Messages

1

General Discussion / Re: How to add a blackhole route in OPNsense according to RFC6890 ?

« on: June 02, 2023, 07:47:16 am »

Ah!
They are static routes instead of firewall rules :-), never used them before. I will play around with them also to see how this works. thanks.

P.S. is there any downside of using this / black-holing?
P.S.S. if you disable the loopback addresses, why have you configured them?

The problem with the loopback address is this, I have tried to enable those rules, but OPNsense seems to ignore them, especially the two rules of IPv6 ::1/128 and ::/128 .

If these rules are also working in your environment,  feedback is welcome, I will modify my configuration screenshot.   

2

General Discussion / Re: How to add a blackhole route in OPNsense according to RFC6890 ?

« on: May 28, 2023, 06:06:58 pm »

I've added the following to the static route, and so far, it seems to be working fine

some address of loopback I've disabled 

3

General Discussion / Re: How to add a blackhole route in OPNsense according to RFC6890 ?

« on: May 27, 2023, 01:56:44 pm »

You can blackhole route on opnsense as well - nexthop would be the Null device.

Thank you，I'll try for that 

4

23.1 Legacy Series / Re: Unable to access web interface. Fatal error:

« on: May 27, 2023, 01:54:33 pm »

You and I have encountered exactly the same problem.

WebUI 503 Service Unavailable  :'(

5

General Discussion / How to add a blackhole route in OPNsense according to RFC6890 ?

« on: May 25, 2023, 11:41:20 am »

The router system I previously used was RouterOS, but recently I have been trying to replace my router system with OPNsense.

Previously, during the configuration of RouterOS, I referred to the article titled "Edge Router & BNG Optimisation Guide for ISPs"

https://www.daryllswer.com/edge-router-bng-optimisation-guide-for-isps/

The section "Routing loops with RFC6890 space" in the article explained why it is necessary to configure blackhole routes in RouterOS and provided specific configuration methods.

The author of the article describes the reasons as follows:

I have observed that in most of the networks, including my own personal home lab (AS149794), I find a lot of traffic where source IP = my end hosts or CPE WAN IP (either it is CGNAT IP or public IP), but destination IP = unused RFC6890 blocks. This is why I (and MikroTik themselves) created a forward rule to drop RFC6890 from escaping to WAN.

The code reference for configuring blackhole routes in RouterOS is as follows:

Code: [Select]


#RouterOS v7#
#Copy and paste these on both Edge and BNG routers#
/ip route
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=0.0.0.0/8
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=172.16.0.0/12
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=192.168.0.0/16
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=10.0.0.0/8
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=169.254.0.0/16
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=127.0.0.0/8
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=224.0.0.0/4
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=198.18.0.0/15
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=192.0.0.0/24
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=192.0.2.0/24
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=198.51.100.0/24
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=203.0.113.0/24
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=100.64.0.0/10
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=240.0.0.0/4
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=192.88.99.0/24
add blackhole comment="Blackhole route for RFC6890 (limited broadcast)" disabled=no dst-address=255.255.255.255/32


#RouterOS v7#
#Copy and paste these on both Edge and BNG routers#
/ipv6 route
add blackhole comment="Blackhole route for RFC6890" disabled=no dst-address=::1/128
add blackhole comment="Blackhole route for RFC6890" disabled=no dst-address=::/128
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=64:ff9b::/96
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=::ffff:0:0/96
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=100::/64
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=2001::/23
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=2001::/32
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=2001:2::/48
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=2001:db8::/32
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=2001:10::/28
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=2002::/16
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=fc00::/7
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=fe80::/10


Now I want to configure blackhole routes for both IPv4 and IPv6 in the OPNsense system, aiming to achieve the same effect.

I use PPPoE, and I am aware that the OPNsense system provides a default set of interception rules for Bogons networks. I have also enabled the "Block private networks" and "Block Bogon networks" features on the WAN interface.

However, upon carefully inspecting the firewall logs, I discovered that packets belonging to RFC6890 are still being forwarded to the WAN side.

I attempted to add RFC6890 to the firewall aliases and added corresponding drop rules, but it resulted in adverse effects such as abnormal network interruptions. This could be due to my incorrect configuration of firewall parameters (I'm still a novice).

Could you please advise on how to add this set of blackhole routes in OPNsense?

It would be greatly appreciated if you could provide firewall configuration examples or specific instructions.