Feature request: blackhole routes

It would be nice if the configuration of static routes would also support blackhole routes, e.g. to prevent packets addressed to non-local private addresses from being routed to the ISP (via the default route). At the moment I have to set them via /etc/rc.local:
ip addr add blackhole 10.0.0.0/8
ip addr add blackhole 172.16.0.0/12
ip addr add blackhole 192.168.0.0/16
ip -6 addr add blackhole fc00::/7

Edit: replace 'addr' with 'route'


Are you sure???

[screenshot: screen248]

Thanks for showing me where the feature is hidden! My bad.


https://openwrt.org/docs/guide-user/network/routing/ip_rules

Ohh, nice! I have wondered about this also for a long time.
I had made a "black hole" in a more manual way until I found this thread.

I have also seen this routing instruction that mentions blackhole as an action.

Let's pretend there is a VLAN called black_hole throughout the network, going around collecting "garbage" from all other interfaces and VLANs.
If I want to connect this BH VLAN to this routing black hole function, do I need to have an unmanaged interface in between the routing rule and the VLAN?

To make the blackhole route work you need a numbered interface. And that has to be the default gateway for the local network (or at least the gateway for the prefixes to be blackholed).

Incorrect.

Actually, your manual commands were wrong - they should have been:

ip route add blackhole 10.0.0.0/8
ip route add blackhole 172.16.0.0/12
ip route add blackhole 192.168.0.0/16
ip route add blackhole fc00::/7

It appears you made an interface called "blackhole" and merely routed traffic to it by adding that network (and, by your wording, a valid IP from those ranges). That was unnecessary. You merely had to route them to the blackhole, instead of adding IPs to a "dummy" interface containing them.

Warning: The device with the blackhole routes has to be the router/firewall/default gateway for all the VLANs in your network (I think @madires meant this). Otherwise, you have to make blackholes on those devices or route the traffic to the OpenWrt for disposal!

Note: Also note - you cannot talk between upstream VLANs with RFC1918 private IPs because you blackholed routing! Specific routes on the LANs in the OpenWrt device/interfaces/route table will still work.

Yep, I mixed up 'route' with 'addr' when writing the post. Of course I was adding routes. A blackhole route for private address prefixes won't cause any problem with more specific routes within the prefix. When you deal with prefixes of the same size you could try to set a higher metric for the blackhole route so that the route with a better metric will win. For larger networks I'd recommend running an IGP, such as OSPF or IS-IS, instead of the cumbersome management of static routes on many routers.


I know the topic has been solved, but I have to say that I really don't see an advantage in using blackhole instead of unreachable routes in this case. With unreachable routes the endpoints trying to contact an unused private subnet will receive host unreachable ICMP responses, and don't need to wait for the connection to time out.


Choose whatever method suits you best. The 'unreachable' route feature will notify the client and that means the router has to generate those ICMP messages (-> CPU/network load). Or maybe you don't want a client to know which local networks are not reachable vs. blocked by a firewall. It depends on your use case.
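To make the route-selection points from the last few posts concrete (a more specific LAN route beating the covering blackhole, equal-length prefixes decided by metric, and what a client observes for blackhole vs. unreachable), here is an added Python model of a kernel-style lookup. It is not code from the thread or from OpenWrt; the route table, gateway addresses and metrics are constructed for illustration.

```python
import ipaddress

# Constructed routing table modelled on the thread: default routes to the ISP,
# blackhole routes for the RFC 1918 and ULA prefixes, and one more-specific
# LAN route that sits inside 192.168.0.0/16. Each entry: (prefix, action, metric).
ROUTES = [
    ("0.0.0.0/0",      "via 203.0.113.1", 0),    # default route (constructed gateway)
    ("10.0.0.0/8",     "blackhole",       100),
    ("172.16.0.0/12",  "blackhole",       100),
    ("192.168.0.0/16", "blackhole",       100),
    ("192.168.1.0/24", "dev br-lan",      0),    # local LAN, more specific than blackhole
    ("fc00::/7",       "blackhole",       100),
    ("::/0",           "via fe80::1",     0),    # IPv6 default (constructed gateway)
]

def lookup(dst, routes=ROUTES):
    """Longest-prefix match; equal prefix lengths are decided by the lowest metric."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, action, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr.version != net.version or addr not in net:
            continue
        # Longer prefix wins first; for ties a smaller metric (larger -metric) wins.
        key = (net.prefixlen, -metric)
        if best is None or key > best[0]:
            best = (key, action)
    return best[1] if best else None

def client_effect(action):
    """What the sending host observes for the selected route type."""
    if action == "blackhole":
        return "dropped silently, sender waits for a timeout"
    if action == "unreachable":
        return "ICMP host unreachable returned, sender fails fast"
    return "forwarded " + action

if __name__ == "__main__":
    for dst in ("192.168.1.10", "192.168.50.1", "10.1.2.3", "8.8.8.8", "fd00::1"):
        act = lookup(dst)
        print(f"{dst:14} -> {act:18} {client_effect(act)}")
    # Same-size prefix as the blackhole but with a better metric wins the tie.
    extra = ROUTES + [("10.0.0.0/8", "via 10.255.255.254", 0)]
    print("10.1.2.3 with metric-0 route:", lookup("10.1.2.3", extra))
```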
