Private subnets routing to somewhere unknown?
-
In the process of trying to pick random subnets in the 10.x.x.x/8 range, I keep seeming to conflict with random guest networks at businesses with my OpenVPN.
So then, in trying to figure out good options, I stumbled onto the fact that somehow there's a 10.x.x.x network somewhere responding to stuff at home that I can't make sense of where it is, and it seems to be between me and the internet.
How can I figure out what this is or why?
-
@mmiller7 What you wrote doesn't really make any sense.
- Are you trying to do a remote access VPN or a site2site VPN?
- As you pointed out, regardless of which VPN type, it needs to be non-conflicting, but it's unclear what 'random guest networks at businesses with my OpenVPN' even means.
-
@michmoor I have remote access set up with OpenVPN, but randomly I'll go to say a hotel or something and find out that (for example) the hotel guest network is 10.0.0.0/24 and my VPN is also 10.0.0.1/24 and then nothing seems to work once connected.
So I pick something else and then I end up at say WalMart and discover oops my randomly picked other 10.1.2.0/24 is THEIR guest subnet and can't route thru my VPN.
In the process of trying to pick something, I am finding with nmap (at home, behind my pfsense) a 10.206.16.1 with unknown subnet information that seems to exist and be routable at home even though no VPN clients are connected and I have no subnet there. Seems to have a bunch of stuff on port 80 listening. It seems to be out my WAN even though my WAN IP is 24.x.x.x. I'm further confused because I believe I am blocking everything on the WAN interface in RFC1918_RFC4193 with a rule in the WAN interface firewall rules tab.
-
@mmiller7 The odds of ending up with the same LAN for the VPN as that of a location you happen to be in I would imagine are small, but it can happen.
One solution would be to advertise /32 routes over your VPN tunnel, so for example if your NAS sits at 10.1.1.2/32 then push a route for that over the tunnel using 'push route' commands. Secondly, regarding the 10.206.16.1, is that showing up in the pfSense route table? If you go to Diagnostics / Routes do you see that anywhere? Are you scanning your WAN side? I can see that being a cable modem or ONT.
-
@mmiller7 which is why it's good to use a non-common network.. Pick something random in the 172.16/12 range..
Say 172.29.42.0/24
10.0.0 would be a bad choice.. Anything at the very beginning of the range would be bad. I use 192.168.9.0/24 for my LAN network. And other networks use 192.168.2 or above. 192.168.0 and 192.168.1 are very common; you would find them at say Starbucks or at like a hotel or someone else's house..
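The two pieces of advice above (push /32 host routes over the tunnel; pick a random subnet from 172.16/12 rather than the start of 10/8 or 192.168/16) can be checked mechanically before committing to a VPN subnet. The following is an added example, not code from the thread or from pfSense/OpenVPN; the observed-network list is constructed from the networks mentioned in the thread, and the prefix length of the ISP's 10.206.216.x hop is an assumption since the thread never learns it.

```python
import ipaddress
import random

# Constructed list of networks this client has actually been attached to or
# has seen in a trace. Entries are taken from the thread; the /24 on the ISP
# transit hop is an assumption (its real prefix length is unknown).
OBSERVED_NETWORKS = [
    "10.0.0.0/24",       # hotel guest network
    "10.1.2.0/24",       # store guest network
    "192.168.1.0/24",    # home LAN behind pfSense (hop 1 in the traceroute)
    "192.168.100.0/24",  # cable modem management address
    "10.206.216.0/24",   # ISP transit hop at hop 2 (prefix length assumed)
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def conflicts(candidate: str, observed=OBSERVED_NETWORKS) -> list:
    """Return every observed network that overlaps the candidate VPN subnet."""
    cand = ipaddress.ip_network(candidate, strict=False)
    return [n for n in observed if cand.overlaps(ipaddress.ip_network(n, strict=False))]


def pick_vpn_subnet(observed=OBSERVED_NETWORKS, prefixlen=24, seed=None) -> str:
    """Pick a random /prefixlen inside 172.16.0.0/12 that overlaps nothing observed.

    172.16/12 is rarely used for guest Wi-Fi, so a random pick from its 4096 /24s
    is far less likely to collide than 10.0.0.0/24 or 192.168.0.0/24.
    """
    rng = random.Random(seed)
    block = ipaddress.ip_network("172.16.0.0/12")
    subnets = list(block.subnets(new_prefix=prefixlen))
    rng.shuffle(subnets)
    for net in subnets:
        if not conflicts(str(net), observed):
            return str(net)
    raise RuntimeError("no free subnet in 172.16.0.0/12")


def host_routes(hosts) -> list:
    """OpenVPN server-side 'push "route ..."' lines for /32 host routes.

    A /32 is more specific than any /24 the client's local LAN could use, so
    the named home hosts stay reachable over the tunnel even when the remote
    guest network shares the home LAN's prefix.
    """
    return [f'push "route {ipaddress.ip_address(h)} 255.255.255.255"' for h in hosts]


if __name__ == "__main__":
    print("10.0.0.0/24 conflicts with:", conflicts("10.0.0.0/24"))
    print("172.29.42.0/24 conflicts with:", conflicts("172.29.42.0/24"))
    print("suggested VPN subnet:", pick_vpn_subnet(seed=1))
    for line in host_routes(["10.1.1.2"]):
        print(line)
```

Keeping OBSERVED_NETWORKS updated with each new guest network you hit turns the "oops, that's their subnet too" discovery into a lookup before the next reconnect; the host_routes output is what goes into the OpenVPN server config when you only need a few home hosts rather than the whole LAN.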
-
I do not see it in routes, but it appears to be on/adjacent to any traceroute I attempt.
$ traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 64 hops max
 1  192.168.1.1  4.128ms  3.878ms  2.550ms
 2  10.206.216.1  18.748ms  8.820ms  10.186ms
 3  209.196.183.8  10.554ms  10.391ms  10.309ms
 4  209.196.183.162  12.501ms  14.367ms  15.613ms
 5  * * *
 6  154.54.87.150  23.756ms  19.356ms  31.230ms
 7  154.54.87.77  29.314ms  28.743ms  25.706ms
 8  *  38.88.214.142  21.408ms  *
 9  172.71.192.2  20.928ms  26.685ms  22.279ms
10  1.1.1.1  20.815ms  20.014ms  20.764ms

$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max
 1  192.168.1.1  3.650ms  1.495ms  7.855ms
 2  10.206.216.1  11.657ms  9.318ms  10.166ms
 3  209.196.183.8  9.026ms  23.410ms  10.192ms
 4  209.196.183.162  15.485ms  13.734ms  14.575ms
 5  207.255.30.226  16.969ms  15.245ms  48.423ms
 6  * * *
 7  8.8.8.8  16.701ms  49.788ms  15.748ms

$ traceroute www.google.com
traceroute to www.google.com (172.253.63.147), 64 hops max
 1  192.168.1.1  2.542ms  2.179ms  5.819ms
 2  10.206.216.1  12.116ms  39.254ms  19.365ms
 3  209.196.183.8  10.338ms  18.628ms  9.476ms
 4  209.196.183.162  13.732ms  21.477ms  14.505ms
 5  142.250.164.44  19.627ms  44.666ms  13.681ms
 6  * * *
 7  142.251.69.210  15.111ms  19.232ms  16.432ms
 8  108.170.246.34  48.781ms  47.047ms  17.055ms
 9  142.251.49.192  17.432ms  28.204ms  44.883ms
10  142.251.49.209  29.652ms  16.208ms  15.439ms
11  142.251.244.115  16.185ms  28.751ms  33.208ms
12  142.250.209.57  16.309ms  50.969ms  16.077ms
13  172.253.72.35  30.902ms  34.410ms  14.696ms
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  172.253.63.147  16.336ms  17.679ms  15.419ms
I would have thought, with my public IP address being 24.x.x.x and my WAN primary default gateway being 24.x.x.1, that I would see the next hop after my router be said default gateway?
igb0 - primary WAN (cable internet)
igb1 - failover WAN on packet loss (starlink)
If I start trying to go to stuff in the 10.206.216.x (that was a typo, 16 is wrong) it "looks" like some network stuff, but I of course can't log in to try and make heads or tails of how/where/what/why.
-
@mmiller7 Yeah, I figured. That's your ONT.
If you see my traceroute it's a similar thing. I am on ATT Fiber.
tracert -d google.com
Tracing route to google.com [172.217.215.113]
over a maximum of 30 hops:
  1     1 ms    <1 ms    <1 ms  192.168.50.254
  2    <1 ms    <1 ms    <1 ms  192.168.1.254
  3     2 ms     1 ms     1 ms  104.13.92.1
  4     2 ms     2 ms     2 ms  107.212.169.40
  5 ^C
-
For a cable modem (what I have) it would be 192.168.100.1 or 192.168.0.1, no? That 192.168.100.1 is my cable modem config page. I'm perplexed where the other 10.x comes in?
-
@mmiller7 Just looking at the ping times, I suspect it's your cable service's CMTS.
-
@mmiller7 said in Private subnets routing to somewhere unknown?:
2 10.206.216.1 18.748ms 8.820ms 10.186ms
From this I would say it's upstream in your ISP network. Those RTTs would indicate it's not actually local to you.. But somewhere upstream in the ISP network.
There is nothing saying an ISP can not use RFC1918 in their network as transit.. It is not uncommon to see RFC1918 upstream in your trace. Not that long ago I was seeing a 10.x address at hop 3.. This could be the actual transit IP they are routing to in their network, or it could just be a loopback address the router answers with, etc. But my ISP changed something and I no longer see that..
Seeing RFC1918 in a trace is not uncommon.
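The reasoning in the post above (a 10.x hop with ~10 ms RTT cannot be on the local LAN, so it is ISP transit) can be applied to a whole trace automatically: parse each hop, classify the address as RFC1918, CGNAT (100.64.0.0/10) or public, and flag private hops whose round-trip time is too large to be local. This is an added example written for this thread, not code from pfSense or any tool mentioned here; the sample input is the first six hops of the 1.1.1.1 traceroute posted earlier, and the 5 ms "local" threshold is an assumption chosen for a typical wired home LAN.

```python
import ipaddress
import re
import statistics

# Sample input: the first hops of the 1.1.1.1 traceroute posted in the thread.
SAMPLE_TRACEROUTE = """\
traceroute to 1.1.1.1 (1.1.1.1), 64 hops max
 1  192.168.1.1  4.128ms  3.878ms  2.550ms
 2  10.206.216.1  18.748ms  8.820ms  10.186ms
 3  209.196.183.8  10.554ms  10.391ms  10.309ms
 4  209.196.183.162  12.501ms  14.367ms  15.613ms
 5  * * *
 6  154.54.87.150  23.756ms  19.356ms  31.230ms
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")             # hop number, first token
ADDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")  # dotted-quad IPv4
RTT_RE = re.compile(r"([\d.]+)\s*ms")                  # "4.128ms" or "1 ms"


def classify(addr: str) -> str:
    """Label an address as rfc1918, cgnat or public."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "public"


def parse_hops(text: str) -> list:
    """Turn traceroute/tracert output into [{'ttl', 'addr', 'rtts'}, ...]."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line or blank
        addrs = ADDR_RE.findall(line)
        rtts = [float(x) for x in RTT_RE.findall(line)]
        hops.append({"ttl": int(m.group(1)), "addr": addrs[0] if addrs else None, "rtts": rtts})
    return hops


def annotate(text: str, local_threshold_ms: float = 5.0) -> list:
    """Classify each hop and flag private addresses whose median RTT says 'not local'.

    Returns tuples (ttl, addr, kind, median_rtt_ms, note). The threshold is an
    assumption: a device one Ethernet hop away answers in well under 5 ms.
    """
    result = []
    for h in parse_hops(text):
        kind = "no-reply" if h["addr"] is None else classify(h["addr"])
        median = statistics.median(h["rtts"]) if h["rtts"] else None
        note = ""
        if kind == "rfc1918" and median is not None and median > local_threshold_ms:
            note = "private address but RTT suggests ISP transit, not local"
        result.append((h["ttl"], h["addr"], kind, median, note))
    return result


if __name__ == "__main__":
    for ttl, addr, kind, median, note in annotate(SAMPLE_TRACEROUTE):
        rtt = "-" if median is None else f"{median:.3f} ms"
        print(f"{ttl:2d}  {addr or '*':<16} {kind:<9} {rtt:>11}  {note}")
```

Run against the full trace from the thread, hop 1 (192.168.1.1, ~4 ms) is labelled private-and-local while hop 2 (10.206.216.1, ~10 ms) gets the transit note, which is exactly the distinction drawn above; anything in 100.64/10 shows up as cgnat so a carrier-grade NAT hop is not mistaken for a neighbour's LAN.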
-
So do I need to worry about my home subnets conflicting with unknown-size-and-location upstream subnets too now?
This is the first time seeing/noticing something other than the 100 CGNAT or public addresses "upstream" of my router... and if I hop to a machine at my parents' house (FiOS), their next upstream hop appears to be public address space after their home router.
-
@mmiller7 said in Private subnets routing to somewhere unknown?:
So do I need to worry about my home subnets conflicting
No, they are just transit.. Unless you wanted to, say, ssh to that ISP device from your home network and they conflicted - then you would have a problem ;)
-
Nevermind, just read the bit about connecting to home via OpenVPN.
You mention using OpenVPN; if so, have you selected "don't pull routes"? If you don't, it's likely your default route is via your OpenVPN connection rather than your WAN link.