General Discussion / How to add a blackhole route in OPNsense according to RFC6890?
« on: May 25, 2023, 11:41:20 am »
The router system I previously used was RouterOS, but recently I have been trying to replace my router system with OPNsense.
Previously, during the configuration of RouterOS, I referred to the article titled "Edge Router & BNG Optimisation Guide for ISPs"
https://www.daryllswer.com/edge-router-bng-optimisation-guide-for-isps/
The section "Routing loops with RFC6890 space" in the article explained why it is necessary to configure blackhole routes in RouterOS and provided specific configuration methods.
The author of the article describes the reasons as follows:
I have observed that in most of the networks, including my own personal home lab (AS149794), I find a lot of traffic where source IP = my end hosts or CPE WAN IP (either it is CGNAT IP or public IP), but destination IP = unused RFC6890 blocks. This is why I (and MikroTik themselves) created a forward rule to drop RFC6890 from escaping to WAN.
The code reference for configuring blackhole routes in RouterOS is as follows:
Code:
#RouterOS v7#
#Copy and paste these on both Edge and BNG routers#
/ip route
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=0.0.0.0/8
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=172.16.0.0/12
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=192.168.0.0/16
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=10.0.0.0/8
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=169.254.0.0/16
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=127.0.0.0/8
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=224.0.0.0/4
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=198.18.0.0/15
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=192.0.0.0/24
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=192.0.2.0/24
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=198.51.100.0/24
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=203.0.113.0/24
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=100.64.0.0/10
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=240.0.0.0/4
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=192.88.99.0/24
add blackhole comment="Blackhole route for RFC6890 (limited broadcast)" disabled=no dst-address=255.255.255.255/32
#RouterOS v7#
#Copy and paste these on both Edge and BNG routers#
/ipv6 route
add blackhole comment="Blackhole route for RFC6890" disabled=no dst-address=::1/128
add blackhole comment="Blackhole route for RFC6890" disabled=no dst-address=::/128
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=64:ff9b::/96
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=::ffff:0:0/96
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=100::/64
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=2001::/23
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=2001::/32
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=2001:2::/48
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=2001:db8::/32
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=2001:10::/28
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=2002::/16
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=fc00::/7
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=fe80::/10
Now I want to configure blackhole routes for both IPv4 and IPv6 in the OPNsense system, aiming to achieve the same effect.
I use PPPoE, and I am aware that the OPNsense system provides a default set of interception rules for Bogons networks. I have also enabled the "Block private networks" and "Block Bogon networks" features on the WAN interface.
However, upon carefully inspecting the firewall logs, I discovered that packets belonging to RFC6890 are still being forwarded to the WAN side.
I attempted to add RFC6890 to the firewall aliases and added corresponding drop rules, but it resulted in adverse effects such as abnormal network interruptions. This could be due to my incorrect configuration of firewall parameters (I'm still a novice).
Could you please advise on how to add this set of blackhole routes in OPNsense?
It would be greatly appreciated if you could provide firewall configuration examples or specific instructions.
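To check for the symptom described in the post (flows to RFC 6890 space still passed outbound on WAN), here is an added Python example, not part of the original post or of the linked article, that classifies destination addresses against the prefixes in the RouterOS list quoted above. The log format and the sample log lines are constructed for the example, not real OPNsense or pf output.

```python
import ipaddress
import re

# RFC 6890 special-purpose prefixes, taken from the RouterOS blackhole
# route list quoted in the post (IPv4 and IPv6 combined).
RFC6890_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.88.99.0/24", "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4", "255.255.255.255/32",
    "::1/128", "::/128", "64:ff9b::/96", "::ffff:0:0/96", "100::/64",
    "2001::/23", "2001::/32", "2001:2::/48", "2001:db8::/32", "2001:10::/28",
    "2002::/16", "fc00::/7", "fe80::/10",
)]

# Constructed sample lines in a simplified "direction interface action src -> dst"
# form (not real OPNsense log output); only WAN-bound destinations matter here.
SAMPLE_LOG = """\
out wan pass 100.64.5.7 -> 192.168.1.1
out wan pass 100.64.5.7 -> 93.184.216.34
out wan pass 2001:db8:1::10 -> 2001:db8:ffff::1
out wan pass 100.64.5.7 -> 169.254.169.254
in wan block 192.168.0.9 -> 100.64.5.7
out wan pass 2001:db8:1::10 -> 2606:4700::6810:85e5
"""

LINE_RE = re.compile(r"^(?P<dir>in|out)\s+(?P<if>\S+)\s+(?P<act>pass|block)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$")

def special_purpose_prefix(addr):
    """Return the most specific RFC 6890 prefix containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    matches = [n for n in RFC6890_PREFIXES if ip in n]  # version mismatch is never a match
    return max(matches, key=lambda n: n.prefixlen) if matches else None

def leaked_to_wan(log_text, wan_if="wan"):
    """List (dst, prefix) for flows passed outbound on wan_if whose destination
    lies in RFC 6890 space: traffic a blackhole route or drop rule should stop."""
    leaks = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dir"] != "out" or m["if"] != wan_if or m["act"] != "pass":
            continue
        prefix = special_purpose_prefix(m["dst"])
        if prefix is not None:
            leaks.append((m["dst"], str(prefix)))
    return leaks

if __name__ == "__main__":
    for dst, prefix in leaked_to_wan(SAMPLE_LOG):
        print(f"{dst} left via WAN but belongs to {prefix}")
```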