Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Bogon Alias address created for pppoe WAN

    Scheduled Pinned Locked Moved Routing and Multi WAN
    22 Posts 4 Posters 1.6k Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Bob.DigB Offline
      Bob.Dig LAYER 8 @dandare100
      last edited by Bob.Dig

      @dandare100 Go to https://whatismyipaddress.com/ and if it shows the same IP as your WAN-IP in pfSense, you are not NAted. And a gateway is not the same as the interface-ip address. It doesn't matter if it is from the CG-NAT range or whatever.

      D 1 Reply Last reply Reply Quote 0
      • GertjanG Offline
        Gertjan @dandare100
        last edited by

        @dandare100 said in Bogon Alias address created for pppoe WAN:

        I am not experiencing any issues. The main reason for my post is to understand where the 100.64.0.225 is coming from. It wasn't there before.

        You can compare pppoe with what DHCP does.
        When a devices (example : a LAN PC)emits a request for a DHCP lease, the DHCP server (for example pfSense) gives the client a
        IP, like 192.168.1.10
        Network, like 25.255.255.0
        A gateway IP, which is the pfSense LAN IP, for example 192.168.1.1
        A DNS IP, which is the pfSense LAN, so the device know who it can contact to do DNS searches.
        ( more info can get requested, like, for example, a NTP IP)

        The gateway is very important.
        Because the IP received is 192.168.1.10, and the network 'mask' is 255.255.255.0, the device now knows that it can contact all IP's from 192.168.1.1 to 192.168.1.254 directly. All other IPs, all other network, like the entire internet, can be reached by using the gateway. Typically, the gateway knows how to route, as it is a router ^^
        Your 100.64.0.225 is probably the router the pfSense WAN uses to go "the Internet".
        A CGNAT IP btw.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        D 1 Reply Last reply Reply Quote 0
        • D Offline
          dandare100 @Bob.Dig
          last edited by

          @Bob-Dig Done and it matches the public ip in pfsense, thanks

          1 Reply Last reply Reply Quote 0
          • D Offline
            dandare100 @Gertjan
            last edited by

            @Gertjan Thank you for the explanation, makes sense.

            It just seems weird that the ISP is assigning the "100.64.0.225" as the gateway for a pppoe interface with a public ip address.

            I understand that I am not a network fundi :-) and that this setup may be completely normal, I am just trying to understand the setup because it was not previously like that.

            Bob.DigB 1 Reply Last reply Reply Quote 0
            • Bob.DigB Offline
              Bob.Dig LAYER 8 @dandare100
              last edited by Bob.Dig

              @dandare100 It is just efficient. Your ISP is saving on public-IPv4-space.

              My WAN looks like this.

              IPv4 Address
                  46.*.*.* 
              Subnet mask IPv4
                  255.255.255.255 
              Gateway IPv4
                  94.*.*.* 
              

              You can see, there is no relationship between the IP-address on my WAN and its gateway.

              D johnpozJ 2 Replies Last reply Reply Quote 0
              • D Offline
                dandare100 @Bob.Dig
                last edited by

                @Bob-Dig Ok cool. Thank you. I understand now and will let it go.

                Thanks for the patience guys

                1 Reply Last reply Reply Quote 0
                • johnpozJ Online
                  johnpoz LAYER 8 Global Moderator @Bob.Dig
                  last edited by johnpoz

                  @Bob-Dig said in Bogon Alias address created for pppoe WAN:

                  You can see, there is no relationship between the IP-address on my WAN and its gateway.

                  I wouldn't say that - that is not how a typical network is setup.. Normally the gateway off a network, needs to be on the network your trying to get off of, how else would you get there. But yes you can go against normal practice. Multiple layer3 on the same layer 2.. Where the IP is different layer 3 but your on the same layer 2 network so the client can get the mac of its gateway.

                  PPPoe is a tunnel so its a bit different. But normally the gateway would and should be on the same network space.. If its not you normally have to let the client know this.

                  If you go into routing and, and look at your dhcp gateway - if that IP is outside your network you get - you would normally have to set this.

                  gateway.jpg

                  https://docs.netgate.com/pfsense/en/latest/routing/gateway-configure.html#advanced-gateway-settings

                  The Use non-local gateway through interface specific route option allows a non-standard configuration where a gateway IP address exists outside of an interface subnet. Some providers attempting to scrape the bottom of the IPv4 barrel have resorted to this in order to not put a gateway into each customer subnet. Do not activate this option unless required to do so by the upstream provider.

                  Normally if you manually set that - the OS should scream at you.

                  warning.jpg

                  So while it "can" be done - it is not your typical setup..

                  When a client decides that hey this IP is not on my network, I need to send it to my gateway - it would arp for the mac address of the gateway (that is on its network) and send the traffic there.. In a typical setup if the gateway is not on the same network, how would the client get the mac to actually send the traffic to.. So there are some caveats to be sure if doing such a setup.. So please don't get the idea that you can make your network 192.168.1.0/24 and just set a gateway as 192.168.2.1 and it will work.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                  Bob.DigB 1 Reply Last reply Reply Quote 2
                  • Bob.DigB Offline
                    Bob.Dig LAYER 8 @johnpoz
                    last edited by

                    @johnpoz said in Bogon Alias address created for pppoe WAN:

                    When a client decides that hey this IP is not on my network, I need to send it to my gateway - it would arp for the mac address of the gateway (that is on its network) and send the traffic there.. In a typical setup if the gateway is not on the same network, how would the client get the mac to actually send the traffic to..

                    @johnpoz I am curious. Normally it would arp for the MAC of the gateway. Now when this is not on its network, it would still arp for the MAC of the gateway? So it is basically the same? What are the caveats of this approach.

                    johnpozJ 1 Reply Last reply Reply Quote 0
                    • johnpozJ Online
                      johnpoz LAYER 8 Global Moderator @Bob.Dig
                      last edited by

                      @Bob-Dig clients don't normally arp for an IP that is not on their own network. This is why you need to tell the device - hey that is your gateway you can talk to it on the same L2 network, so you can get the mac if you arp.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                      Bob.DigB 2 Replies Last reply Reply Quote 1
                      • Bob.DigB Offline
                        Bob.Dig LAYER 8 @johnpoz
                        last edited by Bob.Dig

                        @johnpoz So it is basically the same.
                        I am asking because I have a VPS and proxmox on it. The VPS-Provider gave the following, single IP-configuration: IP 5.5.5.5/24, Gateway 5.5.5.1

                        In Proxmox, the local subnet has more rights, for instance, it doesn't get blocked if it uses the wrong credentials too many times.
                        That is why I changed the network config on that VPS to be: IP 5.5.5.5/32, Gateway 5.5.5.1

                        No questions asked, it just works (Debian).

                        johnpozJ 1 Reply Last reply Reply Quote 0
                        • Bob.DigB Offline
                          Bob.Dig LAYER 8 @johnpoz
                          last edited by Bob.Dig

                          @johnpoz said in DNS Rebind attack conditions doesn't make sense:

                          if pfsense has no portward to itself then it must think that IP is his.

                          Really, his? 😱 😉

                          1 Reply Last reply Reply Quote 0
                          • johnpozJ Online
                            johnpoz LAYER 8 Global Moderator @Bob.Dig
                            last edited by johnpoz

                            @Bob-Dig You can set the gateway to any IP you want, but its not a normal, typical setup - and like the warning I showed you - the OS thinks you must of made a typo ;) It might still arp for it since its gateway IP and has to be reachable on the same L2

                            arp.jpg

                            But you can not be sure device or OS will do that. Nor can you be sure what your arping for will answer if the IP is not on the gateways network IP range.

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                            1 Reply Last reply Reply Quote 1
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.