Block Private Networks



  • I have a single WAN with public IP.

    My ISP uses the 10.0.0.0/16 range for some of its other customers (outside). I use the same private address range inside on my LAN and it causes confusion.

    I enabled "Block Private Networks" on the WAN interface. I also attempted a rule on the LAN interface (see images). I can still ping the outside 10.0.0.0 addresses on the WAN from inside on my LAN.

    How do I stop my network from seeing the private network on the outside?



  • Hi Groen,

    Taking a quick look at your rules, pings are allowed through because you have the protocol set to UDP/TCP. Pinging is done through the ICMP protocol and is therefore allowed through. Try setting the protocol to "IPv4/6 all" so that any traffic to/from that IP range is blocked.

    The rule right below your block rule is allowing this traffic through since it covers all possible protocols from your network to anywhere.

    Robbert
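To make the point in this reply concrete, here is an added example (not code from the thread or from pfSense) that models the two LAN rulesets as a first-match rule list and runs the same traffic through each. It assumes a simplified rule (action, protocol set, destination network); real pfSense rules also carry source, ports and interface, and the WAN-side "Block private networks" option filters traffic arriving on WAN from RFC 1918 sources, so it never touches LAN-originated pings. The sample packets and the 10.0.5.0/24 prefix in the collision check are constructed; 10.0.202.18 and 8.8.8.8 are the addresses mentioned in the thread.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of pfSense-style interface rules: evaluated top-down,
# first match wins, and anything unmatched hits the implicit default deny.
# Real rules also carry source, ports, direction and interface; omitted here.
ANY = "any"  # stands in for the rule editor's "IPv4 *" (any protocol) choice


@dataclass(frozen=True)
class Rule:
    action: str                  # "block" or "pass"
    protocols: frozenset         # e.g. {"tcp", "udp"} or {ANY}
    dst: ipaddress.IPv4Network   # destination network the rule matches
    name: str                    # description, as shown in the rule list


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp", "icmp", ...
    dst: ipaddress.IPv4Address


def first_match(rules, pkt):
    """Return (action, rule name) of the first rule that matches the packet."""
    for rule in rules:
        proto_ok = ANY in rule.protocols or pkt.proto in rule.protocols
        if proto_ok and pkt.dst in rule.dst:
            return rule.action, rule.name
    return "block", "implicit default deny"


def evaluate(rules, packets):
    """Map each (proto, dst) pair to the action the ruleset takes on it."""
    return {(p.proto, str(p.dst)): first_match(rules, p)[0] for p in packets}


def collides(lan_cidr, other_cidr):
    """True when a LAN prefix overlaps a range routed on the far side of the WAN."""
    return ipaddress.ip_network(lan_cidr).overlaps(ipaddress.ip_network(other_cidr))


OUTSIDE_10 = ipaddress.ip_network("10.0.0.0/16")   # ISP-side range from the thread
ANYWHERE = ipaddress.ip_network("0.0.0.0/0")

# Ruleset as posted: the block rule is scoped to TCP/UDP only, and the stock
# "allow LAN to any" rule sits right below it, so ICMP falls through to it.
WEAK_RULESET = [
    Rule("block", frozenset({"tcp", "udp"}), OUTSIDE_10, "Block 10.0.0.0/16 (TCP/UDP)"),
    Rule("pass", frozenset({ANY}), ANYWHERE, "Default allow LAN to any"),
]

# Corrected ruleset: the block rule covers every protocol.
FIXED_RULESET = [
    Rule("block", frozenset({ANY}), OUTSIDE_10, "Block 10.0.0.0/16 (IPv4 *)"),
    Rule("pass", frozenset({ANY}), ANYWHERE, "Default allow LAN to any"),
]

# Constructed sample traffic; 10.0.202.18 is the ISP-side hop named in the thread.
SAMPLE_PACKETS = [
    Packet("icmp", ipaddress.ip_address("10.0.202.18")),  # the ping that got through
    Packet("tcp", ipaddress.ip_address("10.0.202.18")),
    Packet("icmp", ipaddress.ip_address("8.8.8.8")),      # ordinary Internet traffic
]

if __name__ == "__main__":
    for label, rules in (("as posted", WEAK_RULESET), ("fixed", FIXED_RULESET)):
        print(label)
        for pkt in SAMPLE_PACKETS:
            action, name = first_match(rules, pkt)
            print(f"  {pkt.proto:4} -> {str(pkt.dst):<13} {action:5} via '{name}'")
    # Renumbering check: does a candidate LAN prefix overlap the ISP-side range?
    print("10.0.5.0/24 collides:", collides("10.0.5.0/24", "10.0.0.0/16"))
    print("172.17.69.0/24 collides:", collides("172.17.69.0/24", "10.0.0.0/16"))
```

Running it shows the ICMP packet to 10.0.202.18 passing under the posted ruleset (matched by the allow-all rule beneath the block) and being blocked once the block rule is widened to any protocol, while traffic to 8.8.8.8 is unaffected in both cases. The `collides` helper is the same overlap test one would run before picking a replacement LAN prefix.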


  • LAYER 8 Netgate

    Using 10.anything is just asking for a collision. (Even if you use something like 10.154.222.0/24 you'll still run into someone using 10.0.0.0/8.) IMHO, even though they might feel like they have no choice, your ISP is wrong for exposing such addresses/routes to you after you egress to them. As you found out, it breaks a perfectly valid config on your part.

    I'd renumber to something else.

    Two random choices:

    172.17.69.0/24
    192.168.108.0/24


  • LAYER 8 Global Moderator

    So your ISP has routing to 10.x.x.x addresses, and you have a public IP?  That you can hit?

    Can we see a traceroute to one of these 10 addresses you say you can get to?

    I am with derelict here: why are you using 10.0/16 in the first place? Do you really have that many hosts or that many subnetworks that your LAN needs to be 10.0/16? That is just nuts. And yup, he is correct, someone else could be using 10/8.

    The two example networks would be better examples of what to use on your LAN than 10.0/16, but agreed, your ISP, even if using 10.x address space, should not really allow you to get there. Especially if he is giving you a public address not in the RFC 1918 space.



  • @rrijkse: Thanks. The IPv4 all (IPv4*) setting solved my problem.

    Just to clear things up.

    My internal network is on 192.168.0.0/24. I use 10.0.?.? between routers... never knew it could cause problems (well, it did with the new ISP connection). I will change it to 172.16.?.?

    Below is the traceroute. 168.167.smudge.smudge is the radio/antenna. 10.0.202.18 is on the ISP network. I assume it is a base station.


  • LAYER 8 Global Moderator

    What does a trace to, say, a public address look like (Google)? Are you just behind a NAT and he gave you what you think is a public? I.e. do you go through 10 on an outbound trace?

    If you don't mind, would you PM your public IP on your pfSense? I'd like to see what a trace looks like from the public side.



  • Apologies for the late reply.

    Trace to public (8.8.8.8) goes only via public addresses. Trace from public (using kloth.net) to my router goes only via public.



  • @johnpoz:

    What does a trace to, say, a public address look like (Google)? Are you just behind a NAT and he gave you what you think is a public? I.e. do you go through 10 on an outbound trace?

    If you don't mind, would you PM your public IP on your pfSense? I'd like to see what a trace looks like from the public side.

    Strictly speaking it's a valid configuration: public gateway > private subnet > public subnet. Not the first time it's been done, and with the shortage in IPv4s it's going to start getting a lot more widely used. When you mix engineers and management you only get to a single conclusive outcome: do what is least expensive.

    As far as I can remember such traceroutes fail only when hitting the private addresses, since that's what a private address is: an IP address without a global way to get to it.

