Netgate Discussion Forum
    Block private networks (RFC 1918) option && routing question

    Routing and Multi WAN
    2 Posts 2 Posters 8.2k Views
    erhardm

      I have a pfSense router (172.16.1.254) which has the Block private networks option enabled on the WAN interface. Trying to access the router via the browser, I mistakenly typed 172.16.4.254, which prompted me with a login page (not the router's page).

      First I thought someone was on my LAN (coincidentally I was testing a wifi AP), scanned that host with nmap, and did a traceroute, and found out that the packets actually go through the ISP gateway:

      user@home:~# traceroute 172.16.4.254
      traceroute to 172.16.4.254 (172.16.4.254), 30 hops max, 60 byte packets
       1  daniya-rtr.localdomain (172.16.1.254)  0.696 ms  0.772 ms  0.359 ms
       2  10.0.0.1 (10.0.0.1)  0.909 ms  0.923 ms  1.751 ms    <- WAN interface is PPPoE and uses this as gateway
       3  10.32.60.33 (10.32.60.33)  2.789 ms  2.576 ms  2.218 ms
       4  172.16.4.254 (172.16.4.254)  3.737 ms  4.160 ms  4.966 ms
      
      1. Shouldn't the Block private networks option block both ingress AND egress private network traffic?
      2. The host seems to be a managed HP switch and has the telnet and http ports open. Should I contact the ISP and suggest that they put their switch's management interface on a separate VLAN?
      cmb

        Firewall rules are strictly for ingress traffic on that interface. If you want to block private networks from leaving your network, you have to add such a rule on LAN.

        Yes, your ISP definitely should not have the management interfaces of anything open to customers, but whether I'd contact them about that… maybe not. I've heard of that ending badly in too many cases ("you're hacking our network!"). Depends; if I knew the provider and had a relationship with them, I would let them know.

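The point in cmb's reply, as an added example that is not code from the thread or from pfSense itself: a small model of pf-style rules the way pfSense applies them. Each rule is bound to one interface and one direction, the first match wins, and a packet that is passed creates state, so the reply is matched by state and never evaluated against the rules again. Run against the poster's situation it shows that "Block private networks" (inbound rules on WAN) does not stop a LAN host from reaching 172.16.4.254 through the ISP, that the switch's reply gets back because of state, and that a rule on LAN blocking traffic to RFC 1918 destinations does stop it. The interface names, the 172.16.1.0/24 LAN, the sample hosts and the rule representation are assumptions of this model; the real pfSense rule syntax differs.

```python
"""Added example, not from the forum thread or from pfSense.

Models pf-style rules as pfSense applies them: one interface, one direction,
first match wins ("quick"), stateful replies bypass the rules.  Interface
names, the LAN prefix and the sample addresses are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def _in(addr: str, spec: str) -> bool:
    """True if addr is covered by spec (a CIDR prefix or the keyword "any")."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


@dataclass(frozen=True)
class Rule:
    action: str     # "block" or "pass"
    direction: str  # "in" or "out", relative to the interface, as in pf
    iface: str      # "wan" or "lan" (assumed names)
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"

    def matches(self, direction: str, iface: str, src: str, dst: str) -> bool:
        if (direction, iface) != (self.direction, self.iface):
            return False
        return _in(src, self.src) and _in(dst, self.dst)


@dataclass
class Firewall:
    rules: list
    lan_net: str = "172.16.1.0/24"                 # assumed LAN prefix
    state: set = field(default_factory=set)        # (src, dst) flows already passed

    def _eval(self, direction: str, iface: str, src: str, dst: str) -> str:
        # pfSense defaults: unmatched inbound traffic is dropped, outbound is allowed.
        for r in self.rules:
            if r.matches(direction, iface, src, dst):
                return r.action
        return "block" if direction == "in" else "pass"

    def forward(self, src: str, dst: str) -> str:
        """Push one packet through the box: inbound check on the interface it
        arrives on, then outbound check on the interface it leaves by."""
        if (dst, src) in self.state:               # reply to a passed flow: state wins
            return "pass"
        from_lan = _in(src, self.lan_net)
        in_if, out_if = ("lan", "wan") if from_lan else ("wan", "lan")
        if self._eval("in", in_if, src, dst) == "block":
            return "block"
        if self._eval("out", out_if, src, dst) == "block":
            return "block"
        self.state.add((src, dst))
        return "pass"


# What "Block private networks" on WAN amounts to: inbound-only rules on WAN.
WAN_BLOCK_PRIVATE = [Rule("block", "in", "wan", n, "any") for n in RFC1918]
# pfSense's default LAN rule: LAN net to anywhere.
LAN_DEFAULT = [Rule("pass", "in", "lan", "172.16.1.0/24", "any")]
# The fix cmb describes, as LAN rules: keep LAN-to-local traffic (the router's
# own GUI at 172.16.1.254) reachable, then block anything else bound for
# RFC 1918 space.  LAN rules see traffic *entering* LAN, i.e. leaving your net.
LAN_KEEP_LOCAL = [Rule("pass", "in", "lan", "172.16.1.0/24", "172.16.1.0/24")]
LAN_BLOCK_TO_PRIVATE = [Rule("block", "in", "lan", "any", n) for n in RFC1918]


def without_lan_rule() -> tuple:
    """The poster's setup: only the WAN option.  Returns (outbound to the ISP
    switch, the switch's reply, an unsolicited probe from the ISP side)."""
    fw = Firewall(WAN_BLOCK_PRIVATE + LAN_DEFAULT)
    out = fw.forward("172.16.1.10", "172.16.4.254")
    back = fw.forward("172.16.4.254", "172.16.1.10")
    unsolicited = fw.forward("172.16.4.254", "172.16.1.254")
    return out, back, unsolicited


def with_lan_rule() -> tuple:
    """With the LAN rules added.  Returns (outbound to the ISP switch,
    LAN host to the router's own LAN address)."""
    fw = Firewall(WAN_BLOCK_PRIVATE + LAN_KEEP_LOCAL + LAN_BLOCK_TO_PRIVATE + LAN_DEFAULT)
    return (fw.forward("172.16.1.10", "172.16.4.254"),
            fw.forward("172.16.1.10", "172.16.1.254"))


if __name__ == "__main__":
    print("WAN option only:", without_lan_rule())   # ('pass', 'pass', 'block')
    print("with LAN rules :", with_lan_rule())      # ('block', 'pass')
```

Two things to carry over to a real pfSense box: the WAN option only stops connections initiated from the outside (the third case), and a LAN block rule for RFC 1918 destinations must sit above the default "LAN net to any" rule and below a pass for the local subnets, otherwise it also cuts off the router's own web GUI and any other local networks.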
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.