I wondered what those blocked entries in my firewall log are (see attachment):
WAN in TCP from 2603:10b0:b14:89d8:0:1:4b:73f3 port 443 to 2100::xxxxxx port yyyy tcpflags PA
All come from IPs within 2603:10b0::/32 (owned by Microsoft, apparently MS Azure), source port 443, and they have the PSH and ACK flags set (which makes it hard to even create a rule to let those packets pass, because you have to use advanced options).
I would not bother about this, if it were not for the fact that the destination IPs are only Windows PCs in my network - and those are correct SLAAC temporary addresses only (not a random scan) which would be hard to guess.
Digging a little into the matter, I found that the sender IPs apparently do not react to anything and I can see no outgoing packets to those IP addresses originating from my PC (on any port). The incoming TCP payload is gibberish...
I wonder how my temporary IPv6 addresses leak to whatever machines send these packets - is this a residue of a legitimate Microsoft service (like Windows Update) or an indication of some malware that is already on my Windows machines, phoning home to some Azure-based command-and-control servers, but not getting answered because my firewall blocks it?
Does somebody know what this is?
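A way to look at such log entries systematically, as an added example that is not part of the original post: the script below parses lines in the shape of the entry quoted above, tests the source against the 2603:10b0::/32 prefix named in the post, and sorts each packet by what its TCP flags say, i.e. whether the sender is opening a connection (SYN present, which is what a scan looks like) or sending a segment of a connection it considers already established (ACK without SYN, as in the PA entries). It also checks whether a targeted address carries a MAC-derived EUI-64 interface identifier, which a SLAAC temporary address never does. The sample lines are constructed; the hosts use the 2001:db8::/32 documentation prefix instead of the redacted 2100::xxxxxx addresses, and the source addresses are invented within the prefixes discussed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the shape of the poster's log entry (not real data).
SAMPLE_LOG = """\
WAN in TCP from 2603:10b0:b14:89d8:0:1:4b:73f3 port 443 to 2001:db8:1:2:5c7e:90ab:cdef:1234 port 54321 tcpflags PA
WAN in TCP from 2603:10b0:b14:89d8:0:1:4b:73f3 port 443 to 2001:db8:1:2:5c7e:90ab:cdef:1234 port 54321 tcpflags PA
WAN in TCP from 2603:10b0:c2a:1f00:0:3:9:2e1 port 443 to 2001:db8:1:2:5c7e:90ab:cdef:1234 port 54322 tcpflags A
WAN in TCP from 2603:10b0:c2a:1f00:0:3:9:2e1 port 443 to 2001:db8:1:2:1d2e:3f40:5161:7283 port 49876 tcpflags PA
WAN in TCP from 2001:db8:ffff::1 port 41234 to 2001:db8:1:2:5c7e:90ab:cdef:1234 port 22 tcpflags S
WAN in TCP from 2001:db8:ffff::2 port 52001 to 2001:db8:1:2:0211:22ff:fe33:4455 port 445 tcpflags S
"""

# Assumed line shape: "<iface> <dir> <proto> from <src> port <n> to <dst> port <n> [tcpflags <flags>]"
LINE_RE = re.compile(
    r"^(?P<iface>\S+) (?P<dir>in|out) (?P<proto>TCP|UDP) "
    r"from (?P<src>\S+) port (?P<sport>\d+) to (?P<dst>\S+) port (?P<dport>\d+)"
    r"(?: tcpflags (?P<flags>\S+))?$"
)

# Prefix named in the post (registered to Microsoft).
WATCH_PREFIX = ipaddress.ip_network("2603:10b0::/32")


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the assumed shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["src"] = ipaddress.ip_address(entry["src"])
    entry["dst"] = ipaddress.ip_address(entry["dst"])
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    entry["flags"] = entry["flags"] or ""
    return entry


def classify(entry):
    """Label a TCP entry by what its flags say about the sender's view of the connection."""
    flags = set(entry["flags"])
    if "S" in flags:
        return "connection-attempt"  # SYN: the sender is opening a new connection (a scan looks like this)
    if "A" in flags:
        return "mid-stream"          # ACK without SYN: the sender believes this connection already exists
    return "other"


def has_eui64_iid(addr):
    """True if the interface identifier is in modified EUI-64 form (ff:fe in the middle of the low 64 bits).

    Random IIDs, which SLAAC temporary addresses (RFC 4941) and stable privacy
    addresses (RFC 7217) both use, do not show this pattern, so False only tells
    you the address is not derived from a MAC address.
    """
    packed = ipaddress.IPv6Address(addr).packed
    return packed[11] == 0xFF and packed[12] == 0xFE


def summarize(log_text):
    """Count TCP entries per (source inside watched prefix?, class) and collect the targeted hosts."""
    counts = Counter()
    targets = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["proto"] != "TCP":
            continue
        key = (entry["src"] in WATCH_PREFIX, classify(entry))
        counts[key] += 1
        targets.setdefault(key, set()).add(str(entry["dst"]))
    return counts, targets


if __name__ == "__main__":
    counts, targets = summarize(SAMPLE_LOG)
    for key in sorted(counts):
        in_prefix, label = key
        where = "inside" if in_prefix else "outside"
        print(f"{where} {WATCH_PREFIX} {label:>18}: {counts[key]} packet(s)")
        for host in sorted(targets[key]):
            kind = "EUI-64 IID" if has_eui64_iid(host) else "random IID"
            print(f"    -> {host} ({kind})")
```

Run it against the real log export by replacing SAMPLE_LOG with the file contents; the interesting case is the one the post describes, entries from inside the prefix that are all mid-stream with no connection attempts at all.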
Maybe something interesting will be in the client's DNS cache after loading?
You can also try to sniff outgoing traffic at the time the client is loaded - maybe something will be seen in the SNI header?
I sniffed the traffic and there was no outgoing connection to those IPs. I then tried to disable the network interface of the affected PCs and afterward re-enabled them. This has the effect of changing the temporary IPv6. Afterwards, the new IPv6 got contacted.
Then, I disabled the Windows Update service (net wuauservice stop) and repeated the same routine - afterwards, not a single contact in 5 minutes. So I assume that this is an artifact of the Background Intelligent Transfer Service (BITS). For now, I am content that OPNsense blocks such traffic, because I have found no way of completely disabling my PCs (and bandwidth) being used to help Microsoft deliver their updates to other customers.