German - Deutsch / Re: IPv6 - very strange firewall problem - only some machines can get out
« on: August 05, 2023, 09:59:54 pm »
Part 3
And now a machine where it does not work:
This is a Raspberry Pi running Raspbian (Debian 10)
root@pbx:~# ifconfig
eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
inet 192.168.80.12 netmask 255.255.255.0 broadcast 192.168.80.255
inet6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc prefixlen 64 scopeid 0x0<global>
inet6 2001:db8:7727:38f5:1b7c:c265:3822:8740 prefixlen 64 scopeid 0x0<global>
inet6 2001:db8:7727:38f5:fe75:58fe:b591:b7c1 prefixlen 64 scopeid 0x0<global>
inet6 fe80::253f:d661:3f12:9723 prefixlen 64 scopeid 0x20<link>
inet6 2001:db8:7727:38f5:7d8d:9f4:5a7:3f69 prefixlen 64 scopeid 0x0<global>
ether dc:a6:32:2d:5d:17 txqueuelen 1000 (Ethernet)
RX packets 6999888 bytes 1642979660 (1.5 GiB)
RX errors 0 dropped 1 overruns 0 frame 0
TX packets 8277352 bytes 1726115340 (1.6 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 4971580 bytes 7368566971 (6.8 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4971580 bytes 7368566971 (6.8 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
root@pbx:~# ip -6 r
::1 dev lo proto kernel metric 256 pref medium
2001:db8:7727:38f5::/64 dev eth0 proto ra metric 202 mtu 1500 pref medium
2001:db8:7727:38f5::/64 dev eth0 proto kernel metric 256 expires 86027sec pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::2a8:2cff:fe68:e3e9 dev eth0 proto ra metric 202 mtu 1500 pref medium
default via fe80::2a8:2cff:fe68:e3e9 dev eth0 proto ra metric 1024 expires 1427sec hoplimit 64 pref medium
root@pbx:~#
root@incrediblepbx:~# ping www.cisco.com
PING www.cisco.com(g2a02-26f0-b200-03a1-0000-0000-0000-0b33.deploy.static.akamaitechnologies.com (2a02:26f0:b200:3a1::b33)) 56 data bytes
(and nothing more)
root@pbx:~# traceroute 2a02:26f0:e200:5b3::b33
traceroute to 2a02:26f0:e200:5b3::b33 (2a02:26f0:e200:5b3::b33), 30 hops max, 80 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
…...
On the outgoing interface you can still see the packets, only nothing comes back:
root@incrediblepbx:~# tcpdump -i eth0 -n | grep 2a02:26f0:e200:5b3::b33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
20:49:32.760274 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 141, length 64
20:49:33.800286 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 142, length 64
20:49:34.840261 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 143, length 64
20:49:35.880293 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 144, length 64
20:49:36.920217 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 145, length 64
20:49:37.960225 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 146, length 64
20:49:39.000238 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 147, length 64
20:49:40.040245 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 148, length 64
20:49:41.080262 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 149, length 64
20:49:42.120248 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 150, length 64
20:49:43.160247 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 151, length 64
^C2242 packets captured
2251 packets received by filter
0 packets dropped by kernel
Let's have a look on the OPNsense:
root@OPNsense:~ # tcpdump -i igb3 -n | grep 2a02:26f0:e200:5b3::b33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb3, link-type EN10MB (Ethernet), capture size 262144 bytes
20:52:11.879675 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 294, length 64
20:52:12.919669 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 295, length 64
20:52:13.959655 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 296, length 64
20:52:14.999703 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 297, length 64
20:52:16.039667 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 298, length 64
20:52:17.079807 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 299, length 64
20:52:18.129694 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 300, length 64
20:52:19.159689 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 301, length 64
20:52:20.199690 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 302, length 64
^C6708 packets captured
7004 packets received by filter
0 packets dropped by kernel
root@OPNsense:~ #
So, they also arrive on the LAN interface of the OPNsense (igb3).
But on the WAN interface (igb1), that is where it goes wrong:
root@OPNsense:~ # tcpdump -i igb1 -n | grep 2a02:26f0:e200:5b3::b33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb1, link-type EN10MB (Ethernet), capture size 262144 bytes
20:53:21.559708 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 361, length 64
20:53:21.567598 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 361, length 64
20:53:22.487554 IP6 2001:db8:7727:3800:2a8:2cff:fe68:e3e7 > 2a02:26f0:e200:5b3::b33: ICMP6, destination unreachable, unreachable address 2001:db8:7727:38f5:d3c6:2fef:f75f:adc, length 112
20:53:22.599677 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 362, length 64
20:53:22.607570 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 362, length 64
20:53:23.639718 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 363, length 64
20:53:23.647838 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 363, length 64
20:53:24.680005 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 364, length 64
20:53:24.687829 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 364, length 64
20:53:25.607527 IP6 2001:db8:7727:3800:2a8:2cff:fe68:e3e7 > 2a02:26f0:e200:5b3::b33: ICMP6, destination unreachable, unreachable address 2001:db8:7727:38f5:d3c6:2fef:f75f:adc, length 112
20:53:25.719657 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 365, length 64
20:53:25.727847 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 365, length 64
20:53:26.759682 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 366, length 64
20:53:26.767564 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 366, length 64
20:53:27.799640 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 367, length 64
20:53:27.807580 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 367, length 64
20:53:28.727963 IP6 2001:db8:7727:3800:2a8:2cff:fe68:e3e7 > 2a02:26f0:e200:5b3::b33: ICMP6, destination unreachable, unreachable address 2001:db8:7727:38f5:d3c6:2fef:f75f:adc, length 112
20:53:28.839669 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 368, length 64
20:53:28.847553 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 368, length 64
20:53:29.879696 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 369, length 64
20:53:29.887581 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 369, length 64
^C2132 packets captured
2186 packets received by filter
0 packets dropped by kernel
root@OPNsense:~ #
First a packet arrives, forwarded from igb3 (LAN) to igb1 (LAN):
20:53:21.559708 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 361, length 64
and then a packet also comes back from outside (so it has made its way through the Fritzbox, the Internet, back to the Fritzbox and then on to the OPNsense intact):
20:53:21.567598 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 361, length 64
But then it goes wrong:
20:53:22.487554 IP6 2001:db8:7727:3800:2a8:2cff:fe68:e3e7 > 2a02:26f0:e200:5b3::b33: ICMP6, destination unreachable, unreachable address 2001:db8:7727:38f5:d3c6:2fef:f75f:adc, length 112
That means the OPNsense suddenly no longer knows how to pass the packet from igb1 to igb3 and on to the machine inside, or it is being blocked somewhere.
Let's take a look at the filter log:
root@OPNsense:~ # cd /var/log/filter
root@OPNsense:/var/log/filter # grep 2a02:26f0:e200:5b3::b33 latest.log
<134>1 2023-08-05T19:43:54+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="17957656"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x7051e,63,ipv6-icmp,58,64,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,datalength=64
<134>1 2023-08-05T20:47:07+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19068942"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x7051e,63,ipv6-icmp,58,64,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,datalength=64
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072970"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x7b041,1,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,44542,33438,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072971"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0xf6521,1,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,52717,33437,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072972"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x4731f,1,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,39526,33439,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072973"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x6a364,2,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,50042,33440,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072974"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x8f1c3,2,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,47439,33442,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072975"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x381dc,2,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,60727,33441,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072976"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x024df,3,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,56854,33443,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072977"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0xcf01c,3,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,42155,33444,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072978"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x58f99,3,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,58840,33445,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072979"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x87a4c,4,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,51923,33446,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072980"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x3ec4e,4,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,56534,33447,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072981"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0xa070f,4,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,48754,33448,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072982"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0xbff46,5,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,54365,33449,40
<134>1 2023-08-05T20:47:29+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19074001"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0xeb2e7,5,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,60271,33450,40
Nothing to be seen for the external address ....
<134>1 2023-08-05T20:47:48+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19077987"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x1e685,28,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,49150,33518,40
<134>1 2023-08-05T20:47:48+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19077988"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x71d57,28,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,51062,33519,40
<134>1 2023-08-05T20:47:48+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19077989"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x3762a,28,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,53859,33520,40
<134>1 2023-08-05T20:47:48+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19077990"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x4f031,29,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,52882,33521,40
<134>1 2023-08-05T20:47:48+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19077991"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x404de,29,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,54430,33522,40
<134>1 2023-08-05T20:47:48+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19077992"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0xbb1ad,29,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,33638,33523,40
<134>1 2023-08-05T20:48:03+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19080676"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0xbdf35,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,50658,443,0,S,1841255940,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:49:04+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19091471"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x66f4b,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,52784,443,0,S,2853589939,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:50:03+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19104487"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0xa8b7e,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,54894,443,0,S,2581542073,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:51:04+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19129037"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x342ec,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,57084,443,0,S,1577274385,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:53:03+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19166475"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0xbd23a,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,33200,443,0,S,3056206735,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:54:04+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19180361"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x4502e,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,35304,443,0,S,4283752138,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:55:04+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19205038"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x888f3,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,37472,443,0,S,4159183514,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:56:04+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19219179"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x7fba5,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,39656,443,0,S,2570745485,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:57:03+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19243844"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x33b04,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,41758,443,0,S,87836187,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:58:04+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19258170"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x19a97,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,43930,443,0,S,67084035,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:59:03+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19281466"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x34e85,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,46040,443,0,S,2890758823,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T21:00:03+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19295129"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x7f22d,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,48176,443,0,S,1961371223,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T21:01:25+02:00 OPNsense.hal9000.dedyn.io filterlog 85008 - [meta sequenceId="19315131"] 96,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x7051e,63,ipv6-icmp,58,64,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,datalength=64
<134>1 2023-08-05T21:02:04+02:00 OPNsense.hal9000.dedyn.io filterlog 71039 - [meta sequenceId="19331763"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x5d837,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,50600,443,0,S,3365462030,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T21:02:07+02:00 OPNsense.hal9000.dedyn.io filterlog 85046 - [meta sequenceId="19332436"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x7558a,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,50600,443,0,S,3365462030,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T21:03:04+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19342150"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x036d5,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,52732,443,0,S,864467775,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T21:04:04+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19356292"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x98868,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,54844,443,0,S,1813926795,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T21:05:03+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19379848"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x6fa80,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,56986,443,0,S,1506129879,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T21:06:03+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19392327"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x1c3a7,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,59084,443,0,S,2418880545,,64800,,mss;sackOK;TS;nop;wscale
root@OPNsense:/var/log/filter #
That looks odd: why is there suddenly an OpenVPN client interface in there, which has a completely different network???
root@OPNsense:/var/log/filter # ifconfig ovpnc4
ovpnc4: flags=8143<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet6 fe80::2a8:2cff:fe68:e3e6%ovpnc4 prefixlen 64 scopeid 0x14
inet6 fdcb:7d25:175e:d794::2 prefixlen 64
inet 10.8.0.4 netmask 0xffffff00 broadcast 10.8.0.255
groups: tun openvpn
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
Opened by PID 71634
root@OPNsense:/var/log/filter #
root@OPNsense:/var/log/filter # netstat -6 -n -r
Routing tables
Internet6:
Destination Gateway Flags Netif Expire
default fe80::9a9b:cbff:fe08:3ca0%igb1 UG igb1
::1 link#8 UHS lo0
2a01:4f8:161:83d1::/64 link#20 US ovpnc4
..
fdcb:7d25:175e:d794::/64 link#20 U ovpnc4
..
fe80::%ovpnc4/64 link#20 U ovpnc4
fe80::2a8:2cff:fe68:e3e6%ovpnc4 link#20 UHS lo0
and the internal destination address is clearly supposed to be routed not via ovpnc4 but via igb3
Internal destination address
2001:db8:7727:38f5:d3c6:2fef:f75f:adc
Route
2001:db8:7727:38f5::/64 link#4 U igb3
2001:db8:7727:38f5:2a8:2cff:fe68:e3e9 link#4 UHS lo0
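Added example, not part of the original post: a small parser for filter log lines in the layout shown above that groups passed outbound IPv6 flows by egress interface and reports LAN sources leaving through more than one interface, as with igb1 and ovpnc4 here. The field positions are inferred from the log lines in the post; the function names, the LAN prefix constant and the junk sample line are assumptions made for this example.

```python
import ipaddress
from collections import defaultdict

# LAN prefix taken from the route shown in the post (igb3).
LAN = ipaddress.ip_network("2001:db8:7727:38f5::/64")

# Three lines copied from the post's filter log plus one constructed junk line.
SAMPLE = '''\
<134>1 2023-08-05T20:47:07+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19068942"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x7051e,63,ipv6-icmp,58,64,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,datalength=64
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072970"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x7b041,1,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,44542,33438,40
<134>1 2023-08-05T20:48:03+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19080676"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0xbdf35,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,50658,443,0,S,1841255940,,64800,,mss;sackOK;TS;nop;wscale
this line is constructed junk and must be skipped
'''


def parse_filterlog_line(line):
    """Return a dict for an IPv6 filterlog line, or None if it does not fit.

    Layout assumed from the post's lines (0-based CSV index):
    4 interface, 6 action, 7 direction, 8 IP version, 11 hop limit,
    12 protocol name, 15 source, 16 destination, 17/18 ports (tcp/udp).
    """
    _, sep, csv_part = line.partition("] ")
    if not sep:
        return None
    f = csv_part.strip().split(",")
    if len(f) < 17 or f[8] != "6":
        return None
    try:
        src = ipaddress.ip_address(f[15])
        dst = ipaddress.ip_address(f[16])
    except ValueError:
        return None
    rec = {
        "iface": f[4],
        "action": f[6],
        "dir": f[7],
        "proto": f[12],
        "src": src,
        "dst": dst,
    }
    if f[12] in ("tcp", "udp") and len(f) > 18:
        try:
            rec["sport"], rec["dport"] = int(f[17]), int(f[18])
        except ValueError:
            return None
    return rec


def egress_by_source(lines, lan=LAN):
    """Map each LAN source to {egress interface: set of destinations}."""
    table = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_filterlog_line(line)
        if rec is None:
            continue
        # Only passed, outbound packets tell us which interface was chosen.
        if rec["action"] != "pass" or rec["dir"] != "out":
            continue
        if rec["src"] not in lan:
            continue
        table[str(rec["src"])][rec["iface"]].add(str(rec["dst"]))
    return {src: dict(ifaces) for src, ifaces in table.items()}


def split_egress(lines, lan=LAN):
    """Return only the LAN sources whose traffic leaves via several interfaces."""
    return {
        src: ifaces
        for src, ifaces in egress_by_source(lines, lan).items()
        if len(ifaces) > 1
    }


if __name__ == "__main__":
    for src, ifaces in split_egress(SAMPLE.splitlines()).items():
        print(src)
        for iface, dsts in sorted(ifaces.items()):
            print(f"  {iface}: {', '.join(sorted(dsts))}")
```

On the firewall the same functions can be fed the lines of /var/log/filter/latest.log instead of the embedded sample.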
Und nun ein Rechner, bei dem es nicht geht:
Das ist ein Raspberry Pi mit Rasbian (Debian 10)
root@pbx:~# ifconfig
eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
inet 192.168.80.12 netmask 255.255.255.0 broadcast 192.168.80.255
inet6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc prefixlen 64 scopeid 0x0<global>
inet6 2001:db8:7727:38f5:1b7c:c265:3822:8740 prefixlen 64 scopeid 0x0<global>
inet6 2001:db8:7727:38f5:fe75:58fe:b591:b7c1 prefixlen 64 scopeid 0x0<global>
inet6 fe80::253f:d661:3f12:9723 prefixlen 64 scopeid 0x20<link>
inet6 2001:db8:7727:38f5:7d8d:9f4:5a7:3f69 prefixlen 64 scopeid 0x0<global>
ether dc:a6:32:2d:5d:17 txqueuelen 1000 (Ethernet)
RX packets 6999888 bytes 1642979660 (1.5 GiB)
RX errors 0 dropped 1 overruns 0 frame 0
TX packets 8277352 bytes 1726115340 (1.6 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 4971580 bytes 7368566971 (6.8 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4971580 bytes 7368566971 (6.8 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
root@pbx:~# ip -6 r
::1 dev lo proto kernel metric 256 pref medium
2001:db8:7727:38f5::/64 dev eth0 proto ra metric 202 mtu 1500 pref medium
2001:db8:7727:38f5::/64 dev eth0 proto kernel metric 256 expires 86027sec pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::2a8:2cff:fe68:e3e9 dev eth0 proto ra metric 202 mtu 1500 pref medium
default via fe80::2a8:2cff:fe68:e3e9 dev eth0 proto ra metric 1024 expires 1427sec hoplimit 64 pref medium
root@pbx:~#
root@incrediblepbx:~# ping www.cisco.com
PING www.cisco.com(g2a02-26f0-b200-03a1-0000-0000-0000-0b33.deploy.static.akamaitechnologies.com (2a02:26f0:b200:3a1::b33)) 56 data bytes
(und nix weiter)
root@pbx:~# traceroute 2a02:26f0:e200:5b3::b33
traceroute to 2a02:26f0:e200:5b3::b33 (2a02:26f0:e200:5b3::b33), 30 hops max, 80 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
…...
auf dem ausgehenden Interface sieht man die Pakete auch noch, es kommt nur nichts zurück:
root@incrediblepbx:~# tcpdump -i eth0 -n | grep 2a02:26f0:e200:5b3::b33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
20:49:32.760274 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 141, length 64
20:49:33.800286 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 142, length 64
20:49:34.840261 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 143, length 64
20:49:35.880293 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 144, length 64
20:49:36.920217 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 145, length 64
20:49:37.960225 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 146, length 64
20:49:39.000238 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 147, length 64
20:49:40.040245 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 148, length 64
20:49:41.080262 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 149, length 64
20:49:42.120248 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 150, length 64
20:49:43.160247 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 151, length 64
^C2242 packets captured
2251 packets received by filter
0 packets dropped by kernel
schauen wir doch mal auf der OPNsense nach:
root@OPNsense:~ # tcpdump -i igb3 -n | grep 2a02:26f0:e200:5b3::b33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb3, link-type EN10MB (Ethernet), capture size 262144 bytes
20:52:11.879675 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 294, length 64
20:52:12.919669 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 295, length 64
20:52:13.959655 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 296, length 64
20:52:14.999703 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 297, length 64
20:52:16.039667 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 298, length 64
20:52:17.079807 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 299, length 64
20:52:18.129694 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 300, length 64
20:52:19.159689 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 301, length 64
20:52:20.199690 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 302, length 64
^C6708 packets captured
7004 packets received by filter
0 packets dropped by kernel
root@OPNsense:~ #
Also, auf dem LAN Interface auf der OPNsense (igb3) kommen sie auch an.
Aber auf dem WAN Interface (igb1), da geht’s schief:
root@OPNsense:~ # tcpdump -i igb1 -n | grep 2a02:26f0:e200:5b3::b33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb1, link-type EN10MB (Ethernet), capture size 262144 bytes
20:53:21.559708 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 361, length 64
20:53:21.567598 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 361, length 64
20:53:22.487554 IP6 2001:db8:7727:3800:2a8:2cff:fe68:e3e7 > 2a02:26f0:e200:5b3::b33: ICMP6, destination unreachable, unreachable address 2001:db8:7727:38f5:d3c6:2fef:f75f:adc, length 112
20:53:22.599677 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 362, length 64
20:53:22.607570 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 362, length 64
20:53:23.639718 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 363, length 64
20:53:23.647838 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 363, length 64
20:53:24.680005 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 364, length 64
20:53:24.687829 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 364, length 64
20:53:25.607527 IP6 2001:db8:7727:3800:2a8:2cff:fe68:e3e7 > 2a02:26f0:e200:5b3::b33: ICMP6, destination unreachable, unreachable address 2001:db8:7727:38f5:d3c6:2fef:f75f:adc, length 112
20:53:25.719657 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 365, length 64
20:53:25.727847 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 365, length 64
20:53:26.759682 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 366, length 64
20:53:26.767564 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 366, length 64
20:53:27.799640 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 367, length 64
20:53:27.807580 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 367, length 64
20:53:28.727963 IP6 2001:db8:7727:3800:2a8:2cff:fe68:e3e7 > 2a02:26f0:e200:5b3::b33: ICMP6, destination unreachable, unreachable address 2001:db8:7727:38f5:d3c6:2fef:f75f:adc, length 112
20:53:28.839669 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 368, length 64
20:53:28.847553 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 368, length 64
20:53:29.879696 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 369, length 64
20:53:29.887581 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 369, length 64
^C2132 packets captured
2186 packets received by filter
0 packets dropped by kernel
root@OPNsense:~ #
Zunächst kommt ein Paket vom igb3 (LAN) weitergereicht an igb1 (LAN):
20:53:21.559708 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 361, length 64
und dann kommt auch ein Paket zurück von außen (es hat also den Weg über die Fritzbox, das Internet und zurück zur Fritzbox und dann weiter zur OPNsense heil hinter sich gebracht:
20:53:21.567598 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 361, length 64
Aber dann geht’s schief:
20:53:22.487554 IP6 2001:db8:7727:3800:2a8:2cff:fe68:e3e7 > 2a02:26f0:e200:5b3::b33: ICMP6, destination unreachable, unreachable address 2001:db8:7727:38f5:d3c6:2fef:f75f:adc, length 112
This means the OPNsense suddenly no longer knows how to pass the packet from igb1 to igb3 and on to the host on the inside, or it is being blocked somewhere.
Let's take a look at the filter log:
root@OPNsense:~ # cd /var/log/filter
root@OPNsense:/var/log/filter # grep 2a02:26f0:e200:5b3::b33 latest.log
<134>1 2023-08-05T19:43:54+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="17957656"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x7051e,63,ipv6-icmp,58,64,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,datalength=64
<134>1 2023-08-05T20:47:07+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19068942"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x7051e,63,ipv6-icmp,58,64,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,datalength=64
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072970"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x7b041,1,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,44542,33438,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072971"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0xf6521,1,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,52717,33437,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072972"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x4731f,1,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,39526,33439,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072973"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x6a364,2,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,50042,33440,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072974"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x8f1c3,2,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,47439,33442,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072975"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x381dc,2,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,60727,33441,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072976"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x024df,3,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,56854,33443,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072977"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0xcf01c,3,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,42155,33444,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072978"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x58f99,3,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,58840,33445,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072979"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x87a4c,4,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,51923,33446,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072980"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x3ec4e,4,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,56534,33447,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072981"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0xa070f,4,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,48754,33448,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072982"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0xbff46,5,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,54365,33449,40
<134>1 2023-08-05T20:47:29+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19074001"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0xeb2e7,5,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,60271,33450,40
Nothing to see for the external address ….
<134>1 2023-08-05T20:47:48+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19077987"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x1e685,28,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,49150,33518,40
<134>1 2023-08-05T20:47:48+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19077988"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x71d57,28,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,51062,33519,40
<134>1 2023-08-05T20:47:48+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19077989"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x3762a,28,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,53859,33520,40
<134>1 2023-08-05T20:47:48+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19077990"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x4f031,29,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,52882,33521,40
<134>1 2023-08-05T20:47:48+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19077991"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x404de,29,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,54430,33522,40
<134>1 2023-08-05T20:47:48+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19077992"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0xbb1ad,29,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,33638,33523,40
<134>1 2023-08-05T20:48:03+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19080676"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0xbdf35,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,50658,443,0,S,1841255940,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:49:04+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19091471"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x66f4b,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,52784,443,0,S,2853589939,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:50:03+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19104487"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0xa8b7e,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,54894,443,0,S,2581542073,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:51:04+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19129037"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x342ec,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,57084,443,0,S,1577274385,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:53:03+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19166475"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0xbd23a,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,33200,443,0,S,3056206735,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:54:04+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19180361"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x4502e,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,35304,443,0,S,4283752138,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:55:04+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19205038"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x888f3,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,37472,443,0,S,4159183514,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:56:04+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19219179"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x7fba5,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,39656,443,0,S,2570745485,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:57:03+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19243844"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x33b04,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,41758,443,0,S,87836187,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:58:04+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19258170"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x19a97,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,43930,443,0,S,67084035,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:59:03+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19281466"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x34e85,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,46040,443,0,S,2890758823,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T21:00:03+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19295129"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x7f22d,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,48176,443,0,S,1961371223,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T21:01:25+02:00 OPNsense.hal9000.dedyn.io filterlog 85008 - [meta sequenceId="19315131"] 96,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x7051e,63,ipv6-icmp,58,64,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,datalength=64
<134>1 2023-08-05T21:02:04+02:00 OPNsense.hal9000.dedyn.io filterlog 71039 - [meta sequenceId="19331763"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x5d837,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,50600,443,0,S,3365462030,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T21:02:07+02:00 OPNsense.hal9000.dedyn.io filterlog 85046 - [meta sequenceId="19332436"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x7558a,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,50600,443,0,S,3365462030,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T21:03:04+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19342150"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x036d5,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,52732,443,0,S,864467775,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T21:04:04+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19356292"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x98868,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,54844,443,0,S,1813926795,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T21:05:03+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19379848"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x6fa80,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,56986,443,0,S,1506129879,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T21:06:03+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19392327"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x1c3a7,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,59084,443,0,S,2418880545,,64800,,mss;sackOK;TS;nop;wscale
root@OPNsense:/var/log/filter #
That looks strange: why is there suddenly an OpenVPN client interface in there, when it has a completely different network???
root@OPNsense:/var/log/filter # ifconfig ovpnc4
ovpnc4: flags=8143<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet6 fe80::2a8:2cff:fe68:e3e6%ovpnc4 prefixlen 64 scopeid 0x14
inet6 fdcb:7d25:175e:d794::2 prefixlen 64
inet 10.8.0.4 netmask 0xffffff00 broadcast 10.8.0.255
groups: tun openvpn
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
Opened by PID 71634
root@OPNsense:/var/log/filter #
root@OPNsense:/var/log/filter # netstat -6 -n -r
Routing tables
Internet6:
Destination Gateway Flags Netif Expire
default fe80::9a9b:cbff:fe08:3ca0%igb1 UG igb1
::1 link#8 UHS lo0
2a01:4f8:161:83d1::/64 link#20 US ovpnc4
..
fdcb:7d25:175e:d794::/64 link#20 U ovpnc4
..
fe80::%ovpnc4/64 link#20 U ovpnc4
fe80::2a8:2cff:fe68:e3e6%ovpnc4 link#20 UHS lo0
and the internal destination address is clearly supposed to be routed not via ovpnc4, but via igb3
Internal destination address
2001:db8:7727:38f5:d3c6:2fef:f75f:adc
Route
2001:db8:7727:38f5::/64 link#4 U igb3
2001:db8:7727:38f5:2a8:2cff:fe68:e3e9 link#4 UHS lo0