Block private networks (RFC 1918) option && routing question



  • I have a pfSense router (172.16.1.254) which has the Block private networks option on the WAN interface enabled. Trying to access the router via the browser I mistakenly typed 172.16.4.254, which prompted me with a login page (not the router's page).

    First I thought someone was on my LAN (coincidentally I had tested a wifi AP), so I scanned that host with nmap and did a traceroute, and found out that the packets actually go through the ISP gateway:

    user@home:~# traceroute 172.16.4.254
    traceroute to 172.16.4.254 (172.16.4.254), 30 hops max, 60 byte packets
     1  daniya-rtr.localdomain (172.16.1.254)  0.696 ms  0.772 ms  0.359 ms
     2  10.0.0.1 (10.0.0.1)  0.909 ms  0.923 ms  1.751 ms   <WAN interface is PPPoE and uses this as gateway>
     3  10.32.60.33 (10.32.60.33)  2.789 ms  2.576 ms  2.218 ms
     4  172.16.4.254 (172.16.4.254)  3.737 ms  4.160 ms  4.966 ms
    
    1. Shouldn't the Block private networks option block both ingress AND egress private network traffic?
    2. The host seems to be a managed HP switch and has the telnet and http ports open. Should I contact the ISP and suggest that they put their switch's management interface on a separate VLAN?


  • Firewall rules are strictly for ingress traffic on that interface. If you want to block private networks from leaving your network, you have to add such a rule on LAN.

    Yes, your ISP definitely should not have the management interfaces of anything open to customers, but whether I'd contact them about that… maybe not. I've heard of that ending badly in too many cases ("you're hacking our network!"). It depends; if I knew the provider and had a relationship with them, I would let them know.
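    The point in the reply, that "Block private networks" is an ingress rule on WAN and only a LAN rule catches the outbound direction, as an added Python model that is not from the thread or from pfSense itself. The rule tuples, function names and first-match/default-deny evaluation are illustrative assumptions; the traceroute sample is the thread's own hop list reused as constructed input, and the checker flags RFC 1918 hops that appear beyond the local gateway.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LAN_SUBNET = ipaddress.ip_network("172.16.1.0/24")  # router is 172.16.1.254


def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


# Illustrative rule shape (assumption): (interface, action, match(src, dst)).
# A rule is consulted only for packets *entering* that interface; first
# match wins and anything unmatched is dropped (pfSense's default deny).
WAN_BLOCK_PRIVATE = ("wan", "block", lambda s, d: is_private(s))
LAN_BLOCK_PRIVATE_EGRESS = ("lan", "block", lambda s, d: is_private(d)
                            and ipaddress.ip_address(d) not in LAN_SUBNET)
LAN_ALLOW_ANY = ("lan", "pass", lambda s, d: True)  # default "LAN to any"


def evaluate(rules, ingress_iface, src, dst):
    for iface, action, match in rules:
        if iface == ingress_iface and match(src, dst):
            return action
    return "block"


HOP = re.compile(r"^\s*(\d+)\s+\S+\s+\((\d+\.\d+\.\d+\.\d+)\)")


def private_hops_beyond_gateway(traceroute_text, gateway):
    """Return (hop, ip) for every RFC 1918 address after the gateway hop."""
    found, past_gateway = [], False
    for line in traceroute_text.splitlines():
        m = HOP.match(line)
        if not m:
            continue  # header line or a "* * *" timeout line
        hop, ip = int(m.group(1)), m.group(2)
        if past_gateway and is_private(ip):
            found.append((hop, ip))
        if ip == gateway:
            past_gateway = True
    return found


# Constructed sample: the thread's hops, without the inline annotation.
SAMPLE = """traceroute to 172.16.4.254 (172.16.4.254), 30 hops max, 60 byte packets
 1  daniya-rtr.localdomain (172.16.1.254)  0.696 ms  0.772 ms  0.359 ms
 2  10.0.0.1 (10.0.0.1)  0.909 ms  0.923 ms  1.751 ms
 3  10.32.60.33 (10.32.60.33)  2.789 ms  2.576 ms  2.218 ms
 4  172.16.4.254 (172.16.4.254)  3.737 ms  4.160 ms  4.966 ms"""
```

    With only the WAN rule, a LAN host's packet to 172.16.4.254 is passed; adding LAN_BLOCK_PRIVATE_EGRESS ahead of the allow rule blocks it while still passing traffic to the local subnet and to public addresses.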

