SOLVED: IPv6 Made some weird VLAN Changes

Started by eminent, May 08, 2023, 06:40:42 PM

May 08, 2023, 06:40:42 PM Last Edit: May 09, 2023, 03:38:41 PM by eminent
Good afternoon,

Thank you in advance. I enabled IPv6, however my ISP does not provide IPv6. Once I realized it, I disabled it. However, I have 4 VLANs.

LAN VLAN1
MANG VLAN3
SERV VLAN5
WORK VLAN7

Since disabling IPv6, I cannot RDP or ping any of my Windows devices on VLAN7. I attached a Linux device to VLAN7; I can ping the device and ssh to the device, but cannot ping any of the Windows machines. But when I attach a VM to VLAN7, I can ping the Windows devices. All my Windows devices have access to the internet, and after removing all rules for segmentation, they can ping any device on the network.

In Example 1, I performed a Layer 4 traceroute with lft to 3389; it shows that the port is open.
In Example 2, I performed nc to 3389; it shows that the port is open as well.
Example 3 is the packet capture on LAN to 172.18.7.23; it shows the packet going out.
In Example 4, this is where I think it's weird: it is showing the LAN address of the firewall, which is 172.18.1.1. I did check this with a server on my management VLAN, and it doesn't do this; it shows the respective IPs of 172.18.1.21 and 172.18.3.11.
Example 5 shows my ping to the VM succeeding.
Example 6 shows I can ping the Windows devices from the Linux VM.
Example 1

╰─ lft -VV 172.18.7.23:3389
Layer Four Traceroute (LFT) version 3.91 ... (verbosity level 2)
Receiving on enp0s20f0u2u3c2, type 1 (EN10MB), transmitting on enp0s20f0u2u3c2 as eminent.localdomain (172.18.1.21):53
Receive link type is EN10MB (1), skipping 14 bytes
Transmit Initial Sequence Number (ISN) will be 1921528470
SENT TCP  TTL=1 SEQ=1921528470 FLAGS=0x2 ( SYN )
RCVD ICMP SEQ=1921528470 SRC=172.18.1.1 PTTL=1 PSEQ=1921528470
SENT TCP  TTL=2 SEQ=1921528471 FLAGS=0x2 ( SYN )
SENT TCP  TTL=3 SEQ=1921528472 FLAGS=0x2 ( SYN )
RCVD TCP  FLAGS=0x12 ( SYN ACK ) SEQ=894040146 ACK=1921528472 SRC=172.18.7.23 PTTL=2 PSEQ=1921528471
Port 3389/tcp open; target attempted handshake.
RCVD TCP  FLAGS=0x12 ( SYN ACK ) SEQ=894057261 ACK=1921528473 SRC=172.18.7.23 PTTL=3 PSEQ=1921528472
TTL LFT trace to DESKTOP-7HBT260.localdomain (172.18.7.23):3389/tcp
1  OPNsense.localdomain (172.18.1.1) 1.4ms
2  [target open] DESKTOP-7HBT260.localdomain (172.18.7.23):3389 2.7ms


Example 2

╰─ nc -vz 172.18.7.23 3389
Connection to 172.18.7.23 3389 port [tcp/ms-wbt-server] succeeded!


Example 3

LAN
lagg0 2023-05-08
11:59:58.949452 60:be:b4:05:23:ef 50:a0:30:07:b4:ab ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 59658, offset 0, flags [none], proto ICMP (1), length 60)
    172.18.7.23 > 172.18.1.21: ICMP echo request, id 1, seq 9, length 40
LAN
lagg0 2023-05-08
11:59:58.951171 50:a0:30:07:b4:ab 60:be:b4:05:23:ef ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 60151, offset 0, flags [none], proto ICMP (1), length 60)
    172.18.1.21 > 172.18.7.23: ICMP echo reply, id 1, seq 9, length 40
LAN
lagg0 2023-05-08
11:59:59.962160 60:be:b4:05:23:ef 50:a0:30:07:b4:ab ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 59659, offset 0, flags [none], proto ICMP (1), length 60)
    172.18.7.23 > 172.18.1.21: ICMP echo request, id 1, seq 10, length 40
LAN
lagg0 2023-05-08
11:59:59.963772 50:a0:30:07:b4:ab 60:be:b4:05:23:ef ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 60160, offset 0, flags [none], proto ICMP (1), length 60)
    172.18.1.21 > 172.18.7.23: ICMP echo reply, id 1, seq 10, length 40
LAN
lagg0 2023-05-08
12:00:00.972129 60:be:b4:05:23:ef 50:a0:30:07:b4:ab ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 59660, offset 0, flags [none], proto ICMP (1), length 60)
    172.18.7.23 > 172.18.1.21: ICMP echo request, id 1, seq 11, length 40


Example 4

WORK
lagg0_vlan7 2023-05-08
11:59:29.475533 60:be:b4:05:23:ef b0:5c:da:2c:07:3c ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 27667, offset 0, flags [none], proto ICMP (1), length 84)
    172.18.1.1 > 172.18.7.23: ICMP echo request, id 4953, seq 6782, length 64
WORK
lagg0_vlan7 2023-05-08
11:59:30.476676 60:be:b4:05:23:ef b0:5c:da:2c:07:3c ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 47712, offset 0, flags [none], proto ICMP (1), length 84)
    172.18.1.1 > 172.18.7.23: ICMP echo request, id 4953, seq 6783, length 64
WORK
lagg0_vlan7 2023-05-08
11:59:31.487238 60:be:b4:05:23:ef b0:5c:da:2c:07:3c ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 7795, offset 0, flags [none], proto ICMP (1), length 84)
    172.18.1.1 > 172.18.7.23: ICMP echo request, id 4953, seq 6784, length 64
WORK
lagg0_vlan7 2023-05-08
11:59:32.487569 60:be:b4:05:23:ef b0:5c:da:2c:07:3c ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 35971, offset 0, flags [none], proto ICMP (1), length 84)
    172.18.1.1 > 172.18.7.23: ICMP echo request, id 4953, seq 6785, length 64
WORK
lagg0_vlan7 2023-05-08
11:59:33.499053 60:be:b4:05:23:ef b0:5c:da:2c:07:3c ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 33168, offset 0, flags [none], proto ICMP (1), length 84)
    172.18.1.1 > 172.18.7.23: ICMP echo request, id 4953, seq 6786, length 64

Example 5

╰─ ping 172.18.7.20
PING 172.18.7.20 (172.18.7.20) 56(84) bytes of data.
64 bytes from 172.18.7.20: icmp_seq=1 ttl=63 time=2.09 ms
64 bytes from 172.18.7.20: icmp_seq=2 ttl=63 time=1.98 ms
64 bytes from 172.18.7.20: icmp_seq=3 ttl=63 time=1.74 ms
64 bytes from 172.18.7.20: icmp_seq=4 ttl=63 time=1.74 ms
64 bytes from 172.18.7.20: icmp_seq=5 ttl=63 time=1.76 ms


Example 6

root@handy-boxer ~ # ping 172.18.7.23
PING 172.18.7.23 (172.18.7.23) 56(84) bytes of data.
64 bytes from 172.18.7.23: icmp_seq=1 ttl=128 time=1.50 ms
64 bytes from 172.18.7.23: icmp_seq=2 ttl=128 time=0.762 ms
64 bytes from 172.18.7.23: icmp_seq=3 ttl=128 time=1.13 ms
64 bytes from 172.18.7.23: icmp_seq=4 ttl=128 time=0.754 ms
^C
--- 172.18.7.23 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3021ms
rtt min/avg/max/mdev = 0.754/1.037/1.502/0.308 ms

Stood up a Windows VM, on that VM. Same issue. Appears to only be Windows devices.

I am not sure why turning IPv6 on and back off would have any effect on IPv4 traffic. I am going to take a guess that this isn't an OPNsense issue, considering it appears to be OS specific. I would first make sure that IPv6 is disabled on all firewall interfaces, not just the WAN interface. If connecting by hostname, make sure there is no chance of an IPv6 address resolution.

You can verify packets are passing the firewall by looking at the Live View under Firewall; you will want to create filter rules, otherwise they will fly past faster than you can read them.

On the Windows side, my best guess is that the Windows firewall might be incorrectly classifying traffic crossing VLANs as edge traversal traffic, which it nearly always blocks by default. Verify this by turning the Windows firewall off on one host and seeing if that corrects the issue. If so, then you know that is where to focus.

If all else fails, reboot the switch and firewall... you shouldn't have to do that, but depending on how your trunk port is being negotiated, maybe something went wrong there (seems unlikely considering the Linux traffic is working). A switch reboot also forces all the hosts to reinitiate their IP stack, which isn't a bad thing given the odd Windows behavior.

Thank you. And you are correct, it shouldn't change it. I have resolved the issue. Windows by default doesn't accept ICMP, so I do not know why that Linux box could ping it. However, I updated my Linux box and it updated Remmina, which broke my RDP.
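As an added example (not posted by anyone in this thread), here is a read-only PowerShell audit of the Windows-side settings the reply suggests checking and the resolution touches on: which firewall profile the VLAN7 interface landed in, whether any inbound ICMPv4 echo rule is enabled for that profile, and which enabled rules open TCP 3389 and what their edge traversal policy is. It assumes it is run in an elevated PowerShell on the Windows host in question (172.18.7.23 in the thread); the cmdlets are the standard NetSecurity module ones and no rule names are assumed.

```powershell
# Added example, not from the thread. Read-only: nothing below changes a rule.
# Run elevated on the VLAN7 Windows host (172.18.7.23 in the thread).

# 1. Which firewall profile does each interface belong to? The built-in inbound
#    allow rules for ICMP echo and RDP are usually scoped to Domain/Private, so a
#    NIC that re-registered as "Public" after an IPv6 on/off cycle stops answering.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, NetworkCategory, IPv4Connectivity, IPv6Connectivity |
    Format-Table -AutoSize

# 2. Is the firewall enabled per profile, and what happens to unsolicited inbound
#    traffic that matches no allow rule? (DefaultInboundAction is normally Block.)
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction |
    Format-Table -AutoSize

# 3. Inbound ICMPv4 echo rules. Windows replies to ping only when one of these is
#    Enabled for the profile the interface is in; with all of them disabled the
#    host is silently unpingable even though TCP 3389 may still accept connections,
#    which matches the "Windows by default doesn't accept ICMP" finding above.
Get-NetFirewallRule -Direction Inbound -Action Allow |
    Where-Object { $_.DisplayName -like '*ICMPv4*' -or $_.DisplayName -like '*Echo Request*' } |
    Select-Object DisplayName, Enabled, Profile, EdgeTraversalPolicy |
    Format-Table -AutoSize

# 4. Enabled inbound rules whose local port includes 3389 (RDP). EdgeTraversalPolicy
#    governs unsolicited traffic arriving through a NAT-traversal tunnel such as
#    Teredo; listing it here lets you compare the rule's scope and profile against
#    the interface profile from step 1 when RDP across VLANs fails.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    Select-Object DisplayName, Profile, EdgeTraversalPolicy |
    Format-Table -AutoSize
```

If step 1 shows the interface as Public while the echo and RDP rules in steps 3 and 4 are scoped to Private, that mismatch alone explains a host that is reachable from one subnet and not another.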