New/Updated Bogons list breaks all sorts of stuff

Started by mattsteg, July 02, 2025, 07:50:04 PM

As best as I can tell this must have recently changed as all sorts of stuff started acting strangely and I see a bunch of other people reporting similar odd issues.

The bogons alias includes, in addition to bogons, !10.0.0.0/8, !172.16.0.0/12, !192.16.0.0/16, etc. This is fine if you're using it alone in a rule to block as intended, but if you've e.g. added it into an additional alias with private networks and are blocking on that... suddenly things can go haywire. E.g. a rule that *was* blocking "bogons and private IPs" would now potentially be blocking "bogons and NONPRIVATE IPs", which is... unexpected.
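An added example, not code from OPNsense or pf: a small Python lint that flattens a composite alias (nested alias names resolved) and reports every negated `!` entry that overlaps a positive entry, which is the situation described above when the bogons alias is merged with a private-networks alias. The alias contents are constructed and abbreviated, and the exact precedence pf gives such conflicting table entries is not modelled; the point is to flag the ambiguity before the rule is deployed.

```python
import ipaddress

# Constructed sample aliases (abbreviated): the bogons list carries negated
# RFC 1918 entries, the private alias carries the same ranges un-negated.
ALIASES = {
    "bogons": ["0.0.0.0/8", "127.0.0.0/8", "100.64.0.0/10",
               "!10.0.0.0/8", "!172.16.0.0/12", "!192.168.0.0/16"],
    "private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    # composite alias built from the two above, as described in the post
    "block_unwanted": ["bogons", "private"],
}


def flatten(name, aliases=ALIASES, _seen=None):
    """Return (negated, network) tuples for an alias, resolving nested aliases."""
    _seen = set() if _seen is None else _seen
    if name in _seen:                     # guard against alias cycles
        return []
    _seen.add(name)
    members = []
    for entry in aliases[name]:
        negated = entry.startswith("!")
        body = entry[1:] if negated else entry
        if body in aliases:               # nested alias name
            if negated:                   # negating a whole alias is not modelled
                raise ValueError("negated nested alias not supported: %s" % entry)
            members += flatten(body, aliases, _seen)
        else:
            members.append((negated, ipaddress.ip_network(body, strict=False)))
    return members


def conflicts(name, aliases=ALIASES):
    """Sorted (negated_net, positive_net) pairs whose prefixes overlap."""
    members = flatten(name, aliases)
    negated = [net for neg, net in members if neg]
    positive = [net for neg, net in members if not neg]
    found = [(str(n), str(p)) for n in negated for p in positive if n.overlaps(p)]
    return sorted(found)


if __name__ == "__main__":
    for neg_net, pos_net in conflicts("block_unwanted"):
        print("ambiguous: !%s in the same table as %s" % (neg_net, pos_net))
```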

Quote from: mattsteg on July 02, 2025, 07:50:04 PM: [...] This is fine [...]

I'll disagree with you there. But thanks for the note - I'd done exactly as you said: created composite aliases with private and bogon networks. The composite (I have one for v4 and one for v6, but bogonsv6 is, as always, broken) preferred the negated addresses. I've split up the policies to handle the goofiness; now I just have to remember why.

Automatic configuration is like autocorrect: Don't try to be too helpful.

I think I may be having a similar problem but don't know enough to fix it. I updated to 25.1.10 and my internet connection broke immediately. I had to downgrade to an older version and restore config. Stupid me forgot to create a snapshot first.

Can someone provide the real rub-in here vs. skipping to the change that is technically correct?

At least one person was using multiple aliases in the same rule, which is a recent addition that does a different thing on invert, as documented: https://docs.opnsense.org/manual/firewall.html#basic-settings "You can only invert single sources"

We're either looking at a pf bug or a configuration issue IMO. But still, it only appears to affect a fraction of people, so it points to how aliases/rules are being used in conjunction, because I don't believe a flat table (which it still is) will have issues out of the box.

If you are using the bogons alias to write your own aliases or rules please let us know...


Cheers,
Franco