Block IP range from WAN

I am using some local IP ranges in my LAN and for various VPNs I am connected to. Let's say they are:
10.40.0.0/16
10.41.0.0/16
10.42.0.0/16

Now it turns out that our ISP started to use one of these ranges. I had trouble with StrongSwan going down repeatedly for days and could not figure it out.

Now to the question. Can I block off 10.0.0.0/8 and 192.168.0.0/16 so that no traffic from these IPs can reach my router from WAN? What is the correct way to deal with this?

Apart from the VPNs I have a standard setup with zones where LAN can reach WAN.

Kind regards
Jens

Something like this?

iptables -I INPUT   -i [WAN interface] -s 192.168.0.0/16 -j DROP
iptables -I INPUT   -i [WAN interface] -s 10.0.0.0/8     -j DROP
iptables -I FORWARD -i [WAN interface] -s 192.168.0.0/16 -j DROP
iptables -I FORWARD -i [WAN interface] -s 10.0.0.0/8     -j DROP

e.g.

iptables -I INPUT   -i eth0 -s 192.168.0.0/16 -j DROP
iptables -I INPUT   -i eth0 -s 10.0.0.0/8     -j DROP
iptables -I FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
iptables -I FORWARD -i eth0 -s 10.0.0.0/8     -j DROP

Thanks @tievolu

This sounds reasonable! However, what I am thinking about is whether I can add these rules via LuCI or if I need to add custom rules with iptables.

Kind regards
Jens

Either way will work. In LuCI (Network > Firewall > Traffic Rules > Add) it would look like this I think:

[two screenshots of the LuCI traffic rule form, not reproduced]


Firewall rules don't have any effect here. WAN to device or WAN to LAN is blocked by default anyway. The main problem here is an IP conflict if the provider assigns these IPs to customers, which is against the convention of using 100.64 for CGNAT.
So you can either notify your ISP about that, or change your addresses.


Thanks, I thought that would be against the rules. Good to have a reference on that.
The ISP has fixed the problem, but I don't like the idea that a misconfiguration on the WAN side could affect the LAN side. I wonder if there is a solution to this.

There isn't, that is why there is the convention. 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8 are private address spaces, not to be used in the internet routing tables. Since your WAN interface is part of the internet, it must either have a public IP or the ISP must use the CGNAT addresses in this case to avoid the conflicts you witnessed.

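A check for the conflict discussed in this thread, as an added example that is not code from the thread, from OpenWrt or from any of the posters: it converts a WAN assignment and the poster's local prefixes to integers, reports which local prefix the WAN address overlaps, classifies an address against RFC 1918 and the 100.64.0.0/10 CGNAT block, and prints the iptables rules suggested above (with 172.16.0.0/12 included, since the reply above lists all three private blocks). The interface name eth0, the WAN address 10.41.7.22/24 and all function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not code from the thread): detect WAN/LAN prefix conflicts,
# classify an address as private/CGNAT/public, and print the drop rules.
# Arithmetic is 64-bit in dash, bash and busybox ash on 64-bit hosts.

# ip2int ADDR -> ADDR as a 32-bit integer
ip2int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/LEN -> exit 0 if ADDR lies inside NET/LEN
in_cidr() {
    net=${2%/*}; len=${2#*/}
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# overlaps A/LA B/LB -> exit 0 if the prefixes share any address: the shorter
# (larger) prefix must contain the network address of the longer one
overlaps() {
    la=${1#*/}; lb=${2#*/}
    if [ "$la" -le "$lb" ]; then in_cidr "${2%/*}" "$1"; else in_cidr "${1%/*}" "$2"; fi
}

# classify ADDR -> prints the non-public block ADDR falls in, or "public"
classify() {
    for entry in "rfc1918 10.0.0.0/8" "rfc1918 172.16.0.0/12" \
                 "rfc1918 192.168.0.0/16" "cgnat 100.64.0.0/10"; do
        if in_cidr "$1" "${entry#* }"; then echo "$entry"; return 0; fi
    done
    echo "public"
}

# wan_conflicts WAN_ADDR/LEN LOCAL_PREFIX... -> prints every local prefix the
# WAN assignment overlaps; exit 0 if any were found, 1 if none
wan_conflicts() {
    wan=$1; shift; found=1
    for p in "$@"; do
        if overlaps "$wan" "$p"; then echo "$p"; found=0; fi
    done
    return $found
}

# drop_rules IFACE -> prints the rules from the thread (private sources on WAN).
# Print-only: pipe into sh to apply.
drop_rules() {
    for src in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "iptables -I INPUT   -i $1 -s $src -j DROP"
        echo "iptables -I FORWARD -i $1 -s $src -j DROP"
    done
}

# Demo with the prefixes from the question; the WAN address is constructed
echo "WAN address 10.41.7.22 is: $(classify 10.41.7.22)"
if conflicts=$(wan_conflicts 10.41.7.22/24 10.40.0.0/16 10.41.0.0/16 10.42.0.0/16); then
    echo "WAN 10.41.7.22/24 conflicts with local prefix(es): $conflicts"
fi
drop_rules eth0
```

Run it with `sh check.sh` on the router or any host; only `drop_rules eth0 | sh` would change firewall state. As the replies above note, the explicit drops are belt-and-braces: the OpenWrt WAN zone already rejects unsolicited input and forwarding, and the real fix for an ISP handing out RFC 1918 space is the one the thread arrives at (renumber locally or get the ISP to move to 100.64.0.0/10).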

Look at the banip package.

Thanks for all the replies, they gave me a lot of input.


Hello, can you help me please? I have configured an IP ban range because the matchmaking always makes me play on this game server; unfortunately my game experience is catastrophic, and my trace route gives me 29 hops. Here is the photo of my configuration; unfortunately it doesn't work. What can I do? Is that wrong?

First of all, do not hijack someone else's topic; you can open your own. Second, the rule is wrong, as the destination zone should be the LAN, not the device.

Sorry, I copied tievolu's screen above. I thought I was in the right place. I put input instead of forward. Thank you Παναγιώτης, sorry.

