Bcp38 configuration

Hi,
I am new to OpenWRT. I can't find any installation or configuration documentation for bcp38. Please can you point me in the right direction?
Many thanks,
Chris.

https://forum.archive.openwrt.org/viewtopic.php?id=64402

http://www.bcp38.info/index.php/Main_Page

1 Like

If I remember correctly, there is a package called bcp38 or similar...

3 Likes

I have installed bcp38 and also luci-app-bcp38 through luci. However, I can't find any bcp38 interface!

network->firewall->bcp38

3 Likes

Perfect! Thanks.

Chris.

Or, a simple rule:

1 Like

I like your idea, but it's probably better to update the post to rely entirely on the firewall config:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_config_ipset

1 Like

I previously had to load 400+ firewall rules/subnets. Needless to say, I had to migrate them to ipset instead.

But yes, this is a small list of subnets and iptables could be used.

1 Like

It looks like you misunderstood me. :sweat_smile:
I am not against IP sets and their use is perfectly justified for the current task.
What I mean is that it is best to define the IP set for BCP38 in the same firewall configuration using the UCI syntax.

1 Like
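As an added illustration (not from any post in this thread) of what the previous poster suggests, here is a `/etc/config/firewall` fragment in the fw3 ipset syntax linked above; the set names and the prefix list are my own choice, and `100.64.0.0/10` only belongs in the set if your WAN address is not itself CGNAT-assigned.

```uci
# Constructed example for /etc/config/firewall (fw3 syntax, OpenWrt 19.07/21.02).
# fw4 (22.03 and later) takes the same sections but expects "list match" instead of "option match".

# Source-address set: prefixes that must never appear as the source of a packet arriving on WAN.
config ipset
	option name 'bcp38_src'
	option family 'ipv4'
	option storage 'hash'
	option match 'src_net'
	list entry '0.0.0.0/8'
	list entry '10.0.0.0/8'
	list entry '100.64.0.0/10'    # CGNAT range: drop this line if your ISP assigns you a 100.64/10 address
	list entry '127.0.0.0/8'
	list entry '169.254.0.0/16'
	list entry '172.16.0.0/12'
	list entry '192.168.0.0/16'

# Same prefixes as a destination set, so locally originated traffic to them never leaves via WAN.
config ipset
	option name 'bcp38_dst'
	option family 'ipv4'
	option storage 'hash'
	option match 'dest_net'
	list entry '0.0.0.0/8'
	list entry '10.0.0.0/8'
	list entry '100.64.0.0/10'
	list entry '127.0.0.0/8'
	list entry '169.254.0.0/16'
	list entry '172.16.0.0/12'
	list entry '192.168.0.0/16'

# Ingress: packets from the WAN zone whose source is in the set are dropped (the thread's main case).
config rule
	option name 'BCP38-drop-spoofed-ingress'
	option src 'wan'
	option ipset 'bcp38_src'
	option target 'DROP'

# Egress: forwarded LAN traffic addressed to a private/bogon prefix is rejected instead of being sent upstream.
config rule
	option name 'BCP38-reject-private-egress'
	option src 'lan'
	option dest 'wan'
	option ipset 'bcp38_dst'
	option target 'REJECT'
```

Reload with `/etc/init.d/firewall reload` and confirm the sets were created with `ipset list bcp38_src` (fw3) or `nft list sets inet fw4` (fw4).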

Sorry for the silly question, but I can't find a straightforward answer.
The bcp38 should be configured on
the lan, the bridge-lan, the wan?
By logic I'd say on the wan interface but...

Can anybody clarify this point a bit?

Thank you.

BCP38 is meant to filter out packets on WAN with an IP address that can only be used in a LAN. You should configure it on a WAN interface with a public IP address, and never on a LAN interface with a private IP address.

2 Likes

Does your network topology justify the use of bcp38?
The usual home scenario with NAT of private IPs doesn't need it.

1 Like

In that case, in which scenario should it be used?

where you route (not NAT) public prefixes...

it's like the mailman putting letters in your mailbox for 'darkman'... you wouldn't open it... with NAT... you won't open anything (forward/accept) that wasn't first requested... and it's highly unlikely your router would have knowledge/ability to forward to unknown public prefixes (darkman lives in the granny flat out the back)

96% chance your provider's BGP edges already operate such features anyway...

3 Likes