What do ISP "Middle Men" do?

EnthusiastXYZ

Weaksauce
Joined
Jun 26, 2020
Messages
71
My ISP-provided Cable Gateway (modem+router device) is in Bridged mode to prevent Double-NAT, and my personal router gets a Public IP, a Subnet Mask, and a Gateway IP directly from the ISP via the ISP's DHCP Server. TraceRT shows that between my router's Private LAN IP (192.X.X.X) and any destination, there are 3 other Private IP addresses (1 in the 10.X.X.X range and 2 in the 172.16.X.X-172.31.X.X range). All destinations are routed through those 3 Private IP addresses. I use the Static Routing feature on my router to block those addresses. There is no other way to block specific IPs on my router. Blocking those 3 Private IPs does not affect being able to reach any website, and TraceRT shows that those 3 Private IP addresses cannot be reached when I use Static Routing to block them.

My guess is that those 3 Private IPs are from my ISP, but what purpose do those Private IP addresses serve? Is there any reason not to block them?
 

plugwash

[H]ard|Gawd
Joined
Sep 17, 2010
Messages
1,546
The provider is just using private addresses to address their access network infrastructure, presumably in an attempt to reduce their consumption of public addresses. This is quite common with cable providers.

Blocking them will mean you no longer receive ICMP errors from those routers, but unless there is an MTU bottleneck (in which case ICMP errors are important for path MTU discovery), it's unlikely to cause any real problems.
 

plugwash

[H]ard|Gawd
Joined
Sep 17, 2010
Messages
1,546
Private IPs on ISP routers do not imply CGNAT; it's perfectly possible for a client to have a public IP, but the routers in between to have private ones.

The IPs on a plain router (not a NAT) aren't really used for much other than deciding what the next hop should be. The only IPs in the actual packet are the source and destination IPs.
 

scrappymouse

Limp Gawd
Joined
Mar 18, 2016
Messages
180
Most likely those are management IPs for the device, but the fact you say they are routed through those, and then you say it doesn't affect it when you block them, doesn't make sense, especially if it is the first hop to your ISP gear. FYI, static routing isn't blocking anything; it is just bypassing things, but not blocking. My guess is that the reason it still works is because you're in bridged mode so it 'just works', but it's common for ISPs to have two IP addresses to Customer Equipment (CE) gear: one provided for the customer's internet, and the other to manage a device (add firmware updates etc.). Now, they can usually also manage through the public IP they give you as well, but it's more common (and correct IMHO) to manage through a separate management network.
 

plugwash

[H]ard|Gawd
Joined
Sep 17, 2010
Messages
1,546
> Most likely those are management IPs for the device, but the fact you say they are routed through those, and then you say it doesn't affect it when you block them, doesn't make sense

It makes perfect sense.

A regular router (not a NAT) does not put its own IP (or one of its own IPs, most routers will have more than one) into the data packets it forwards. So blocking its IP will not affect regular data traffic. Even a NAT only puts its own IP into packets on the internet side, not into packets on the LAN side.

Blocking traffic from a router in the path will affect ICMP errors*. That means you won't see it in traceroute and may cause problems if the router is at an MTU constriction, but otherwise it is unlikely to cause any noticeable problems.

Regarding static routing, it can be used to blackhole traffic TO an IP address, but unless reverse path filtering is in use it won't block traffic FROM an IP address.
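
The behaviour described in the post above, as an added example that is not part of the original thread: a small Python model of a routed path in which the only packets sourced from a router's own IP are its ICMP errors. The hop addresses, the destination address and the `blocked` set (standing in for an inbound drop of packets from those sources) are constructed assumptions.

```python
# Constructed model: each hop is (router_ip, mtu_of_outgoing_link).
# Addresses are made-up samples in the ranges the thread mentions.
PATH = [("10.0.0.1", 1500), ("172.16.0.1", 1500), ("172.20.0.1", 1500)]
DEST = "203.0.113.10"  # documentation address standing in for any website


def send(size, ttl, path=PATH, blocked=frozenset(), df=True):
    """Return what the client observes for one packet sent toward DEST.

    blocked: source IPs whose packets the client's router drops.
    """
    for router_ip, mtu in path:
        ttl -= 1
        if ttl == 0:
            error = ("time-exceeded", router_ip)
        elif size > mtu and df:
            error = ("frag-needed", router_ip, mtu)
        else:
            continue  # forwarded unchanged: router_ip never enters the packet
        # The ICMP error is the only packet sourced from the router's own IP.
        return ("timeout",) if router_ip in blocked else error
    # The reply carries DEST as its source, so blocking hop IPs cannot hit it.
    return ("timeout",) if DEST in blocked else ("reply", DEST)


def traceroute(blocked=frozenset(), path=PATH):
    """Probe with TTL 1..n+1, like tracert; '*' marks a hop that never answers."""
    hops = []
    for ttl in range(1, len(path) + 2):
        result = send(64, ttl, path, blocked)
        hops.append("*" if result == ("timeout",) else result[1])
    return hops


def pmtud(size, blocked=frozenset(), path=PATH):
    """Shrink the packet on each frag-needed error; None means a PMTUD black hole."""
    while True:
        result = send(size, 64, path, blocked)
        if result[0] == "reply":
            return size
        if result[0] == "timeout":
            return None  # error was dropped, sender never learns the smaller MTU
        size = result[2]
```

With all three hop addresses blocked, `traceroute` shows `*` for each hop while the destination still answers; `pmtud` only returns `None` when one of the blocked hops sits at an MTU constriction.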
 

EnthusiastXYZ

Weaksauce
Joined
Jun 26, 2020
Messages
71
Whenever I put my ISP-provided Gateway in Bridged mode, my personal router begins receiving Fraggle Attacks from ISP's Private 10.X.X.X address, the hop immediately after the Gateway hop, on Port 67. It is most likely a false positive that my router detects and manufacturer forums report similar issues. Whenever I use Static Routing and input that 10.X.X.X address, that Fraggle Attack report stops. I guess those Fraggle attacks can be improperly-detected ICMP errors, but personal router options are set to not allow pings from WAN. There is no MTU discrepancy anywhere.

If I use Static Routing to block my Gateway (set to NAT mode), will the NAT function and custom Port-blocking profile for that Gateway still have an effect?
 

SamirD

2[H]4U
Joined
Mar 22, 2015
Messages
4,000
Holy crap...smurf attack and now fraggle attack...who is naming this stuff and what channel were they watching every Sat morning? :eek:
 