Block Private Networks
-
I have a single WAN with public IP.
My ISP uses the 10.0.0.0/16 range for some of his other customers (outside). I use the same private address range inside on my LAN and it causes confusion.
I enabled "Block Private Networks" on the WAN interface. I also attempted a rule on the LAN interface (see images). I can still ping the outside 10.0.0.0 addresses on the WAN from inside on my LAN.
How do I stop my network from seeing the private network on the outside ?
-
Hi Groen,
Taking a quick look at your rules pings are allowed through because you have the protocol set to UDP/TCP. Pinging is done through the ICMP protocol and is therefore allowed through. Try setting the protocol to "IPv4/6 all" so that any traffic to/from that IP range is blocked.
The rule right below your block rule is allowing this traffic through since it covers all possible protocols from your network to anywhere.
Robbert
-
Using 10.anything is just asking for a collision. (Even if you use something like 10.154.222.0/24 you'll still run into someone using 10.0.0.0/8). IMHO, even though they might feel like they have no choice, your ISP is wrong for exposing such addresses/routes to you after you egress to them. As you found out, it breaks a perfectly valid config on your part.
I'd renumber to something else.
Two random choices:
172.17.69.0/24
192.168.108.0/24 -
So your ISP has routing to 10.x.x.x addresses, and you have a public IP? That you can hit?
Can we see a traceroute to one of these 10 address you say you can get to?
I am with derelict here, why are you using 10.0/16 in the first place - do you really have that many hosts or that many sub networks that your lan needs to be 10.0/16 That is just nuts.. And yup he is correct someone else could be using 10/8
He to example networks would be better examples what to use on your lan than 10.0/16 – but agreed your ISP even if using 10.x address space should not really allow you to get there. Especially if he is giving you a public address not in the rfc1918 space.
-
@ rrijkse. Thanks. The IPV4all (IPV4*) solved my problem.
Just to clear things up.
My internal network is on 192.168.0.0/24. I use 10.0.?.? between routers….. never knew it could cause problems (well, it did with the new ISP connection). I will change it to 172.16.?.?
Below is the traceroute. 168.167.smudge.smudge is the radio/antenna. 10.0.202.18 is on the ISP network. I assume it is a base-station.
-
what does a trace to say public look like - google, are you just behind a NAT and he gave you what you think is a public? Ie do you go through 10 on outbound trace?
If you don't mind would you PM your public IP on your pfsense.. Like to see what a trace looks like from the public side.
-
Apologies for the late reply.
Trace to public ( 8.8.8.8 ) goes only via public addresses. Trace from public ( using kloth.net ) to my router goes only via public.
-
what does a trace to say public look like - google, are you just behind a NAT and he gave you what you think is a public? Ie do you go through 10 on outbound trace?
If you don't mind would you PM your public IP on your pfsense.. Like to see what a trace looks like from the public side.
Strictly speaking it's a valid configuration. Public gateway > private subnet > public subnet. Not the first time it's been done, and with the shortage in IPv4s it's going to start getting a lot more widely used. When you mix engineers and management you only get to a single conclusive outcome: Do what is least expensive.
As far as I can remember such traceroutes fail only when hitting the private addresses, since that's what a private address is: An IP address without a global way to get to it.
