Block bogon Networks with CGNAT
-
I have an ISP who uses CGNAT, and I have activated "Block bogon Networks".
Today I found out that users who have the same ISP as we do can't connect to us if they have a CGNAT address. We're not using a CGNAT address from this provider. Is this normal behaviour?
Is it safe to deactivate this option on the WAN side: Block bogon Networks?
What can we do about that?
Is this a misconfiguration by our ISP? Thank you for your answers.
-
@hispeed if you're behind a CGNAT, nobody from the public internet would be able to talk to your IP, unless your ISP was doing a port forward to your CGNAT IP (100.64.x.x - 100.127.x.x).
Whether blocking bogons is worth anything these days could be debated in general; for one, the bogon space is really small anyway. It would cause you grief if someone on your same ISP, also using CGNAT, was trying to talk to your pfSense CGNAT address via the ISP.
But that would have nothing to do with some device on the internet that is on CGNAT space of its own, because it would be talking to whatever your actual public IP is. If your ISP was forwarding that to your CGNAT IP, bogon wouldn't block it, unless the public IP the other ISP was NATing to was actually still on the bogon list.
Other case of bogon: bogons don't route, so either it's UDP with the source spoofed, or if TCP you would never be able to answer it anyway. So what sort of traffic would you be worried about? And either way it would only matter for whatever your port forwards are open to.
I'm not too worried about some stray packets that I cannot answer anyway doing anything; the only way I would be able to talk back to a bogon IP would be if it was on my ISP's network. They're not going to route over the public internet.
While it's good practice left over from the early days of the net, there is little security reason to be worried about blocking bogons.
-
@johnpoz
We don't have a CGNAT address, because you can ask them (our ISP) and then you will receive a public IP address. I have a webshop running on this IP address, so TCP 443.
So, the recommendation in fact is to deactivate it if your ISP uses CGNAT in any way.
-
@hispeed it wouldn't matter, unless they were going to be talking to you in some way with a CGNAT address. That rule only blocks source IPs that are bogon. In what scenario would unsolicited inbound traffic to your WAN be coming from a bogon that you would need to allow? I cannot think of anything; even DHCP wouldn't matter, because the hidden DHCP rules would be before the bogon rule.
But if you're thinking it could be causing you grief, then sure, turn it off. In the big picture, turning that off is not some sort of security faux pas.
-
We have an IP address, for example: 188.6X.XXX.XXX
And the user had an IP address 100.XXX.XXX.XXX and he said he couldn't open the website. So I turned off the bogon rule and it worked from his computer. He lives in another town, but we have the same ISP. I also did a verification test and activated the bogon rule again. The user said it doesn't work anymore. Then I turned the bogon rule off and it worked again.
It's a simple webshop via HTTPS traffic.
I also saw the user's IP address in the pfSense block log: 100.XXX.XXX.XXX.
This tells me that our provider is routing "internally" differently, directly from the source to the receiver, and in this case it's somehow in the same network. The ISP is Swisscom, so everything is possible; they never do it the standard official way, they always do it the Swisscom way. In most cases it's a bad way to do things and to work like this ;).
-
@hispeed said in Block bogon Networks with CGNAT:
And the user had an IP address 100.XXX.XXX.XXX and he said he couldn't open the website
Was that address in 100.64-127.0.0, the CGNAT range? No, he would not be able to talk with anyone on the internet with a CGNAT address. It would be changed by the ISP to some public IP.
Have them google "what's my IP" and give you that IP, vs the IP that is on the router; that is the IP that would be hitting your pfSense WAN. CGNAT is just a range of IPs like RFC1918; they do not route on the internet. Just like pfSense changes the RFC1918 address of your devices behind it to a public IP.
I also saw the user's IP address in the pfSense block log: 100.XXX.XXX.XXX.
The whole 100.x is not CGNAT, only 100.64-127 is CGNAT. Example:
NetRange: 100.0.0.0 - 100.19.255.255 Organization: Verizon Business (MCICS)
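To make the point about the CGNAT range concrete, here is an added Python example (not code from this thread, and not pfSense's own code). It classifies addresses against an illustrative subset of the bogon space and pulls the bogon-sourced blocks out of pfSense filterlog lines, so you can see whether a blocked 100.x source actually sits in 100.64.0.0/10. The log lines are constructed for the example, and the filterlog field layout is assumed from pfSense's documented IPv4 CSV format.

```python
import ipaddress

# Address blocks that should never appear as a *source* address on the
# public internet. Illustrative subset of the bogon space (RFC 1918,
# RFC 6598 CGNAT, loopback, link-local, documentation nets), not the
# full bogon feed that pfSense's "Block bogon networks" option uses.
BOGON_NETS = {
    "RFC1918": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "CGNAT (RFC6598)": ("100.64.0.0/10",),
    "loopback": ("127.0.0.0/8",),
    "link-local": ("169.254.0.0/16",),
    "documentation": ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"),
    "reserved": ("0.0.0.0/8", "240.0.0.0/4"),
}

_NETS = [(label, ipaddress.ip_network(cidr))
         for label, cidrs in BOGON_NETS.items() for cidr in cidrs]


def classify(ip_str):
    """Return the bogon label an IPv4 address falls in, or 'public'."""
    ip = ipaddress.ip_address(ip_str)
    for label, net in _NETS:
        if ip in net:
            return label
    return "public"


def is_cgnat(ip_str):
    """True only for 100.64.0.0 - 100.127.255.255; the rest of 100.x is public."""
    return classify(ip_str) == "CGNAT (RFC6598)"


# pfSense 2.x filterlog entries are CSV after the "filterlog[pid]: " prefix.
# Field layout assumed here for IPv4 TCP/UDP entries:
# 0 rule, 1 subrule, 2 anchor, 3 tracker, 4 iface, 5 reason, 6 action,
# 7 direction, 8 ip-version, 9 tos, 10 ecn, 11 ttl, 12 id, 13 offset,
# 14 flags, 15 proto-id, 16 proto, 17 length, 18 src, 19 dst, 20 sport, 21 dport
def parse_filterlog(line):
    """Parse one filterlog line into a dict; None for non-IPv4 or non-TCP/UDP."""
    csv = line.split("filterlog[", 1)[1].split("]: ", 1)[1]
    f = csv.split(",")
    if f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    return {"action": f[6], "direction": f[7], "iface": f[4], "proto": f[16],
            "src": f[18], "dst": f[19], "sport": int(f[20]), "dport": int(f[21])}


def bogon_blocks(lines):
    """Blocked inbound flows whose source is bogon space: (src, dst, dport, label)."""
    hits = []
    for line in lines:
        e = parse_filterlog(line)
        if e is None or e["action"] != "block" or e["direction"] != "in":
            continue
        label = classify(e["src"])
        if label != "public":
            hits.append((e["src"], e["dst"], e["dport"], label))
    return hits


# Constructed sample log lines (not taken from the thread). The tracker IDs
# and the WAN address 188.65.1.2 are placeholders.
SAMPLE_LOG = [
    # CGNAT source hitting 443 on the WAN: the situation described in the thread
    "Jan 10 09:12:01 fw filterlog[7712]: 5,,,1000000103,igb0,match,block,in,4,0x0,,60,4132,0,DF,6,tcp,60,100.70.12.34,188.65.1.2,51234,443,0,S,1234567,,65535,,mss",
    # 100.5.x.x is ordinary public space, so this block is not a bogon block
    "Jan 10 09:12:02 fw filterlog[7712]: 5,,,1000000103,igb0,match,block,in,4,0x0,,60,4133,0,DF,6,tcp,60,100.5.1.1,188.65.1.2,51235,22,0,S,1234568,,65535,,mss",
    # RFC1918 source arriving on the WAN: classic bogon
    "Jan 10 09:12:03 fw filterlog[7712]: 5,,,1000000103,igb0,match,block,in,4,0x0,,60,4134,0,DF,17,udp,60,192.168.1.5,188.65.1.2,40000,53,40",
    # passed HTTPS from a public source: ignored by bogon_blocks
    "Jan 10 09:12:04 fw filterlog[7712]: 7,,,1000000110,igb0,match,pass,in,4,0x0,,60,4135,0,DF,6,tcp,60,81.10.20.30,188.65.1.2,51236,443,0,S,1234569,,65535,,mss",
]

if __name__ == "__main__":
    for ip in ("100.70.12.34", "100.5.1.1", "100.127.255.255", "100.128.0.0"):
        print(ip, "->", classify(ip))
    for src, dst, dport, label in bogon_blocks(SAMPLE_LOG):
        print(f"bogon-sourced block: {src} -> {dst}:{dport} ({label})")
```

Running `classify` on the two kinds of 100.x addresses shows the distinction johnpoz is making: 100.70.12.34 lands inside 100.64.0.0/10 and is CGNAT, while 100.5.1.1 is ordinary public space that simply happens to start with 100. Feeding the real firewall log through `bogon_blocks` tells you whether the blocked source in the OP's log is genuinely in the CGNAT /10, which is what the ISP-side explanation in the rest of the thread depends on.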
-
It sounds to me like your ISP has broken routing. Like they are allowing the other user to connect directly to your public IP with their CGN IP without NATing it. That should never happen, but if both subnets are internal for them I could see how it might. It's an edge case.
Steve
-
@stephenw10 said in Block bogon Networks with CGNAT:
It sounds like your ISP has broken routing to me
Yeah, if the ISP has CGNAT customer A and then customer B without CGNAT, and the ISP allows customer A to talk to customer B's public IP without NATing customer A's CGNAT IP, yeah, that is pretty borked ;)
-
@johnpoz and @stephenw10
That's what I thought as well, so I will "master" them again ;).
For me this is enough information; this can be closed. Thank you for your help.