How to add a blackhole route in OPNsense according to RFC6890 ?

[Gognic]

The router system I previously used was RouterOS, but recently I have been trying to replace my router system with OPNsense.

Previously, during the configuration of RouterOS, I referred to the article titled "Edge Router & BNG Optimisation Guide for ISPs"

https://www.daryllswer.com/edge-router-bng-optimisation-guide-for-isps/

The section "Routing loops with RFC6890 space" in the article explained why it is necessary to configure blackhole routes in RouterOS and provided specific configuration methods.

The author of the article describes the reasons as follows:

I have observed that in most of the networks, including my own personal home lab (AS149794), I find a lot of traffic where source IP = my end hosts or CPE WAN IP (either it is CGNAT IP or public IP), but destination IP = unused RFC6890 blocks. This is why I (and MikroTik themselves) created a forward rule to drop RFC6890 from escaping to WAN.

The code reference for configuring blackhole routes in RouterOS is as follows:

Code: [Select]


#RouterOS v7#
#Copy and paste these on both Edge and BNG routers#
/ip route
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=0.0.0.0/8
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=172.16.0.0/12
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=192.168.0.0/16
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=10.0.0.0/8
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=169.254.0.0/16
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=127.0.0.0/8
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=224.0.0.0/4
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=198.18.0.0/15
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=192.0.0.0/24
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=192.0.2.0/24
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=198.51.100.0/24
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=203.0.113.0/24
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=100.64.0.0/10
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=240.0.0.0/4
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=192.88.99.0/24
add blackhole comment="Blackhole route for RFC6890 (limited broadcast)" disabled=no dst-address=255.255.255.255/32


#RouterOS v7#
#Copy and paste these on both Edge and BNG routers#
/ipv6 route
add blackhole comment="Blackhole route for RFC6890" disabled=no dst-address=::1/128
add blackhole comment="Blackhole route for RFC6890" disabled=no dst-address=::/128
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=64:ff9b::/96
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=::ffff:0:0/96
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=100::/64
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=2001::/23
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=2001::/32
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=2001:2::/48
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=2001:db8::/32
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=2001:10::/28
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=2002::/16
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=fc00::/7
add blackhole comment="Blackhole route for RFC6890 (aggregated)" disabled=no dst-address=fe80::/10


Now I want to configure blackhole routes for both IPv4 and IPv6 in the OPNsense system, aiming to achieve the same effect.

I use PPPoE, and I am aware that the OPNsense system provides a default set of interception rules for Bogons networks. I have also enabled the "Block private networks" and "Block Bogon networks" features on the WAN interface.

However, upon carefully inspecting the firewall logs, I discovered that packets belonging to RFC6890 are still being forwarded to the WAN side.

I attempted to add RFC6890 to the firewall aliases and added corresponding drop rules, but it resulted in adverse effects such as abnormal network interruptions. This could be due to my incorrect configuration of firewall parameters (I'm still a novice).

Could you please advise on how to add this set of blackhole routes in OPNsense?

It would be greatly appreciated if you could provide firewall configuration examples or specific instructions.

 

[bimbar]

You can blackhole route on opnsense as well - nexthop would be the Null device.

[Gognic]

You can blackhole route on opnsense as well - nexthop would be the Null device.

Thank you，I'll try for that 

[RamSense]

Hi Gognic,

Did it work? If so, can you share your firewall rule(s) so i can learn from your example?

[Gognic]

I've added the following to the static route, and so far, it seems to be working fine

some address of loopback I've disabled 

[RamSense]

Ah!
They are static routes instead of firewall rules :-), never used them before. I will play around with them also to see how this works. thanks.

P.S. is there any downside of using this / black-holing?
P.S.S. if you disable the loopback addresses, why have you configured them?

[muchacha_grande]

Hi Gognic,
can yo share the steps to configure this?

Thank you and cheers

[lilsense]

Simple, really...
system > Routes > Configuration

click plus and add the addresses from https://www.rfc-editor.org/rfc/rfc6890.html

[muchacha_grande]

Ok. Thank you @lilsense. I have just seen the other half of the screenshot above. The gateway has to be null.

[lilsense]

Haha... yeah as the original post stated that the blackhole refers to /dev/nul on *nix systems and others.

[muchacha_grande]

Just for the record.
I've tested one blackhole-route. The one with fe80::/10 and it appears to solve an ancient problem I had with IPv6 link-local packets coming from android phones that don't have an assigned IPv6.
The OPNSense console was spammed with messages telling "Can't route fe80:7:..... to 2001:xx:....".
Now, with the blackhole route in place, there are no more messages.
I'll test this some more time, but up to now, it seems to be solved.
Thank you @Gognic for the heads up on this subject.

[Gognic]

Ah!
They are static routes instead of firewall rules :-), never used them before. I will play around with them also to see how this works. thanks.

P.S. is there any downside of using this / black-holing?
P.S.S. if you disable the loopback addresses, why have you configured them?

The problem with the loopback address is this, I have tried to enable those rules, but OPNsense seems to ignore them, especially the two rules of IPv6 ::1/128 and ::/128 .

If these rules are also working in your environment,  feedback is welcome, I will modify my configuration screenshot.   

[Patrick M. Hausen]

The advantage of static routes over firewall rules is that more specifics will always overrule them.

So you blackhole route e.g. 192.168.0.0/16, yet every locally connected or statically routed /24 out of that range will still be reachable. But every packet for a net not in your local and static /24s will be blackholed.

HTH,
Patrick