Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - BSAfH42

Pages: [1] 2 3 4

German - Deutsch / kein IPv6 auf LAN nach restore/update auf 24.1.4

« on: March 24, 2024, 07:17:44 pm »

Moin,

um Redundanz (cold standby) aufzubauen, habe ich eine neue Installation von OPNsense 23.7 auf einer Ersatzhardware installiert und die config der produktiven 23.1 Installation dort eingespielt.

Anschließend habe ich die Ersatzmaschine von der Console auf 24.1 geupdated und dann nochmal alles aktualisiert.

Geht auch alles - nur IPv6 geht nicht mehr (Telekom DSL, ich bekomme dort ein /57er delegiert, in der Fritz!Box ist die jetzt aktive Ersatzmaschine als "exposed host" für IPv4 und IPv6 eingestellt, und auch alle anderen IPv6 Einstellungen sind aktiv:

Code: [Select]

IPv6-Einstellungen
PING6 freigeben.
Firewall für delegierte IPv6-Präfixe dieses Gerätes öffnen.
Dieses Gerät komplett für den Internetzugriff über IPv6 freigeben (Exposed Host).

Es ist

Code: [Select]

DNS-Server und IPv6-Präfix (IA_PD) zuweisen

FRITZ!Box wird als DNS-Server via DHCPv6 bekannt gegeben. Teile des vom Internetanbieter zugewiesenen IPv6-Netzes werden an nachgelagerte Router weitergeben.

aktiviert.

Es werden auch Netze delegiert:

Code: [Select]

Verwendete IPv6 Präfixe:
Heimnetz 2003:ce:7710:1700::/64
Gastnetz 2003:ce:7710:1701::/64
WAN  2003:ce:77ff:108f::/64
Delegiert  2003:ce:7710:1780::/57
Delegiert  2003:ce:7710:1740::/58

Und auf der OPNsense kommt auch auf dem WAN Interface IPv6 an (allerdings aus dem "Heimnetz" Bereich, nicht aus dem delegierten /57 !!):

Code: [Select]

WAN (wan)	igb0	 	dhcp	

IPv4
192.168.178.58/24

IPv6
2003:ce:7710:1700:a236:9fff:fe5a:93b0/64
fd29:12:1960:3556:a236:9fff:fe5a:93b0/64
fe80::a236:9fff:fe5a:93b0/64

Gateway
192.168.178.1
fe80::9a9b:cbff:fe08:3ca0

Routes
default
192.168.178.0/24

WAN hat als eine gültige IPv6 Adresse bekommen

aber warum eigentlich, wenn

Code: [Select]

Only request an IPv6 prefix; do not request an IPv6 address. aktiviert ist?? Dann sollte das WAN Interface doch gar keine externe IPv6 Adresse bekommen?

Da ist doch irgendein Wurm drin?

Nur eben auf den internen Interfaces, zB LAN, gibt's kein delegiertes IPv6, sondern nur lokales:

Code: [Select]

LAN (lan)	igb1	 	static	
192.168.80.2/24
192.168.80.1/24

fe80::a236:9fff:fe5a:93b1/64

192.168.80.0/24
fe80::%igb1/64

Interface-Konfiguration:

Das sollte doch eigentlich stimmen?

Router Advertisment sind genau so eingestellt wie bei der produktiven Maschine, also so (Bild aus der neuen Maschine)

Code: [Select]

 Router Advertisements	Assisted
 Router Priority	High
 Source Address	Automatic
 Advertise Default Gateway: yes

DHCPv6 allerdings kommt nicht hoch und zeigt ganz merkwürdige Sachen an:

Code: [Select]

 Enable	YES  Enable DHCPv6 server on LAN interface
 Subnet	<leer>
 Subnet mask	<leer> bits
 Available range:	No available address range for configured interface subnet size.

Häh? fragt die OPNsense gar keine Präfix-Delegation an?
Da stimmt doch irgendwas grundsätzliches nicht?

https://forum.opnsense.org/index.php?topic=34584.0 habe ich versucht, das hilft nicht.

es sieht so aus, als ob das "follow Interface" nicht funktioniert oder aber die Anforderung der Präfix-Delegation tut nicht - aber warum? Es wird ja ein /57 delegiert ...

Die Interface Definition in /conf/config.xml sieht so aus:

Code: [Select]

  <interfaces>
    <wan>
      <if>igb0</if>
      <descr>WAN</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <promisc>1</promisc>
      <ipaddr>dhcp</ipaddr>
      <dhcphostname/>
      <alias-address/>
      <alias-subnet>24</alias-subnet>
      <dhcprejectfrom/>
      <adv_dhcp_pt_timeout/>
      <adv_dhcp_pt_retry/>
      <adv_dhcp_pt_select_timeout/>
      <adv_dhcp_pt_reboot/>
      <adv_dhcp_pt_backoff_cutoff/>
      <adv_dhcp_pt_initial_interval/>
      <adv_dhcp_pt_values>SavedCfg</adv_dhcp_pt_values>
      <adv_dhcp_send_options/>
      <adv_dhcp_request_options/>
      <adv_dhcp_required_options/>
      <adv_dhcp_option_modifiers/>
      <adv_dhcp_config_advanced/>
      <adv_dhcp_config_file_override/>
      <adv_dhcp_config_file_override_path/>
      <ipaddrv6>dhcp6</ipaddrv6>
      <dhcp6-ia-pd-len>7</dhcp6-ia-pd-len>
      <dhcp6-ia-pd-send-hint>1</dhcp6-ia-pd-send-hint>
      <dhcp6prefixonly>1</dhcp6prefixonly>
      <dhcp6usev4iface>1</dhcp6usev4iface>
      <adv_dhcp6_interface_statement_send_options/>
      <adv_dhcp6_interface_statement_request_options/>                                                                                                                                                                                            <adv_dhcp6_interface_statement_information_only_enable/>
      <adv_dhcp6_interface_statement_script/>
      <adv_dhcp6_id_assoc_statement_address_enable/>
      <adv_dhcp6_id_assoc_statement_address/>
      <adv_dhcp6_id_assoc_statement_address_id/>
      <adv_dhcp6_id_assoc_statement_address_pltime/>
      <adv_dhcp6_id_assoc_statement_address_vltime/>
      <adv_dhcp6_id_assoc_statement_prefix_enable/>
      <adv_dhcp6_id_assoc_statement_prefix/>
      <adv_dhcp6_id_assoc_statement_prefix_id/>
      <adv_dhcp6_id_assoc_statement_prefix_pltime/>
      <adv_dhcp6_id_assoc_statement_prefix_vltime/>
      <adv_dhcp6_prefix_interface_statement_sla_len/>
      <adv_dhcp6_authentication_statement_authname/>
      <adv_dhcp6_authentication_statement_protocol/>
      <adv_dhcp6_authentication_statement_algorithm/>
      <adv_dhcp6_authentication_statement_rdm/>
      <adv_dhcp6_key_info_statement_keyname/>
      <adv_dhcp6_key_info_statement_realm/>
      <adv_dhcp6_key_info_statement_keyid/>
      <adv_dhcp6_key_info_statement_secret/>
      <adv_dhcp6_key_info_statement_expire/>
      <adv_dhcp6_config_advanced/>
      <adv_dhcp6_config_file_override/>
      <adv_dhcp6_config_file_override_path/>
    </wan>
    <lan>
      <if>igb1</if>
      <descr>LAN</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <ipaddr>192.168.80.2</ipaddr>
      <subnet>24</subnet>
      <ipaddrv6>track6</ipaddrv6>
      <track6-interface>wan</track6-interface>
      <track6-prefix-id>5</track6-prefix-id>
      <dhcpd6track6allowoverride>1</dhcpd6track6allowoverride>
      <hw_settings_overwrite>1</hw_settings_overwrite>
      <disablechecksumoffloading>1</disablechecksumoffloading>
      <disablesegmentationoffloading>1</disablesegmentationoffloading>
      <disablelargereceiveoffloading>1</disablelargereceiveoffloading>
      <disablevlanhwfilter>1</disablevlanhwfilter>
    </lan>
    <lo0>
      <internal_dynamic>1</internal_dynamic>
      <descr>Loopback</descr>
      <enable>1</enable>
      <if>lo0</if>
      <ipaddr>127.0.0.1</ipaddr>
      <ipaddrv6>::1</ipaddrv6>
      <subnet>8</subnet>
      <subnetv6>128</subnetv6>
      <type>none</type>
      <virtual>1</virtual>
    </lo0>

24.1 Legacy Series / no DHCPv6 after Update to 24.x - no IPv6 address on LAN

« on: March 24, 2024, 05:25:18 pm »

Versions
OPNsense 24.1.4-amd64
FreeBSD 13.2-RELEASE-p10
OpenSSL 3.0.13

I have set up a new machine (to act as a cold standby) with 23.1.x and restored the complete config from the production machine. On the production machine (still on 23.1.7) IPv6 and DHCPv6 work fine.

After that I upgraded the new machine using the "update from console" to 24.1.4

Now I don't have any IPv6 addresses on any of the local interfaces (named LAN, CONSOLE , WLAN and run0_wlan1=WLANUSB) and DHCPv6 does not start at all.

all local interfaces show: (Services --> ISC DHCPv6)

Code: [Select]

Available range No available address range for configured interface subnet size.
I followed https://forum.opnsense.org/index.php?topic=34584.0 but that did not help.

My ISP is Dt. Telekom, and I get a /57 subnet from them. The WAN Interface does get a correct IPv6 address:

Code: [Select]

	WAN (wan)	igb0	 	dhcp	
IPv4 
192.168.178.58/24

IPv6
2003:ce:7710:1700:a236:9fff:fe5a:93b0/64
fd29:12:1960:3556:a236:9fff:fe5a:93b0/64
fe80::a236:9fff:fe5a:93b0/64

Gateway
192.168.178.1
fe80::9a9b:cbff:fe08:3ca0

Routes
default
192.168.178.0/24
default
2003:ce:7710:1700::/64
2003:ce:7710:1700:9a9b:cbff:fe08:3ca0
fd29:12:1960:3556::/64
fd29:12:1960:3556:9a9b:cbff:fe08:3ca0
fe80::%igb0/64

interface definitions are as follows ( /conf/config.xml)

Code: [Select]

  <interfaces>
    <wan>
      <if>igb0</if>
      <descr>WAN</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <promisc>1</promisc>
      <ipaddr>dhcp</ipaddr>
      <dhcphostname/>
      <alias-address/>
      <alias-subnet>24</alias-subnet>
      <dhcprejectfrom/>
      <adv_dhcp_pt_timeout/>
      <adv_dhcp_pt_retry/>
      <adv_dhcp_pt_select_timeout/>
      <adv_dhcp_pt_reboot/>
      <adv_dhcp_pt_backoff_cutoff/>
      <adv_dhcp_pt_initial_interval/>
      <adv_dhcp_pt_values>SavedCfg</adv_dhcp_pt_values>
      <adv_dhcp_send_options/>
      <adv_dhcp_request_options/>
      <adv_dhcp_required_options/>
      <adv_dhcp_option_modifiers/>
      <adv_dhcp_config_advanced/>
      <adv_dhcp_config_file_override/>
      <adv_dhcp_config_file_override_path/>
      <ipaddrv6>dhcp6</ipaddrv6>
      <dhcp6-ia-pd-len>7</dhcp6-ia-pd-len>
      <dhcp6-ia-pd-send-hint>1</dhcp6-ia-pd-send-hint>
      <dhcp6prefixonly>1</dhcp6prefixonly>
      <dhcp6usev4iface>1</dhcp6usev4iface>
      <adv_dhcp6_interface_statement_send_options/>
      <adv_dhcp6_interface_statement_request_options/>                                                                                                                                                                                            <adv_dhcp6_interface_statement_information_only_enable/>
      <adv_dhcp6_interface_statement_script/>
      <adv_dhcp6_id_assoc_statement_address_enable/>
      <adv_dhcp6_id_assoc_statement_address/>
      <adv_dhcp6_id_assoc_statement_address_id/>
      <adv_dhcp6_id_assoc_statement_address_pltime/>
      <adv_dhcp6_id_assoc_statement_address_vltime/>
      <adv_dhcp6_id_assoc_statement_prefix_enable/>
      <adv_dhcp6_id_assoc_statement_prefix/>
      <adv_dhcp6_id_assoc_statement_prefix_id/>
      <adv_dhcp6_id_assoc_statement_prefix_pltime/>
      <adv_dhcp6_id_assoc_statement_prefix_vltime/>
      <adv_dhcp6_prefix_interface_statement_sla_len/>
      <adv_dhcp6_authentication_statement_authname/>
      <adv_dhcp6_authentication_statement_protocol/>
      <adv_dhcp6_authentication_statement_algorithm/>
      <adv_dhcp6_authentication_statement_rdm/>
      <adv_dhcp6_key_info_statement_keyname/>
      <adv_dhcp6_key_info_statement_realm/>
      <adv_dhcp6_key_info_statement_keyid/>
      <adv_dhcp6_key_info_statement_secret/>
      <adv_dhcp6_key_info_statement_expire/>
      <adv_dhcp6_config_advanced/>
      <adv_dhcp6_config_file_override/>
      <adv_dhcp6_config_file_override_path/>
    </wan>
    <lan>
      <if>igb1</if>
      <descr>LAN</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <ipaddr>192.168.80.2</ipaddr>
      <subnet>24</subnet>
      <ipaddrv6>track6</ipaddrv6>
      <track6-interface>wan</track6-interface>
      <track6-prefix-id>5</track6-prefix-id>
      <dhcpd6track6allowoverride>1</dhcpd6track6allowoverride>
      <hw_settings_overwrite>1</hw_settings_overwrite>
      <disablechecksumoffloading>1</disablechecksumoffloading>
      <disablesegmentationoffloading>1</disablesegmentationoffloading>
      <disablelargereceiveoffloading>1</disablelargereceiveoffloading>
      <disablevlanhwfilter>1</disablevlanhwfilter>
    </lan>
    <lo0>
      <internal_dynamic>1</internal_dynamic>
      <descr>Loopback</descr>
      <enable>1</enable>
      <if>lo0</if>
      <ipaddr>127.0.0.1</ipaddr>
      <ipaddrv6>::1</ipaddrv6>
      <subnet>8</subnet>
      <subnetv6>128</subnetv6>
      <type>none</type>
      <virtual>1</virtual>
    </lo0>

Any ideas?

German - Deutsch / IPv6 geht mal und geht mal nicht ...

« on: November 26, 2023, 04:05:59 pm »

Moin,

ich habe eine OPNsense hinter einer Fritz!Box mit Telekom/T-Onbline DSL

Konfiguriert nach dieser Anleitung:
https://docs.opnsense.org/manual/how-tos/ipv6_fb.html

Prinzipiell scheint das alles zu gehen.

Nur, was ist das???

Code: [Select]

root@homeassistant:/etc# ping www.heise.de
PING www.heise.de(www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85)) 56 data bytes
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=1596 ttl=56 time=9.50 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=1597 ttl=56 time=9.62 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=1598 ttl=56 time=13.1 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=1599 ttl=56 time=9.24 ms
^C
--- www.heise.de ping statistics ---
2161 packets transmitted, 1599 received, 26.0065% packet loss, time 2176441ms
rtt min/avg/max/mdev = 9.075/10.228/36.781/2.420 ms
root@homeassistant:/etc# ifconfig ens3
ens3: flags=4675<UP,BROADCAST,RUNNING,ALLMULTI,MULTICAST>  mtu 1500
        inet 192.168.80.21  netmask 255.255.255.0  broadcast 192.168.80.255
        inet6 2003:ce:7704:e81:229d:d67a:185a:91d4  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::8b35:a12c:e957:3332  prefixlen 64  scopeid 0x20<link>
        inet6 2003:ce:7704:e81::2000:f727  prefixlen 128  scopeid 0x0<global>
        ether 00:a0:98:02:85:96  txqueuelen 1000  (Ethernet)
        RX packets 395363619  bytes 1312399161986 (1.1 TiB)
        RX errors 0  dropped 31745609  overruns 0  frame 0
        TX packets 365170660  bytes 1426783920324 (1.2 TiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@homeassistant:/etc# ping www.heise.de
PING www.heise.de(www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85)) 56 data bytes

Das ist eine VM, das gleiche habe ich aber auch gerade mit einem "normalen" PC gehabt.

Sprich: geht eine ganze Zeit, und dann plötzlich nicht mehr.

Eventuell immer dann, wenn der DHCPv6 Lease erneuert wird (mit der gleichen IP ...), kann aber auch Zufall sein.

Ich habe gleichzeitig mehrere Maschinen, VM und Hardware, bei denen es geht....

aber anscheinend auch nur temporär:

dies hier ist auf einer TrueNAS Scale (also Debian):

Code: [Select]

64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4351 ttl=56 time=10.4 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4352 ttl=56 time=10.3 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4353 ttl=56 time=10.6 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4354 ttl=56 time=10.7 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4355 ttl=56 time=10.4 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4356 ttl=56 time=10.5 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4357 ttl=56 time=10.3 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4358 ttl=56 time=10.4 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4359 ttl=56 time=10.5 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4360 ttl=56 time=10.2 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4361 ttl=56 time=10.8 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4362 ttl=56 time=10.3 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4363 ttl=56 time=10.7 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4364 ttl=56 time=10.5 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4365 ttl=56 time=10.4 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4366 ttl=56 time=10.4 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=4367 ttl=56 time=10.4 ms
From OPNsense.hal9000.dedyn.io (2003:ce:7704:e81:921b:eff:fe0c:b068) icmp_seq=4386 Destination unreachable: No route
From OPNsense.hal9000.dedyn.io (2003:ce:7704:e81:921b:eff:fe0c:b068) icmp_seq=4387 Destination unreachable: No route
From OPNsense.hal9000.dedyn.io (2003:ce:7704:e81:921b:eff:fe0c:b068) icmp_seq=4388 Destination unreachable: No route
From OPNsense.hal9000.dedyn.io (2003:ce:7704:e81:921b:eff:fe0c:b068) icmp_seq=4389 Destination unreachable: No route
From OPNsense.hal9000.dedyn.io (2003:ce:7704:e81:921b:eff:fe0c:b068) icmp_seq=4390 Destination unreachable: No route
From OPNsense.hal9000.dedyn.io (2003:ce:7704:e81:921b:eff:fe0c:b068) icmp_seq=4391 Destination unreachable: No route
From OPNsense.hal9000.dedyn.io (2003:ce:7704:e81:921b:eff:fe0c:b068) icmp_seq=4392 Destination unreachable: No route
From OPNsense.hal9000.dedyn.io (2003:ce:7704:e81:921b:eff:fe0c:b068) icmp_seq=4393 Destination unreachable: No route
From OPNsense.hal9000.dedyn.io (2003:ce:7704:e81:921b:eff:fe0c:b068) icmp_seq=4394 Destination unreachable: No route
From OPNsense.hal9000.dedyn.io (2003:ce:7704:e81:921b:eff:fe0c:b068) icmp_seq=4395 Destination unreachable: No route
From OPNsense.hal9000.dedyn.io (2003:ce:7704:e81:921b:eff:fe0c:b068) icmp_seq=4396 Destination unreachable: No route
From OPNsense.hal9000.dedyn.io (2003:ce:7704:e81:921b:eff:fe0c:b068) icmp_seq=4397 Destination unreachable: No route

auf einem RaspberryPi gab's dies zu sehen:

Code: [Select]

64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=2019 ttl=56 time=10.5 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=2020 ttl=56 time=10.5 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=2021 ttl=56 time=10.3 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=2022 ttl=56 time=10.2 ms


64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=2808 ttl=56 time=468 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=2809 ttl=56 time=10.1 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=2810 ttl=56 time=10.0 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=2811 ttl=56 time=11.6 ms
64 bytes from www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): icmp_seq=2812 ttl=56 time=10.1 ms

auf der OPNsense passierte derweil während der Pause dies:

Code: [Select]

16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=6155 hlim=57 time=9.364 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=6156 hlim=57 time=9.358 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=6157 hlim=57 time=9.577 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=6158 hlim=57 time=9.372 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=6159 hlim=57 time=9.219 ms
ping: sendmsg: No route to host
ping6: wrote www.heise.de 16 chars, ret=-1
ping: sendmsg: No route to host
ping6: wrote www.heise.de 16 chars, ret=-1
ping: sendmsg: No route to host
ping6: wrote www.heise.de 16 chars, ret=-1
ping: sendmsg: No route to host
ping6: wrote www.heise.de 16 chars, ret=-1
ping: sendmsg: No route to host
ping6: wrote www.heise.de 16 chars, ret=-1
ping: sendmsg: No route to host
ping6: wrote www.heise.de 16 chars, ret=-1
ping: sendmsg: No route to host
ping6: wrote www.heise.de 16 chars, ret=-1
ping: sendmsg: No route to host
ping6: wrote www.heise.de 16 chars, ret=-1

^C
--- www.heise.de ping6 statistics ---
6765 packets transmitted, 6159 packets received, 9.0% packet loss
round-trip min/avg/max/std-dev = 8.807/9.385/95.847/1.339 ms
root@OPNsense:/usr/local/etc/nut # ping -6 www.heise.de
PING6(56=40+8+8 bytes) 2003:ce:7728:bc00:921b:eff:fe0c:b067 --> 2a02:2e0:3fe:1001:7777:772e:2:85
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=0 hlim=57 time=10.463 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=1 hlim=57 time=10.337 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=2 hlim=57 time=10.122 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=3 hlim=57 time=10.215 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=4 hlim=57 time=10.149 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=5 hlim=57 time=10.383 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=6 hlim=57 time=10.585 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=7 hlim=57 time=10.526 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=8 hlim=57 time=10.643 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=9 hlim=57 time=11.598 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=10 hlim=57 time=10.244 ms

Die Telekom meinte offenbar, mir mal wieder neue IP-Adressen geben zu müssen :-( $:-\$

Jedenfalls steht in der Fritz!Box jetzt ein "connected since" mit einer Uhrzeit mitten in der Pause. Mit neuer IPv4 Adresse und neuem IPv6 Prefix.

Der Pi hat sich wieder gefangen, bei allen anderen Maschinen geht seit der "Pause" nix mehr.

Bei einigen ging allerdings auch schon vorher nichts mehr, die hatten schon vorher keine Verbindung mehr nach außen bekommen.

Nanu???

Offenbar bekommen die Clients nach einem Wechsel des Prefixes keine neuen IPv6 Adressen zugewiesen - und die alten gehen natürlich nicht mehr

Hier (das ist ein OpenSUSE) steht plötzlich IPv6 Adressen aus zwei verschiedenen Prefixes nebeneinander auf einem Interface:

Code: [Select]

cb-desktop:/etc/ups # ifconfig
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.80.10  netmask 255.255.255.0  broadcast 192.168.80.255
        inet6 2003:ce:7704:e81::2000:4c53  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::db0c:ee9c:6f2e:8c8e  prefixlen 64  scopeid 0x20<link>
        inet6 2003:ce:7704:e81:c203:d011:e523:c7f3  prefixlen 64  scopeid 0x0<global>
        inet6 2003:ce:7728:bc81:4c7a:7b95:9855:b531  prefixlen 64  scopeid 0x0<global>
        ether d8:cb:8a:7c:72:9b  txqueuelen 1000  (Ethernet)
        RX packets 238031070  bytes 45131723171 (42.0 GiB)
        RX errors 0  dropped 4906035  overruns 0  frame 0
        TX packets 200763160  bytes 41026533734 (38.2 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Code: [Select]

        inet6 2003:ce:7704:e81:c203:d011:e523:c7f3  prefixlen 64  scopeid 0x0<global>
        inet6 2003:ce:7728:bc81:4c7a:7b95:9855:b531  prefixlen 64  scopeid 0x0<global>

Kann man da irgendwas gegen tun?

Tutorials and FAQs / Re: Tutorial 2023/09: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

« on: November 25, 2023, 11:27:43 am »

I was not asking YOU explicitly to help, I was asking the community. That's what forums are made for, aren't they?

And for not following the guide: this a an unmodified reloaded backup config from an OPNsense machine that broke down 2 months ago.

And thanks for the insult. I am able to follow a guide and I triple checked. Nice way to approach potential customers, really.

And I was not "threating" to switch to nginx - but I have a problem to solve. so that would be a last resort.

Paid support is fine - send me a mesage for a quote, I might take it.

Tutorials and FAQs / Re: Tutorial 2023/09: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

« on: November 22, 2023, 04:44:27 pm »

and another victim of this error here $:-\$
both when trying to connect via

Code: [Select]

http and

Code: [Select]

https

Code: [Select]

2023-11-22T16:33:22	Informational	haproxy	134.xx.xx.xx:41647 [22/Nov/2023:16:33:22.341] 1_HTTP_frontend/127.4.4.3:80: Received something which does not look like a PROXY protocol header	
2023-11-22T16:33:21	Informational	haproxy	134.xx.xx.xx:41645 [22/Nov/2023:16:33:21.262] 1_HTTP_frontend/127.4.4.3:80: Received something which does not look like a PROXY protocol header	
2023-11-22T16:33:18	Informational	haproxy	134.xx.xx.xx:41642 [22/Nov/2023:16:33:18.847] 1_HTTPS_frontend/127.4.4.3:443: Received something which does not look like a PROXY protocol header	
2023-11-22T16:33:18	Informational	haproxy	134.xx.xx.xx:41641 [22/Nov/2023:16:33:18.795] 1_HTTPS_frontend/127.4.4.3:443: Received something which does not look like a PROXY protocol header

Versions:

Code: [Select]

Name	HAProxy
Version	2.6.15-446b02c
Release_date	2023/08/09

Code: [Select]

Versions	OPNsense 23.7.8_1-amd64
FreeBSD 13.2-RELEASE-p5
OpenSSL 1.1.1w 11 Sep 2023

I ran out of ideas what to try

config is:

Code: [Select]

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   8192
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local1 debug
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats


# Resolver: opnsense
resolvers 64fcd546611ba3.78740961
    nameserver 127.0.0.1:53 127.0.0.1:53
    nameserver 192.168.178.1:53 192.168.178.1:53
    nameserver 9.9.9.9:53 9.9.9.9:53
    nameserver 192.168.80.2:53 192.168.80.2:53
    parse-resolv-conf
    resolve_retries 3
    timeout resolve 1s
    timeout retry 1s


# NOTE: Mailer alert bofh ignored: not configured in any backend

# Mailer: alert CB
mailers 64fcc379c27b34.94392037
    timeout mail 30s
    mailer blah.blubb.25


# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80,  0.0.0.0:443, )
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443 
    bind 0.0.0.0:80 name 0.0.0.0:80 
    mode tcp
    default_backend SSL-backend

    # logging options

# Frontend: 1_HTTP_frontend (listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy 
    mode http
    option http-keep-alive
    option forwardfor
    http-request use-service prometheus-exporter if { path /metrics }

    # logging options
    # ACL: NoSSL_condition
    acl acl_6314a0aad6d518.84034638 ssl_fc
    # ACL: find_acme_challenge
    acl acl_6339cb3bd963e1.30823960 path_beg -i /.well-known/acme-challenge/

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_6314a0aad6d518.84034638
    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if acl_6339cb3bd963e1.30823960

# Frontend: 1_HTTPS_frontend (listening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6314a6a33cce38.68245567.certlist 
    mode http
    option http-keep-alive
    option forwardfor
    http-request use-service prometheus-exporter if { path /metrics }
    timeout client 15m

    # logging options

    # ACTION: PUBLIC_SUBDOMAINS_map_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6314a164535f16.33310179.txt)] 

# Backend (DISABLED): SSL-backend-old ()

# Backend: HomeAssistant_Backend (Homeassistant)
backend HomeAssistant_Backend
    # health checking is DISABLED
    email-alert mailers 64fcc379c27b34.94392037
    email-alert from a@b.c
    email-alert to a@b.c
    email-alert level alert
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    http-reuse safe
    server HomeAssistant 192.168.80.21:8123 resolve-prefer ipv4

# Backend: PhotoPrism (PhotoPrism App on TrueNAS)
backend PhotoPrism
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    http-reuse safe
    server PhotoPrism 192.168.80.30:2342 

# Backend: Syncthing (Syncthing on TRueNAS)
backend Syncthing
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    http-reuse safe
    server Syncthing 192.168.80.17:20910 

# Backend: Paperless (paperless-ngx DMS)
backend Paperless
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    http-reuse safe
    server PaperLess 192.168.80.30:8000 

# Backend: FileBrowser (filebrowser on TrueNAS)
backend FileBrowser
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    http-reuse safe
    server FileBrowser 192.168.80.17:10187 

# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580 

# Backend: SSL-backend (SSL backend pool)
backend SSL-backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    server SSL_server 127.4.4.3 send-proxy-v2 check-send-proxy

# Backend: Libre_photos_backend (LibrePhotos in VM)
backend Libre_photos_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    http-reuse safe
    server LibrePhotos 192.168.80.30:3000 

# Backend: Nextcloud_Backend (Nextcloud Backend)
backend Nextcloud_Backend
    # health checking is DISABLED
    email-alert mailers 64fcc379c27b34.94392037
    email-alert from a@b.c
    email-alert to a@b.c
    email-alert level alert
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    http-reuse safe
    server Nextcloud 192.168.80.30:80 resolve-prefer ipv4

# Backend: Jellyfin_backend (Jellyfin in VM)
backend Jellyfin_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    http-reuse safe
    server Jellyfin 192.168.80.30:8096 

# Backend: PaperMerge (papermerge DMS)
backend PaperMerge
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    http-reuse safe
    server PaperMerge 192.168.80.17:10141 



listen local_statistics
    bind            127.0.0.1:8822
    mode            http
    stats uri       /haproxy?stats
    stats realm     HAProxy\ statistics
    stats admin     if TRUE

# remote statistics are DISABLED

frontend prometheus_exporter
   bind *:8404
   mode http
   http-request use-service prometheus-exporter if { path /metrics }

should I switch to nginx as reverse proxy

really?

German - Deutsch / Re: Let's Encrypt mit selfhost.de und DNS-01 challenge

« on: November 20, 2023, 02:03:49 am »

What do I have to put in the input fiel in the OPNsense GUI?

Whatever I try, I get this error:
"SELFHOSTDNS_MAP must contain the fulldomain incl. prefix and at least one RID"

I did create 2 TXT records in selfhost.de and I do have the RIDs

but

Code: [Select]

_acme_challenge.mydomain.selfhost.eu:123456:54327or

Code: [Select]

_acme_challenge.mydomain.selfhost.eu:123456:54327
alias.mydomain.selfhost.eu:111445

does not work.

Is it in the wrong format?

Tutorials and FAQs / Re: HOWTO: Setup OpenWRT Virtual Machine on OPNsense and use it to manage a WiFi AP

« on: September 03, 2023, 04:39:08 pm »

Tutorials and FAQs / Re: HOWTO: Setup OpenWRT Virtual Machine on OPNsense and use it to manage a WiFi AP

« on: September 03, 2023, 02:24:01 pm »

Does this Service an OPNsense (major) release update?

German - Deutsch / Re: IPv6 - sehr seltsames Firewall Problem - nur manche Rechner können raus

« on: August 11, 2023, 10:48:16 am »

Quote from: vpx on August 07, 2023, 11:59:31 am

Konfiguriere die WAN-Seite auf der OPNsense mal mit statischer IP anstatt DHCP und deaktiviere den DHCP-Server auf der Fritz!Box.

probiere ich am Wochende :-)

aber: fliegt mir das nicht um die Ohren, sobald die Fritzbox einen neuen Präfix von der Telekom bekommt? Dann sind doch plötzlich alle Adressen falsch im LAN?

German - Deutsch / Re: IPv6 - sehr seltsames Firewall Problem - nur manche Rechner können raus

« on: August 06, 2023, 07:08:25 pm »

Quote from: Patrick M. Hausen on August 06, 2023, 06:44:18 pm

Von Zenarmor stand in deinem Eingangspost nichts - oder hab ich was übersehen? Mach das doch mal aus. Und Suricata auch, solltest du das auch aktiviert haben.

nochmal neu gebootet (alle drei IDS aus) (bis gestern ging's ja auch mit den drei Dingern)

jetzt geht's auf dem HP Notebook wieder - aber auf dem anderen Rechner hat sich nichts geändert, da geht es weiterhin nicht.

Auf dem Notebook:

hp8760w:~ # systemctl status NetworkManager ● NetworkManager.service - Network Manager Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; enabled; vendor preset: disabled) Drop-In: /usr/lib/systemd/system/NetworkManager.service.d └─NetworkManager-ovs.conf Active: active (running) since Sun 2023-08-06 15:09:24 CEST; 3h 56min ago Docs: man:NetworkManager( Main PID: 15884 (NetworkManager) Tasks: 7 (limit: 4915) CGroup: /system.slice/NetworkManager.service ├─ 15884 /usr/sbin/NetworkManager --no-daemon ├─ 15912 /sbin/dhclient -d -q -sf /usr/lib/nm-dhcp-helper -pf /var/run/NetworkManager/dhclient-eth0.pid -lf /var/lib/NetworkManager/dhclient-7ba00b1d-8cdd-30da-91ad-bb83ed4f7474-eth0.lease -cf /var/lib/Netwo> ├─ 15916 /sbin/dhclient -d -q -sf /usr/lib/nm-dhcp-helper -pf /var/run/NetworkManager/dhclient-eth1.pid -lf /var/lib/NetworkManager/dhclient-a2c38991-a7a1-3ca8-9e6c-e22bf075de5c-eth1.lease -cf /var/lib/Netwo> ├─ 16263 /sbin/dhclient -d -q -6 -N -sf /usr/lib/nm-dhcp-helper -pf /var/run/NetworkManager/dhclient6-eth0.pid -lf /var/lib/NetworkManager/dhclient6-7ba00b1d-8cdd-30da-91ad-bb83ed4f7474-eth0.lease -cf /var/l> └─ 16265 /sbin/dhclient -d -q -6 -N -sf /usr/lib/nm-dhcp-helper -pf /var/run/NetworkManager/dhclient6-eth1.pid -lf /var/lib/NetworkManager/dhclient6-a2c38991-a7a1-3ca8-9e6c-e22bf075de5c-eth1.lease -cf /var/l> Aug 06 18:58:52 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info> [1691341132.8873] manager: NetworkManager state is now CONNECTED_SITE Aug 06 19:00:11 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info> [1691341211.4441] policy: set 'eth0' (eth0) as default for IPv6 routing and DNS Aug 06 19:00:11 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info> [1691341211.7924] policy: set 'Kabelgebundene Verbindung 2 eth1' (eth1) as default for IPv6 routing and DNS Aug 06 19:00:59 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info> [1691341259.2200] dhcp6 (eth1): valid_lft 7142 Aug 06 19:00:59 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info> [1691341259.2201] dhcp6 (eth1): preferred_lft 4442 Aug 06 19:00:59 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info> [1691341259.2201] dhcp6 (eth1): address 2003:ce:7727:38f5:dd11:3e1c:1edb:920b Aug 06 19:00:59 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info> [1691341259.2201] dhcp6 (eth1): nameserver '2003:ce:7727:38f5:2a8:2cff:fe68:e3e9' Aug 06 19:00:59 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info> [1691341259.2201] dhcp (eth1): domain search 'hal9000.dedyn.io.' Aug 06 19:00:59 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info> [1691341259.2201] dhcp6 (eth1): state changed new lease, address=2003:ce:7727:38f5:dd11:3e1c:1edb:920b Aug 06 19:01:00 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info> [1691341260.2251] manager: NetworkManager state is now CONNECTED_GLOBAL lines 1-25/25 (END)

In dem Zustand geht's jetzt auf dem Notebook.

Auf dem anderen Rechner hat sich nichts geändert.

root@incrediblepbx:~# systemctl status dhcpcd Warning: The unit file, source configuration file or drop-ins of dhcpcd.service changed on disk. Run 'systemctl daemon-reload' to reload units. ● dhcpcd.service - dhcpcd on all interfaces Loaded: loaded (/lib/systemd/system/dhcpcd.service; enabled; vendor preset: enabled) Drop-In: /etc/systemd/system/dhcpcd.service.d └─wait.conf Active: active (running) since Sat 2023-08-05 23:51:42 CEST; 19h ago Process: 303 ExecStart=/usr/lib/dhcpcd5/dhcpcd -q -w (code=exited, status=0/SUCCESS) Main PID: 593 (dhcpcd) Tasks: 1 (limit: 4915) CGroup: /system.slice/dhcpcd.service └─593 /sbin/dhcpcd -q -w Aug 06 18:49:57 incrediblepbx dhcpcd[593]: eth0: adding default route via fe80::2a8:2cff:fe68:e3e9 Aug 06 18:49:58 incrediblepbx dhcpcd[593]: eth0: pid 593 deleted default route via fe80::2a8:2cff:fe68:e3e9 Aug 06 18:50:13 incrediblepbx dhcpcd[593]: eth0: adding default route via fe80::2a8:2cff:fe68:e3e9 Aug 06 18:58:19 incrediblepbx dhcpcd[593]: eth0: Router Advertisement from fe80::2a8:2cff:fe68:e3e9 Aug 06 18:58:19 incrediblepbx dhcpcd[593]: eth0: fe80::2a8:2cff:fe68:e3e9: no longer a default router Aug 06 18:58:19 incrediblepbx dhcpcd[593]: eth0: deleting default route via fe80::2a8:2cff:fe68:e3e9 Aug 06 19:00:11 incrediblepbx dhcpcd[593]: eth0: Router Advertisement from fe80::2a8:2cff:fe68:e3e9 Aug 06 19:00:11 incrediblepbx dhcpcd[593]: eth0: adding default route via fe80::2a8:2cff:fe68:e3e9 Aug 06 19:00:11 incrediblepbx dhcpcd[593]: eth0: pid 593 deleted default route via fe80::2a8:2cff:fe68:e3e9 Aug 06 19:00:27 incrediblepbx dhcpcd[593]: eth0: adding default route via fe80::2a8:2cff:fe68:e3e9 root@incrediblepbx:~#

German - Deutsch / Re: IPv6 - sehr seltsames Firewall Problem - nur manche Rechner können raus

« on: August 06, 2023, 06:52:26 pm »

Quote from: Patrick M. Hausen on August 06, 2023, 06:44:18 pm

Von Zenarmor stand in deinem Eingangspost nichts - oder hab ich was übersehen? Mach das doch mal aus. Und Suricata auch, solltest du das auch aktiviert haben.

ist beides aus, hat nichts geändert, crowdsec war schon aus.

Ich musste eben einmal rebooten, weil ich kurz den Strom ausschalten musste im Keller. Der Ping auf dem HP Notebook lief weiter.

Beim Hochfahren der Firewall gab's eine Phase von ca 1500 pings, die durchgingen, danach war Schluß.

Das sieht so aus, als ob da irgendein Service bei Hochfahren in das ipv6 rein grätscht.

German - Deutsch / Re: IPv6 - sehr seltsames Firewall Problem - nur manche Rechner können raus

« on: August 06, 2023, 06:31:32 pm »

Quote from: vpx23 on August 06, 2023, 02:01:44 pm

Wie ist die Ausgabe von folgendem Befehl auf dem funktionierenden und nicht funktionierenden PC?

Code: [Select]
systemctl status dhcpcd

jetzt geht's auf dem einen Notebook wieder - und zwar nachdem ich auf der OPNsense Zenarmor von "blocken" auf "nur beobachten" gestellt habe (auf dem WAN Interface war es aber eh' nicht aktiv?)

Hmm, zu früh gefreut - ohne dass ich was angefasst habe, kommt jetzt wieder "address unreachable"

etwa 200 Pings sind durchgegangen, dann war wieder Schluß.

Und mein VPN Client meldet mir immer mal wieder "reconnecting" - sowohl das plötzliche "geht wieder" als auch das eben so plötzliche "geht nicht mehr" fiel mit so einem reconnect zusammen.

Werden da etwa auf der OPNsense die Interfaces regelmäßig neu gestartet bzw. fallen runter und werden restartet?
wie kann ich das feststellen?

German - Deutsch / Re: IPv6 - sehr seltsames Firewall Problem - nur manche Rechner können raus

« on: August 06, 2023, 03:11:13 pm »

Quote from: vpx23 on August 06, 2023, 02:01:44 pm

Wie ist die Ausgabe von folgendem Befehl auf dem funktionierenden und nicht funktionierenden PC?

Code: [Select]
systemctl status dhcpcd

auf dem nicht funktionierenden PC:

root@pbx:~# systemctl status dhcpcd Warning: The unit file, source configuration file or drop-ins of dhcpcd.service changed on disk. Run 'systemctl daemon-reload' to reload units. ● dhcpcd.service - dhcpcd on all interfaces Loaded: loaded (/lib/systemd/system/dhcpcd.service; enabled; vendor preset: enabled) Drop-In: /etc/systemd/system/dhcpcd.service.d └─wait.conf Active: active (running) since Sat 2023-08-05 23:51:42 CEST; 14h ago Process: 303 ExecStart=/usr/lib/dhcpcd5/dhcpcd -q -w (code=exited, status=0/SUCCESS) Main PID: 593 (dhcpcd) Tasks: 1 (limit: 4915) CGroup: /system.slice/dhcpcd.service └─593 /sbin/dhcpcd -q -w Aug 06 01:19:04 pbx dhcpcd[593]: eth0: fe80::2a8:2cff:fe68:e3e9: no longer a default router Aug 06 01:19:04 pbx dhcpcd[593]: eth0: deleting default route via fe80::2a8:2cff:fe68:e3e9 Aug 06 01:20:51 pbx dhcpcd[593]: eth0: Router Advertisement from fe80::2a8:2cff:fe68:e3e9 Aug 06 01:20:51 pbx dhcpcd[593]: eth0: Router Advertisement from fe80::2a8:2cff:fe68:e3e9 Aug 06 01:20:51 pbx dhcpcd[593]: eth0: adding default route via fe80::2a8:2cff:fe68:e3e9 Aug 06 01:20:52 pbx dhcpcd[593]: eth0: pid 593 deleted default route via fe80::2a8:2cff:fe68:e3e9 Aug 06 01:21:07 pbx dhcpcd[593]: eth0: adding default route via fe80::2a8:2cff:fe68:e3e9 Aug 06 10:35:41 pbx dhcpcd[593]: eth0: fe80::2a8:2cff:fe68:e3e9 is reachable again Aug 06 10:36:08 pbx dhcpcd[593]: eth0: fe80::2a8:2cff:fe68:e3e9 is reachable again Aug 06 10:36:08 pbx dhcpcd[593]: eth0: fe80::2a8:2cff:fe68:e3e9 is reachable again root@incrediblepbx:~#

auf dem PC, auf dem's geht, geht's heute nach dem Neustart des PCs plötzlich auch nicht mehr :-(

Ja, gestern hatte ich ihn auch neu gestartet, und da ging's ...

Das hatte ich allerdings auch schon früher mal - nach x Stunden ging's dann plötzlich wieder - häh?

Auf dem PC läuft aber auch kein dhcpcd
Wird mit NetworkManager gemacht auf dem Rechner und da steht "IPv6 Automatic".
Der NetworkManager ruft dann wohl dhclient und dhclient6 auf

hp8760w:~ # systemctl status NetworkManager ● NetworkManager.service - Network Manager Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; enabled; vendor preset: disabled) Drop-In: /usr/lib/systemd/system/NetworkManager.service.d └─NetworkManager-ovs.conf Active: active (running) since Sun 2023-08-06 15:09:24 CEST; 4s ago Docs: man:NetworkManager( Main PID: 15884 (NetworkManager) Tasks: 8 (limit: 4915) CGroup: /system.slice/NetworkManager.service ├─ 15884 /usr/sbin/NetworkManager --no-daemon ├─ 15912 /sbin/dhclient -d -q -sf /usr/lib/nm-dhcp-helper -pf /var/run/NetworkManager/dhclient-eth0.pid -lf /var/lib/NetworkManager/dhclient-7ba00b1d-8cdd-30da-91ad-bb83ed4f7474-eth0.lease -cf /var/lib/Netwo> ├─ 15916 /sbin/dhclient -d -q -sf /usr/lib/nm-dhcp-helper -pf /var/run/NetworkManager/dhclient-eth1.pid -lf /var/lib/NetworkManager/dhclient-a2c38991-a7a1-3ca8-9e6c-e22bf075de5c-eth1.lease -cf /var/lib/Netwo> ├─ 16263 /sbin/dhclient -d -q -6 -N -sf /usr/lib/nm-dhcp-helper -pf /var/run/NetworkManager/dhclient6-eth0.pid -lf /var/lib/NetworkManager/dhclient6-7ba00b1d-8cdd-30da-91ad-bb83ed4f7474-eth0.lease -cf /var/l> └─ 16265 /sbin/dhclient -d -q -6 -N -sf /usr/lib/nm-dhcp-helper -pf /var/run/NetworkManager/dhclient6-eth1.pid -lf /var/lib/NetworkManager/dhclient6-a2c38991-a7a1-3ca8-9e6c-e22bf075de5c-eth1.lease -cf /var/l> Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info> [1691327368.2793] dhcp6 (eth0): address 2003:ce:7727:38f5:380d:fa06:4bff:3d7c Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info> [1691327368.2793] dhcp6 (eth0): nameserver '2003:ce:7727:38f5:2a8:2cff:fe68:e3e9' Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info> [1691327368.2793] dhcp (eth0): domain search 'hal9000.dedyn.io.' Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info> [1691327368.2793] dhcp6 (eth0): state changed new lease, address=2003:ce:7727:38f5:380d:fa06:4bff:3d7c Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info> [1691327368.2800] dhcp6 (eth1): valid_lft 7200 Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info> [1691327368.2800] dhcp6 (eth1): preferred_lft 4500 Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info> [1691327368.2800] dhcp6 (eth1): address 2003:ce:7727:38f5:dd11:3e1c:1edb:920b Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info> [1691327368.2800] dhcp6 (eth1): nameserver '2003:ce:7727:38f5:2a8:2cff:fe68:e3e9' Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info> [1691327368.2800] dhcp (eth1): domain search 'hal9000.dedyn.io.' Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info> [1691327368.2801] dhcp6 (eth1): state changed new lease, address=2003:ce:7727:38f5:dd11:3e1c:1edb:920b lines 1-25/25 (END)

German - Deutsch / Re: IPv6 - sehr seltsames Firewall Problem - nur manche Rechner können raus

« on: August 06, 2023, 02:31:06 pm »

Quote from: Maurice on August 05, 2023, 11:12:29 pm

Beim fehlgeschlagenen Traceroute kommt ja schon vom ersten Hop nichts, also von OPNsense selbst. Lässt sich OPNsense vom problematischen Rechner aus pingen? Lässt sich die problematische Adresse von OPNsense aus pingen? Findet sich die problematische Adresse in der NDP Table von OPNsense?

OpenVPN halte ich für eine falsche Fährte.

Grüße
Maurice

Doch, da kommt was. Das Ping geht vom Rechner in die OPNsense LAN, ist auf dem WAN interface rausgehend zu sehen, dann das zurückkomemnde Paket von außen ist auch auf der dem WAN Interface der OPNsense zu sehen, geht dann aber nicht weiter.

Rechner: 2001:db8:7727:38f5:d3c6:2fef:f75f:adc
Ziel im Internet: 2a02:26f0:b200:3a1::b33

Rechner ausgehend:
root@incrediblepbx:~# tcpdump -i eth0 -n | grep 2a02:26f0:e200:5b3::b33 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 20:49:32.760274 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 141, length 64

OPNsense eingehend LAN Interface: da kommt das ICMP Paket an, aber es kommt kein Paket zurück

root@OPNsense:~ # tcpdump -i igb3 -n | grep 2a02:26f0:e200:5b3::b33 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on igb3, link-type EN10MB (Ethernet), capture size 262144 bytes 20:52:11.879675 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 294, length 64

OPNsense WAN: da geht ein ICMP raus ins Internet und es kommt auch eins zurück aus dem Internet

root@OPNsense:~ # tcpdump -i igb1 -n | grep 2a02:26f0:e200:5b3::b33 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on igb1, link-type EN10MB (Ethernet), capture size 262144 bytes

ausgehend:

20:53:21.559708 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 361, length 64

und das Antwortpaket kommt auch zurück von außen

20:53:21.567598 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 361, length 64

und dann (auch aus dem WAN Interface der OPNsense) kommt die Meldung, dass der interne Rechner nicht erreichbar ist. Das rückkehrende Paket wird also in der OPNsense nicht vom WAN ams LAN interface weitergegeben

20:53:22.487554 IP6 2001:db8:7727:3800:2a8:2cff:fe68:e3e7 > 2a02:26f0:e200:5b3::b33: ICMP6, destination unreachable, unreachable address 2001:db8:7727:38f5:d3c6:2fef:f75f:adc, length 112

--------------------------

Erreichbarkeit Rechner <-> OPNsense im LAN

Rechner:
root@pbx:~# ifconfig eth0 eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500 inet 192.168.80.12 netmask 255.255.255.0 broadcast 192.168.80.255 inet6 2003:ce:7727:38f5:fbda:b793:551c:ffe6 prefixlen 64 scopeid 0x0<global> inet6 2003:ce:7727:38f5:fe75:58fe:b591:b7c1 prefixlen 64 scopeid 0x0<global> inet6 fe80::253f:d661:3f12:9723 prefixlen 64 scopeid 0x20<link> inet6 2003:ce:7727:38f5:7d8d:9f4:5a7:3f69 prefixlen 64 scopeid 0x0<global> inet6 2003:ce:7727:38f5:37be:d90:66f3:befc prefixlen 64 scopeid 0x0<global> ether dc:a6:32:2d:5d:17 txqueuelen 1000 (Ethernet) RX packets 2779584 bytes 1500531414 (1.3 GiB) RX errors 0 dropped 1 overruns 0 frame 0 TX packets 1932477 bytes 621500411 (592.7 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 root@pbx:~#

root@pbx:~# ip -6 r
::1 dev lo proto kernel metric 256 pref medium
2003:ce:7727:38f5::/64 dev eth0 proto ra metric 202 mtu 1500 pref medium
2003:ce:7727:38f5::/64 dev eth0 proto kernel metric 256 expires 86157sec pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::2a8:2cff:fe68:e3e9 dev eth0 proto ra metric 202 mtu 1500 pref medium
default via fe80::2a8:2cff:fe68:e3e9 dev eth0 proto ra metric 1024 expires 1557sec hoplimit 64 pref medium
root@pbx:~#

OPNsense

WAN
root@OPNsense:~ # ifconfig igb1 igb1: flags=8b63<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500 description: WAN (wan) options=4800028<VLAN_MTU,JUMBO_MTU,NOMAP> ether 00:a8:2c:68:e3:e7 inet 192.168.178.3 netmask 0xffffff00 broadcast 192.168.178.255 inet6 fe80::2a8:2cff:fe68:e3e7%igb1 prefixlen 64 scopeid 0x2 inet6 2003:ce:7727:3800:2a8:2cff:fe68:e3e7 prefixlen 64 autoconf media: Ethernet autoselect (1000baseT <full-duplex>) status: active nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

LAN
root@OPNsense:~ # ifconfig igb3 igb3: flags=8b63<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500 description: LAN (lan) options=4900028<VLAN_MTU,JUMBO_MTU,NETMAP,NOMAP> ether 00:a8:2c:68:e3:e9 inet6 fe80::2a8:2cff:fe68:e3e9%igb3 prefixlen 64 scopeid 0x4 inet6 2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 prefixlen 64 inet 192.168.80.2 netmask 0xffffff00 broadcast 192.168.80.255 media: Ethernet autoselect (1000baseT <full-duplex>) status: active nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> root@OPNsense:~ #

Rechner zu OPNsense

zum LAN Interface der OPNsense:

root@pbx:~# ping -6 -n -c3 fe80::2a8:2cff:fe68:e3e9%eth0 PING fe80::2a8:2cff:fe68:e3e9%eth0(fe80::2a8:2cff:fe68:e3e9%eth0) 56 data bytes 64 bytes from fe80::2a8:2cff:fe68:e3e9%eth0: icmp_seq=1 ttl=64 time=0.190 ms 64 bytes from fe80::2a8:2cff:fe68:e3e9%eth0: icmp_seq=2 ttl=64 time=0.246 ms 64 bytes from fe80::2a8:2cff:fe68:e3e9%eth0: icmp_seq=3 ttl=64 time=0.209 ms --- fe80::2a8:2cff:fe68:e3e9%eth0 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 45ms rtt min/avg/max/mdev = 0.190/0.215/0.246/0.023 ms root@pbx:~#

root@pbx:~# ping -6 -n -c3 2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 PING 2003:ce:7727:38f5:2a8:2cff:fe68:e3e9(2003:ce:7727:38f5:2a8:2cff:fe68:e3e9) 56 data bytes --- 2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 ping statistics --- 3 packets transmitted, 0 received, 100% packet loss, time 105ms root@pbx:~# ^C root@pbx:~#

zum WAN Interface der OPNsense:

root@pbx:~# ping -6 -n -c3 2003:ce:7727:3800:2a8:2cff:fe68:e3e7 PING 2003:ce:7727:3800:2a8:2cff:fe68:e3e7(2003:ce:7727:3800:2a8:2cff:fe68:e3e7) 56 data bytes ^C --- 2003:ce:7727:3800:2a8:2cff:fe68:e3e7 ping statistics --- 3 packets transmitted, 0 received, 100% packet loss, time 64ms root@pbx:~#

root@pbx:~# ping -6 -n -c3 fe80::2a8:2cff:fe68:e3e7%eth0 PING fe80::2a8:2cff:fe68:e3e7%eth0(fe80::2a8:2cff:fe68:e3e7%eth0) 56 data bytes ^C --- fe80::2a8:2cff:fe68:e3e7%eth0 ping statistics --- 3 packets transmitted, 0 received, 100% packet loss, time 106ms root@pbx:~#

von der OPNsense zum Rechner:

root@OPNsense:~ # ping -c3 -n fe80::253f:d661:3f12:9723 PING6(56=40+8+8 bytes) fe80::2a8:2cff:fe68:e3e7%igb1 --> fe80::253f:d661:3f12:9723 --- fe80::253f:d661:3f12:9723 ping6 statistics --- 3 packets transmitted, 0 packets received, 100.0% packet loss root@OPNsense:~ #

Ups - die OPNsense versucht es auf dem falschen Interface - das ist das WAN Interface igb1, das kann nicht gehen

Wenn ich das LAN Interface explizit angebe, dann geht es auch:

root@OPNsense:~ # ping -c3 -n fe80::253f:d661:3f12:9723%igb3 PING6(56=40+8+8 bytes) fe80::2a8:2cff:fe68:e3e9%igb3 --> fe80::253f:d661:3f12:9723%igb3 16 bytes from fe80::253f:d661:3f12:9723%igb3, icmp_seq=0 hlim=64 time=0.245 ms 16 bytes from fe80::253f:d661:3f12:9723%igb3, icmp_seq=1 hlim=64 time=0.307 ms 16 bytes from fe80::253f:d661:3f12:9723%igb3, icmp_seq=2 hlim=64 time=0.231 ms --- fe80::253f:d661:3f12:9723%igb3 ping6 statistics --- 3 packets transmitted, 3 packets received, 0.0% packet loss round-trip min/avg/max/std-dev = 0.231/0.261/0.307/0.033 ms root@OPNsense:~ #

root@OPNsense:~ # ping -c3 -n 2003:ce:7727:38f5:fbda:b793:551c:ffe6 PING6(56=40+8+8 bytes) 2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 --> 2003:ce:7727:38f5:fbda:b793:551c:ffe6 ^C --- 2003:ce:7727:38f5:fbda:b793:551c:ffe6 ping6 statistics --- 3 packets transmitted, 0 packets received, 100.0% packet loss root@OPNsense:~ # ping -c3 -n -I igb3 2003:ce:7727:38f5:fbda:b793:551c:ffe6 PING6(56=40+8+8 bytes) 2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 --> 2003:ce:7727:38f5:fbda:b793:551c:ffe6 ^C --- 2003:ce:7727:38f5:fbda:b793:551c:ffe6 ping6 statistics --- 3 packets transmitted, 0 packets received, 100.0% packet loss root@OPNsense:~ # root@OPNsense:~ # ping -c3 -n 2003:ce:7727:38f5:fe75:58fe:b591:b7c1 PING6(56=40+8+8 bytes) 2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 --> 2003:ce:7727:38f5:fe75:58fe:b591:b7c1 ^C --- 2003:ce:7727:38f5:fe75:58fe:b591:b7c1 ping6 statistics --- 3 packets transmitted, 0 packets received, 100.0% packet loss root@OPNsense:~ # root@OPNsense:~ # ping -c3 -n 2003:ce:7727:38f5:7d8d:9f4:5a7:3f69 PING6(56=40+8+8 bytes) 2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 --> 2003:ce:7727:38f5:7d8d:9f4:5a7:3f69 ^C --- 2003:ce:7727:38f5:7d8d:9f4:5a7:3f69 ping6 statistics --- 3 packets transmitted, 0 packets received, 100.0% packet loss root@OPNsense:~ # PING6(56=40+8+8 bytes) 2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 --> 2003:ce:7727:38f5:37be:d90:66f3:befc ^C --- 2003:ce:7727:38f5:37be:d90:66f3:befc ping6 statistics --- 3 packets transmitted, 0 packets received, 100.0% packet loss root@OPNsense:~ #

NDP table

root@OPNsense:~ # ndp -a -n Neighbor Linklayer Address Netif Expire 1s 5s fe80::1814:d233:8c33:45fa%igb3 00:50:b6:d3:1a:5e igb3 23h55m48s S fe80::64f3:bb8:ee5d:b042%igb3 04:7d:7b:65:2f:95 igb3 23h59m55s S fe80::fb0c:6d33:3eea:a995%igb3 00:50:b6:c8:17:97 igb3 23h32m18s S fe80::221:62ff:fead:3c00%igb3 00:21:62:ad:3c:00 igb3 17s R 2003:ce:7727:38f5:380d:fa06:4bff:3d7c (incomplete) igb3 expired I 3 2003:ce:7727:38f5:fcb8:d097:3607:e2cb 00:50:b6:c8:17:97 igb3 23h13m40s S fe80::253f:d661:3f12:9723%igb3 dc:a6:32:2d:5d:17 igb3 23h53m22s S R 2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 00:a8:2c:68:e3:e9 igb3 permanent R fe80::aee2:d3ff:febf:86bb%igb3 ac:e2:d3:bf:86:bb igb3 23h48m37s S fe80::e611:5bff:fe27:e98c%igb3 e4:11:5b:27:e9:8c igb3 12s R fe80::2a8:2cff:fe68:e3e9%igb3 00:a8:2c:68:e3:e9 igb3 permanent R 2003:ce:7727:38f5:814a:af78:2f5f:a4c9 8c:04:ba:01:65:25 igb3 23h35m4s S 2003:ce:7727:38f5:8c1:6b01:a4b1:b2fa 04:7d:7b:65:2f:95 igb3 17s R fe80::a7bf:90c6:15e3:bed6%igb3 8c:04:ba:01:65:25 igb3 23h45m20s S fe80::184a:67ce:f114:e584%igb2 6e:f4:5b:37:a8:47 igb2 22s R 2003:ce:7727:38f0:3545:1f82:f2c9:e678 6e:f4:5b:37:a8:47 igb2 15h40m3s S fe80::c72a:bdd7:591b:9059%igb2 24:18:1d:49:8c:50 igb2 23h59m4s S fe80::227:15ff:fe51:81c0%igb2 00:27:15:51:81:c0 igb2 29s R 2003:ce:7727:38f0:b443:718f:a400:9278 6e:f4:5b:37:a8:47 igb2 7s R fe80::998a:ed50:fab3:db81%igb2 64:5d:f4:14:e4:bb igb2 23h59m57s S 2003:ce:7727:38f0:52d4:f7ff:fe14:db82 50:d4:f7:14:db:82 igb2 16h19m38s S R fe80::52d4:f7ff:fe14:db82%igb2 50:d4:f7:14:db:82 igb2 23h29m40s S R 2003:ce:7727:38f0:cc80:a0b2:dab9:5d4b 6e:f4:5b:37:a8:47 igb2 20h7m53s S fe80::a62b:b0ff:fec3:58e%igb2 a4:2b:b0:c3:05:8e igb2 23h46m17s S R 2003:ce:7727:38f0:f9d0:c36c:bb9a:1543 6e:f4:5b:37:a8:47 igb2 15h55m23s S 2003:ce:7727:38f0:1ad6:c7ff:fee8:b879 18:d6:c7:e8:b8:79 igb2 16h51m26s S R fe80::1ad6:c7ff:fee8:b879%igb2 18:d6:c7:e8:b8:79 igb2 18h52m8s S R 2003:ce:7727:38f0:d461:b2b3:c7b3:bdb2 6e:f4:5b:37:a8:47 igb2 15h29m3s S 2003:ce:7727:38f0:286f:5db3:ff7a:8990 00:27:15:51:81:c0 igb2 21h11m55s S fe80::80a7:7dff:fe40:dad9%igb2 82:a7:7d:40:da:d9 igb2 23h59m31s S R 2003:ce:7727:38f0:19d3:d0f4:f349:1433 24:18:1d:49:8c:50 igb2 16h55m3s S 2003:ce:7727:38f0:2a8:2cff:fe68:e3e8 00:a8:2c:68:e3:e8 igb2 permanent R fe80::2a8:2cff:fe68:e3e8%igb2 00:a8:2c:68:e3:e8 igb2 permanent R 2003:ce:7727:38f0:61b2:2477:a04a:9a0e a4:2b:b0:c3:05:8e igb2 17h40m23s S R 2003:ce:7727:3800:9a9b:cbff:fe08:3ca0 98:9b:cb:08:3c:a0 igb1 10h55m48s S R fe80::9a9b:cbff:fe08:3ca0%igb1 98:9b:cb:08:3c:a0 igb1 17s R R 2003:ce:7727:3800:2a8:2cff:fe68:e3e7 00:a8:2c:68:e3:e7 igb1 permanent R fe80::2a8:2cff:fe68:e3e7%igb1 00:a8:2c:68:e3:e7 igb1 permanent R root@OPNsense:~ #

und nur für das LAN Interface:

root@OPNsense:~ # ndp -a -n | grep igb3 fe80::1814:d233:8c33:45fa%igb3 00:50:b6:d3:1a:5e igb3 23h56m59s S fe80::64f3:bb8:ee5d:b042%igb3 04:7d:7b:65:2f:95 igb3 22s R fe80::fb0c:6d33:3eea:a995%igb3 00:50:b6:c8:17:97 igb3 23h28m29s S fe80::221:62ff:fead:3c00%igb3 00:21:62:ad:3c:00 igb3 17s R 2003:ce:7727:38f5:380d:fa06:4bff:3d7c (incomplete) igb3 1s I 2 2003:ce:7727:38f5:fcb8:d097:3607:e2cb 00:50:b6:c8:17:97 igb3 23h9m52s S fe80::253f:d661:3f12:9723%igb3 dc:a6:32:2d:5d:17 igb3 23h49m33s S R 2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 00:a8:2c:68:e3:e9 igb3 permanent R fe80::aee2:d3ff:febf:86bb%igb3 ac:e2:d3:bf:86:bb igb3 23h59m27s S fe80::e611:5bff:fe27:e98c%igb3 e4:11:5b:27:e9:8c igb3 12s R fe80::2a8:2cff:fe68:e3e9%igb3 00:a8:2c:68:e3:e9 igb3 permanent R 2003:ce:7727:38f5:814a:af78:2f5f:a4c9 8c:04:ba:01:65:25 igb3 23h31m15s S 2003:ce:7727:38f5:8c1:6b01:a4b1:b2fa 04:7d:7b:65:2f:95 igb3 12s R fe80::a7bf:90c6:15e3:bed6%igb3 8c:04:ba:01:65:25 igb3 23h41m32s S root@OPNsense:~ #

Einstellungen:

root@OPNsense:~ # ndp -n -i igb3 linkmtu=0, maxmtu=1500, curhlim=64, basereachable=30s0ms, reachable=27s, retrans=1s0ms Flags: nud auto_linklocal root@OPNsense:~ # ndp -n -i igb1 linkmtu=1492, maxmtu=1500, curhlim=255, basereachable=30s0ms, reachable=39s, retrans=1s0ms Flags: nud accept_rtadv auto_linklocal root@OPNsense:~ #

German - Deutsch / Re: IPv6 - sehr seltsames Firewall Problem - nur manche Rechner können raus

« on: August 05, 2023, 10:03:31 pm »

Teil 4

So, und jetzt zum Vergleich die tcpdumps von dem Rechner, bei dem es geht:

hp8760w:~ # tcpdump -i eth1 -n | grep 2a02:26f0:e200:4b4::1e89 tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes 21:35:19.957922 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, id 78, seq 22, length 64 21:35:20.029451 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, id 78, seq 22, length 64 21:35:20.959580 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, id 78, seq 23, length 64 21:35:20.968216 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, id 78, seq 23, length 64 21:35:21.961375 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, id 78, seq 24, length 64 21:35:21.969979 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, id 78, seq 24, length 64 21:35:22.963142 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, id 78, seq 25, length 64 21:35:22.971996 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, id 78, seq 25, length 64 21:35:23.964175 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, id 78, seq 26, length 64 21:35:23.972952 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, id 78, seq 26, length 64 ^C227 packets captured 261 packets received by filter 0 packets dropped by kernel

LAN OPNsense

root@OPNsense:/var/log/filter # tcpdump -i igb3 -n | grep 2a02:26f0:e200:4b4::1e89 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on igb3, link-type EN10MB (Ethernet), capture size 262144 bytes 21:36:59.119427 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, seq 121, length 64 21:36:59.126687 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, seq 121, length 64 21:37:00.121326 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, seq 122, length 64 21:37:00.128469 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, seq 122, length 64 21:37:01.149932 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, seq 123, length 64 21:37:01.157226 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, seq 123, length 64 21:37:02.124897 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, seq 124, length 64 21:37:02.131931 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, seq 124, length 64 21:37:03.126572 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, seq 125, length 64 21:37:03.133653 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, seq 125, length 64 ^C3398 packets captured 3522 packets received by filter 0 packets dropped by kernel

WAN

root@OPNsense:/var/log/filter # tcpdump -i igb1 -n | grep 2a02:26f0:e200:4b4::1e89 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on igb1, link-type EN10MB (Ethernet), capture size 262144 bytes #21:38:01.217903 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, seq 183, length 64 21:38:01.224961 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, seq 183, length 64 21:38:02.219703 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, seq 184, length 64 21:38:02.226946 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, seq 184, length 64 21:38:03.221636 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, seq 185, length 64 21:38:03.228769 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, seq 185, length 64 ^C1013 packets captured 1180 packets received by filter 0 packets dropped by kernel root@OPNsense:/var/log/filter # root@OPNsense:/var/log/filter # grep 2001:db8:7727:38f5:dd11:3e1c:1edb:920 latest.log <134>1 2023-08-05T19:23:12+02:00 OPNsense.hal9000.dedyn.io filterlog 62922 - [meta sequenceId="17607465"] 106,,,ba70dc1769980afe65cbac8576cee233,igb1,match,pass,out,6,0x00,0x00000,255,ipv6-icmp,58,16,2001:db8:7727:3800:2a8:2cff:fe68:e3e7,2a02:26f0:e200:4b4::1e89,datalength=16 <134>1 2023-08-05T21:31:39+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19851254"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x1fcbc,63,ipv6-icmp,58,64,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2a02:26f0:e200:4b4::1e89,datalength=64 <134>1 2023-08-05T21:31:53+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19854824"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x1fcbc,63,ipv6-icmp,58,64,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2a02:26f0:e200:4b4::1e89,datalength=64 <134>1 2023-08-05T21:34:59+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19905025"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x1fcbc,63,ipv6-icmp,58,64,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2a02:26f0:e200:4b4::1e89,datalength=64 root@OPNsense:/var/log/filter # root@OPNsense:/var/log/filter # grep 2a02:26f0:e200:4b4::1e89 latest.log <134>1 2023-08-05T21:36:27+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19927532"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x587d1,63,tcp,6,40,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2001:67c:2178:8::16,48810,80,0,S,966549707,,64800,,mss;sackOK;TS;nop;wscale <134>1 2023-08-05T21:36:47+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19935829"] 100,,,fae559338f65e11c53669fc3642c93c2,igb3,match,pass,out,6,0x00,0x00000,255,ipv6-icmp,58,32,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,datalength=32 <134>1 2023-08-05T21:36:47+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19935867"] 20,,,1d245529367b2e34eeaff16086aeafe9,igb3,match,pass,in,6,0x00,0x00000,255,ipv6-icmp,58,24,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,datalength=24 <134>1 2023-08-05T21:37:16+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19944912"] 20,,,1d245529367b2e34eeaff16086aeafe9,igb3,match,pass,in,6,0x00,0x00000,255,ipv6-icmp,58,24,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,datalength=24 <134>1 2023-08-05T21:37:45+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19950043"] 100,,,fae559338f65e11c53669fc3642c93c2,igb3,match,pass,out,6,0x00,0x00000,255,ipv6-icmp,58,32,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,datalength=32 <134>1 2023-08-05T21:37:45+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19950044"] 20,,,1d245529367b2e34eeaff16086aeafe9,igb3,match,pass,in,6,0x00,0x00000,255,ipv6-icmp,58,24,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,datalength=24 <134>1 2023-08-05T21:38:14+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19959159"] 100,,,fae559338f65e11c53669fc3642c93c2,igb3,match,pass,out,6,0x00,0x00000,255,ipv6-icmp,58,32,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,datalength=32 <134>1 2023-08-05T21:38:43+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19968898"] 100,,,fae559338f65e11c53669fc3642c93c2,igb3,match,pass,out,6,0x00,0x00000,255,ipv6-icmp,58,32,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,datalength=32 <134>1 2023-08-05T21:38:43+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19968900"] 20,,,1d245529367b2e34eeaff16086aeafe9,igb3,match,pass,in,6,0x00,0x00000,255,ipv6-icmp,58,24,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,datalength=24 <134>1 2023-08-05T21:39:12+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19976898"] 100,,,fae559338f65e11c53669fc3642c93c2,igb3,match,pass,out,6,0x00,0x00000,255,ipv6-icmp,58,32,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,datalength=32 <134>1 2023-08-05T21:39:12+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19976899"] 20,,,1d245529367b2e34eeaff16086aeafe9,igb3,match,pass,in,6,0x00,0x00000,255,ipv6-icmp,58,24,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,datalength=24 <134>1 2023-08-05T21:39:41+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19981994"] 100,,,fae559338f65e11c53669fc3642c93c2,igb3,match,pass,out,6,0x00,0x00000,255,ipv6-icmp,58,32,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,datalength=32 <134>1 2023-08-05T21:39:41+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19981995"] 20,,,1d245529367b2e34eeaff16086aeafe9,igb3,match,pass,in,6,0x00,0x00000,255,ipv6-icmp,58,24,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,datalength=24 <134>1 2023-08-05T21:39:44+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19982414"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x3c1ae,63,udp,17,56,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2606:4700:f1::1,38143,123,56 <134>1 2023-08-05T21:40:10+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19987814"] 20,,,1d245529367b2e34eeaff16086aeafe9,igb3,match,pass,in,6,0x00,0x00000,255,ipv6-icmp,58,24,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,datalength=24 root@OPNsense:/var/log/filter #
--------------------------

Also: spannende Frage:

warum kann die eine Adresse zurück geroutet werden, die anderen nicht, obwohl sie dasselbe Prefix haben?

Adresse geht:
2001:db8:7727:38f5:dd11:3e1c:1edb:920b

Adresse geht nicht:
2001:db8:7727:38f5:d3c6:2fef:f75f:adc

Route
2001:db8:7727:38f5::/64 link#4 U igb3 2001:db8:7727:38f5:2a8:2cff:fe68:e3e9 link#4 UHS lo0

default fe80::9a9b:cbff:fe08:3ca0%igb1 UG igb1 ::1 link#8 UHS lo0 2a01:4f8:161:83d1::/64 link#20 US ovpnc4 .. fdcb:7d25:175e:d794::/64 link#20 U ovpnc4 .. fe80::%ovpnc4/64 link#20 U ovpnc4 fe80::2a8:2cff:fe68:e3e6%ovpnc4 link#20 UHS lo0

Wieso kommt bei der Adresse, bei der es nicht geht, plötztlich das Openvpn Interface ins Spiel?

Wie kann ich finden, wo die Fehlkonfiguration liegt?

Wo kann der Hund begraben liegen? Wo kann ich noch suchen?

Pages: [1] 2 3 4