Help needed: Understanding my filter.log

Started by Kornelius777, August 13, 2023, 06:08:21 PM

Dear all,

In my network, I have a Zabbix server running (at ::20) which is using a MariaDB server (at ::62). Both are on the LAN interface.

Yesterday, all of a sudden, I see this in my filter.log:

<134>1 2023-08-12T20:21:59+02:00 OPNsense.lan.xxxx.de filterlog 33664 - [meta sequenceId="435528"] 18,,,02f4bab031b57d1e30553ce08e0ec131,re0,match,block,in,6,0x00,0xc1418,64,tcp,6,32,2a02:b30:f1f:72ff::62,2a02:b30:f1f:72ff::20,3306,36882,0,A,,3150097180,8110,,nop;nop;TS
<134>1 2023-08-12T20:22:09+02:00 OPNsense.lan.xxxx.de filterlog 33664 - [meta sequenceId="435604"] 18,,,02f4bab031b57d1e30553ce08e0ec131,re0,match,block,in,6,0x00,0xade03,64,tcp,6,32,2a02:b30:f1f:72ff::62,2a02:b30:f1f:72ff::20,3306,56436,0,A,,3128288619,9767,,nop;nop;TS
<134>1 2023-08-12T20:23:04+02:00 OPNsense.lan.xxxx.de filterlog 33664 - [meta sequenceId="435893"] 18,,,02f4bab031b57d1e30553ce08e0ec131,re0,match,block,in,6,0x00,0x54772,64,tcp,6,32,2a02:b30:f1f:72ff::62,2a02:b30:f1f:72ff::20,3306,47300,0,A,,2174907491,501,,nop;nop;TS
<134>1 2023-08-12T20:23:04+02:00 OPNsense.lan.xxxx.de filterlog 33664 - [meta sequenceId="435894"] 18,,,02f4bab031b57d1e30553ce08e0ec131,re0,match,block,in,6,0x00,0xb4439,64,tcp,6,32,2a02:b30:f1f:72ff::62,2a02:b30:f1f:72ff::20,3306,54974,0,A,,477656593,502,,nop;nop;TS
<134>1 2023-08-12T20:23:04+02:00 OPNsense.lan.xxxx.de filterlog 33664 - [meta sequenceId="435895"] 18,,,02f4bab031b57d1e30553ce08e0ec131,re0,match,block,in,6,0x00,0xdaa7b,64,tcp,6,32,2a02:b30:f1f:72ff::62,2a02:b30:f1f:72ff::20,3306,55018,0,A,,658336494,502,,nop;nop;TS
<134>1 2023-08-12T20:23:04+02:00 OPNsense.lan.xxxx.de filterlog 33664 - [meta sequenceId="435896"] 18,,,02f4bab031b57d1e30553ce08e0ec131,re0,match,block,in,6,0x00,0x41658,64,tcp,6,32,2a02:b30:f1f:72ff::62,2a02:b30:f1f:72ff::20,3306,55014,0,A,,866722073,9720,,nop;nop;TS
<134>1 2023-08-12T20:23:04+02:00 OPNsense.lan.xxxx.de filterlog 33664 - [meta sequenceId="435897"] 18,,,02f4bab031b57d1e30553ce08e0ec131,re0,match,block,in,6,0x00,0xc7706,64,tcp,6,32,2a02:b30:f1f:72ff::62,2a02:b30:f1f:72ff::20,3306,55002,0,A,,1813106765,817,,nop;nop;TS
<134>1 2023-08-12T20:23:04+02:00 OPNsense.lan.xxxx.de filterlog 33664 - [meta sequenceId="435898"] 18,,,02f4bab031b57d1e30553ce08e0ec131,re0,match,block,in,6,0x00,0x9d0d0,64,tcp,6,32,2a02:b30:f1f:72ff::62,2a02:b30:f1f:72ff::20,3306,54992,0,A,,2791888317,9744,,nop;nop;TS
<134>1 2023-08-12T20:23:04+02:00 OPNsense.lan.xxxx.de filterlog 33664 - [meta sequenceId="435899"] 18,,,02f4bab031b57d1e30553ce08e0ec131,re0,match,block,in,6,0x00,0x3082b,64,tcp,6,32,2a02:b30:f1f:72ff::62,2a02:b30:f1f:72ff::20,3306,54986,0,A,,619335935,9813,,nop;nop;TS
<134>1 2023-08-12T20:23:04+02:00 OPNsense.lan.xxxx.de filterlog 33664 - [meta sequenceId="435900"] 18,,,02f4bab031b57d1e30553ce08e0ec131,re0,match,block,in,6,0x00,0x6cabb,64,tcp,6,32,2a02:b30:f1f:72ff::62,2a02:b30:f1f:72ff::20,3306,55034,0,A,,3816875453,13877,,nop;nop;TS
<134>1 2023-08-12T20:23:04+02:00 OPNsense.lan.xxxx.de filterlog 33664 - [meta sequenceId="435901"] 18,,,02f4bab031b57d1e30553ce08e0ec131,re0,match,block,in,6,0x00,0x7a9b5,64,tcp,6,32,2a02:b30:f1f:72ff::62,2a02:b30:f1f:72ff::20,3306,55046,0,A,,1415215424,9755,,nop;nop;TS
<134>1 2023-08-12T20:23:04+02:00 OPNsense.lan.xxxx.de filterlog 33664 - [meta sequenceId="435902"] 18,,,02f4bab031b57d1e30553ce08e0ec131,re0,match,block,in,6,0x00,0xddffc,64,tcp,6,32,2a02:b30:f1f:72ff::62,2a02:b30:f1f:72ff::20,3306,55048,0,A,,2768401767,9802,,nop;nop;TS
<134>1 2023-08-12T20:23:04+02:00 OPNsense.lan.xxxx.de filterlog 33664 - [meta sequenceId="435903"] 18,,,02f4bab031b57d1e30553ce08e0ec131,re0,match,block,in,6,0x00,0xfbf1e,64,tcp,6,32,2a02:b30:f1f:72ff::62,2a02:b30:f1f:72ff::20,3306,54862,0,A,,1599404197,9790,,nop;nop;TS
<134>1 2023-08-12T20:23:04+02:00 OPNsense.lan.xxxx.de filterlog 33664 - [meta sequenceId="435904"] 18,,,02f4bab031b57d1e30553ce08e0ec131,re0,match,block,in,6,0x00,0x824c3,64,tcp,6,32,2a02:b30:f1f:72ff::62,2a02:b30:f1f:72ff::20,3306,54874,0,A,,3716731802,9697,,nop;nop;TS
<134>1 2023-08-12T20:23:04+02:00 OPNsense.lan.xxxx.de filterlog 33664 - [meta sequenceId="435905"] 18,,,02f4bab031b57d1e30553ce08e0ec131,re0,match,block,in,6,0x00,0xb82db,64,tcp,6,32,2a02:b30:f1f:72ff::62,2a02:b30:f1f:72ff::20,3306,54880,0,A,,1416812441,502,,nop;nop;TS
<134>1 2023-08-12T20:23:04+02:00 OPNsense.lan.xxxx.de filterlog 33664 - [meta sequenceId="435906"] 18,,,02f4bab031b57d1e30553ce08e0ec131,re0,match,block,in,6,0x00,0xbe660,64,tcp,6,32,2a02:b30:f1f:72ff::62,2a02:b30:f1f:72ff::20,3306,54984,0,A,,3363215183,5263,,nop;nop;TS
<134>1 2023-08-12T20:23:04+02:00 OPNsense.lan.xxxx.de filterlog 33664 - [meta sequenceId="435907"] 18,,,02f4bab031b57d1e30553ce08e0ec131,re0,match,block,in,6,0x00,0x2755e,64,tcp,6,32,2a02:b30:f1f:72ff::62,2a02:b30:f1f:72ff::20,3306,43444,0,A,,2445388427,657,,nop;nop;TS
<134>1 2023-08-12T20:23:04+02:00 OPNsense.lan.xxxx.de filterlog 33664 - [meta sequenceId="435908"] 18,,,02f4bab031b57d1e30553ce08e0ec131,re0,match,block,in,6,0x00,0xe19cf,64,tcp,6,32,2a02:b30:f1f:72ff::62,2a02:b30:f1f:72ff::20,3306,55054,0,A,,4186526575,9755,,nop;nop;TS


and at the same time, CrowdSec blocks the MariaDB server, because it performed a PORT SCAN?!?!?

Would somebody be able (and kind enough) to explain to me what happened here?
What might have led my OPNsense to block this on the LAN port?

Kind regards,

Following up on my own post:
It looks like my FritzBox (the ISP Router) received a new IPv6 Prefix at 20:23:30.
OPNsense reports afterwards:
2023-08-12T20:23:34   Notice   dhcp6c   dhcp6c_script: RENEW on em0 executing

However:
How does this fit into the chronology of the filter.log?
The blocking events happened before the IPv6 Change...

Scratching my head...

Just a guess: If you use "LAN net" or "Dynamic IPv6 Host" aliases in firewall rules and your prefix changes, packets which still use the old prefix won't match and will get blocked. Is 2a02:b30:f1f:72ff:: the old prefix? Not sure how this would fit the sequence of events though. Would require a deeper dive into the logs.

Cheers
Maurice
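To check Maurice's reading against the lines in the post, here is an added example (my own code, not from the thread or from OPNsense) that splits the filterlog CSV payload into its documented IPv6/TCP fields and groups the blocked packets per source address. It shows the blocked traffic is the MariaDB server's port 3306 sending ACK-only segments to many of the Zabbix server's client ports, which is what established connections look like once pf has lost their state, and exactly what a scan detector counting distinct destination ports per source will flag; the 2a02:b30:f1f:72ff::99 source and its two SYN lines are constructed for contrast.

```python
from collections import defaultdict

# Field layout of pf filterlog payloads: common header, then the IPv6 header,
# then the TCP header. This example handles only the IPv6 + TCP layout.
COMMON = ["rule", "subrule", "anchor", "label", "iface", "reason", "action", "dir", "ipver"]
IPV6 = ["class", "flowlabel", "hoplimit", "proto", "protoid", "length", "src", "dst"]
TCP = ["sport", "dport", "datalen", "flags", "seq", "ack", "window", "urg", "options"]

def parse_filterlog(line):
    """Parse one filterlog line (with or without its syslog header) into a dict."""
    fields = line.split("] ", 1)[-1].split(",")  # drop '<134>1 ... [meta ...] ' if present
    if len(fields) < 26 or fields[8] != "6" or fields[12] != "tcp":
        raise ValueError("only IPv6/TCP filterlog lines are handled here")
    rec = dict(zip(COMMON, fields[0:9]))
    rec.update(zip(IPV6, fields[9:17]))
    rec.update(zip(TCP, fields[17:26]))
    return rec

def classify_blocks(lines):
    """Group blocked packets per source address: ports used and TCP flags seen."""
    groups = defaultdict(lambda: {"count": 0, "sports": set(), "dports": set(), "flags": set()})
    for rec in map(parse_filterlog, lines):
        if rec["action"] != "block":
            continue
        g = groups[rec["src"]]
        g["count"] += 1
        g["sports"].add(rec["sport"]); g["dports"].add(rec["dport"]); g["flags"].add(rec["flags"])
    return dict(groups)

def looks_like_lost_state(g):
    """One fixed source port answering many client ports with ACK-type flags and no SYN
    is a service continuing established connections whose pf state is gone, not a scan."""
    return len(g["sports"]) == 1 and len(g["dports"]) > 1 and not any("S" in f for f in g["flags"])

# Three lines taken from the post, plus two constructed SYN lines from an invented
# source (::99) showing what genuine new connection attempts look like instead.
SAMPLE = [
    '<134>1 2023-08-12T20:21:59+02:00 OPNsense.lan.xxxx.de filterlog 33664 - [meta sequenceId="435528"] 18,,,02f4bab031b57d1e30553ce08e0ec131,re0,match,block,in,6,0x00,0xc1418,64,tcp,6,32,2a02:b30:f1f:72ff::62,2a02:b30:f1f:72ff::20,3306,36882,0,A,,3150097180,8110,,nop;nop;TS',
    '<134>1 2023-08-12T20:22:09+02:00 OPNsense.lan.xxxx.de filterlog 33664 - [meta sequenceId="435604"] 18,,,02f4bab031b57d1e30553ce08e0ec131,re0,match,block,in,6,0x00,0xade03,64,tcp,6,32,2a02:b30:f1f:72ff::62,2a02:b30:f1f:72ff::20,3306,56436,0,A,,3128288619,9767,,nop;nop;TS',
    '<134>1 2023-08-12T20:23:04+02:00 OPNsense.lan.xxxx.de filterlog 33664 - [meta sequenceId="435893"] 18,,,02f4bab031b57d1e30553ce08e0ec131,re0,match,block,in,6,0x00,0x54772,64,tcp,6,32,2a02:b30:f1f:72ff::62,2a02:b30:f1f:72ff::20,3306,47300,0,A,,2174907491,501,,nop;nop;TS',
    '18,,,02f4bab031b57d1e30553ce08e0ec131,re0,match,block,in,6,0x00,0x1a2b3,64,tcp,6,40,2a02:b30:f1f:72ff::99,2a02:b30:f1f:72ff::20,40001,3306,0,S,,,64240,,mss;sackOK;TS;nop;wscale',
    '18,,,02f4bab031b57d1e30553ce08e0ec131,re0,match,block,in,6,0x00,0x1a2b4,64,tcp,6,40,2a02:b30:f1f:72ff::99,2a02:b30:f1f:72ff::20,40002,22,0,S,,,64240,,mss;sackOK;TS;nop;wscale',
]

if __name__ == "__main__":
    for src, g in classify_blocks(SAMPLE).items():
        verdict = "lost firewall state" if looks_like_lost_state(g) else "new connection attempts"
        print(f"{src}: {g['count']} blocked, sports={sorted(g['sports'])}, "
              f"dports={sorted(g['dports'])}, flags={sorted(g['flags'])} -> {verdict}")
```

Running it over the full filter.log extract from the post (all 18 lines carry flags A from source port 3306) gives the same verdict for ::62, which is why a per-source port counter trips while no SYN was ever blocked.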