LSI Addresses in the 1.0.0.0/8 subnet

Airwall products use the 1.0.0.0/8 subnet by default to route packets between protected devices. It then translates those addresses to the addresses and subnets you configure in Conductor.

These addresses are called Local Scope Identifiers (LSI), and they are cryptographically derived from the Host Identity Tag (HIT).

You can change it if you are sure of your settings. If you can't, here are some caveats:

  • These APs cannot use Cloudflare DNS, and they badly interfere with Airwall Agents and Servers.
  • You cannot connect to anything on the 1.0.0.0/8 subnet. This includes Cloudflare's 1.1.1.1 DNS service. On Airwall Agents and Servers, it stops routing traffic to that subnet, despite being a split-tunnel. On Airwall Gateways, it routes to the LSI gateway, rather than out of your Internet gateway (provided you have one configured).
  • There is also a tiny chance that that two Airwall Edge Services might end up colliding. If this happens (extremely rare!), factory reset your Airwall Gateway or delete your profile on your Airwall Agent or Server to generate a new HIT.

Cause

This subnet was initially unused, and is not one covered under RFC-1918. It wasn't in use on the Internet when we (and other companies) first started using it; however, it is now fully allocated in Asia and the Pacific - and the 1.1.1.0/24 subnet has been famously purchased by CloudFlare for the 1.1.1.1 DNS service.

Related information

LSI conflict error on the Conductor

You cannot use any part of the 1.0.0.0/8 subnet privately. If your underlay subnet overlaps the 1/8 subnet, tunnels do not form between Airwall Edge Services. This issue includes over the Internet, so users who have real 1.0.0.0/8 WAN addresses would be unable to use Airwall Edge Services via these networks.