    Should RFC1918 alias include more than just 3 or 4 subnets?

    pfsensefanboy

      Hello All,

      I posed this question in one of my earlier posts (where it hasn't gotten any replies), but perhaps I should have broken it out into its own dedicated post from the very onset.

      Anyways, so there was this question/doubt as to whether subnet 127.0.0.0/8 should be blocked/rejected, by including it in a RFC1918 alias.

      In addition to that, the question I have is, whether other subnets should also be blocked?

      I ask this because I came across an excerpt (from a book on VOIP Security - see attached image) that mentions a whole bunch of subnets which must be blocked...and 127.0.0.0/8 is certainly one of them. I do plan on having a RasPi running RasPBX behind my firewall, and the latter was the whole intent of me getting pfSense (or any firewall for that matter) installed at home.

      My RFC1918 alias currently has the following subnets included (the last one was added just two days back):

      192.168.0.0/16
      172.16.0.0
      10.0.0.0
      127.0.0.0

      The book mentions that the following subnets must also be included (refer to attached image for description of each subnet):

      0.0.0.018
      169.254.0.0/16
      192.0.2.0/24
      224.0.0.0/4
      240.0.0.0/5
      248.0.0.0/5
      255.255.255.255/32

      Makes sense, or hogwash?

      Thanks.

      BlockSubnets-RFC1918.jpg

      jimp (Rebel Alliance Developer, Netgate)

        Those are special-use nets (and that's not a complete list either!) which may or may not be useful to block depending on your network.

        Typically when people want to block "private" networks they only want the top three: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16  (be sure to get the subnet masks right on those!)

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        pfsensefanboy

          Oh okay...thanks for providing me that information Jimp...much appreciated!

          Somehow my subnet masks didn't get posted correctly, but they are as follows:

          192.168.0.0/16
          172.16.0.0/12
          10.0.0.0/8
          127.0.0.0/8

          Do let me know if any of those aren't correct...and whether or not the last subnet should be included in there at all.

          Cheers.

          jimp (Rebel Alliance Developer, Netgate)

            Traffic from 127.0.0.0/8 is loopback and shouldn't be seen on the wire, so if you're looking to block invalid traffic, that's OK to block, but it is not what I'd consider a "private network". Bogon, sure, but not private.

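A quick way to check the distinction jimp draws (RFC 1918 private space versus loopback and the other special-use ranges) and to catch the subnet-mask slips he warns about, as an added example that is not from this thread and not pfSense's own code. It uses Python's standard `ipaddress` module and assumes the alias has been exported as a plain list of CIDR strings; the sample entries below are constructed from the lists posted above.

```python
import ipaddress

# The three RFC 1918 private ranges, with the masks jimp gives.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Special-use ranges from the book excerpt (IANA special-purpose values, not private space).
SPECIAL_USE = {
    "0.0.0.0/8": "this-network (RFC 1122)",
    "127.0.0.0/8": "loopback (RFC 1122); should never appear on the wire",
    "169.254.0.0/16": "link-local (RFC 3927)",
    "192.0.2.0/24": "TEST-NET-1, documentation only (RFC 5737)",
    "224.0.0.0/4": "multicast",
    "240.0.0.0/4": "reserved (covers both 240/5 and 248/5 from the book)",
    "255.255.255.255/32": "limited broadcast",
}

def classify(entry):
    """Return (category, note) for one alias entry. Categories: private, bogon,
    mask-missing, mask-too-narrow, mask-too-wide, ipv6, invalid, public."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return ("invalid", f"{entry!r} is not a valid network")
    if net.version != 4:
        return ("ipv6", "not covered by an RFC 1918 alias")
    # A bare address such as '172.16.0.0' parses as a /32 host: the mask was dropped.
    if "/" not in entry:
        return ("mask-missing", "no prefix length; this matches a single host only")
    for rfc in RFC1918:
        if net == rfc:
            return ("private", f"matches {rfc}")
        if net.subnet_of(rfc):
            return ("mask-too-narrow", f"inside {rfc}; blocks only part of that range")
        if rfc.subnet_of(net):
            return ("mask-too-wide", f"contains {rfc} plus routable space")
    for cidr, note in SPECIAL_USE.items():
        if net.subnet_of(ipaddress.ip_network(cidr)):
            return ("bogon", note)
    return ("public", "routable space; does not belong in a private/bogon alias")

def audit(alias):
    """Classify every entry of an alias; returns {entry: (category, note)}."""
    return {entry: classify(entry) for entry in alias}

if __name__ == "__main__":
    # Constructed sample: the first post's list as it appeared, plus the corrected masks.
    for entry, (cat, note) in audit(["192.168.0.0/16", "172.16.0.0", "172.16.0.0/16",
                                     "172.16.0.0/12", "127.0.0.0/8", "248.0.0.0/5"]).items():
        print(f"{entry:20} {cat:16} {note}")
```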

            pfsensefanboy

              Perfect...thanks again :)

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.