Messages - BSAfH42

#1
Hi,

to set up redundancy (cold standby), I installed a fresh copy of OPNsense 23.7 on spare hardware and imported the config of the production 23.1 installation there.

I then updated the spare machine from the console to 24.1 and afterwards updated everything once more.

Everything works, except that IPv6 no longer works (Telekom DSL, I get a /57 delegated there; in the Fritz!Box the now-active spare machine is set as "exposed host" for IPv4 and IPv6, and all other IPv6 settings are enabled as well):

IPv6 settings
Allow PING6.
Open the firewall for delegated IPv6 prefixes of this device.
Fully expose this device for Internet access over IPv6 (Exposed Host).


The option
Assign DNS server and IPv6 prefix (IA_PD)

The FRITZ!Box is announced as DNS server via DHCPv6. Parts of the IPv6 network assigned by the Internet provider are passed on to downstream routers.
is enabled.

Networks are being delegated as well:
IPv6 prefixes in use:
Home network 2003:ce:7710:1700::/64
Guest network 2003:ce:7710:1701::/64
WAN  2003:ce:77ff:108f::/64
Delegated  2003:ce:7710:1780::/57
Delegated  2003:ce:7710:1740::/58


And IPv6 does arrive on the WAN interface of the OPNsense (but from the "home network" range, not from the delegated /57 !!):

WAN (wan) igb0 dhcp

IPv4
192.168.178.58/24

IPv6
2003:ce:7710:1700:a236:9fff:fe5a:93b0/64
fd29:12:1960:3556:a236:9fff:fe5a:93b0/64
fe80::a236:9fff:fe5a:93b0/64

Gateway
192.168.178.1
fe80::9a9b:cbff:fe08:3ca0

Routes
default
192.168.178.0/24


So WAN has received a valid IPv6 address


but why, actually, if
"Only request an IPv6 prefix; do not request an IPv6 address." is enabled?? Then the WAN interface should not get an external IPv6 address at all, should it?

Something is fishy here, isn't it?

It is just that the internal interfaces, e.g. LAN, get no delegated IPv6, only local addresses:

LAN (lan) igb1 static
192.168.80.2/24
192.168.80.1/24

fe80::a236:9fff:fe5a:93b1/64

192.168.80.0/24
fe80::%igb1/64


Interface configuration:

That should actually be correct, shouldn't it?

Router Advertisements are set up exactly as on the production machine, i.e. like this (screenshot from the new machine)

Router Advertisements Assisted
Router Priority High
Source Address Automatic
Advertise Default Gateway: yes


DHCPv6, however, does not come up and shows very strange things:

Enable YES  Enable DHCPv6 server on LAN interface
Subnet <empty>
Subnet mask <empty> bits
Available range: No available address range for configured interface subnet size.

Huh? Is the OPNsense not requesting a prefix delegation at all?
Something fundamental is wrong here, isn't it?

I tried https://forum.opnsense.org/index.php?topic=34584.0, but that does not help.

It looks as if the "follow interface" does not work, or the prefix delegation request does not work - but why? A /57 is being delegated, after all ... ???

The interface definition in /conf/config.xml looks like this:

  <interfaces>
    <wan>
      <if>igb0</if>
      <descr>WAN</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <promisc>1</promisc>
      <ipaddr>dhcp</ipaddr>
      <dhcphostname/>
      <alias-address/>
      <alias-subnet>24</alias-subnet>
      <dhcprejectfrom/>
      <adv_dhcp_pt_timeout/>
      <adv_dhcp_pt_retry/>
      <adv_dhcp_pt_select_timeout/>
      <adv_dhcp_pt_reboot/>
      <adv_dhcp_pt_backoff_cutoff/>
      <adv_dhcp_pt_initial_interval/>
      <adv_dhcp_pt_values>SavedCfg</adv_dhcp_pt_values>
      <adv_dhcp_send_options/>
      <adv_dhcp_request_options/>
      <adv_dhcp_required_options/>
      <adv_dhcp_option_modifiers/>
      <adv_dhcp_config_advanced/>
      <adv_dhcp_config_file_override/>
      <adv_dhcp_config_file_override_path/>
      <ipaddrv6>dhcp6</ipaddrv6>
      <dhcp6-ia-pd-len>7</dhcp6-ia-pd-len>
      <dhcp6-ia-pd-send-hint>1</dhcp6-ia-pd-send-hint>
      <dhcp6prefixonly>1</dhcp6prefixonly>
      <dhcp6usev4iface>1</dhcp6usev4iface>
      <adv_dhcp6_interface_statement_send_options/>
      <adv_dhcp6_interface_statement_request_options/>
      <adv_dhcp6_interface_statement_information_only_enable/>
      <adv_dhcp6_interface_statement_script/>
      <adv_dhcp6_id_assoc_statement_address_enable/>
      <adv_dhcp6_id_assoc_statement_address/>
      <adv_dhcp6_id_assoc_statement_address_id/>
      <adv_dhcp6_id_assoc_statement_address_pltime/>
      <adv_dhcp6_id_assoc_statement_address_vltime/>
      <adv_dhcp6_id_assoc_statement_prefix_enable/>
      <adv_dhcp6_id_assoc_statement_prefix/>
      <adv_dhcp6_id_assoc_statement_prefix_id/>
      <adv_dhcp6_id_assoc_statement_prefix_pltime/>
      <adv_dhcp6_id_assoc_statement_prefix_vltime/>
      <adv_dhcp6_prefix_interface_statement_sla_len/>
      <adv_dhcp6_authentication_statement_authname/>
      <adv_dhcp6_authentication_statement_protocol/>
      <adv_dhcp6_authentication_statement_algorithm/>
      <adv_dhcp6_authentication_statement_rdm/>
      <adv_dhcp6_key_info_statement_keyname/>
      <adv_dhcp6_key_info_statement_realm/>
      <adv_dhcp6_key_info_statement_keyid/>
      <adv_dhcp6_key_info_statement_secret/>
      <adv_dhcp6_key_info_statement_expire/>
      <adv_dhcp6_config_advanced/>
      <adv_dhcp6_config_file_override/>
      <adv_dhcp6_config_file_override_path/>
    </wan>
    <lan>
      <if>igb1</if>
      <descr>LAN</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <ipaddr>192.168.80.2</ipaddr>
      <subnet>24</subnet>
      <ipaddrv6>track6</ipaddrv6>
      <track6-interface>wan</track6-interface>
      <track6-prefix-id>5</track6-prefix-id>
      <dhcpd6track6allowoverride>1</dhcpd6track6allowoverride>
      <hw_settings_overwrite>1</hw_settings_overwrite>
      <disablechecksumoffloading>1</disablechecksumoffloading>
      <disablesegmentationoffloading>1</disablesegmentationoffloading>
      <disablelargereceiveoffloading>1</disablelargereceiveoffloading>
      <disablevlanhwfilter>1</disablevlanhwfilter>
    </lan>
    <lo0>
      <internal_dynamic>1</internal_dynamic>
      <descr>Loopback</descr>
      <enable>1</enable>
      <if>lo0</if>
      <ipaddr>127.0.0.1</ipaddr>
      <ipaddrv6>::1</ipaddrv6>
      <subnet>8</subnet>
      <subnetv6>128</subnetv6>
      <type>none</type>
      <virtual>1</virtual>
    </lo0>
#2
Versions   
OPNsense 24.1.4-amd64
FreeBSD 13.2-RELEASE-p10
OpenSSL 3.0.13

I have set up a new machine (to act as a cold standby) with 23.1.x and restored the complete config from the production machine. On the production machine (still on 23.1.7) IPv6 and DHCPv6 work fine.

After that I upgraded the new machine using the "update from console" to 24.1.4.

Now I don't have any IPv6 addresses on any of the local interfaces (named LAN, CONSOLE, WLAN and run0_wlan1=WLANUSB) and DHCPv6 does not start at all.

All local interfaces show: (Services --> ISC DHCPv6)
Available range No available address range for configured interface subnet size.

I followed https://forum.opnsense.org/index.php?topic=34584.0 but that did not help.







My ISP is Dt. Telekom, and I get a /57 subnet from them. The WAN Interface does get a correct IPv6 address:



WAN (wan) igb0 dhcp
IPv4
192.168.178.58/24

IPv6
2003:ce:7710:1700:a236:9fff:fe5a:93b0/64
fd29:12:1960:3556:a236:9fff:fe5a:93b0/64
fe80::a236:9fff:fe5a:93b0/64

Gateway
192.168.178.1
fe80::9a9b:cbff:fe08:3ca0

Routes
default
192.168.178.0/24
default
2003:ce:7710:1700::/64
2003:ce:7710:1700:9a9b:cbff:fe08:3ca0
fd29:12:1960:3556::/64
fd29:12:1960:3556:9a9b:cbff:fe08:3ca0
fe80::%igb0/64



Interface definitions are as follows (/conf/config.xml):


  <interfaces>
    <wan>
      <if>igb0</if>
      <descr>WAN</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <promisc>1</promisc>
      <ipaddr>dhcp</ipaddr>
      <dhcphostname/>
      <alias-address/>
      <alias-subnet>24</alias-subnet>
      <dhcprejectfrom/>
      <adv_dhcp_pt_timeout/>
      <adv_dhcp_pt_retry/>
      <adv_dhcp_pt_select_timeout/>
      <adv_dhcp_pt_reboot/>
      <adv_dhcp_pt_backoff_cutoff/>
      <adv_dhcp_pt_initial_interval/>
      <adv_dhcp_pt_values>SavedCfg</adv_dhcp_pt_values>
      <adv_dhcp_send_options/>
      <adv_dhcp_request_options/>
      <adv_dhcp_required_options/>
      <adv_dhcp_option_modifiers/>
      <adv_dhcp_config_advanced/>
      <adv_dhcp_config_file_override/>
      <adv_dhcp_config_file_override_path/>
      <ipaddrv6>dhcp6</ipaddrv6>
      <dhcp6-ia-pd-len>7</dhcp6-ia-pd-len>
      <dhcp6-ia-pd-send-hint>1</dhcp6-ia-pd-send-hint>
      <dhcp6prefixonly>1</dhcp6prefixonly>
      <dhcp6usev4iface>1</dhcp6usev4iface>
      <adv_dhcp6_interface_statement_send_options/>
      <adv_dhcp6_interface_statement_request_options/>
      <adv_dhcp6_interface_statement_information_only_enable/>
      <adv_dhcp6_interface_statement_script/>
      <adv_dhcp6_id_assoc_statement_address_enable/>
      <adv_dhcp6_id_assoc_statement_address/>
      <adv_dhcp6_id_assoc_statement_address_id/>
      <adv_dhcp6_id_assoc_statement_address_pltime/>
      <adv_dhcp6_id_assoc_statement_address_vltime/>
      <adv_dhcp6_id_assoc_statement_prefix_enable/>
      <adv_dhcp6_id_assoc_statement_prefix/>
      <adv_dhcp6_id_assoc_statement_prefix_id/>
      <adv_dhcp6_id_assoc_statement_prefix_pltime/>
      <adv_dhcp6_id_assoc_statement_prefix_vltime/>
      <adv_dhcp6_prefix_interface_statement_sla_len/>
      <adv_dhcp6_authentication_statement_authname/>
      <adv_dhcp6_authentication_statement_protocol/>
      <adv_dhcp6_authentication_statement_algorithm/>
      <adv_dhcp6_authentication_statement_rdm/>
      <adv_dhcp6_key_info_statement_keyname/>
      <adv_dhcp6_key_info_statement_realm/>
      <adv_dhcp6_key_info_statement_keyid/>
      <adv_dhcp6_key_info_statement_secret/>
      <adv_dhcp6_key_info_statement_expire/>
      <adv_dhcp6_config_advanced/>
      <adv_dhcp6_config_file_override/>
      <adv_dhcp6_config_file_override_path/>
    </wan>
    <lan>
      <if>igb1</if>
      <descr>LAN</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <ipaddr>192.168.80.2</ipaddr>
      <subnet>24</subnet>
      <ipaddrv6>track6</ipaddrv6>
      <track6-interface>wan</track6-interface>
      <track6-prefix-id>5</track6-prefix-id>
      <dhcpd6track6allowoverride>1</dhcpd6track6allowoverride>
      <hw_settings_overwrite>1</hw_settings_overwrite>
      <disablechecksumoffloading>1</disablechecksumoffloading>
      <disablesegmentationoffloading>1</disablesegmentationoffloading>
      <disablelargereceiveoffloading>1</disablelargereceiveoffloading>
      <disablevlanhwfilter>1</disablevlanhwfilter>
    </lan>
    <lo0>
      <internal_dynamic>1</internal_dynamic>
      <descr>Loopback</descr>
      <enable>1</enable>
      <if>lo0</if>
      <ipaddr>127.0.0.1</ipaddr>
      <ipaddrv6>::1</ipaddrv6>
      <subnet>8</subnet>
      <subnetv6>128</subnetv6>
      <type>none</type>
      <virtual>1</virtual>
    </lo0>


Any ideas?

#3
German - Deutsch / IPv6 sometimes works and sometimes doesn't ...
November 26, 2023, 04:05:59 PM
Hi,

I have an OPNsense behind a Fritz!Box with Telekom/T-Online DSL.

Configured according to this guide:
https://docs.opnsense.org/manual/how-tos/ipv6_fb.html

In principle, it all seems to work.

But what is this???

root@homeassistant:/etc# ping www.heise.de
PING www.heise.de(www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85)) 56 data bytes
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=1596 ttl=56 time=9.50 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=1597 ttl=56 time=9.62 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=1598 ttl=56 time=13.1 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=1599 ttl=56 time=9.24 ms
^C
--- www.heise.de ping statistics ---
2161 packets transmitted, 1599 received, 26.0065% packet loss, time 2176441ms
rtt min/avg/max/mdev = 9.075/10.228/36.781/2.420 ms
root@homeassistant:/etc# ifconfig ens3
ens3: flags=4675<UP,BROADCAST,RUNNING,ALLMULTI,MULTICAST>  mtu 1500
        inet 192.168.80.21  netmask 255.255.255.0  broadcast 192.168.80.255
        inet6 2003:ce:7704:e81:229d:d67a:185a:91d4  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::8b35:a12c:e957:3332  prefixlen 64  scopeid 0x20<link>
        inet6 2003:ce:7704:e81::2000:f727  prefixlen 128  scopeid 0x0<global>
        ether 00:a0:98:02:85:96  txqueuelen 1000  (Ethernet)
        RX packets 395363619  bytes 1312399161986 (1.1 TiB)
        RX errors 0  dropped 31745609  overruns 0  frame 0
        TX packets 365170660  bytes 1426783920324 (1.2 TiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@homeassistant:/etc# ping www.heise.de
PING www.heise.de(www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85)) 56 data bytes



This is a VM, but I have just had the same thing with a "normal" PC as well.

In other words: it works for quite a while, and then suddenly it no longer does.

Possibly always when the DHCPv6 lease is renewed (with the same IP ...), but that may also be coincidence.

At the same time I have several machines, VMs and hardware, on which it works....

but apparently only temporarily there, too:

this here is on a TrueNAS Scale (i.e. Debian):

64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4351 ttl=56 time=10.4 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4352 ttl=56 time=10.3 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4353 ttl=56 time=10.6 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4354 ttl=56 time=10.7 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4355 ttl=56 time=10.4 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4356 ttl=56 time=10.5 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4357 ttl=56 time=10.3 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4358 ttl=56 time=10.4 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4359 ttl=56 time=10.5 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4360 ttl=56 time=10.2 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4361 ttl=56 time=10.8 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4362 ttl=56 time=10.3 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4363 ttl=56 time=10.7 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4364 ttl=56 time=10.5 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4365 ttl=56 time=10.4 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4366 ttl=56 time=10.4 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4367 ttl=56 time=10.4 ms
From OPNsense.hal9000.dedyn.io (2003:ce:7704:e81:921b:eff:fe0c:b068) icmp_seq=4386 Destination unreachable: No route
From OPNsense.hal9000.dedyn.io (2003:ce:7704:e81:921b:eff:fe0c:b068) icmp_seq=4387 Destination unreachable: No route
From OPNsense.hal9000.dedyn.io (2003:ce:7704:e81:921b:eff:fe0c:b068) icmp_seq=4388 Destination unreachable: No route
From OPNsense.hal9000.dedyn.io (2003:ce:7704:e81:921b:eff:fe0c:b068) icmp_seq=4389 Destination unreachable: No route
From OPNsense.hal9000.dedyn.io (2003:ce:7704:e81:921b:eff:fe0c:b068) icmp_seq=4390 Destination unreachable: No route
From OPNsense.hal9000.dedyn.io (2003:ce:7704:e81:921b:eff:fe0c:b068) icmp_seq=4391 Destination unreachable: No route
From OPNsense.hal9000.dedyn.io (2003:ce:7704:e81:921b:eff:fe0c:b068) icmp_seq=4392 Destination unreachable: No route
From OPNsense.hal9000.dedyn.io (2003:ce:7704:e81:921b:eff:fe0c:b068) icmp_seq=4393 Destination unreachable: No route
From OPNsense.hal9000.dedyn.io (2003:ce:7704:e81:921b:eff:fe0c:b068) icmp_seq=4394 Destination unreachable: No route
From OPNsense.hal9000.dedyn.io (2003:ce:7704:e81:921b:eff:fe0c:b068) icmp_seq=4395 Destination unreachable: No route
From OPNsense.hal9000.dedyn.io (2003:ce:7704:e81:921b:eff:fe0c:b068) icmp_seq=4396 Destination unreachable: No route
From OPNsense.hal9000.dedyn.io (2003:ce:7704:e81:921b:eff:fe0c:b068) icmp_seq=4397 Destination unreachable: No route


On a Raspberry Pi I saw this:

64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=2019 ttl=56 time=10.5 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=2020 ttl=56 time=10.5 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=2021 ttl=56 time=10.3 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=2022 ttl=56 time=10.2 ms


64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=2808 ttl=56 time=468 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=2809 ttl=56 time=10.1 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=2810 ttl=56 time=10.0 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=2811 ttl=56 time=11.6 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=2812 ttl=56 time=10.1 ms


Meanwhile, on the OPNsense, this happened during the pause:

16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=6155 hlim=57 time=9.364 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=6156 hlim=57 time=9.358 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=6157 hlim=57 time=9.577 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=6158 hlim=57 time=9.372 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=6159 hlim=57 time=9.219 ms
ping: sendmsg: No route to host
ping6: wrote www.heise.de 16 chars, ret=-1
ping: sendmsg: No route to host
ping6: wrote www.heise.de 16 chars, ret=-1
ping: sendmsg: No route to host
ping6: wrote www.heise.de 16 chars, ret=-1
ping: sendmsg: No route to host
ping6: wrote www.heise.de 16 chars, ret=-1
ping: sendmsg: No route to host
ping6: wrote www.heise.de 16 chars, ret=-1
ping: sendmsg: No route to host
ping6: wrote www.heise.de 16 chars, ret=-1
ping: sendmsg: No route to host
ping6: wrote www.heise.de 16 chars, ret=-1
ping: sendmsg: No route to host
ping6: wrote www.heise.de 16 chars, ret=-1

^C
--- www.heise.de ping6 statistics ---
6765 packets transmitted, 6159 packets received, 9.0% packet loss
round-trip min/avg/max/std-dev = 8.807/9.385/95.847/1.339 ms
root@OPNsense:/usr/local/etc/nut # ping -6 www.heise.de
PING6(56=40+8+8 bytes) 2003:ce:7728:bc00:921b:eff:fe0c:b067 --> 2a02:2e0:3fe:1001:7777:772e:2:85
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=0 hlim=57 time=10.463 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=1 hlim=57 time=10.337 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=2 hlim=57 time=10.122 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=3 hlim=57 time=10.215 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=4 hlim=57 time=10.149 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=5 hlim=57 time=10.383 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=6 hlim=57 time=10.585 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=7 hlim=57 time=10.526 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=8 hlim=57 time=10.643 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=9 hlim=57 time=11.598 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=10 hlim=57 time=10.244 ms


Telekom apparently felt it had to give me new IP addresses once again :-(  :-\ :o
In any case, the Fritz!Box now shows a "connected since" with a time in the middle of the pause. With a new IPv4 address and a new IPv6 prefix.

The Pi has recovered; on all other machines nothing has worked since the "pause".

On some, however, nothing worked even before that; they had already been unable to get a connection to the outside.

Huh???

Apparently the clients are not assigned new IPv6 addresses after a prefix change - and the old ones of course no longer work

Here (this is an OpenSUSE) IPv6 addresses from two different prefixes suddenly sit side by side on one interface:

cb-desktop:/etc/ups # ifconfig
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.80.10  netmask 255.255.255.0  broadcast 192.168.80.255
        inet6 2003:ce:7704:e81::2000:4c53  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::db0c:ee9c:6f2e:8c8e  prefixlen 64  scopeid 0x20<link>
        inet6 2003:ce:7704:e81:c203:d011:e523:c7f3  prefixlen 64  scopeid 0x0<global>
        inet6 2003:ce:7728:bc81:4c7a:7b95:9855:b531  prefixlen 64  scopeid 0x0<global>
        ether d8:cb:8a:7c:72:9b  txqueuelen 1000  (Ethernet)
        RX packets 238031070  bytes 45131723171 (42.0 GiB)
        RX errors 0  dropped 4906035  overruns 0  frame 0
        TX packets 200763160  bytes 41026533734 (38.2 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


        inet6 2003:ce:7704:e81:c203:d011:e523:c7f3  prefixlen 64  scopeid 0x0<global>
        inet6 2003:ce:7728:bc81:4c7a:7b95:9855:b531  prefixlen 64  scopeid 0x0<global>

Is there anything that can be done about this?
#4
I was not asking YOU explicitly to help, I was asking the community. That's what forums are made for, aren't they?

And for not following the guide: this is an unmodified reloaded backup config from an OPNsense machine that broke down 2 months ago.

And thanks for the insult. I am able to follow a guide and I triple checked. Nice way to approach potential customers, really.  :(

And I was not "threatening" to switch to nginx - but I have a problem to solve. So that would be a last resort.

Paid support is fine - send me a message for a quote, I might take it.

#5
and another victim of this error here  :-\
both when trying to connect via http and https

2023-11-22T16:33:22 Informational haproxy 134.xx.xx.xx:41647 [22/Nov/2023:16:33:22.341] 1_HTTP_frontend/127.4.4.3:80: Received something which does not look like a PROXY protocol header
2023-11-22T16:33:21 Informational haproxy 134.xx.xx.xx:41645 [22/Nov/2023:16:33:21.262] 1_HTTP_frontend/127.4.4.3:80: Received something which does not look like a PROXY protocol header
2023-11-22T16:33:18 Informational haproxy 134.xx.xx.xx:41642 [22/Nov/2023:16:33:18.847] 1_HTTPS_frontend/127.4.4.3:443: Received something which does not look like a PROXY protocol header
2023-11-22T16:33:18 Informational haproxy 134.xx.xx.xx:41641 [22/Nov/2023:16:33:18.795] 1_HTTPS_frontend/127.4.4.3:443: Received something which does not look like a PROXY protocol header


Versions:

Name HAProxy
Version 2.6.15-446b02c
Release_date 2023/08/09


Versions OPNsense 23.7.8_1-amd64
FreeBSD 13.2-RELEASE-p5
OpenSSL 1.1.1w 11 Sep 2023


I ran out of ideas what to try  ???

config is:

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   8192
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local1 debug
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats


# Resolver: opnsense
resolvers 64fcd546611ba3.78740961
    nameserver 127.0.0.1:53 127.0.0.1:53
    nameserver 192.168.178.1:53 192.168.178.1:53
    nameserver 9.9.9.9:53 9.9.9.9:53
    nameserver 192.168.80.2:53 192.168.80.2:53
    parse-resolv-conf
    resolve_retries 3
    timeout resolve 1s
    timeout retry 1s


# NOTE: Mailer alert bofh ignored: not configured in any backend

# Mailer: alert CB
mailers 64fcc379c27b34.94392037
    timeout mail 30s
    mailer blah.blubb.25


# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80,  0.0.0.0:443, )
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL-backend

    # logging options

# Frontend: 1_HTTP_frontend (listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor
    http-request use-service prometheus-exporter if { path /metrics }

    # logging options
    # ACL: NoSSL_condition
    acl acl_6314a0aad6d518.84034638 ssl_fc
    # ACL: find_acme_challenge
    acl acl_6339cb3bd963e1.30823960 path_beg -i /.well-known/acme-challenge/

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_6314a0aad6d518.84034638
    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if acl_6339cb3bd963e1.30823960

# Frontend: 1_HTTPS_frontend (listening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6314a6a33cce38.68245567.certlist
    mode http
    option http-keep-alive
    option forwardfor
    http-request use-service prometheus-exporter if { path /metrics }
    timeout client 15m

    # logging options

    # ACTION: PUBLIC_SUBDOMAINS_map_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6314a164535f16.33310179.txt)]

# Backend (DISABLED): SSL-backend-old ()

# Backend: HomeAssistant_Backend (Homeassistant)
backend HomeAssistant_Backend
    # health checking is DISABLED
    email-alert mailers 64fcc379c27b34.94392037
    email-alert from a@b.c
    email-alert to a@b.c
    email-alert level alert
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server HomeAssistant 192.168.80.21:8123 resolve-prefer ipv4

# Backend: PhotoPrism (PhotoPrism App on TrueNAS)
backend PhotoPrism
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server PhotoPrism 192.168.80.30:2342

# Backend: Syncthing (Syncthing on TRueNAS)
backend Syncthing
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Syncthing 192.168.80.17:20910

# Backend: Paperless (paperless-ngx DMS)
backend Paperless
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server PaperLess 192.168.80.30:8000

# Backend: FileBrowser (filebrowser on TrueNAS)
backend FileBrowser
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server FileBrowser 192.168.80.17:10187

# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580

# Backend: SSL-backend (SSL backend pool)
backend SSL-backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server SSL_server 127.4.4.3 send-proxy-v2 check-send-proxy

# Backend: Libre_photos_backend (LibrePhotos in VM)
backend Libre_photos_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server LibrePhotos 192.168.80.30:3000

# Backend: Nextcloud_Backend (Nextcloud Backend)
backend Nextcloud_Backend
    # health checking is DISABLED
    email-alert mailers 64fcc379c27b34.94392037
    email-alert from a@b.c
    email-alert to a@b.c
    email-alert level alert
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Nextcloud 192.168.80.30:80 resolve-prefer ipv4

# Backend: Jellyfin_backend (Jellyfin in VM)
backend Jellyfin_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Jellyfin 192.168.80.30:8096

# Backend: PaperMerge (papermerge DMS)
backend PaperMerge
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server PaperMerge 192.168.80.17:10141



listen local_statistics
    bind            127.0.0.1:8822
    mode            http
    stats uri       /haproxy?stats
    stats realm     HAProxy\ statistics
    stats admin     if TRUE

# remote statistics are DISABLED

frontend prometheus_exporter
   bind *:8404
   mode http
   http-request use-service prometheus-exporter if { path /metrics }


should I switch to nginx as reverse proxy ???

really?
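
Added example, not part of the original post and not HAProxy's own code: the log message above comes from listeners bound with `accept-proxy`, which expect every connection to begin with a PROXY protocol header such as `send-proxy-v2` produces. This Python code classifies the first bytes of a connection against the published PROXY protocol v1/v2 layout; the function names and all sample bytes are constructed for illustration.

```python
import ipaddress
import struct

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte magic from the PROXY protocol spec
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ")


def parse_v1(data):
    """Parse a text header: 'PROXY TCP4 <src> <dst> <sport> <dport>' + CRLF."""
    end = data.find(b"\r\n")
    if end == -1 or end + 2 > 107:  # spec: at most 107 bytes including CRLF
        raise ValueError("unterminated or oversized v1 header")
    fields = data[:end].decode("ascii").split(" ")
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        return {"proto": "UNKNOWN", "src": None, "dst": None}
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed v1 header")
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    return {"proto": fields[1],
            "src": (str(src), int(fields[4])),
            "dst": (str(dst), int(fields[5]))}


def parse_v2(data):
    """Parse the binary header: signature, ver/cmd, family/proto, length, addresses."""
    if len(data) < 16:
        raise ValueError("truncated v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2 or (ver_cmd & 0x0F) not in (0, 1):
        raise ValueError("bad version or command")
    body = data[16:16 + length]
    if len(body) < length:
        raise ValueError("truncated v2 address block")
    if ver_cmd & 0x0F == 0:  # LOCAL: sent by the proxy itself, carries no client address
        return {"proto": "LOCAL", "src": None, "dst": None}
    if fam_proto == 0x11 and length >= 12:      # TCP over IPv4
        src, dst, sport, dport = struct.unpack("!4s4sHH", body[:12])
        proto = "TCP4"
    elif fam_proto == 0x21 and length >= 36:    # TCP over IPv6
        src, dst, sport, dport = struct.unpack("!16s16sHH", body[:36])
        proto = "TCP6"
    else:
        return {"proto": "UNSPEC", "src": None, "dst": None}
    return {"proto": proto,
            "src": (str(ipaddress.ip_address(src)), sport),
            "dst": (str(ipaddress.ip_address(dst)), dport)}


def classify(first_bytes):
    """Say what a listener that expects a PROXY header was actually handed."""
    if first_bytes.startswith(V2_SIGNATURE):
        return {"kind": "proxy-v2", "has_proxy_header": True, **parse_v2(first_bytes)}
    if first_bytes.startswith(b"PROXY "):
        return {"kind": "proxy-v1", "has_proxy_header": True, **parse_v1(first_bytes)}
    if len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        kind = "tls-client-hello"   # TLS handshake record arriving without a header
    elif first_bytes.startswith(HTTP_METHODS):
        kind = "http-request"       # plain HTTP arriving without a header
    else:
        kind = "unknown"
    return {"kind": kind, "has_proxy_header": False,
            "proto": None, "src": None, "dst": None}


def build_v2_tcp4(src, sport, dst, dport):
    """Build a v2 PROXY/TCP4 header (helper used only for the constructed sample)."""
    addrs = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
             + struct.pack("!HH", sport, dport))
    return V2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(addrs)) + addrs


# Constructed samples (documentation address ranges, not taken from the post).
SAMPLES = {
    "via proxy, v2": build_v2_tcp4("203.0.113.7", 41647, "192.0.2.10", 443) + b"\x16\x03\x01",
    "via proxy, v1": b"PROXY TCP4 203.0.113.7 192.0.2.10 41645 80\r\nGET / HTTP/1.1\r\n",
    "direct HTTP": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "direct TLS": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, "->", classify(payload))
```

A listener with `accept-proxy` takes the client address from this header, so it should only be reachable from the proxy that adds it.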
#6
What do I have to put in the input field in the OPNsense GUI?

Whatever I try, I get this error:
"SELFHOSTDNS_MAP must contain the fulldomain incl. prefix and at least one RID"

I did create 2 TXT records in selfhost.de and I do have the RIDs

but
_acme_challenge.mydomain.selfhost.eu:123456:54327
or

_acme_challenge.mydomain.selfhost.eu:123456:54327
alias.mydomain.selfhost.eu:111445


does not work.

Is it in the wrong format?
#8
Does this Service an OPNsense (major) release update?
#9
Quote from: vpx on August 07, 2023, 11:59:31 AM
Try configuring the WAN side on the OPNsense with a static IP instead of DHCP, and disable the DHCP server on the Fritz!Box.

I'll try that at the weekend :-)

but: won't that blow up in my face as soon as the Fritzbox gets a new prefix from Telekom? Then all addresses in the LAN are suddenly wrong, aren't they?
#10
Quote from: Patrick M. Hausen on August 06, 2023, 06:44:18 PM
There was nothing about Zenarmor in your opening post - or did I miss something? Turn that off. And Suricata too, if you have that enabled as well.

rebooted once more (all three IDS off) (until yesterday it did work with those three things, after all)

now it works again on the HP notebook - but nothing has changed on the other machine; it still does not work there.

On the notebook:

hp8760w:~ # systemctl status NetworkManager
● NetworkManager.service - Network Manager
     Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; enabled; vendor preset: disabled)
    Drop-In: /usr/lib/systemd/system/NetworkManager.service.d
             └─NetworkManager-ovs.conf
     Active: active (running) since Sun 2023-08-06 15:09:24 CEST; 3h 56min ago
       Docs: man:NetworkManager(8)
   Main PID: 15884 (NetworkManager)
      Tasks: 7 (limit: 4915)
     CGroup: /system.slice/NetworkManager.service
             ├─ 15884 /usr/sbin/NetworkManager --no-daemon
             ├─ 15912 /sbin/dhclient -d -q -sf /usr/lib/nm-dhcp-helper -pf /var/run/NetworkManager/dhclient-eth0.pid -lf /var/lib/NetworkManager/dhclient-7ba00b1d-8cdd-30da-91ad-bb83ed4f7474-eth0.lease -cf /var/lib/Netwo>
             ├─ 15916 /sbin/dhclient -d -q -sf /usr/lib/nm-dhcp-helper -pf /var/run/NetworkManager/dhclient-eth1.pid -lf /var/lib/NetworkManager/dhclient-a2c38991-a7a1-3ca8-9e6c-e22bf075de5c-eth1.lease -cf /var/lib/Netwo>
             ├─ 16263 /sbin/dhclient -d -q -6 -N -sf /usr/lib/nm-dhcp-helper -pf /var/run/NetworkManager/dhclient6-eth0.pid -lf /var/lib/NetworkManager/dhclient6-7ba00b1d-8cdd-30da-91ad-bb83ed4f7474-eth0.lease -cf /var/l>
             └─ 16265 /sbin/dhclient -d -q -6 -N -sf /usr/lib/nm-dhcp-helper -pf /var/run/NetworkManager/dhclient6-eth1.pid -lf /var/lib/NetworkManager/dhclient6-a2c38991-a7a1-3ca8-9e6c-e22bf075de5c-eth1.lease -cf /var/l>
Aug 06 18:58:52 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691341132.8873] manager: NetworkManager state is now CONNECTED_SITE
Aug 06 19:00:11 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691341211.4441] policy: set 'eth0' (eth0) as default for IPv6 routing and DNS
Aug 06 19:00:11 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691341211.7924] policy: set 'Kabelgebundene Verbindung 2 eth1' (eth1) as default for IPv6 routing and DNS
Aug 06 19:00:59 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691341259.2200] dhcp6 (eth1):   valid_lft 7142
Aug 06 19:00:59 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691341259.2201] dhcp6 (eth1):   preferred_lft 4442
Aug 06 19:00:59 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691341259.2201] dhcp6 (eth1):   address 2003:ce:7727:38f5:dd11:3e1c:1edb:920b
Aug 06 19:00:59 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691341259.2201] dhcp6 (eth1):   nameserver '2003:ce:7727:38f5:2a8:2cff:fe68:e3e9'
Aug 06 19:00:59 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691341259.2201] dhcp (eth1):   domain search 'hal9000.dedyn.io.'
Aug 06 19:00:59 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691341259.2201] dhcp6 (eth1): state changed new lease, address=2003:ce:7727:38f5:dd11:3e1c:1edb:920b
Aug 06 19:01:00 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691341260.2251] manager: NetworkManager state is now CONNECTED_GLOBAL
lines 1-25/25 (END)



In this state it now works on the notebook.

Nothing has changed on the other machine.

root@incrediblepbx:~# systemctl status dhcpcd
Warning: The unit file, source configuration file or drop-ins of dhcpcd.service changed on disk. Run 'systemctl daemon-reload' to reload units.
● dhcpcd.service - dhcpcd on all interfaces
   Loaded: loaded (/lib/systemd/system/dhcpcd.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/dhcpcd.service.d
           └─wait.conf
   Active: active (running) since Sat 2023-08-05 23:51:42 CEST; 19h ago
  Process: 303 ExecStart=/usr/lib/dhcpcd5/dhcpcd -q -w (code=exited, status=0/SUCCESS)
Main PID: 593 (dhcpcd)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/dhcpcd.service
           └─593 /sbin/dhcpcd -q -w

Aug 06 18:49:57 incrediblepbx dhcpcd[593]: eth0: adding default route via fe80::2a8:2cff:fe68:e3e9
Aug 06 18:49:58 incrediblepbx dhcpcd[593]: eth0: pid 593 deleted default route via fe80::2a8:2cff:fe68:e3e9
Aug 06 18:50:13 incrediblepbx dhcpcd[593]: eth0: adding default route via fe80::2a8:2cff:fe68:e3e9
Aug 06 18:58:19 incrediblepbx dhcpcd[593]: eth0: Router Advertisement from fe80::2a8:2cff:fe68:e3e9
Aug 06 18:58:19 incrediblepbx dhcpcd[593]: eth0: fe80::2a8:2cff:fe68:e3e9: no longer a default router
Aug 06 18:58:19 incrediblepbx dhcpcd[593]: eth0: deleting default route via fe80::2a8:2cff:fe68:e3e9
Aug 06 19:00:11 incrediblepbx dhcpcd[593]: eth0: Router Advertisement from fe80::2a8:2cff:fe68:e3e9
Aug 06 19:00:11 incrediblepbx dhcpcd[593]: eth0: adding default route via fe80::2a8:2cff:fe68:e3e9
Aug 06 19:00:11 incrediblepbx dhcpcd[593]: eth0: pid 593 deleted default route via fe80::2a8:2cff:fe68:e3e9
Aug 06 19:00:27 incrediblepbx dhcpcd[593]: eth0: adding default route via fe80::2a8:2cff:fe68:e3e9
root@incrediblepbx:~#


#11
Quote from: Patrick M. Hausen on August 06, 2023, 06:44:18 PM
Your opening post said nothing about Zenarmor - or did I miss something? Try turning that off. And Suricata too, if you have that enabled as well.

Both are off, it changed nothing; crowdsec was already off.

I just had to reboot once because I had to switch off the power in the basement briefly. The ping on the HP notebook kept running.

While the firewall was booting there was a phase of about 1500 pings that went through; after that it was over.

It looks as if some service is interfering with IPv6 during boot.



#12
Quote from: vpx23 on August 06, 2023, 02:01:44 PM
What is the output of the following command on the working and the non-working PC?

systemctl status dhcpcd

Now it works again on the one notebook - namely after I switched Zenarmor on the OPNsense from "block" to "monitor only" (though it wasn't active on the WAN interface anyway?)

Hmm, celebrated too early - without my touching anything, "address unreachable" is now back again.

About 200 pings went through, then it stopped again.

And my VPN client reports "reconnecting" every now and then - both the sudden "works again" and the equally sudden "no longer works" coincided with such a reconnect.

Are the interfaces on the OPNsense perhaps being restarted regularly, or going down and being restarted?
How can I find that out?
#13
Quote from: vpx23 on August 06, 2023, 02:01:44 PM
What is the output of the following command on the working and the non-working PC?

systemctl status dhcpcd

On the non-working PC:

root@pbx:~# systemctl status dhcpcd
Warning: The unit file, source configuration file or drop-ins of dhcpcd.service changed on disk. Run 'systemctl daemon-reload' to reload units.
● dhcpcd.service - dhcpcd on all interfaces
   Loaded: loaded (/lib/systemd/system/dhcpcd.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/dhcpcd.service.d
           └─wait.conf
   Active: active (running) since Sat 2023-08-05 23:51:42 CEST; 14h ago
  Process: 303 ExecStart=/usr/lib/dhcpcd5/dhcpcd -q -w (code=exited, status=0/SUCCESS)
Main PID: 593 (dhcpcd)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/dhcpcd.service
           └─593 /sbin/dhcpcd -q -w

Aug 06 01:19:04 pbx dhcpcd[593]: eth0: fe80::2a8:2cff:fe68:e3e9: no longer a default router
Aug 06 01:19:04 pbx dhcpcd[593]: eth0: deleting default route via fe80::2a8:2cff:fe68:e3e9
Aug 06 01:20:51 pbx dhcpcd[593]: eth0: Router Advertisement from fe80::2a8:2cff:fe68:e3e9
Aug 06 01:20:51 pbx dhcpcd[593]: eth0: Router Advertisement from fe80::2a8:2cff:fe68:e3e9
Aug 06 01:20:51 pbx dhcpcd[593]: eth0: adding default route via fe80::2a8:2cff:fe68:e3e9
Aug 06 01:20:52 pbx dhcpcd[593]: eth0: pid 593 deleted default route via fe80::2a8:2cff:fe68:e3e9
Aug 06 01:21:07 pbx dhcpcd[593]: eth0: adding default route via fe80::2a8:2cff:fe68:e3e9
Aug 06 10:35:41 pbx dhcpcd[593]: eth0: fe80::2a8:2cff:fe68:e3e9 is reachable again
Aug 06 10:36:08 pbx dhcpcd[593]: eth0: fe80::2a8:2cff:fe68:e3e9 is reachable again
Aug 06 10:36:08 pbx dhcpcd[593]: eth0: fe80::2a8:2cff:fe68:e3e9 is reachable again
root@incrediblepbx:~#


On the PC where it works, today after restarting the PC it suddenly no longer works either :-(

Yes, I had restarted it yesterday too, and it worked then ...

I have had that before, though - after x hours it suddenly worked again - huh?

However, no dhcpcd is running on that PC.
It is handled by NetworkManager on that machine, and it says "IPv6 Automatic" there.
NetworkManager then presumably calls dhclient and dhclient6.

hp8760w:~ # systemctl status NetworkManager
● NetworkManager.service - Network Manager
     Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; enabled; vendor preset: disabled)
    Drop-In: /usr/lib/systemd/system/NetworkManager.service.d
             └─NetworkManager-ovs.conf
     Active: active (running) since Sun 2023-08-06 15:09:24 CEST; 4s ago
       Docs: man:NetworkManager(8)
   Main PID: 15884 (NetworkManager)
      Tasks: 8 (limit: 4915)
     CGroup: /system.slice/NetworkManager.service
             ├─ 15884 /usr/sbin/NetworkManager --no-daemon
             ├─ 15912 /sbin/dhclient -d -q -sf /usr/lib/nm-dhcp-helper -pf /var/run/NetworkManager/dhclient-eth0.pid -lf /var/lib/NetworkManager/dhclient-7ba00b1d-8cdd-30da-91ad-bb83ed4f7474-eth0.lease -cf /var/lib/Netwo>
             ├─ 15916 /sbin/dhclient -d -q -sf /usr/lib/nm-dhcp-helper -pf /var/run/NetworkManager/dhclient-eth1.pid -lf /var/lib/NetworkManager/dhclient-a2c38991-a7a1-3ca8-9e6c-e22bf075de5c-eth1.lease -cf /var/lib/Netwo>
             ├─ 16263 /sbin/dhclient -d -q -6 -N -sf /usr/lib/nm-dhcp-helper -pf /var/run/NetworkManager/dhclient6-eth0.pid -lf /var/lib/NetworkManager/dhclient6-7ba00b1d-8cdd-30da-91ad-bb83ed4f7474-eth0.lease -cf /var/l>
             └─ 16265 /sbin/dhclient -d -q -6 -N -sf /usr/lib/nm-dhcp-helper -pf /var/run/NetworkManager/dhclient6-eth1.pid -lf /var/lib/NetworkManager/dhclient6-a2c38991-a7a1-3ca8-9e6c-e22bf075de5c-eth1.lease -cf /var/l>

Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691327368.2793] dhcp6 (eth0):   address 2003:ce:7727:38f5:380d:fa06:4bff:3d7c
Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691327368.2793] dhcp6 (eth0):   nameserver '2003:ce:7727:38f5:2a8:2cff:fe68:e3e9'
Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691327368.2793] dhcp (eth0):   domain search 'hal9000.dedyn.io.'
Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691327368.2793] dhcp6 (eth0): state changed new lease, address=2003:ce:7727:38f5:380d:fa06:4bff:3d7c
Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691327368.2800] dhcp6 (eth1):   valid_lft 7200
Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691327368.2800] dhcp6 (eth1):   preferred_lft 4500
Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691327368.2800] dhcp6 (eth1):   address 2003:ce:7727:38f5:dd11:3e1c:1edb:920b
Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691327368.2800] dhcp6 (eth1):   nameserver '2003:ce:7727:38f5:2a8:2cff:fe68:e3e9'
Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691327368.2800] dhcp (eth1):   domain search 'hal9000.dedyn.io.'
Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691327368.2801] dhcp6 (eth1): state changed new lease, address=2003:ce:7727:38f5:dd11:3e1c:1edb:920b
lines 1-25/25 (END)




#14
Quote from: Maurice on August 05, 2023, 11:12:29 PM
In the failed traceroute nothing comes back even from the first hop, i.e. from OPNsense itself. Can OPNsense be pinged from the problematic machine? Can the problematic address be pinged from OPNsense? Is the problematic address in OPNsense's NDP table?

I think OpenVPN is a red herring.

Regards
Maurice

Yes, something does come through. The ping goes from the machine into the OPNsense LAN and is visible going out on the WAN interface; the returning packet from outside is then also visible on the OPNsense's WAN interface, but goes no further.

Machine:  2001:db8:7727:38f5:d3c6:2fef:f75f:adc
Destination on the Internet: 2a02:26f0:b200:3a1::b33

Machine, outgoing:
root@incrediblepbx:~# tcpdump -i eth0 -n | grep 2a02:26f0:e200:5b3::b33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
20:49:32.760274 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 141, length 64


OPNsense, incoming on the LAN interface: the ICMP packet arrives there, but no packet comes back

root@OPNsense:~ # tcpdump -i igb3 -n | grep 2a02:26f0:e200:5b3::b33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb3, link-type EN10MB (Ethernet), capture size 262144 bytes
20:52:11.879675 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 294, length 64


OPNsense WAN: an ICMP packet goes out to the Internet and one also comes back from the Internet

root@OPNsense:~ # tcpdump -i igb1 -n | grep 2a02:26f0:e200:5b3::b33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb1, link-type EN10MB (Ethernet), capture size 262144 bytes


Outgoing:

20:53:21.559708 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 361, length 64

and the reply packet also comes back from outside

20:53:21.567598 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 361, length 64


and then (also from the OPNsense's WAN interface) comes the message that the internal machine is unreachable. So the returning packet is not passed on from the WAN to the LAN interface inside the OPNsense

20:53:22.487554 IP6 2001:db8:7727:3800:2a8:2cff:fe68:e3e7 > 2a02:26f0:e200:5b3::b33: ICMP6, destination unreachable, unreachable address 2001:db8:7727:38f5:d3c6:2fef:f75f:adc, length 112

--------------------------

Reachability machine <-> OPNsense in the LAN

Machine:
root@pbx:~# ifconfig eth0
eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.168.80.12  netmask 255.255.255.0  broadcast 192.168.80.255
        inet6 2003:ce:7727:38f5:fbda:b793:551c:ffe6  prefixlen 64  scopeid 0x0<global>
        inet6 2003:ce:7727:38f5:fe75:58fe:b591:b7c1  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::253f:d661:3f12:9723  prefixlen 64  scopeid 0x20<link>
        inet6 2003:ce:7727:38f5:7d8d:9f4:5a7:3f69  prefixlen 64  scopeid 0x0<global>
        inet6 2003:ce:7727:38f5:37be:d90:66f3:befc  prefixlen 64  scopeid 0x0<global>
        ether dc:a6:32:2d:5d:17  txqueuelen 1000  (Ethernet)
        RX packets 2779584  bytes 1500531414 (1.3 GiB)
        RX errors 0  dropped 1  overruns 0  frame 0
        TX packets 1932477  bytes 621500411 (592.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@pbx:~#


root@pbx:~# ip -6 r
::1 dev lo proto kernel metric 256 pref medium
2003:ce:7727:38f5::/64 dev eth0 proto ra metric 202 mtu 1500 pref medium
2003:ce:7727:38f5::/64 dev eth0 proto kernel metric 256 expires 86157sec pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::2a8:2cff:fe68:e3e9 dev eth0 proto ra metric 202 mtu 1500 pref medium
default via fe80::2a8:2cff:fe68:e3e9 dev eth0 proto ra metric 1024 expires 1557sec hoplimit 64 pref medium
root@pbx:~#


OPNsense

WAN
root@OPNsense:~ # ifconfig igb1
igb1: flags=8b63<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: WAN (wan)
        options=4800028<VLAN_MTU,JUMBO_MTU,NOMAP>
        ether 00:a8:2c:68:e3:e7
        inet 192.168.178.3 netmask 0xffffff00 broadcast 192.168.178.255
        inet6 fe80::2a8:2cff:fe68:e3e7%igb1 prefixlen 64 scopeid 0x2
        inet6 2003:ce:7727:3800:2a8:2cff:fe68:e3e7 prefixlen 64 autoconf
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>


LAN
root@OPNsense:~ # ifconfig igb3
igb3: flags=8b63<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: LAN (lan)
        options=4900028<VLAN_MTU,JUMBO_MTU,NETMAP,NOMAP>
        ether 00:a8:2c:68:e3:e9
        inet6 fe80::2a8:2cff:fe68:e3e9%igb3 prefixlen 64 scopeid 0x4
        inet6 2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 prefixlen 64
        inet 192.168.80.2 netmask 0xffffff00 broadcast 192.168.80.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
root@OPNsense:~ #


Machine to OPNsense

To the OPNsense's LAN interface:

root@pbx:~# ping -6 -n -c3 fe80::2a8:2cff:fe68:e3e9%eth0
PING fe80::2a8:2cff:fe68:e3e9%eth0(fe80::2a8:2cff:fe68:e3e9%eth0) 56 data bytes
64 bytes from fe80::2a8:2cff:fe68:e3e9%eth0: icmp_seq=1 ttl=64 time=0.190 ms
64 bytes from fe80::2a8:2cff:fe68:e3e9%eth0: icmp_seq=2 ttl=64 time=0.246 ms
64 bytes from fe80::2a8:2cff:fe68:e3e9%eth0: icmp_seq=3 ttl=64 time=0.209 ms

--- fe80::2a8:2cff:fe68:e3e9%eth0 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 45ms
rtt min/avg/max/mdev = 0.190/0.215/0.246/0.023 ms
root@pbx:~#


root@pbx:~# ping -6 -n -c3 2003:ce:7727:38f5:2a8:2cff:fe68:e3e9
PING 2003:ce:7727:38f5:2a8:2cff:fe68:e3e9(2003:ce:7727:38f5:2a8:2cff:fe68:e3e9) 56 data bytes

--- 2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 105ms

root@pbx:~# ^C
root@pbx:~#


To the OPNsense's WAN interface:

root@pbx:~# ping -6 -n -c3 2003:ce:7727:3800:2a8:2cff:fe68:e3e7
PING 2003:ce:7727:3800:2a8:2cff:fe68:e3e7(2003:ce:7727:3800:2a8:2cff:fe68:e3e7) 56 data bytes
^C
--- 2003:ce:7727:3800:2a8:2cff:fe68:e3e7 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 64ms

root@pbx:~#


root@pbx:~# ping -6 -n -c3 fe80::2a8:2cff:fe68:e3e7%eth0
PING fe80::2a8:2cff:fe68:e3e7%eth0(fe80::2a8:2cff:fe68:e3e7%eth0) 56 data bytes
^C
--- fe80::2a8:2cff:fe68:e3e7%eth0 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 106ms

root@pbx:~#



From the OPNsense to the machine:

root@OPNsense:~ # ping -c3 -n fe80::253f:d661:3f12:9723
PING6(56=40+8+8 bytes) fe80::2a8:2cff:fe68:e3e7%igb1 --> fe80::253f:d661:3f12:9723

--- fe80::253f:d661:3f12:9723 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
root@OPNsense:~ #


Oops - the OPNsense tries it on the wrong interface - that is the WAN interface igb1, that cannot work

If I specify the LAN interface explicitly, then it works:

root@OPNsense:~ # ping -c3 -n fe80::253f:d661:3f12:9723%igb3
PING6(56=40+8+8 bytes) fe80::2a8:2cff:fe68:e3e9%igb3 --> fe80::253f:d661:3f12:9723%igb3
16 bytes from fe80::253f:d661:3f12:9723%igb3, icmp_seq=0 hlim=64 time=0.245 ms
16 bytes from fe80::253f:d661:3f12:9723%igb3, icmp_seq=1 hlim=64 time=0.307 ms
16 bytes from fe80::253f:d661:3f12:9723%igb3, icmp_seq=2 hlim=64 time=0.231 ms

--- fe80::253f:d661:3f12:9723%igb3 ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.231/0.261/0.307/0.033 ms
root@OPNsense:~ #


root@OPNsense:~ # ping -c3 -n 2003:ce:7727:38f5:fbda:b793:551c:ffe6
PING6(56=40+8+8 bytes) 2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 --> 2003:ce:7727:38f5:fbda:b793:551c:ffe6
^C
--- 2003:ce:7727:38f5:fbda:b793:551c:ffe6 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
root@OPNsense:~ # ping -c3 -n -I igb3 2003:ce:7727:38f5:fbda:b793:551c:ffe6
PING6(56=40+8+8 bytes) 2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 --> 2003:ce:7727:38f5:fbda:b793:551c:ffe6
^C
--- 2003:ce:7727:38f5:fbda:b793:551c:ffe6 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
root@OPNsense:~ #

root@OPNsense:~ # ping -c3 -n 2003:ce:7727:38f5:fe75:58fe:b591:b7c1
PING6(56=40+8+8 bytes) 2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 --> 2003:ce:7727:38f5:fe75:58fe:b591:b7c1
^C
--- 2003:ce:7727:38f5:fe75:58fe:b591:b7c1 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
root@OPNsense:~ #

root@OPNsense:~ # ping -c3 -n 2003:ce:7727:38f5:7d8d:9f4:5a7:3f69
PING6(56=40+8+8 bytes) 2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 --> 2003:ce:7727:38f5:7d8d:9f4:5a7:3f69
^C
--- 2003:ce:7727:38f5:7d8d:9f4:5a7:3f69 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
root@OPNsense:~ #

PING6(56=40+8+8 bytes) 2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 --> 2003:ce:7727:38f5:37be:d90:66f3:befc
^C
--- 2003:ce:7727:38f5:37be:d90:66f3:befc ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
root@OPNsense:~ #


NDP table

root@OPNsense:~ # ndp -a -n
Neighbor                             Linklayer Address  Netif Expire    1s 5s
fe80::1814:d233:8c33:45fa%igb3       00:50:b6:d3:1a:5e   igb3 23h55m48s S
fe80::64f3:bb8:ee5d:b042%igb3        04:7d:7b:65:2f:95   igb3 23h59m55s S
fe80::fb0c:6d33:3eea:a995%igb3       00:50:b6:c8:17:97   igb3 23h32m18s S
fe80::221:62ff:fead:3c00%igb3        00:21:62:ad:3c:00   igb3 17s       R
2003:ce:7727:38f5:380d:fa06:4bff:3d7c (incomplete)       igb3 expired   I  3
2003:ce:7727:38f5:fcb8:d097:3607:e2cb 00:50:b6:c8:17:97  igb3 23h13m40s S
fe80::253f:d661:3f12:9723%igb3       dc:a6:32:2d:5d:17   igb3 23h53m22s S R
2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 00:a8:2c:68:e3:e9   igb3 permanent R
fe80::aee2:d3ff:febf:86bb%igb3       ac:e2:d3:bf:86:bb   igb3 23h48m37s S
fe80::e611:5bff:fe27:e98c%igb3       e4:11:5b:27:e9:8c   igb3 12s       R
fe80::2a8:2cff:fe68:e3e9%igb3        00:a8:2c:68:e3:e9   igb3 permanent R
2003:ce:7727:38f5:814a:af78:2f5f:a4c9 8c:04:ba:01:65:25  igb3 23h35m4s  S
2003:ce:7727:38f5:8c1:6b01:a4b1:b2fa 04:7d:7b:65:2f:95   igb3 17s       R
fe80::a7bf:90c6:15e3:bed6%igb3       8c:04:ba:01:65:25   igb3 23h45m20s S
fe80::184a:67ce:f114:e584%igb2       6e:f4:5b:37:a8:47   igb2 22s       R
2003:ce:7727:38f0:3545:1f82:f2c9:e678 6e:f4:5b:37:a8:47  igb2 15h40m3s  S
fe80::c72a:bdd7:591b:9059%igb2       24:18:1d:49:8c:50   igb2 23h59m4s  S
fe80::227:15ff:fe51:81c0%igb2        00:27:15:51:81:c0   igb2 29s       R
2003:ce:7727:38f0:b443:718f:a400:9278 6e:f4:5b:37:a8:47  igb2 7s        R
fe80::998a:ed50:fab3:db81%igb2       64:5d:f4:14:e4:bb   igb2 23h59m57s S
2003:ce:7727:38f0:52d4:f7ff:fe14:db82 50:d4:f7:14:db:82  igb2 16h19m38s S R
fe80::52d4:f7ff:fe14:db82%igb2       50:d4:f7:14:db:82   igb2 23h29m40s S R
2003:ce:7727:38f0:cc80:a0b2:dab9:5d4b 6e:f4:5b:37:a8:47  igb2 20h7m53s  S
fe80::a62b:b0ff:fec3:58e%igb2        a4:2b:b0:c3:05:8e   igb2 23h46m17s S R
2003:ce:7727:38f0:f9d0:c36c:bb9a:1543 6e:f4:5b:37:a8:47  igb2 15h55m23s S
2003:ce:7727:38f0:1ad6:c7ff:fee8:b879 18:d6:c7:e8:b8:79  igb2 16h51m26s S R
fe80::1ad6:c7ff:fee8:b879%igb2       18:d6:c7:e8:b8:79   igb2 18h52m8s  S R
2003:ce:7727:38f0:d461:b2b3:c7b3:bdb2 6e:f4:5b:37:a8:47  igb2 15h29m3s  S
2003:ce:7727:38f0:286f:5db3:ff7a:8990 00:27:15:51:81:c0  igb2 21h11m55s S
fe80::80a7:7dff:fe40:dad9%igb2       82:a7:7d:40:da:d9   igb2 23h59m31s S R
2003:ce:7727:38f0:19d3:d0f4:f349:1433 24:18:1d:49:8c:50  igb2 16h55m3s  S
2003:ce:7727:38f0:2a8:2cff:fe68:e3e8 00:a8:2c:68:e3:e8   igb2 permanent R
fe80::2a8:2cff:fe68:e3e8%igb2        00:a8:2c:68:e3:e8   igb2 permanent R
2003:ce:7727:38f0:61b2:2477:a04a:9a0e a4:2b:b0:c3:05:8e  igb2 17h40m23s S R
2003:ce:7727:3800:9a9b:cbff:fe08:3ca0 98:9b:cb:08:3c:a0  igb1 10h55m48s S R
fe80::9a9b:cbff:fe08:3ca0%igb1       98:9b:cb:08:3c:a0   igb1 17s       R R
2003:ce:7727:3800:2a8:2cff:fe68:e3e7 00:a8:2c:68:e3:e7   igb1 permanent R
fe80::2a8:2cff:fe68:e3e7%igb1        00:a8:2c:68:e3:e7   igb1 permanent R
root@OPNsense:~ #


and only for the LAN interface:

root@OPNsense:~ # ndp -a -n | grep igb3
fe80::1814:d233:8c33:45fa%igb3       00:50:b6:d3:1a:5e   igb3 23h56m59s S
fe80::64f3:bb8:ee5d:b042%igb3        04:7d:7b:65:2f:95   igb3 22s       R
fe80::fb0c:6d33:3eea:a995%igb3       00:50:b6:c8:17:97   igb3 23h28m29s S
fe80::221:62ff:fead:3c00%igb3        00:21:62:ad:3c:00   igb3 17s       R
2003:ce:7727:38f5:380d:fa06:4bff:3d7c (incomplete)       igb3 1s        I  2
2003:ce:7727:38f5:fcb8:d097:3607:e2cb 00:50:b6:c8:17:97  igb3 23h9m52s  S
fe80::253f:d661:3f12:9723%igb3       dc:a6:32:2d:5d:17   igb3 23h49m33s S R
2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 00:a8:2c:68:e3:e9   igb3 permanent R
fe80::aee2:d3ff:febf:86bb%igb3       ac:e2:d3:bf:86:bb   igb3 23h59m27s S
fe80::e611:5bff:fe27:e98c%igb3       e4:11:5b:27:e9:8c   igb3 12s       R
fe80::2a8:2cff:fe68:e3e9%igb3        00:a8:2c:68:e3:e9   igb3 permanent R
2003:ce:7727:38f5:814a:af78:2f5f:a4c9 8c:04:ba:01:65:25  igb3 23h31m15s S
2003:ce:7727:38f5:8c1:6b01:a4b1:b2fa 04:7d:7b:65:2f:95   igb3 12s       R
fe80::a7bf:90c6:15e3:bed6%igb3       8c:04:ba:01:65:25   igb3 23h41m32s S
root@OPNsense:~ #


Settings:

root@OPNsense:~ # ndp -n -i igb3
linkmtu=0, maxmtu=1500, curhlim=64, basereachable=30s0ms, reachable=27s, retrans=1s0ms
Flags: nud auto_linklocal
root@OPNsense:~ # ndp -n -i igb1
linkmtu=1492, maxmtu=1500, curhlim=255, basereachable=30s0ms, reachable=39s, retrans=1s0ms
Flags: nud accept_rtadv auto_linklocal
root@OPNsense:~ #
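
The NDP-table check asked for in the quoted question, as an added example that is not part of the original post: it cross-references a host's addresses against `ndp -a -n` output for one interface and reports each as resolved, incomplete or missing. The table excerpt and the host addresses are copied from the outputs in the post; the function names are this example's own.

```python
import ipaddress

# Excerpt of the `ndp -a -n` output posted above (igb3 is the LAN interface).
NDP_OUTPUT = """\
Neighbor                             Linklayer Address  Netif Expire    1s 5s
fe80::221:62ff:fead:3c00%igb3        00:21:62:ad:3c:00   igb3 17s       R
2003:ce:7727:38f5:380d:fa06:4bff:3d7c (incomplete)       igb3 expired   I  3
2003:ce:7727:38f5:fcb8:d097:3607:e2cb 00:50:b6:c8:17:97  igb3 23h13m40s S
fe80::253f:d661:3f12:9723%igb3       dc:a6:32:2d:5d:17   igb3 23h53m22s S R
2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 00:a8:2c:68:e3:e9   igb3 permanent R
2003:ce:7727:38f5:8c1:6b01:a4b1:b2fa 04:7d:7b:65:2f:95   igb3 17s       R
"""

# Addresses of the affected host, from its `ifconfig eth0` output above.
HOST_ADDRESSES = [
    "fe80::253f:d661:3f12:9723",
    "2003:ce:7727:38f5:fbda:b793:551c:ffe6",
    "2003:ce:7727:38f5:fe75:58fe:b591:b7c1",
    "2003:ce:7727:38f5:7d8d:9f4:5a7:3f69",
    "2003:ce:7727:38f5:37be:d90:66f3:befc",
]


def parse_ndp(text):
    """Parse `ndp -a -n` output into a list of neighbor entries."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        addr_txt, lladdr, netif, expire, state = fields[:5]
        try:
            # Link-local entries carry a zone suffix such as %igb3; drop it.
            addr = ipaddress.IPv6Address(addr_txt.split("%", 1)[0])
        except ValueError:
            continue  # header line, shell prompt or other non-entry text
        entries.append({"addr": addr, "lladdr": lladdr, "netif": netif,
                        "expire": expire, "state": state})
    return entries


def check_host(addresses, ndp_text, netif):
    """Return {address: 'resolved' | 'incomplete' | 'missing'} for one interface."""
    table = {e["addr"]: e for e in parse_ndp(ndp_text) if e["netif"] == netif}
    result = {}
    for txt in addresses:
        entry = table.get(ipaddress.IPv6Address(txt))
        if entry is None:
            result[txt] = "missing"        # no neighbor cache entry at all
        elif entry["lladdr"] == "(incomplete)" or entry["state"] == "I":
            result[txt] = "incomplete"     # solicitation sent, no answer yet
        else:
            result[txt] = "resolved"       # a link-layer address is known
    return result


if __name__ == "__main__":
    for addr, status in check_host(HOST_ADDRESSES, NDP_OUTPUT, "igb3").items():
        print(f"{status:10} {addr}")
```

On this excerpt only the link-local address of the host is resolved; its four global addresses have no entry on igb3.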
#15
Part 4

So, and now for comparison the tcpdumps from the machine on which it works:


hp8760w:~ # tcpdump -i eth1 -n | grep 2a02:26f0:e200:4b4::1e89
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
21:35:19.957922 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, id 78, seq 22, length 64
21:35:20.029451 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, id 78, seq 22, length 64
21:35:20.959580 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, id 78, seq 23, length 64
21:35:20.968216 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, id 78, seq 23, length 64
21:35:21.961375 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, id 78, seq 24, length 64
21:35:21.969979 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, id 78, seq 24, length 64
21:35:22.963142 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, id 78, seq 25, length 64
21:35:22.971996 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, id 78, seq 25, length 64
21:35:23.964175 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, id 78, seq 26, length 64
21:35:23.972952 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, id 78, seq 26, length 64
^C227 packets captured
261 packets received by filter
0 packets dropped by kernel


LAN OPNsense

root@OPNsense:/var/log/filter # tcpdump -i igb3 -n | grep 2a02:26f0:e200:4b4::1e89
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb3, link-type EN10MB (Ethernet), capture size 262144 bytes
21:36:59.119427 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, seq 121, length 64
21:36:59.126687 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, seq 121, length 64
21:37:00.121326 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, seq 122, length 64
21:37:00.128469 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, seq 122, length 64
21:37:01.149932 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, seq 123, length 64
21:37:01.157226 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, seq 123, length 64
21:37:02.124897 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, seq 124, length 64
21:37:02.131931 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, seq 124, length 64
21:37:03.126572 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, seq 125, length 64
21:37:03.133653 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, seq 125, length 64
^C3398 packets captured
3522 packets received by filter
0 packets dropped by kernel


WAN


root@OPNsense:/var/log/filter # tcpdump -i igb1 -n | grep 2a02:26f0:e200:4b4::1e89
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb1, link-type EN10MB (Ethernet), capture size 262144 bytes
#21:38:01.217903 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, seq 183, length 64
21:38:01.224961 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, seq 183, length 64
21:38:02.219703 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, seq 184, length 64
21:38:02.226946 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, seq 184, length 64
21:38:03.221636 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, seq 185, length 64
21:38:03.228769 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, seq 185, length 64
^C1013 packets captured
1180 packets received by filter
0 packets dropped by kernel

root@OPNsense:/var/log/filter #

root@OPNsense:/var/log/filter # grep 2001:db8:7727:38f5:dd11:3e1c:1edb:920 latest.log
<134>1 2023-08-05T19:23:12+02:00 OPNsense.hal9000.dedyn.io filterlog 62922 - [meta sequenceId="17607465"] 106,,,ba70dc1769980afe65cbac8576cee233,igb1,match,pass,out,6,0x00,0x00000,255,ipv6-icmp,58,16,2001:db8:7727:3800:2a8:2cff:fe68:e3e7,2a02:26f0:e200:4b4::1e89,datalength=16
<134>1 2023-08-05T21:31:39+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19851254"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x1fcbc,63,ipv6-icmp,58,64,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2a02:26f0:e200:4b4::1e89,datalength=64
<134>1 2023-08-05T21:31:53+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19854824"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x1fcbc,63,ipv6-icmp,58,64,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2a02:26f0:e200:4b4::1e89,datalength=64
<134>1 2023-08-05T21:34:59+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19905025"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x1fcbc,63,ipv6-icmp,58,64,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2a02:26f0:e200:4b4::1e89,datalength=64
root@OPNsense:/var/log/filter #


root@OPNsense:/var/log/filter # grep 2a02:26f0:e200:4b4::1e89 latest.log
<134>1 2023-08-05T21:36:27+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19927532"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x587d1,63,tcp,6,40,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2001:67c:2178:8::16,48810,80,0,S,966549707,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T21:36:47+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19935829"] 100,,,fae559338f65e11c53669fc3642c93c2,igb3,match,pass,out,6,0x00,0x00000,255,ipv6-icmp,58,32,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,datalength=32
<134>1 2023-08-05T21:36:47+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19935867"] 20,,,1d245529367b2e34eeaff16086aeafe9,igb3,match,pass,in,6,0x00,0x00000,255,ipv6-icmp,58,24,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,datalength=24
<134>1 2023-08-05T21:37:16+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19944912"] 20,,,1d245529367b2e34eeaff16086aeafe9,igb3,match,pass,in,6,0x00,0x00000,255,ipv6-icmp,58,24,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,datalength=24
<134>1 2023-08-05T21:37:45+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19950043"] 100,,,fae559338f65e11c53669fc3642c93c2,igb3,match,pass,out,6,0x00,0x00000,255,ipv6-icmp,58,32,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,datalength=32
<134>1 2023-08-05T21:37:45+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19950044"] 20,,,1d245529367b2e34eeaff16086aeafe9,igb3,match,pass,in,6,0x00,0x00000,255,ipv6-icmp,58,24,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,datalength=24
<134>1 2023-08-05T21:38:14+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19959159"] 100,,,fae559338f65e11c53669fc3642c93c2,igb3,match,pass,out,6,0x00,0x00000,255,ipv6-icmp,58,32,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,datalength=32
<134>1 2023-08-05T21:38:43+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19968898"] 100,,,fae559338f65e11c53669fc3642c93c2,igb3,match,pass,out,6,0x00,0x00000,255,ipv6-icmp,58,32,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,datalength=32
<134>1 2023-08-05T21:38:43+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19968900"] 20,,,1d245529367b2e34eeaff16086aeafe9,igb3,match,pass,in,6,0x00,0x00000,255,ipv6-icmp,58,24,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,datalength=24
<134>1 2023-08-05T21:39:12+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19976898"] 100,,,fae559338f65e11c53669fc3642c93c2,igb3,match,pass,out,6,0x00,0x00000,255,ipv6-icmp,58,32,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,datalength=32
<134>1 2023-08-05T21:39:12+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19976899"] 20,,,1d245529367b2e34eeaff16086aeafe9,igb3,match,pass,in,6,0x00,0x00000,255,ipv6-icmp,58,24,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,datalength=24
<134>1 2023-08-05T21:39:41+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19981994"] 100,,,fae559338f65e11c53669fc3642c93c2,igb3,match,pass,out,6,0x00,0x00000,255,ipv6-icmp,58,32,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,datalength=32
<134>1 2023-08-05T21:39:41+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19981995"] 20,,,1d245529367b2e34eeaff16086aeafe9,igb3,match,pass,in,6,0x00,0x00000,255,ipv6-icmp,58,24,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,datalength=24
<134>1 2023-08-05T21:39:44+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19982414"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x3c1ae,63,udp,17,56,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2606:4700:f1::1,38143,123,56
<134>1 2023-08-05T21:40:10+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19987814"] 20,,,1d245529367b2e34eeaff16086aeafe9,igb3,match,pass,in,6,0x00,0x00000,255,ipv6-icmp,58,24,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,datalength=24
root@OPNsense:/var/log/filter #

--------------------------

So, an interesting question:

why can the one address be routed back, but the others not, even though they have the same prefix?

Address that works:
2001:db8:7727:38f5:dd11:3e1c:1edb:920b

Address that does not work:
2001:db8:7727:38f5:d3c6:2fef:f75f:adc

Route
2001:db8:7727:38f5::/64            link#4                        U          igb3
2001:db8:7727:38f5:2a8:2cff:fe68:e3e9 link#4                     UHS         lo0


default                           fe80::9a9b:cbff:fe08:3ca0%igb1 UG        igb1
::1                               link#8                        UHS         lo0
2a01:4f8:161:83d1::/64            link#20                       US       ovpnc4
..
fdcb:7d25:175e:d794::/64          link#20                       U        ovpnc4
..
fe80::%ovpnc4/64                  link#20                       U        ovpnc4
fe80::2a8:2cff:fe68:e3e6%ovpnc4   link#20                       UHS         lo0


Why does the OpenVPN interface suddenly come into play for the address that does not work?

How can I find where the misconfiguration lies?

Where could the root of the problem be? Where else can I look?
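
One way to read the filter log for this question, as an added example that is not part of the original post: it parses IPv6 filterlog records and lists, per LAN source address, the interfaces the traffic was passed out on. The sample lines are constructed in the format of the log above, and treating igb1 as the WAN interface is an assumption taken from the default route in the table.

```python
import ipaddress
from collections import defaultdict

# Column names of a pf filterlog record: common part, then the IPv6 header part.
COMMON = ["rulenr", "subrulenr", "anchor", "rid", "iface",
          "reason", "action", "dir", "ipversion"]
IPV6 = ["tclass", "flowlabel", "hoplimit", "proto", "protonum",
        "length", "src", "dst"]

def parse_filterlog(line):
    """Return one IPv6 filterlog line as a dict, or None for anything else."""
    if " filterlog " not in line:
        return None
    # The CSV payload follows the RFC 5424 structured data "[meta ...] ".
    fields = line.rsplit("] ", 1)[-1].strip().split(",")
    if len(fields) < len(COMMON) + len(IPV6) or fields[8] != "6":
        return None
    return dict(zip(COMMON + IPV6, fields))

def egress_by_source(lines, lan_prefix):
    """Map each source in lan_prefix to the interfaces it was passed out on."""
    net = ipaddress.ip_network(lan_prefix)
    seen = defaultdict(set)
    for line in lines:
        rec = parse_filterlog(line)
        if not rec or (rec["action"], rec["dir"]) != ("pass", "out"):
            continue
        src, dst = (ipaddress.ip_address(rec[k]) for k in ("src", "dst"))
        if src in net and dst not in net:  # skip on-link traffic (ND, local ping)
            seen[str(src)].add(rec["iface"])
    return dict(seen)

def not_via(lines, lan_prefix, wan_iface):
    """Sources in lan_prefix that were never passed out through wan_iface."""
    return sorted(s for s, ifs in egress_by_source(lines, lan_prefix).items()
                  if wan_iface not in ifs)

# Constructed sample lines in the format of the log above (not real traffic).
HDR = '<134>1 2023-08-05T21:36:27+02:00 fw.example filterlog 1 - [meta sequenceId="1"] '
SAMPLE = [
    HDR + "100,,,rid0,igb1,match,pass,out,6,0x00,0x587d1,63,tcp,6,40,"
          "2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2001:67c:2178:8::16,48810,80,0,S,1,,64800,,mss",
    HDR + "100,,,rid0,ovpnc4,match,pass,out,6,0x00,0x00000,63,tcp,6,40,"
          "2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2001:67c:2178:8::16,40000,80,0,S,1,,64800,,mss",
    HDR + "100,,,rid0,igb3,match,pass,out,6,0x00,0x00000,255,ipv6-icmp,58,32,"
          "2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,datalength=32",
]
if __name__ == "__main__":
    print(not_via(SAMPLE, "2001:db8:7727:38f5::/64", "igb1"))
```

On the firewall itself, the same functions can be fed `open("/var/log/filter/latest.log")` instead of `SAMPLE`.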