I am using some local IP ranges in my LAN and to various VPNs I am connected to. Let's say they are:
10.40.0.0/16
10.41.0.0/16
10.42.0.0/16
Now it turns out that our ISP started to use one of these ranges. I had trouble with StrongSwan going down repeatedly for days and could not figure it out.
Now to the question. Can I block off 10.0.0.0/8, 196.168.0.0/16 so that no traffic from these IPs can reach my router from wan? What is the correct way to deal with this?
Apart from the VPNs I have a standard setup with zones where LAN can reach WAN.
Firewall rules don't have any effect here. WAN to device or WAN to LAN is blocked by default anyway. The main problem here is an IP conflict if the provider assigns these IPs to customers, which is against the convention of using 100.64 for CGNAT.
So you can either notify your ISP about that, or change your addresses.
Thanks, I thought that would be against the rules. Good to have a reference on that.
The ISP has fixed the problem, but I don't like the idea that a misconfiguration on the WAN side could affect the LAN side. I wonder if there is a solution to this.
There isn't, that is why there is the convention. 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8 are private address spaces, not to be used in the internet routing tables. Since your WAN interface is part of the internet, it must either have a public IP or the ISP must use the CGNAT addresses in this case to avoid the conflicts you witnessed.
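The answers above boil down to one check: does the address the ISP hands out on WAN fall inside RFC 1918 space, and does it overlap one of the LAN/VPN prefixes the first post lists? The following script is an added example (not code from the thread or from OpenWrt) that performs that check with Python's standard ipaddress module. The local prefixes are the ones from the first post; the WAN leases it tests against are constructed sample values.

```python
import ipaddress

# The LAN/VPN prefixes from the first post in the thread.
LOCAL_PREFIXES = [ipaddress.ip_network(p) for p in
                  ("10.40.0.0/16", "10.41.0.0/16", "10.42.0.0/16")]

# RFC 1918 private address space: must not appear on the WAN side.
RFC1918 = [ipaddress.ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# RFC 6598 shared address space, the range an ISP is expected to use for CGNAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify_wan_address(addr):
    """Label a WAN address as 'cgnat', 'rfc1918', 'public' or 'other'."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip.is_global:
        return "public"
    return "other"          # loopback, link-local, documentation ranges, ...


def conflicting_prefixes(wan_cidr, local_prefixes=LOCAL_PREFIXES):
    """Return the local prefixes (as strings) that overlap the WAN subnet.

    strict=False lets us pass the lease exactly as the router sees it
    (host address plus prefix length) instead of a network address.
    """
    wan = ipaddress.ip_network(wan_cidr, strict=False)
    return [str(p) for p in local_prefixes if p.overlaps(wan)]


def assess_wan_lease(wan_cidr, local_prefixes=LOCAL_PREFIXES):
    """Combine both checks into one verdict for a WAN lease.

    'ip_conflict'          -> the lease overlaps a LAN/VPN prefix (the
                              situation that broke the VPN in the thread)
    'isp_misconfiguration' -> RFC 1918 space on WAN, no overlap yet
    'ok'                   -> public or CGNAT address, nothing to do
    """
    host = wan_cidr.split("/")[0]
    kind = classify_wan_address(host)
    conflicts = conflicting_prefixes(wan_cidr, local_prefixes)
    if conflicts:
        verdict = "ip_conflict"
    elif kind == "rfc1918":
        verdict = "isp_misconfiguration"
    else:
        verdict = "ok"
    return {"kind": kind, "conflicts": conflicts, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample leases, not real ISP data.
    for lease in ("100.64.5.6/22", "10.41.7.8/22", "10.43.1.1/24", "23.45.67.89/32"):
        print(lease, assess_wan_lease(lease))
```

Running it reports the CGNAT and public leases as "ok", a 10.43.x lease as an ISP misconfiguration even though it does not yet collide with anything, and a 10.41.x lease as an outright IP conflict with 10.41.0.0/16, which is the case the original poster hit. It is a diagnostic, not a fix: as the replies say, the only remedies are the ISP moving to CGNAT or public space, or renumbering the local prefixes.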
Hello, can you help me please? I have configured an IP ban range because the matchmaking always makes me play on this game server. Unfortunately my game experience is catastrophic, my trace route gives me 29 hops. Here is the photo of my configuration; unfortunately it doesn't work. What can I do? Is that wrong?
First of all, do not hijack some other topic; you can open your own. Second, the rule is wrong, as the Destination zone should be the lan, not the Device.