20.1 Legacy Series / CGNAT, 100.64/10 separate from "Block private networks" option
« on: March 22, 2020, 02:18:25 pm »
Hi all!
As COVID-19 spread across our country, our students were ordered to stay home and continue through online learning.
We have a server within the school network which stores large media files (learning materials); I published it as an FTP server. (Not so) few users had trouble reaching this server, and then I realized our ISP is using CGNAT heavily and these users are from the same ISP.
So if a user (who is at the same ISP) wants to connect to our server (it has a fixed public IP), the ISP just routes the traffic towards our server through the ISP's CGNAT "private" network (100.64.0.0/10).
TL;DR:
- An ISP change is not an option currently.
- We have a fixed public IPv4 address for this FTP server.
- We use OPNsense 20.1.3 ( OPNsense 20.1.3-amd64 / FreeBSD 11.2-RELEASE-p17-HBSD / OpenSSL 1.1.1d 10 Sep 2019)
- Our ISP's "advice" was not to block the 100.64.0.0/10 (CGNAT) address range. This is blocked because I checked the "WAN" interface / "Generic configuration" / "Block private networks" option.
How can I allow 100.64/10 properly on the WAN interface?
Is there a plugin which allows separating CGNAT from the "private networks" block?
I am thinking about an "allow" rule for 100.64.0.0/10, but I can't move this rule above the "Automatically generated rules".
If I disable "Block private networks", could I replace it fully with custom "block" rules (10/8, 172.16/12, 192.168/16 + 127/8)?
Will the "Block bogon networks" option affect a custom 100.64.0.0/10 "allow" rule?
Thanks in advance!
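As an added illustration (not from the post above or from OPNsense itself), here is a small first-match model of the two WAN configurations the question weighs: the "Block private networks" option on, versus off with the poster's proposed custom block rules in its place. It assumes the automatically generated rule also covers 100.64.0.0/10 (as the poster observed), uses constructed sample addresses, and models only the FTP control port.

```python
import ipaddress

# Constructed model of WAN rule evaluation, first-match ("quick") like pf.
# Nothing here is OPNsense's own generated rule set; it only mirrors the
# ordering described in the question: auto rules first, then user rules.
RFC1918_AND_LOOPBACK = [ipaddress.ip_network(n) for n in
                        ("10.0.0.0/8", "172.16.0.0/12",
                         "192.168.0.0/16", "127.0.0.0/8")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")
FTP_PORT = 21  # control channel only


def auto_block_private():
    """The non-reorderable 'Block private networks' rule. Assumption: with the
    option enabled it also matches 100.64.0.0/10, as the poster observed."""
    return ("block", RFC1918_AND_LOOPBACK + [CGNAT], None)


def rules(block_private_option):
    # With the option off, the poster's replacement is a user-managed block
    # rule for RFC1918 + loopback (CGNAT deliberately left out) placed above
    # the pass rule for the FTP server. Default policy is deny.
    pass_ftp = ("pass", None, FTP_PORT)  # any source -> FTP control port
    if block_private_option:
        return [auto_block_private(), pass_ftp]
    return [("block", RFC1918_AND_LOOPBACK, None), pass_ftp]


def evaluate(src, dport, block_private_option):
    """Return 'pass' or 'block' for a packet from src to dport."""
    ip = ipaddress.ip_address(src)
    for action, nets, port in rules(block_private_option):
        if nets is not None and not any(ip in n for n in nets):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "block"  # implicit default deny


def cgnat_overlaps_rfc1918():
    """100.64.0.0/10 is a separate allocation (RFC 6598), not part of RFC1918."""
    return any(CGNAT.overlaps(n) for n in RFC1918_AND_LOOPBACK)
```

The model covers only port 21; passive-mode FTP data connections would need their own pass rule or the FTP proxy handling them.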