Closed switchback028 closed 1 year ago
The file you describe is the legacy location no longer updated. The current lists are included in the respective major version sets repository. This is the second time this is falsely reported…
Apologies if this is in the incorrect spot.
So from what I understand from what you said, the BOGONs list will not be updated until the next major version?
No, I would start by using your firewall to open alias diagnostics to inspect for the value you seek first…
2602:2ba::/31 is listed in bogonsv6, even after clicking "update bogons". That encompasses 2602:2ba::/40 which has been allocated by ARIN to my ASN as of last month (March 30th). How often do these Bogon lists get updated? I can delete it on my end which I guess is a workaround but I'm curious what the OPNsense process is for these bogon updates.
Internally once a week. 30th of March is relatively new. Maybe the upstream provider of the list hasn’t picked it up yet.
I've updated the bogons to their latest version. Our source still is: https://team-cymru.org/Services/Bogons/fullbogons-ipv6.txt and I can't find 2602:2ba::/31 in this one anymore.
Cheers, Franco
I'm commenting on this, because I think what OP meant is that the bogonsv6 that currently ships with OPNsense contains ranges that are in actual use today. I was affected by this too, since my ISP has 2a10:3780::/29 and the stock bogonsv6 contains 2a10::/12:
route6: 2a10:3780::/29
origin: AS206238
mnt-by: mnt-nl-freedom-1
created: 2020-03-27T10:37:49Z
last-modified: 2020-03-27T10:37:49Z
source: RIPE

This causes issues until the bogon lists are updated manually or the monthly update is triggered on new installations. According to GitHub, the file was last updated 8 years ago...
OMG this file wasn’t used by a release in the last 8 years too. I’m not sure how I could make this any clearer…
You know what. I’ll just close this. Hijacking and implicating is difficult. You mean the file we have for bootstrapping. I don’t see a problem as it’s going to be replaced.
IPv6 Bogons list does not appear to have been recently updated. Notably my recently allocated ARIN Subnet 2602:2ba::/40 is listed in the OPNsense bogons list (https://pkg.opnsense.org/bogons/fullbogons-ipv6.txt). It is part of the 2602:2a0::/27 aggregate subnet.
To Reproduce
After giving an OPNsense system an IP inside the 2602:2ba::/40 subnet and trying to ping from another host within that subnet the traffic is blocked due to its status in the BOGON list.
Expected behavior
Can ping between systems within the address space listed above.
Describe alternatives you considered
Disabling the bogon rule was considered but that would have to be more manual intervention on my end. It would also affect any clients accessing services hosted on that subnet due to the existence of the address on the BOGON list.
Environment
Software version used and hardware type if relevant, e.g.:
OPNsense 23.1.6 (amd64, OpenSSL). Virtualized on VMware, 4vCPU 4GB RAM
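
The check discussed in this thread (is an allocated prefix still covered by a bogon entry?) can be run offline against a saved copy of the list. This is an added example, not part of the original thread and not OPNsense code; the function names are hypothetical, the sample list is constructed from the prefixes quoted above, and it assumes the list is one CIDR per line with `#` comment lines.

```python
import ipaddress

# Constructed sample in the assumed fullbogons text layout; not the real list.
SAMPLE_BOGONS_V6 = """\
# constructed sample for illustration
2602:2ba::/31
2a10::/12
fc00::/7
not-a-prefix
"""

def parse_bogons(text):
    """Return the networks in a bogon list, skipping comments and bad lines."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # tolerate a malformed entry rather than abort the audit
    return nets

def overlapping_bogons(prefix, bogons):
    """List bogon entries that cover `prefix` or fall inside it.

    "covers": the whole prefix is treated as bogon (the case in this thread).
    "inside": only part of the prefix is treated as bogon.
    """
    target = ipaddress.ip_network(prefix, strict=False)
    hits = []
    for net in bogons:
        if net.version != target.version:
            continue
        if target.subnet_of(net):
            hits.append((str(net), "covers"))
        elif net.subnet_of(target):
            hits.append((str(net), "inside"))
    return hits

if __name__ == "__main__":
    bogons = parse_bogons(SAMPLE_BOGONS_V6)
    for allocated in ("2602:2ba::/40", "2a10:3780::/29", "2001:db8::/32"):
        print(allocated, overlapping_bogons(allocated, bogons))
```

Run it against both the bootstrap file and the list the firewall currently has loaded to see which copy still contains a stale covering entry.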