Security concerns with first hop being a private net IP



  • Recently, my ADSL ISP "upgraded" their network, and the node after my pfSense gateway has changed from a public IP to a private IP (172.16.100.1). Are there any new security (or other) concerns I should be aware of?

    The "block private networks" toggle does not seem to be causing any problems, I assume that is because no traffic (I am aware of) originates from there.



  • @Nullity:

    The "block private networks" toggle does not seem to be causing any problems, I assume that is because no traffic (I am aware of) originates from there.

    Correct - there should be no incoming connection attempts originated from those private IP addresses. And so actually having "block private networks" in this case is a good thing, because if someone inside your ISP network does attempt something, it will be blocked.

    If the ISP is now giving you a private IP and you previously had a public IP, then that will prevent you from offering any services to the outside world (e.g. a VPN server for you to connect in when you are outside…).

    They are using 172.16.. Mine use 10.. They should not be doing that, but they do. You might happen to have chosen 172.16.100.0/24 for your LAN, quite rightly according to the standards. And it would now conflict with what your ISP chose. The ISPs should be using the Carrier-Grade-NAT 100.64.0.0/10 https://en.wikipedia.org/wiki/Carrier-grade_NAT - by doing that they will be sure not to accidentally conflict with customer-chosen private address space.
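
The address-space overlap phil.davis describes can be checked mechanically. The snippet below is an added example, not code from the thread or from pfSense: it classifies a WAN first-hop address as RFC 1918 private, RFC 6598 CGNAT shared space, or public, and reports which of your own LAN subnets (assumed values) would collide with it.

```python
import ipaddress

# RFC 1918 private ranges (what a "block private networks" style rule targets).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify(addr: str) -> str:
    """Classify an address as 'cgnat', 'rfc1918', 'special' or 'public'."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if not ip.is_global:
        return "special"  # loopback, link-local, documentation ranges, ...
    return "public"


def wan_hop_conflicts(first_hop: str, lan_subnets: list[str]) -> list[str]:
    """Return the LAN subnets that already contain the ISP's first-hop address.

    A non-empty result means LAN hosts and the WAN gateway share address
    space, so routes and firewall rules for that subnet become ambiguous.
    """
    ip = ipaddress.ip_address(first_hop)
    return [str(net) for net in map(ipaddress.ip_network, lan_subnets)
            if ip in net]


if __name__ == "__main__":
    # Constructed sample: the first hop from the question and two assumed LANs.
    hop = "172.16.100.1"
    lans = ["172.16.100.0/24", "192.168.1.0/24"]
    print(hop, "is", classify(hop))
    print("conflicting LAN subnets:", wan_hop_conflicts(hop, lans))
```

A CGNAT first hop (for example 100.64.0.1) classifies as "cgnat" and never collides with an RFC 1918 LAN, which is exactly why ISPs are expected to use that range.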



  • @phil.davis:

    @Nullity:

    The "block private networks" toggle does not seem to be causing any problems, I assume that is because no traffic (I am aware of) originates from there.

    Correct - there should be no incoming connection attempts originated from those private IP addresses. And so actually having "block private networks" in this case is a good thing, because if someone inside your ISP network does attempt something, it will be blocked.

    If the ISP is now giving you a private IP and you previously had a public IP, then that will prevent you from offering any services to the outside world (e.g. a VPN server for you to connect in when you are outside…).

    They are using 172.16.. Mine use 10.. They should not be doing that, but they do. You might happen to have chosen 172.16.100.0/24 for your LAN, quite rightly according to the standards. And it would now conflict with what your ISP chose. The ISPs should be using the Carrier-Grade-NAT 100.64.0.0/10 https://en.wikipedia.org/wiki/Carrier-grade_NAT - by doing that they will be sure not to accidentally conflict with customer-chosen private address space.

    I still have a public IP, I think. I can definitely open ports and have them confirmed as "open" externally.

    Routing is an area I am not yet comfortable with, but I have read about egress routing being different than ingress routing (apologies for the poor explanation).

    I will read up on the topic of routing & carrier-grade NAT's peculiarities, but I was immediately paranoid about security. I guess, technically, an external private IP is no different than an external public IP, from the firewall's perspective.

    PS. Thanks for all your work with pfSense and the forums, Phil. You are a proper example of compassionate open-sourcery (along with cmb, ermal, etc). :)

