DHCP on WAN with public IP via RFC1918?

[chemlud]

Hy!

Setup is a cable modem (Cisco) provided by ISP, opnsense (latest) with DHCP IPv4 on WAN ("block private networks" is enabled on WAN).

I had a minor hick-up at the tunnels and therefore had a look at the General logs of the sense and found that to my surprise the DHCP for my public WAN address (no CG-NAT, IP in the 80.x.y.z range) is done via a 10.x.y.z IP on the WAN interface:

Code: [Select]

Apr 2 08:42:39 dhclient[33436]: bound to 80.xxx.yyy.zzz -- renewal in 5211 seconds.
Apr 2 08:42:39 dhclient: Creating resolv.conf
Apr 2 08:42:39 dhclient[33436]: DHCPACK from 10.0.173.52
Apr 2 08:42:39 dhclient[33436]: DHCPREQUEST on em0 to 10.0.173.52 port 67
Traceroute gives

Code: [Select]

# /usr/sbin/traceroute -w 2 -n  -m '18' -s '80.xxxx.yyy.zzz'   '10.0.173.52'
traceroute to 10.0.173.52 (10.0.173.52) from 80.xxx.yyy.zzz, 18 hops max, 40 byte packets
 1  10.190.1.66  11.226 ms  7.541 ms  7.763 ms
 2  * * *
 3  * * *
 4  213.xxx.yyy.zzz  14.084 ms  15.887 ms  15.735 ms
 5  10.20.41.71  33.475 ms
    10.20.41.69  28.584 ms  16.428 ms
 6  10.20.11.69  20.135 ms  16.666 ms
    10.20.11.71  23.914 ms
 7  10.20.12.70  21.543 ms  17.166 ms
    10.20.11.70  19.720 ms
 8  10.20.12.37  20.519 ms
    10.20.11.37  17.143 ms  17.849 ms
 9  10.0.1.113  21.072 ms  16.629 ms  19.003 ms
10  10.0.1.41  14.813 ms  15.923 ms  15.973 ms
11  10.0.1.41  15.873 ms  16.019 ms  16.052 ms
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
Apparently this is going on for longer, oldest log is from 23. March, but maybe the log simply rotated for the GUI.

Can anybody help me understanding this setup...

[hbc]

Seems that your ISP uses RFC1918 addresses for transfer networks and infrastructur services.

[chemlud]

Hi, thanks for reply! Is that a usual setup?

I can't make any sense of this traceroute. Private and public IPs in a wild mixture...

I initiated a new WAN IP, looks strange, with 2 DHCP servers replying

Code: [Select]

Apr 2 17:50:12 dhclient: Comparing IPs: Old: 80.xxx.yyy.zzz New: 80.aaa.bbb.ccc
Apr 2 17:50:12 dhclient: Starting delete_old_states()
Apr 2 17:50:12 dhclient[49751]: DHCPACK from 10.190.1.66
Apr 2 17:50:12 dhclient[49751]: DHCPREQUEST on em0 to 255.255.255.255 port 67
Apr 2 17:50:10 dhclient[49751]: DHCPOFFER from 10.190.1.67
Apr 2 17:50:10 dhclient[49751]: DHCPOFFER from 10.190.1.66
Apr 2 17:50:10 dhclient[49751]: DHCPDISCOVER on em0 to 255.255.255.255 port 67 interval 1
Apr 2 17:49:59 dhclient[49751]: DHCPDISCOVER on em0 to 255.255.255.255 port 67 interval 11
Apr 2 17:49:45 dhclient[49751]: DHCPDISCOVER on em0 to 255.255.255.255 port 67 interval 14
Apr 2 17:49:36 dhclient[49751]: DHCPDISCOVER on em0 to 255.255.255.255 port 67 interval 9
Apr 2 17:49:25 dhclient[49751]: DHCPDISCOVER on em0 to 255.255.255.255 port 67 interval 11
Apr 2 17:49:17 dhclient[49751]: DHCPDISCOVER on em0 to 255.255.255.255 port 67 interval 8
Apr 2 17:49:13 dhclient[49751]: DHCPDISCOVER on em0 to 255.255.255.255 port 67 interval 4
Apr 2 17:49:11 dhclient[49751]: DHCPDISCOVER on em0 to 255.255.255.255 port 67 interval 2
Apr 2 17:49:10 dhclient[49751]: DHCPDISCOVER on em0 to 255.255.255.255 port 67 interval 1

[schnipp]

It is not a usual setup because it can conflict with private networks using the same shared address space. But, I had the same situation years ago with telefonica backend for my DSL.

[chemlud]

As the DHCP client of the sense can freely communicate with this RFC1918 IP on WAN, does that mean that this service (and other services as well) are not under the control of pf (as RFC1918 is blocked on WAN in the GUI)?

[chemlud]

Crosslink to related thread...

https://forum.opnsense.org/index.php?topic=12283