Having experimented a bit now with v7.1.1, I note that it’s seemingly no longer possible to create an “unreachable” route. On my old v6 configuration I had
a set of unreachable RFC1918 routes for 10/8, 172.16/12 and 192.168/16 to act as a last line of defence against certain flavours of stupidity, but the conversion to a v7 config
seems to have made these all into blackhole routes.
Was this feature explicitly dropped for some very good reason I don’t as yet understand or is it something yet to be ported into v7?
I guess that I could rejig things so that the RFC1918 routes route to a special loopback interface, and then add a forwarding firewall rule to ICMP unreachable anything hitting that interface.
Is that feasible, should I so desire to retain the last-ditch “unreachable” functionality?
It makes sense, but nice thing about unreachable routes was that it automatically handled exceptions, e.g. when 10.0.0.0/8 was unreachable, but there was another route to 10.20.0.0/16. Handling it with only firewall wouldn’t be pleasant. But pointing unreachable routes to empty bridge seems like ok solution.
Many thanks for the clarification and reference to the original reference in the beta release topic, mrz and sob.
Because of other WebFig issues with v7, I’ve rolled back to v6 for the present, but I’ve added a firewall solution which rejects RFC1918 trying to exit via the Internet handoff. Works OK so far.
I’ll try and refine that in due course by creating a “fake” bridge interface, some extra routes, and a firewall rule bound to that interface, which would be a more generic solution if I can get it to work.
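As an added illustration (not configuration posted by anyone in this thread) of the “empty bridge” approach described above: the three RFC1918 aggregates are routed to a bridge with no ports, a forward rule on that bridge answers with ICMP unreachable, and a more specific route to 10.20.0.0/16 still wins by longest-prefix match, which is the exception case the firewall-only approach handles poorly. The interface names `br-sink` and `ether1-wan`, the next hop `192.0.2.1` and the address-list name are assumptions chosen for the example; RouterOS v7 syntax is assumed throughout.

```routeros
# --- Constructed example: RouterOS v7 "unreachable" emulation via an empty bridge ---

# A bridge with no ports stays up, so routes pointing at it stay active.
# (Assumed name: br-sink)
/interface bridge add name=br-sink comment="sink for RFC1918 aggregates (no ports)"

# Aggregate RFC1918 routes pointed at the sink instead of blackhole=yes.
# A blackhole drops silently; traffic to the sink interface can be rejected
# with ICMP in the firewall, which is the behaviour v6 type=unreachable gave.
/ip route add dst-address=10.0.0.0/8     gateway=br-sink comment="RFC1918 sink"
/ip route add dst-address=172.16.0.0/12  gateway=br-sink comment="RFC1918 sink"
/ip route add dst-address=192.168.0.0/16 gateway=br-sink comment="RFC1918 sink"

# Exception: a real route for a sub-prefix. Longest-prefix match means
# 10.20.0.0/16 is forwarded normally while the rest of 10/8 hits the sink.
# (Assumed next hop: 192.0.2.1)
/ip route add dst-address=10.20.0.0/16 gateway=192.0.2.1 comment="real site route"

# Reject (rather than drop) anything whose route resolved to the sink, so the
# sender gets ICMP network unreachable just as with a v6 unreachable route.
/ip firewall filter add chain=forward out-interface=br-sink \
    action=reject reject-with=icmp-network-unreachable \
    comment="RFC1918 last line of defence"

# Belt-and-braces version of the firewall-only rule mentioned in the thread:
# refuse RFC1918 destinations leaving via the Internet handoff regardless of
# what the routing table says. (Assumed WAN interface: ether1-wan)
/ip firewall address-list add list=rfc1918 address=10.0.0.0/8
/ip firewall address-list add list=rfc1918 address=172.16.0.0/12
/ip firewall address-list add list=rfc1918 address=192.168.0.0/16
/ip firewall filter add chain=forward out-interface=ether1-wan \
    dst-address-list=rfc1918 action=reject reject-with=icmp-network-unreachable \
    comment="never send RFC1918 toward the Internet"

# Checks: the exception should resolve to the real gateway, the rest to br-sink.
/ip route print detail where dst-address=10.20.0.0/16
/ip route print detail where gateway=br-sink
```

With this in place, a ping to an unrouted 10.x address returns “network unreachable” from the router rather than timing out, while hosts in 10.20.0.0/16 are reached normally; if the sink routes ever show as inactive, confirm the empty bridge reports as running, since the routes depend on it.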