Topic: Block private networks  (Read 4172 times)
« on: January 09, 2010, 17:57:38 »
tsma *
Posts: 8

Hi-

I'm hoping one of you could take a moment to answer a question about the "Block private networks" setting.  I'm unclear conceptually as to why one would either choose to block or not block private network IP addresses on the WAN side.  Checking or unchecking this option doesn't seem to have any effect on my simple setup.  Where does this come into play?


Thank you in advance,


-bryan
« Reply #1 on: January 10, 2010, 09:43:32 »
thedix ***
Posts: 164

Checking the "Block private networks" checkbox will create WAN firewall rules blocking incoming packets from private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). This option does not affect the LAN interface.
If your WAN IP address doesn't belong to these networks, you generally should check this option to block unwanted traffic.
For more info read:
http://en.wikipedia.org/wiki/Private_network
« Reply #2 on: January 10, 2010, 14:52:36 »
tsma *
Posts: 8

Thanks for replying.  I had already read that entry on wikipedia as well as many other documents pertaining to private networks.

Unfortunately, none of this answers my question.

Is checking "Block private networks" a good idea simply because there is a remote possibility that another machine/device out there on the WAN would be using the exact same IP address as a device on my LAN?


-bryan
« Reply #3 on: January 10, 2010, 19:38:38 »
knightmb ****
Posts: 341

> Thanks for replying.  I had already read that entry on wikipedia as well as many other documents pertaining to private networks.
>
> Unfortunately, none of this answers my question.
>
> Is checking "Block private networks" a good idea simply because there is a remote possibility that another machine/device out there on the WAN would be using the exact same IP address as a device on my LAN?
>
> -bryan
Yes and no.

Some ISPs block this and others don't. Since the ISP usually won't give you a straight answer on that kind of question, it's just safer to block them. There should be no such thing as a device on 192.168.1.1 existing in the WAN cloud, but it is possible by merely setting your WAN as such.

It serves no purpose to set your device to 192.168.1.1 because it won't be able to route anywhere, but otherwise, the first dummy who plugs his Netgear router in backwards into the WAN might confuse the other devices that expect 192.168.1.X to exist on the LAN, but it's seeing it on the WAN for some reason.

Most ISPs should block this, but surprisingly a lot don't.

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #4 on: January 10, 2010, 20:54:01 »
tsma *
Posts: 8

Gotcha.  I get it now.  I appreciate your willingness to take a moment to answer the question for me.  I suspect it seems all-too-basic, but that little checkbox has been gnawing at me for a couple years now.



-bryan
« Reply #5 on: January 10, 2010, 21:17:29 »
brushedmoss ****
Posts: 446

Private IP address traffic may hit your WAN interface in cable modem networks, and it's legitimate to also receive traffic on your WAN sourced from private space from within your ISP's network, maybe NNTP, DNS or NTP servers that they do not want routable outside their network.

For example, all cable modems are supposed to have an IP of 192.168.100.1; if you had a cable modem PCI card inside your m0n0wall you wouldn't want to tick this box, as it wouldn't be able to TFTP down its config.
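Putting thedix's description of the rules and brushedmoss's cable-modem caveat together, here is an added example, not m0n0wall's own code and not from any poster in the thread, that models what the option does to inbound packets: only the WAN interface is inspected, the three RFC 1918 ranges are blocked, and a named exception (the modem's 192.168.100.1) is let through ahead of the block. The interface names, packet records and exception list are constructed for illustration, and the pf-style rule text is a hypothetical rendering of equivalent rules, not the text m0n0wall actually generates.

```python
"""Model of the m0n0wall "Block private networks" WAN option.

Added example, not m0n0wall code. Interface names, packets and the
exception list below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# The three RFC 1918 ranges the option blocks on the WAN side.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrived on (constructed names)
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in any of the three private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def wan_verdict(pkt: Packet, wan_if: str = "wan", block_private: bool = True,
                allow_src: tuple = ()) -> str:
    """Return 'block' or 'pass' for one inbound packet.

    Only packets arriving on the WAN interface are inspected; the LAN is
    never affected. allow_src lists private sources exempted before the
    block, e.g. a cable modem's 192.168.100.1 management address. A packet
    not matched here falls through to the rest of the ruleset, modelled
    as 'pass'.
    """
    if pkt.iface != wan_if or not block_private:
        return "pass"
    if ipaddress.ip_address(pkt.src) in {ipaddress.ip_address(a) for a in allow_src}:
        return "pass"
    if is_rfc1918(pkt.src):
        return "block"
    return "pass"


def pf_rules(wan_if: str = "wan", allow_src: tuple = ()) -> list:
    """Render equivalent pf-style rules (hypothetical rendering, not the
    exact text m0n0wall emits). Exceptions come first with 'quick' so they
    win over the block rules that follow."""
    rules = [f"pass in quick on {wan_if} from {a} to any" for a in allow_src]
    rules += [f"block in quick on {wan_if} from {n} to any" for n in RFC1918]
    return rules


def demo() -> list:
    """Run a few constructed packets through the option and return verdicts."""
    samples = [
        Packet("wan", "203.0.113.5", "198.51.100.2"),    # normal Internet source
        Packet("wan", "192.168.1.1", "198.51.100.2"),    # neighbour's router on the WAN segment
        Packet("wan", "192.168.100.1", "198.51.100.2"),  # cable modem management address
        Packet("lan", "192.168.1.50", "203.0.113.5"),    # LAN host, never inspected
    ]
    modem = ("192.168.100.1",)
    return [(p.iface, p.src, wan_verdict(p, allow_src=modem)) for p in samples]


if __name__ == "__main__":
    for line in pf_rules("wan", ("192.168.100.1",)):
        print(line)
    for iface, src, verdict in demo():
        print(f"{iface:4} {src:16} {verdict}")
```

With the exception list left empty, the modem packet is blocked, which is the behaviour brushedmoss warns about; adding 192.168.100.1 to the pass rule ahead of the block keeps the option on for everything else while the modem's management traffic still gets through.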
« Reply #6 on: January 11, 2010, 03:05:23 »
tsma *
Posts: 8

Aha!  Now there's a nice morsel to tuck away for future configurations.  Thank you!

-bryan
 
Pages: [1]
 
 
Powered by SMF 1.1.20 | SMF © 2013, Simple Machines