OPNsense Forum
English Forums => General Discussion => Topic started by: chemlud on April 02, 2019, 10:19:00 am
-
Hi!
Setup is a cable modem (Cisco) provided by ISP, OPNsense (latest) with DHCP IPv4 on WAN ("block private networks" is enabled on WAN).
I had a minor hiccup with the tunnels and therefore had a look at the General logs of the sense and found that, to my surprise, the DHCP for my public WAN address (no CG-NAT, IP in the 80.x.y.z range) is done via a 10.x.y.z IP on the WAN interface:
Apr 2 08:42:39 dhclient[33436]: bound to 80.xxx.yyy.zzz -- renewal in 5211 seconds.
Apr 2 08:42:39 dhclient: Creating resolv.conf
Apr 2 08:42:39 dhclient[33436]: DHCPACK from 10.0.173.52
Apr 2 08:42:39 dhclient[33436]: DHCPREQUEST on em0 to 10.0.173.52 port 67
Traceroute gives
# /usr/sbin/traceroute -w 2 -n -m '18' -s '80.xxxx.yyy.zzz' '10.0.173.52'
traceroute to 10.0.173.52 (10.0.173.52) from 80.xxx.yyy.zzz, 18 hops max, 40 byte packets
1 10.190.1.66 11.226 ms 7.541 ms 7.763 ms
2 * * *
3 * * *
4 213.xxx.yyy.zzz 14.084 ms 15.887 ms 15.735 ms
5 10.20.41.71 33.475 ms
10.20.41.69 28.584 ms 16.428 ms
6 10.20.11.69 20.135 ms 16.666 ms
10.20.11.71 23.914 ms
7 10.20.12.70 21.543 ms 17.166 ms
10.20.11.70 19.720 ms
8 10.20.12.37 20.519 ms
10.20.11.37 17.143 ms 17.849 ms
9 10.0.1.113 21.072 ms 16.629 ms 19.003 ms
10 10.0.1.41 14.813 ms 15.923 ms 15.973 ms
11 10.0.1.41 15.873 ms 16.019 ms 16.052 ms
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
Apparently this has been going on for longer; the oldest log is from 23 March, but maybe the log simply rotated for the GUI.
Can anybody help me understand this setup...
-
Seems that your ISP uses RFC1918 addresses for transfer networks and infrastructure services.
-
Hi, thanks for the reply! Is that a usual setup?
I can't make any sense of this traceroute. Private and public IPs in a wild mixture...
I initiated a new WAN IP, looks strange, with 2 DHCP servers replying
Apr 2 17:50:12 dhclient: Comparing IPs: Old: 80.xxx.yyy.zzz New: 80.aaa.bbb.ccc
Apr 2 17:50:12 dhclient: Starting delete_old_states()
Apr 2 17:50:12 dhclient[49751]: DHCPACK from 10.190.1.66
Apr 2 17:50:12 dhclient[49751]: DHCPREQUEST on em0 to 255.255.255.255 port 67
Apr 2 17:50:10 dhclient[49751]: DHCPOFFER from 10.190.1.67
Apr 2 17:50:10 dhclient[49751]: DHCPOFFER from 10.190.1.66
Apr 2 17:50:10 dhclient[49751]: DHCPDISCOVER on em0 to 255.255.255.255 port 67 interval 1
Apr 2 17:49:59 dhclient[49751]: DHCPDISCOVER on em0 to 255.255.255.255 port 67 interval 11
Apr 2 17:49:45 dhclient[49751]: DHCPDISCOVER on em0 to 255.255.255.255 port 67 interval 14
Apr 2 17:49:36 dhclient[49751]: DHCPDISCOVER on em0 to 255.255.255.255 port 67 interval 9
Apr 2 17:49:25 dhclient[49751]: DHCPDISCOVER on em0 to 255.255.255.255 port 67 interval 11
Apr 2 17:49:17 dhclient[49751]: DHCPDISCOVER on em0 to 255.255.255.255 port 67 interval 8
Apr 2 17:49:13 dhclient[49751]: DHCPDISCOVER on em0 to 255.255.255.255 port 67 interval 4
Apr 2 17:49:11 dhclient[49751]: DHCPDISCOVER on em0 to 255.255.255.255 port 67 interval 2
Apr 2 17:49:10 dhclient[49751]: DHCPDISCOVER on em0 to 255.255.255.255 port 67 interval 1
-
It is not a usual setup because it can conflict with private networks using the same shared address space. But I had the same situation years ago with the Telefonica backend for my DSL.
-
As the DHCP client of the sense can freely communicate with this RFC1918 IP on WAN, does that mean that this service (and other services as well) are not under the control of pf (as RFC1918 is blocked on WAN in the GUI)?
-
Crosslink to related thread...
https://forum.opnsense.org/index.php?topic=12283
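-
Added example, not part of any post in this thread: a small Python script that reads dhclient log lines like the ones quoted above and lists which servers sent a DHCPOFFER or DHCPACK and whether each address is in an RFC1918 range. The function names and the 203.0.113.1 line are assumptions made for the example; the other sample lines are copied from the thread.

```python
import ipaddress
import re
from collections import defaultdict

# RFC1918 blocks listed explicitly: ipaddress.is_private would also match
# loopback, link-local and documentation ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches e.g. "Apr 2 17:50:10 dhclient[49751]: DHCPOFFER from 10.190.1.67"
REPLY = re.compile(r"dhclient\[\d+\]: (DHCPOFFER|DHCPACK) from (\S+)")

SAMPLE = [  # copied from the thread, except the last line (constructed)
    "Apr 2 08:42:39 dhclient[33436]: DHCPACK from 10.0.173.52",
    "Apr 2 08:42:39 dhclient[33436]: DHCPREQUEST on em0 to 10.0.173.52 port 67",
    "Apr 2 17:50:12 dhclient[49751]: DHCPACK from 10.190.1.66",
    "Apr 2 17:50:10 dhclient[49751]: DHCPOFFER from 10.190.1.67",
    "Apr 2 17:50:10 dhclient[49751]: DHCPOFFER from 10.190.1.66",
    "Apr 2 17:50:10 dhclient[49751]: DHCPDISCOVER on em0 to 255.255.255.255 port 67 interval 1",
    "Apr 2 18:00:00 dhclient[49751]: DHCPACK from 203.0.113.1",  # constructed
]

def is_rfc1918(addr):
    """True if addr lies in 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def dhcp_servers(lines):
    """Map each replying server address to the set of reply types it sent."""
    seen = defaultdict(set)
    for line in lines:
        m = REPLY.search(line)
        if not m:
            continue  # DISCOVER/REQUEST and unrelated lines
        kind, addr = m.groups()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # masked or malformed address
        seen[addr].add(kind)
    return dict(seen)

def summarize(lines):
    """(address, sorted reply types, is RFC1918) per server, sorted by address."""
    servers = dhcp_servers(lines)
    return [(a, sorted(servers[a]), is_rfc1918(a))
            for a in sorted(servers, key=ipaddress.ip_address)]

if __name__ == "__main__":
    for addr, kinds, private in summarize(SAMPLE):
        print(f"{addr:15} {'+'.join(kinds):20} {'RFC1918' if private else 'not RFC1918'}")
```

A server that appears with only DHCPOFFER, like 10.190.1.67 here, offered a lease but was not the one the client ended up bound to.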