • lohphatL Offline
                          lohphat @johnpoz
                          last edited by lohphat

                          @johnpoz Given that aggregation stats are given in the logs when IPv4 ASNs are downloaded but not IPv6 ASNs, it may be that aggregation only applies to IPv4 at this time. The settings descriptions need updating to reflect this apparent limitation.

                          IPv4 update log:

                          
                          [ AS16509_v4 ]			 Downloading update [ 10/15/22 19:24:44 ] .
                            Downloading ASN: 16509... completed
                          . completed ..
                          
                            Aggregation Stats:
                            ------------------
                            Original Final      
                            ------------------
                            7329     2902       
                            ------------------
                          
                          [ AS13335_v4 ]			 Downloading update [ 10/15/22 19:24:50 ] .
                            Downloading ASN: 13335... completed
                          . completed ..
                          
                            Aggregation Stats:
                            ------------------
                            Original Final      
                            ------------------
                            1606     361        
                            ------------------
                          
                          [ AS15169_v4 ]			 Downloading update [ 10/15/22 19:24:52 ] .
                            Downloading ASN: 15169... completed
                          . completed ..
                          
                            Aggregation Stats:
                            ------------------
                            Original Final      
                            ------------------
                            818      84         
                            ------------------
                          
                          [ ASN_List_custom_v4 ]		 Reload [ 10/15/22 19:24:54 ] . completed ..
                          
                          

                          IPv6 update log:

                          [ AS8075_v6 ]			 Downloading update .
                            Downloading ASN: 8075... completed
                          . completed ..
                          
                          [ AS13335_v6 ]			 Downloading update [ 10/15/22 19:24:55 ] .
                            Downloading ASN: 13335... completed
                          . completed ..
                          
                          [ AS15169_v6 ]			 Downloading update [ 10/15/22 19:24:57 ] .
                            Downloading ASN: 15169... completed
                          . completed ..
                          
                          [ AS16509_v6 ]			 Downloading update [ 10/15/22 19:24:58 ] .
                            Downloading ASN: 16509... completed
                          . completed ..
                          
                          [ ASN_List_custom_v6 ]		 Reload [ 10/15/22 19:25:33 ] . completed ..
                          
                          

                          Note the lack of "Aggregation Stats" in the IPv6 logs.

                          SG-3100 25.07.1-RELEASE (arm) | Avahi (2.2_7) | ntopng (6.2.0) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.10) | System_Patches (2.2.23)

                          J 1 Reply Last reply Reply Quote 0
                          • J Offline
                            jdeloach @lohphat
                            last edited by

                            @lohphat said in Alias Native not combining ASN enumeration with custom list in same rule:

                            Note the lack of "Aggregation Stats" in the IPv6 logs.

                            There are probably a lot of things to do with IPv6 in this package that are not implemented yet because IPv6 is still fairly new and not that widely used. I wouldn't expect those updates to be done for another year or so given that the maintainer of this package, @BBcan177 , has limited time right now to devote to this package. He is quite busy working other things.
                            I would say to just post any issues you find with IPv6 and he will work them as time permits.

                            lohphatL johnpozJ 2 Replies Last reply Reply Quote 0
                            • lohphatL Offline
                              lohphat @jdeloach
                              last edited by

                              @jdeloach I understand. But if simple updates to UI text to set expectations and clarify before features are implemented, that seems a reasonable course.

                              I'm from the world of software development so I do understand the pressures, but small incremental changes can make a big difference.

                              IPv6 is here and if you network can handle it, the large players are using it (e.g. YouTube content), and some countries ONLY have IPv6 addressing. We have to get used to it sooner than later.

                              SG-3100 25.07.1-RELEASE (arm) | Avahi (2.2_7) | ntopng (6.2.0) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.10) | System_Patches (2.2.23)

                              1 Reply Last reply Reply Quote 0
                              • johnpozJ Offline
                                johnpoz LAYER 8 Global Moderator @jdeloach
                                last edited by

                                @jdeloach said in Alias Native not combining ASN enumeration with custom list in same rule:

                                IPv6 is still fairly new and not that widely used.

                                Not sure if 20 some years counts as fairly new ;) Arin made their first assignments of IPv6 back in 1999. But not that widely used I would agree with.. We all get it, its the future.. But currently to be honest, there is zero reason to have it, other than a learning tool.

                                Name 1 actual resource that would require you to have it? Just one, been asking that question for years here, and have yet to get an answer..

                                I am all for moving towards it, and I have been playing with it for 13 years + but have yet to find and actual requirement that says yeah I have to have that.. My isp currently doesn't even provide it. I get my ipv6 from a HE tunnel.

                                Sure in some parts of the world - hey that is what the ISP gives you.. And then they convert your ispv6 to an ipv4 on their network via say 464XLAT. And with the billions of phones on the globe yeah ipv4 isn't going to cut it.. Now think about cars all being connected as we move towards self driving, etc. IPv4 can't really handle that.. But, still - what actual main public resource requires IPv6? Name one?? Name one game that requires you to have IPv6 to play on your consoles.. And that really should be a driving force for people demanding IPv6 from their ISPs, etc.

                                We are like 20 years in, and ISPs still can not get it right.. Hand your users a /48 prefix, assign that to them.. So it doesn't change every other day.. Let them do with that what they will.. Its not like there is not enough already assigned IPv6 space to give like everyone on the planet 4000 some /48's each. Or a /56 or even a /60 for gosh sake.. And the amount of available IPv6 is just the very tip of the iceberg of the total available space, etc. But ISP continue to hand out single /64s that change when the wind blows, etc.

                                If you are new to IPv6, be ready for a learning curve, be ready for issues and problems - Its just much easier to just not use it, unless your stuck with it - ie your in some isp that won't actually give you a public IPv4, and you want to have inbound unsolicited traffic. And then just hope your users that want to access your resource actually have IPv6, or are smart enough to setup a IPv6 tunnel, etc.

                                Sorry IPv6 is one of those topics that just drives me nuts, especially after a few cocktails ;) I want it to move forward, I want it to be done right, but I have been banging my head against a wall for like 10 years at work, and have yet to see progress - and I work for a major player.. And have seen no real progress other than in the mobile device space. Finally a year or so ago I got to assign a /32 from arin for use in some car related project - that has not gone anywhere really.

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                                lohphatL Bob.DigB 2 Replies Last reply Reply Quote 1
                                • lohphatL Offline
                                  lohphat @johnpoz
                                  last edited by lohphat

                                  @johnpoz I agree. I owe you some cocktails for all the sh!t I've stirred up anyway. 😉

                                  I view IPv6 akin to saying please and thank you -- you don't NEED to use them, but it makes the world a better place if you do. It's not about either/or IPv4 vs IPv6 it's AND.

                                  I've been beating on IPv6 for years too but I'm lucky my ISP supports it and pissed that FiOS STILL doesn't in many markets (but that's changing).

                                  Local nets and IoT will be using IPv4 NAT (RCT1918) for the foreseeable future, but like any new thing, the more we encourage its use, the sooner well get there.

                                  More than 40% of users hitting Google are IPv6 clients. It's no longer a "niche":

                                  IPv6 Google User Stats

                                  And in the US and EU , the adoption rate is more than 50%:

                                  IPv6 Adoption By Country / Region

                                  SG-3100 25.07.1-RELEASE (arm) | Avahi (2.2_7) | ntopng (6.2.0) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.10) | System_Patches (2.2.23)

                                  johnpozJ 1 Reply Last reply Reply Quote 0
                                  • Bob.DigB Offline
                                    Bob.Dig LAYER 8 @johnpoz
                                    last edited by Bob.Dig

                                    @johnpoz said in Alias Native not combining ASN enumeration with custom list in same rule:

                                    But, still - what actual main public resource requires IPv6? Name one?? Name one game that requires you to have IPv6 to play on your consoles..

                                    I can't but many people will have to use IPv6 to vpn into their own homes in the near future around my place.

                                    And pfSense is not doing a great job regarding dynamic IPv6, so the people in this forum might be last ones, who will be using IPv6. I reduced it to one host at home.
                                    dhcpd is almost eol so I hope we get better dynamic IPv6 support in the future?!

                                    1 Reply Last reply Reply Quote 0
                                    • johnpozJ Offline
                                      johnpoz LAYER 8 Global Moderator @lohphat
                                      last edited by johnpoz

                                      @lohphat said in Alias Native not combining ASN enumeration with custom list in same rule:

                                      but like any new thing, the more we encourage its use

                                      No I don't buy this to be honest.. A user or 2, or even 10,000 of them isn't going to move IPv6 along any faster ;) If your isp hands you out some shitty deployment of IPv6 you using it or not using it isn't going to slow or speed up the adoption of IPv6 at a global scale.

                                      Now if enough users called their isp and said hey we need IPv6.. Maybe they might think about adding it, but they can also ask you why you need it - what resource are you trying to get to that you can not ;)

                                      And they might up your cost, because hey switching to and deploying IPv6 sure isn't free ;)

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                                      lohphatL 1 Reply Last reply Reply Quote 0
                                      • lohphatL Offline
                                        lohphat @johnpoz
                                        last edited by

                                        @johnpoz This is a protocol issue transparent to the user community.

                                        It no different than you asking your airline which tires they use on their aircraft or what they fill them with. The decision to use a particular vendor and to use nitrogen instead of air was not a user issue, but one of operations to improve reliability. The users weren't consulted.

                                        The decision of IPv6 functionality is not at the user level no more than a user deciding what the flag bits are in a TCP packet or enet frame.

                                        Users don't deal with the IETF or even need to know they exist, but WE at the operational level do.

                                        IPv6 is a thing. QUIC is a thing. Infrastructure vendors need to accommodate progress or stand aside with their excuses so that others can meet the market changes.

                                        SG-3100 25.07.1-RELEASE (arm) | Avahi (2.2_7) | ntopng (6.2.0) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.10) | System_Patches (2.2.23)

                                        johnpozJ 1 Reply Last reply Reply Quote 0
                                        • johnpozJ Offline
                                          johnpoz LAYER 8 Global Moderator @lohphat
                                          last edited by

                                          @lohphat said in Alias Native not combining ASN enumeration with custom list in same rule:

                                          IPv6 is a thing. QUIC is a thing

                                          While I agree, vendors do need to support current protocols, etc. but doesn't mean the users have to leverage them if they see no benefit.

                                          A user not using IPv6 is not going to slow down progress was my point.. Me and the local ipv6 cheerleader bump heads over this quite a bit.. My advice to a user that is having issues with IPv6, and doesn't want to put in the time to learn about all the differences, and how to properly manage and or even have to deal with a isp nonsense deployment of it.. The simple solution is just put it away for another day.. And you will save yourself a lot of grief.. The "requirement" of having IPv6 is years away, years! Now it could come quickly at some point in the future as when they finally get to the top of the hill and start rolling down the other side.. To me IPv6 is actually here when you have a major player say, hey on XYZ date, even if 10-15 years in the future will be turning off IPv4 access..

                                          Have you heard of any such announcements? Until that happens, IPv6 is just an option that you do not need to use if you do not want too. Until there is actually something that requires you to have IPv6 - it is a choice.. Users making the choice to use or not use is not going to slow down or speed up its global adoption.. Quic is an option, Some site that says hey you can use quic to connect to me, nothing saying I have to allow or use that.. Unless they turn off other normal means of access. Quic has been around for a long time as well, don't really see it taking off like a rocket either ;)

                                          We are going to be stuck in this middle ground for a really long time, where mobile devices, things that require large number of IPs will leverage IPv6, this just frees up IPv4 space for other users where it not cost effective to transition to IPv6..

                                          To be honest there is a very large grey market for selling IPv4 space.. We had sold off a portion of our IPv4 space that we were not using, and really had no plans of ever using for a nice chunk of change.. And now those locked away IPv4 can be used by people that have need/use of them, its a win win for al involved.

                                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                                          If you get confused: Listen to the Music Play
                                          Please don't Chat/PM me for help, unless mod related
                                          SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                                          lohphatL 1 Reply Last reply Reply Quote 0
                                          • lohphatL Offline
                                            lohphat @johnpoz
                                            last edited by lohphat

                                            @johnpoz The either/or of IPv4 vs Ipv6 is a false dichotomy you're imposing on yourself where it doesn't exist from external pressure. Not even the IETF is proposing a sundown for IPv4 but they ARE pushing for dual stack interoperability ASAP.

                                            The better throughput due to improved congestion handling is a big one. Most of my Google/YouTube traffic (the bulk of my traffic is streaming media) and now, some of my gaming traffic is IPv6. Most of my mobile traffic is IPv6.

                                            The "we don't have to because IPv4 is not going away" mantra is only a form of procrastination and ignoring the market trend. We're already past 50% adoption in the developed world. Get your IPv6 skills and infrastructure in the game as soon as you can so that you're comfortable with it and prepared so that it's not a mystery.

                                            As an infrastructure player, pfSense needs to stay in the game. Fine, make your personal choices for your use case, but from this point forward, if an infrastructure vendor isn't IPv6 compliant, it's off my vendor list. I'm not going to make capital investments in hobbled gear who can't support a 20 year ratified protocol with over 50% adoption.

                                            SG-3100 25.07.1-RELEASE (arm) | Avahi (2.2_7) | ntopng (6.2.0) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.10) | System_Patches (2.2.23)

                                            1 Reply Last reply Reply Quote 1
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.