How to config BOGON FW rules not to block "valid" traffic from my ISP's router if my MikroT is behind it?

Noob question here on double NAT and BOGON FW filtering on “internal” router.

My network structure is as follows: I have ISP’s router (fiber) with DHCP srv; my router’s WAN is connected to one of ISP’s ETH ports. I know MAC address of the ISP’s port and have basic access to ISP’s router settings. My router’s WAN gets 192.168.0.2 address and ISP’s router is respectively 192.168.0.1.

On my router I have FW rules at the top to drop input/fwd traffic from BOGON addresses. As my router’s WAN gets IP from ISP’s one, of course it falls into RFC 1918 range of private addresses.

What’s the proper way to configure my router not to drop traffic that may be considered safe?
And is there a way to distinguish malicious traffic that came from ext. malicious host that by chance is using IP address that is identical to ISP’s known “192.168.0.1”?
Or am I overly cautious here and it’s OK to simply exclude “192.168.0.1”/MAC from BOGON input/fwd rules (by specifying them explicitly with “!”)?

Thanks, and I’m sorry if I’ve missed a similar topic - I’ve tried to search, but couldn’t find anything, maybe as terms double NAT, BOGON, etc. are kinda wide.

If you know for sure the BOGON address your ISP is going to present you, just put a FW rule ahead of the blocking one that jumps around the blocking one for traffic from that address. That lets you continue to decide what input and forwarding traffic you are going to accept from the ISP connection, because you won’t want to accept all of it.

If somebody external tries to fake the same address your ISP is using, his traffic is going to get lost anyway.
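
The rule ordering described in the reply above, written out as a RouterOS filter sketch. This is an added example, not part of any post in the thread; the WAN interface name `ether1`, the list name `bogons`, the chain name `wan-in` and the shortened three-entry bogon list are assumptions.

```routeros
# Assumed names (not from the thread): WAN port "ether1", address list "bogons",
# custom chain "wan-in". The list below is a constructed, shortened sample
# holding only the RFC 1918 ranges.
/ip firewall address-list
add list=bogons address=10.0.0.0/8
add list=bogons address=172.16.0.0/12
add list=bogons address=192.168.0.0/16

/ip firewall filter
# 1. Replies to connections this router opened itself.
add chain=input action=accept connection-state=established,related \
    comment="replies to router-originated traffic"

# 2. Traffic sourced from the ISP router goes to its own chain, so it never
#    reaches the bogon drop in rule 3 but is still filtered.
add chain=input action=jump jump-target=wan-in in-interface=ether1 \
    src-address=192.168.0.1 comment="ISP router: decide separately"

# 3. Everything else arriving on the WAN port with a bogon source is dropped.
add chain=input action=drop in-interface=ether1 src-address-list=bogons \
    comment="drop bogon sources on WAN"

# Single-rule alternative to 2 + 3, using "!" to exclude the ISP router:
# add chain=input action=drop in-interface=ether1 \
#     src-address=!192.168.0.1 src-address-list=bogons

# 4. What is accepted from the ISP router. The chain ends in a drop so that
#    unmatched packets do not return to the input chain and continue there.
add chain=wan-in action=accept protocol=icmp comment="ICMP from ISP router"
add chain=wan-in action=drop comment="nothing else from ISP router"
```

With the jump form, the counters on the `wan-in` rules show separately how much traffic actually arrives with the ISP router's address as source.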

I think it is equal to excluding 192.168.0.1 explicitly in the rule that blocks BOGON, right?
I thought it may still bring some “hole”, but if there is no way to distinguish “real” traffic from my ISP’s router from bogon’ed, then it’s OK. Thanks!

Filtering BOGON addresses normally is not going to bring you any additional security. Of course it can bring you problems.
When your network skills are not good enough to analyze and solve those problems, I would recommend not trying to set up such filters.

Yep, 0/0 counters in BOGON rules of FW so far tell it may be not as useful as blacklist/tor_nodes. At the same time, full BOGONs are biggest lists - v4 is 112K and v6 - 9M, so it takes resources…
Will keep them for some time though, so thanks for the heads up, I’ll know what to look at if I face strange behavior.