I've been using PBR for a few months now, with a Guest network being routed through a VPN. Last week I tried to access a website and was blocked due to a Cloudflare alert suggesting unexpected text, possibly SQL related (I didn't capture the text unfortunately). This alert occurred on the non-VPN protected network. I've since reverted to a two-router solution and the issue has not resurfaced. I'm reluctant to use the original router (Plusnet Hub2 with 23.05.5) with PBR installed. Are such alerts expected or a concern?
Without sufficient details, I don't think anyone is in a position to tell you what is happening. If I had to guess, it may have been an issue with the site you were visiting and nothing on your end.
Why? Have you tried this again to see if the issue manifests again?
If it is your first day on the internet, let me help you: all VPN exits are a source of abuse, just like Tor exits etc., at a much higher rate than residential IP blocks. Most likely your address just got abused recently against Cloudflare; it goes away over time. If you have a CF account (cached website) you can ask other questions, even for free. But there is nothing OpenWrt can change in your claim, just IP address reputation.
This has happened a few times to me recently through my ISP. I don't use VPNs but Google labeled the public subnet of my ISP as "Spam" for a few days. I did notify my ISP of the issue but they normally clear on their own in a few days if the bad behavior someone is doing in the subnet goes away.
It's an unfortunate side effect of a lot more people becoming technically savvy and doing personal projects with OpenWrt and other open or semi-open source router projects.
Hopefully, as IPv6 continues to roll out, which has been happening very quickly in the last couple of years for various reasons, this will help by reducing the need for dynamic addressing, and sites like Cloudflare and Google can filter smaller portions of a subnet when this occurs.
???
I'm not sure how you are connecting OpenWrt (or any specific router firmware) with bad behavior on the internet. If you're insinuating that OpenWrt is enabling or responsible for the blocks you're experiencing, that's entirely unfounded. Can you elaborate?
Did not know spam ever was a hobby.
Apologies, I didn't mean to insinuate that OpenWrt was a cause; it's just a tool.
I was speaking from experience with testing on IPv6 with GRE tunnels and such. Open IPv6 platforms like Hurricane Electric allow users to create their own tunnels using the service. Since some users of that service obviously spam Cloudflare, Google, and other sites, Hurricane Electric tunnels are almost always getting spam responses from Google.
Going a bit deeper, people like myself experimenting from home with OpenWrt and other open source projects could unintentionally cause this behavior. It's not OpenWrt's fault, or any other software's for that matter; it's just that over the past 5-10 years the IT and network industry has grown so fast, and more and more newcomers experiment at home.
What I'm getting at is that the OP probably saw that response because others in his or her subnet did something that got caught up in an automated control / flag with the DNS service Cloudflare.
While I would imagine that spammers and the like are using a variety of tools (possibly including OpenWrt), the specific routing environments are not directly responsible for these issues.
What causes the problems you're seeing is twofold:
- true increases in spammers/spamming causing IPs to be marked as bad/spam.
- the rise of VPN services in general. The combination of the high loads from each of the VPN endpoints and the fact that spammers will use those same VPNs means that VPN services' IP addresses will be more likely to be marked as spam than most normal home IP addresses.
The spam detection algorithms of most of the major properties on the Internet are fairly robust, although not perfect by any means. They will typically flag spammy behaviors when it's really happening vs. when there is just high loading from a given IP that is a VPN endpoint. Sometimes they specifically don't want the endpoints to have access (such as streaming services), so they may put an intentional ban on those anyway. But nothing is perfect.
OpenWrt isn't at fault here, though.
- and the fact that IPv4 addresses have run out, so ISPs resort to highly dynamic IPv4 addresses and recycle them for the next customer very quickly, making you inherit the sins of the previous user. There is no quarantine period before it gets reassigned.
Not my experience: I have been using a HE tunnel for years, and never noticed any issue.
I observed the issue once using an HE tunnel. Before masq6, I used the tunnel to statically assign IPv6 addresses to my VPN clients. One day, while on VPN, I attempted to browse to a restaurant to order food online and was greeted by the Cloudflare warning.
It seems they don't like receiving takeaway orders from data center SRC IPs.
You might be more experienced than myself at setting those up. Since I don't have a static IPv4, there is a song and dance with the tunnel staying active with DDNS. I have experimented with it, but I don't have a full understanding.
At the end of the day the core problem is VPN grouping as it makes many users seem like a single IP subnet and when you do that the others within the VPN endpoint subnet could be doing things that then get the subnet caught up in those automated "human checks."
Anyways I think we are getting off track of the OP.
HE assigns each endpoint to a single user. My exit IP address is not shared with other users, and I can only spoil my own tunnel.
Sometimes simple SMTP HELO localhost is enough to land in spam lists.
Why? The problem occurred on the non-VPN protected wireless network as well as the traffic routed through the VPN. I inferred from that, and from the fact that another VPN protected OpenWrt router (same VPN provider) without PBR installed did not trigger the Cloudflare alert, that PBR may have introduced the error.
Suspicious activity after introduction of a software component in my book is good reason to raise the question. I certainly would risk using the router unless satisfied that seemingly suspicious activity was in fact nothing sinister.
Install software to change your internet facing IP address?
C'mon, ask your internet providers after checking all your IP addresses in blacklists.
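The "check your IP addresses in blacklists" step above is a DNSBL lookup: the address octets (or IPv6 nibbles) are reversed, the list's zone is appended, and an A record in 127.0.0.0/8 means "listed", while NXDOMAIN means "not listed". The script below is an added example written for this thread, not code from any poster or from OpenWrt. The zone names are hypothetical placeholders (substitute the zones published by the list operator you actually use) and the DNS answers are constructed so it runs offline; `stdlib_resolve` shows how to plug in the real system resolver.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Hypothetical placeholder zones; real DNSBL operators publish their own.
DEFAULT_ZONES = ["dnsbl.example.invalid", "vpn-exits.example.invalid"]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: address labels reversed, then the zone.

    IPv4: 192.0.2.10 -> 10.2.0.192.<zone>
    IPv6: one hexadecimal nibble per label, reversed, like ip6.arpa.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def is_listing(answers: List[str]) -> bool:
    """A DNSBL signals 'listed' with an A record inside 127.0.0.0/8.

    An empty answer (NXDOMAIN) means not listed. Anything outside 127/8 is
    treated as an error, not a hit: wildcard DNS, a typo in the zone name or
    an expired list domain would otherwise look like a listing.
    """
    loopback = ipaddress.ip_network("127.0.0.0/8")
    for answer in answers:
        try:
            if ipaddress.ip_address(answer) in loopback:
                return True
        except ValueError:
            continue  # malformed record, ignore
    return False


def check_ip(ip: str, zones: List[str],
             resolve: Callable[[str], List[str]]) -> Dict[str, List[str]]:
    """Return {zone: [return codes]} for every zone that lists `ip`."""
    hits: Dict[str, List[str]] = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        if is_listing(answers):
            hits[zone] = sorted(answers)
    return hits


def stdlib_resolve(name: str) -> List[str]:
    """Real lookup via the system resolver; NXDOMAIN or failure -> []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed answers standing in for the DNS, so the example runs offline.
# 192.0.2.10 plays the role of a VPN exit, 198.51.100.7 a home address.
FAKE_DNS = {
    "10.2.0.192.dnsbl.example.invalid": ["127.0.0.2"],       # generic spam source
    "10.2.0.192.vpn-exits.example.invalid": ["127.0.0.4"],   # known VPN/proxy exit
    "7.100.51.198.vpn-exits.example.invalid": ["203.0.113.9"],  # wildcard junk, not a hit
}


def fake_resolve(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):
        hits = check_ip(ip, DEFAULT_ZONES, fake_resolve)
        print(ip, "listed in:" if hits else "clean", hits)
```

Run it against both the address your ISP assigned and the VPN provider's exit address (replace `fake_resolve` with `stdlib_resolve` and use real zones); a hit on the exit but not the home address is the shared-reputation situation described earlier in the thread, while a hit on the home address is what to take to the ISP.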