    Block Private Networks

    Firewalling
Groen:

I have a single WAN with a public IP.

My ISP uses the 10.0.0.0/16 range for some of his other customers (outside). I use the same private address range inside on my LAN and it causes confusion.

I enabled "Block Private Networks" on the WAN interface. I also attempted a rule on the LAN interface (see images). I can still ping the outside 10.0.0.0 addresses on the WAN from inside on my LAN.

How do I stop my network from seeing the private network on the outside?

Gaborone, Botswana

A Former User:

Hi Groen,

Taking a quick look at your rules, pings are allowed through because you have the protocol set to UDP/TCP. Pinging is done through the ICMP protocol and is therefore allowed through. Try setting the protocol to "IPv4/6 all" so that any traffic to/from that IP range is blocked.

The rule right below your block rule is allowing this traffic through since it covers all possible protocols from your network to anywhere.

Robbert
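An added example (not from the thread or from pfSense itself) that models the first-match rule evaluation Robbert describes: a block rule restricted to TCP/UDP lets an ICMP ping to the ISP's 10.0.202.18 fall through to the pass-all rule below it, while the same rule with protocol "IPv4 *" (any) blocks it. The rule model, the `Rule` class and the pass-all default rule are simplifying assumptions, not pfSense's rule format.

```python
import ipaddress
from dataclasses import dataclass

# Constructed, simplified model of a pfSense LAN rule set: rules are
# evaluated top to bottom and the first match wins (pf "quick" semantics).
# proto {"any"} corresponds to "IPv4 *" in the pfSense GUI.
@dataclass(frozen=True)
class Rule:
    action: str                   # "block" or "pass"
    proto: frozenset              # e.g. {"tcp", "udp"} or {"any"}
    dst: ipaddress.IPv4Network    # destination network

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ISP_PRIVATE = ipaddress.ip_network("10.0.0.0/16")   # range the ISP exposes
ANY_NET = ipaddress.ip_network("0.0.0.0/0")

def is_rfc1918(ip: str) -> bool:
    """True if ip falls in one of the private ranges that 'Block Private
    Networks' covers on the WAN side."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def evaluate(rules, proto: str, dst: str) -> str:
    """Return the action of the first rule matching (proto, dst).
    Assumed default: block when nothing matches."""
    addr = ipaddress.ip_address(dst)
    for r in rules:
        if ("any" in r.proto or proto in r.proto) and addr in r.dst:
            return r.action
    return "block"

# The rule set from the original post: block TCP/UDP to 10.0.0.0/16,
# followed by the default LAN "pass anything" rule.
ORIGINAL = [Rule("block", frozenset({"tcp", "udp"}), ISP_PRIVATE),
            Rule("pass", frozenset({"any"}), ANY_NET)]

# The corrected rule set: protocol set to "IPv4 *" so ICMP is covered too.
FIXED = [Rule("block", frozenset({"any"}), ISP_PRIVATE),
         Rule("pass", frozenset({"any"}), ANY_NET)]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        for proto in ("tcp", "icmp"):
            print(f"{name}: {proto} to 10.0.202.18 ->",
                  evaluate(rules, proto, "10.0.202.18"))
```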

Derelict (LAYER 8 Netgate):

Using 10.anything is just asking for a collision. (Even if you use something like 10.154.222.0/24 you'll still run into someone using 10.0.0.0/8). IMHO, even though they might feel like they have no choice, your ISP is wrong for exposing such addresses/routes to you after you egress to them. As you found out, it breaks a perfectly valid config on your part.

I'd renumber to something else.

Two random choices:

172.17.69.0/24
192.168.108.0/24

Chattanooga, Tennessee, USA
The pfSense Book is free of charge!
DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

johnpoz (LAYER 8 Global Moderator):

So your ISP has routing to 10.x.x.x addresses, and you have a public IP? That you can hit?

Can we see a traceroute to one of these 10 addresses you say you can get to?

I am with derelict here, why are you using 10.0/16 in the first place - do you really have that many hosts or that many sub networks that your LAN needs to be 10.0/16? That is just nuts.. And yup he is correct, someone else could be using 10/8.

The two example networks would be better examples of what to use on your LAN than 10.0/16 – but agreed, your ISP, even if using 10.x address space, should not really allow you to get there. Especially if he is giving you a public address not in the rfc1918 space.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 23.01 | Lab VMs CE 2.6, 2.7

Groen:

@rrijkse. Thanks. The IPV4all (IPV4*) solved my problem.

Just to clear things up.

My internal network is on 192.168.0.0/24. I use 10.0.?.? between routers….. never knew it could cause problems (well, it did with the new ISP connection). I will change it to 172.16.?.?

Below is the traceroute. 168.167.smudge.smudge is the radio/antenna. 10.0.202.18 is on the ISP network. I assume it is a base station.

Gaborone, Botswana

johnpoz (LAYER 8 Global Moderator):

What does a trace to, say, a public address look like - google? Are you just behind a NAT and he gave you what you think is a public IP? I.e. do you go through 10 on an outbound trace?

If you don't mind, would you PM your public IP on your pfSense.. I'd like to see what a trace looks like from the public side.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 23.01 | Lab VMs CE 2.6, 2.7

Groen:

Apologies for the late reply.

Trace to public (8.8.8.8) goes only via public addresses. Trace from public (using kloth.net) to my router goes only via public.

Gaborone, Botswana

A Former User:

@johnpoz:

    what does a trace to say public look like - google, are you just behind a NAT and he gave you what you think is a public?  Ie do you go through 10 on outbound trace?

    If you don't mind would you PM your public IP on your pfsense.. Like to see what a trace looks like from the public side.

Strictly speaking it's a valid configuration. Public gateway > private subnet > public subnet. Not the first time it's been done, and with the shortage in IPv4s it's going to start getting a lot more widely used. When you mix engineers and management you only get to a single conclusive outcome: Do what is least expensive.

As far as I can remember such traceroutes fail only when hitting the private addresses, since that's what a private address is: An IP address without a global way to get to it.
