IPv6 - very strange firewall problem - only some machines can get out

Started by BSAfH42, August 05, 2023, 09:54:20 PM

IPv6 – strange problem

Part 1

OPNsense

Versions
OPNsense 23.7-amd64
FreeBSD 13.2-RELEASE-p1
OpenSSL 1.1.1u 30 May 2023
CPU type
Intel(R) Core(TM) i7-10510U CPU @ 1.80GHz (4 cores, 8 threads)


I run an OPNsense firewall/router behind a Telekom VDSL250 line that provides me with IPv4 and IPv6. The OPNsense is not connected directly to the DSL line but sits behind a Fritz!Box 7530; the OPNsense is configured there as "exposed host" for both v4 and v6, and DHCP6 is enabled on the Fritzbox.

On the WAN interface, IPv6 is set up as a DHCP6 client (IPv4 with a static address towards the Fritzbox); the internal interfaces LAN and OPT1 are set to "follow WAN Interface" for IPv6, and for DHCP4 the OPNsense itself acts as the DHCP server.

So far, so good.

All machines in the LAN network and in the OPT1 network duly get IPv6 addresses with the correct IPv6 prefixes, and all of them also get the correct default route pointing to the OPNsense.

The goal, of course, is to be able to reach arbitrary IPv6 destinations on the Internet from the LAN network (let's leave OPT1 out for now for the sake of simplicity) and from the OPNsense.

Problem:

Only from the OPNsense itself and from some machines in the LAN can IPv6 hosts on the Internet be reached; from some other machines they cannot.
And every now and then it changes which machines it works from and which it does not – sometimes in the middle of a running ping: it works for days, then suddenly "address unreachable" appears and it stays that way.

OPNsense:

root@OPNsense:~ # ifconfig
igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4900028<VLAN_MTU,JUMBO_MTU,NETMAP,NOMAP>
        ether 00:a8:2c:68:e3:e6
        media: Ethernet autoselect
        status: no carrier
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igb1: flags=8b63<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: WAN (wan)
        options=4800028<VLAN_MTU,JUMBO_MTU,NOMAP>
        ether 00:a8:2c:68:e3:e7
        inet 192.168.178.3 netmask 0xffffff00 broadcast 192.168.178.255
        inet6 fe80::2a8:2cff:fe68:e3e7%igb1 prefixlen 64 scopeid 0x2
        inet6 2001:db8:7727:3800:2a8:2cff:fe68:e3e7 prefixlen 64 autoconf
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
igb2: flags=8b63<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: WLAN (opt1)
        options=4900028<VLAN_MTU,JUMBO_MTU,NETMAP,NOMAP>
        ether 00:a8:2c:68:e3:e8
        inet6 fe80::2a8:2cff:fe68:e3e8%igb2 prefixlen 64 scopeid 0x3
        inet6 2001:db8:7727:38f0:2a8:2cff:fe68:e3e8 prefixlen 64
        inet 192.168.81.2 netmask 0xffffff00 broadcast 192.168.81.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
igb3: flags=8b63<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: LAN (lan)
        options=4900028<VLAN_MTU,JUMBO_MTU,NETMAP,NOMAP>
        ether 00:a8:2c:68:e3:e9
        inet6 fe80::2a8:2cff:fe68:e3e9%igb3 prefixlen 64 scopeid 0x4
        inet6 2001:db8:7727:38f5:2a8:2cff:fe68:e3e9 prefixlen 64
        inet 192.168.80.2 netmask 0xffffff00 broadcast 192.168.80.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

root@OPNsense:~ # netstat -rn -6
Routing tables

Internet6:
Destination                       Gateway                       Flags     Netif Expire
default                           fe80::9a9b:cbff:fe08:3ca0%igb1 UG        igb1
::1                               link#8                        UHS         lo0
2001:db8:7727:3800::/64            link#2                        U          igb1
2001:db8:7727:3800:2a8:2cff:fe68:e3e7 link#2                     UHS         lo0
2001:db8:7727:3800:9a9b:cbff:fe08:3ca0 fe80::9a9b:cbff:fe08:3ca0%igb1 UGHS     igb1
2001:db8:7727:38f0::/64            link#3                        U          igb2
2001:db8:7727:38f0::/60            ::1                           USB         lo0
2001:db8:7727:38f0:2a8:2cff:fe68:e3e8 link#3                     UHS         lo0
2001:db8:7727:38f5::/64            link#4                        U          igb3
2001:db8:7727:38f5:2a8:2cff:fe68:e3e9 link#4                     UHS         lo0
2a01:4f8:161:83d1::/64            link#20                       US       ovpnc4
fd00::9a9b:cbff:fe08:3ca0         fe80::9a9b:cbff:fe08:3ca0%igb1 UGHS      igb1
fd10::/64                         link#17                       U        ovpns2
fd10::1                           link#17                       UHS         lo0
fd11::/64                         link#18                       U        ovpns3
fd11::1                           link#18                       UHS         lo0
fdcb:7d25:175e:d794::/64          link#20                       U        ovpnc4
fdcb:7d25:175e:d794::2            link#20                       UHS         lo0
fe80::%igb1/64                    link#2                        U          igb1
fe80::2a8:2cff:fe68:e3e7%igb1     link#2                        UHS         lo0
fe80::%igb2/64                    link#3                        U          igb2
fe80::2a8:2cff:fe68:e3e8%igb2     link#3                        UHS         lo0
fe80::%igb3/64                    link#4                        U          igb3
fe80::2a8:2cff:fe68:e3e9%igb3     link#4                        UHS         lo0
fe80::%lo0/64                     link#8                        U           lo0
fe80::1%lo0                       link#8                        UHS         lo0
fe80::%ovpns2/64                  link#17                       U        ovpns2
fe80::2a8:2cff:fe68:e3e6%ovpns2   link#17                       UHS         lo0
fe80::%ovpns3/64                  link#18                       U        ovpns3
fe80::2a8:2cff:fe68:e3e6%ovpns3   link#18                       UHS         lo0
fe80::%ovpnc4/64                  link#20                       U        ovpnc4
fe80::2a8:2cff:fe68:e3e6%ovpnc4   link#20                       UHS         lo0
root@OPNsense:~ #


root@OPNsense:~ # ping -c2 -6 www.hp.com
PING6(56=40+8+8 bytes) 2001:db8:7727:3800:2a8:2cff:fe68:e3e7 --> 2a02:26f0:e200::213:5053
16 bytes from 2a02:26f0:e200::213:5053, icmp_seq=0 hlim=60 time=7.978 ms
16 bytes from 2a02:26f0:e200::213:5053, icmp_seq=1 hlim=60 time=7.240 ms

--- e40715.dsca.akamaiedge.net ping6 statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 7.240/7.609/7.978/0.369 ms
root@OPNsense:~ #

root@OPNsense:~ # traceroute6  www.hp.com
traceroute6: Warning: e40715.dsca.akamaiedge.net has multiple addresses; using 2a02:26f0:e200::213:5053
traceroute6 to e40715.dsca.akamaiedge.net (2a02:26f0:e200::213:5053) from 2001:db8:7727:3800:2a8:2cff:fe68:e3e7, 64 hops max, 28 byte packets
1  p200300ce772738009a9bcbfffe083ca0.dip0.t-ipconnect.de  0.421 ms  0.430 ms  0.305 ms
2  2003:0:8501:5000::1  4.033 ms  4.067 ms  3.928 ms
3  2003:0:1407:8000::1  8.523 ms *  8.805 ms
4  2003:0:1407:8001::2  158.957 ms  8.820 ms  8.278 ms
5  g2a02-26f0-e200-0000-0000-0000-0213-5053.deploy.static.akamaitechnologies.com  8.229 ms  8.132 ms  7.673 ms
root@OPNsense:~ #

root@OPNsense:~ # traceroute6 -n www.hp.com
traceroute6: Warning: e40715.dsca.akamaiedge.net has multiple addresses; using 2a02:26f0:e200::213:5081
traceroute6 to e40715.dsca.akamaiedge.net (2a02:26f0:e200::213:5081) from 2001:db8:7727:3800:2a8:2cff:fe68:e3e7, 64 hops max, 28 byte packets
1  2001:db8:7727:3800:9a9b:cbff:fe08:3ca0  0.380 ms  0.275 ms  0.207 ms
2  2003:0:8501:5000::1  4.431 ms  3.920 ms  4.001 ms
3  2003:0:1407:8000::1  9.261 ms * *
4  2003:0:1407:8001::2  434.408 ms  216.898 ms  36.418 ms
5  2a02:26f0:e200::213:5081  8.380 ms  7.868 ms  7.748 ms
root@OPNsense:~ #


so everything looks fine


Part 2

Now one of the machines where it works:

(this is an openSUSE machine)

hp8760w:~ # ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.80.7  netmask 255.255.255.0  broadcast 192.168.80.255
        inet6 2001:db8:7727:38f5:e611:5bff:fe27:e98c  prefixlen 64  scopeid 0x0<global>
        inet6 2001:db8:7727:38f5:380d:fa06:4bff:3d7c  prefixlen 128  scopeid 0x0<global>
        inet6 2001:db8:7727:38f5:16be:35:1ca1:a808  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::e611:5bff:fe27:e98c  prefixlen 64  scopeid 0x20<link>
        inet6 2001:db8:7727:38f5:6001:c32a:b54b:746c  prefixlen 64  scopeid 0x0<global>
        inet6 2001:db8:7727:38f5:98da:be69:983b:73d0  prefixlen 64  scopeid 0x0<global>
        inet6 2001:db8:7727:38f5:1b0f:31df:40ac:b3dc  prefixlen 64  scopeid 0x0<global>
        ether e4:11:5b:27:e9:8c  txqueuelen 1000  (Ethernet)
        RX packets 17249876  bytes 1664411237 (1.5 GiB)
        RX errors 7  dropped 12284438  overruns 0  frame 7
        TX packets 45101  bytes 9767443 (9.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xd2500000-d2520000

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.80.16  netmask 255.255.255.0  broadcast 192.168.80.255
        inet6 fe80::1814:d233:8c33:45fa  prefixlen 64  scopeid 0x20<link>
        inet6 2001:db8:7727:38f5:81da:97fa:beb2:1eeb  prefixlen 64  scopeid 0x0<global>
        inet6 2001:db8:7727:38f5:58cd:3d2b:d331:e735  prefixlen 64  scopeid 0x0<global>
        inet6 2001:db8:7727:38f5:f455:220:9e89:ac6f  prefixlen 64  scopeid 0x0<global>
        inet6 2001:db8:7727:38f5:9c55:11b7:da4c:c92a  prefixlen 64  scopeid 0x0<global>
        inet6 2001:db8:7727:38f5:4adb:4fec:cde9:32de  prefixlen 64  scopeid 0x0<global>
        inet6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b  prefixlen 128  scopeid 0x0<global>
        ether 00:50:b6:d3:1a:5e  txqueuelen 1000  (Ethernet)
        RX packets 26829842  bytes 3327856140 (3.0 GiB)
        RX errors 0  dropped 14842575  overruns 0  frame 0
        TX packets 917228  bytes 109209920 (104.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 16409  bytes 1253055 (1.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16409  bytes 1253055 (1.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

hp8760w:~ #

hp8760w:~ # ip -6 r
::1 dev lo proto kernel metric 256 pref medium
2001:db8:7727:38f5:380d:fa06:4bff:3d7c dev eth0 proto kernel metric 101 pref medium
2001:db8:7727:38f5:dd11:3e1c:1edb:920b dev eth1 proto kernel metric 100 pref medium
2001:db8:7727:38f5::/64 dev eth1 proto ra metric 100 pref medium
2001:db8:7727:38f5::/64 dev eth0 proto ra metric 101 pref medium
fe80::/64 dev eth1 proto kernel metric 1024 pref medium
fe80::/64 dev eth0 proto kernel metric 1024 pref medium
default via fe80::2a8:2cff:fe68:e3e9 dev eth1 proto ra metric 100 pref medium
default via fe80::2a8:2cff:fe68:e3e9 dev eth0 proto ra metric 20101 pref medium
hp8760w:~ #

hp8760w:~ # ping -6 -c3 -n www.ibm.com
PING www.ibm.com(2a02:26f0:e200:4b4::1e89) 56 data bytes
64 bytes from 2a02:26f0:e200:4b4::1e89: icmp_seq=1 ttl=59 time=9.20 ms
64 bytes from 2a02:26f0:e200:4b4::1e89: icmp_seq=2 ttl=59 time=8.69 ms
64 bytes from 2a02:26f0:e200:4b4::1e89: icmp_seq=3 ttl=59 time=8.62 ms

--- www.ibm.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 8.619/8.834/9.195/0.256 ms
hp8760w:~ #

hp8760w:~ # traceroute -6 -n www.hp.com
traceroute to www.hp.com (2a02:26f0:e200::213:5081), 30 hops max, 80 byte packets
1  2001:db8:7727:38f5:2a8:2cff:fe68:e3e9  3.927 ms  5.632 ms  3.865 ms
2  2001:db8:7727:3800:9a9b:cbff:fe08:3ca0  8.355 ms  8.337 ms  8.317 ms
3  2003:0:8501:5000::1  8.364 ms  12.862 ms  9.895 ms
4  2003:0:1407:8000::1  15.856 ms *  15.820 ms
5  2003:0:1407:8001::2  2700.154 ms  2700.363 ms  2700.228 ms
6  2a02:26f0:e200::213:5081  12.913 ms  14.564 ms  11.956 ms
hp8760w:~ ##

Part 3

And now a machine where it does not work:

This is a Raspberry Pi with Raspbian (Debian 10)

root@pbx:~# ifconfig
eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.168.80.12  netmask 255.255.255.0  broadcast 192.168.80.255
        inet6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc  prefixlen 64  scopeid 0x0<global>
        inet6 2001:db8:7727:38f5:1b7c:c265:3822:8740  prefixlen 64  scopeid 0x0<global>
        inet6 2001:db8:7727:38f5:fe75:58fe:b591:b7c1  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::253f:d661:3f12:9723  prefixlen 64  scopeid 0x20<link>
        inet6 2001:db8:7727:38f5:7d8d:9f4:5a7:3f69  prefixlen 64  scopeid 0x0<global>
        ether dc:a6:32:2d:5d:17  txqueuelen 1000  (Ethernet)
        RX packets 6999888  bytes 1642979660 (1.5 GiB)
        RX errors 0  dropped 1  overruns 0  frame 0
        TX packets 8277352  bytes 1726115340 (1.6 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 4971580  bytes 7368566971 (6.8 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4971580  bytes 7368566971 (6.8 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@pbx:~# ip -6 r
::1 dev lo proto kernel metric 256 pref medium
2001:db8:7727:38f5::/64 dev eth0 proto ra metric 202 mtu 1500 pref medium
2001:db8:7727:38f5::/64 dev eth0 proto kernel metric 256 expires 86027sec pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::2a8:2cff:fe68:e3e9 dev eth0 proto ra metric 202 mtu 1500 pref medium
default via fe80::2a8:2cff:fe68:e3e9 dev eth0 proto ra metric 1024 expires 1427sec hoplimit 64 pref medium
root@pbx:~#

root@incrediblepbx:~# ping www.cisco.com
PING www.cisco.com(g2a02-26f0-b200-03a1-0000-0000-0000-0b33.deploy.static.akamaitechnologies.com (2a02:26f0:b200:3a1::b33)) 56 data bytes

(and nothing more)

root@pbx:~# traceroute 2a02:26f0:e200:5b3::b33
traceroute to 2a02:26f0:e200:5b3::b33 (2a02:26f0:e200:5b3::b33), 30 hops max, 80 byte packets
1  * * *
2  * * *
3  * * *
4  * * *
5  * * *
6  * * *
7  * * *
8  * * *
9  * * *
......


On the outgoing interface you can still see the packets, but nothing comes back:

root@incrediblepbx:~# tcpdump -i eth0 -n | grep 2a02:26f0:e200:5b3::b33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
20:49:32.760274 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 141, length 64
20:49:33.800286 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 142, length 64
20:49:34.840261 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 143, length 64
20:49:35.880293 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 144, length 64
20:49:36.920217 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 145, length 64
20:49:37.960225 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 146, length 64
20:49:39.000238 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 147, length 64
20:49:40.040245 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 148, length 64
20:49:41.080262 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 149, length 64
20:49:42.120248 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 150, length 64
20:49:43.160247 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 151, length 64
^C2242 packets captured
2251 packets received by filter
0 packets dropped by kernel


Let's take a look on the OPNsense:


root@OPNsense:~ # tcpdump -i igb3 -n | grep 2a02:26f0:e200:5b3::b33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb3, link-type EN10MB (Ethernet), capture size 262144 bytes
20:52:11.879675 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 294, length 64
20:52:12.919669 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 295, length 64
20:52:13.959655 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 296, length 64
20:52:14.999703 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 297, length 64
20:52:16.039667 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 298, length 64
20:52:17.079807 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 299, length 64
20:52:18.129694 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 300, length 64
20:52:19.159689 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 301, length 64
20:52:20.199690 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 302, length 64
^C6708 packets captured
7004 packets received by filter
0 packets dropped by kernel

root@OPNsense:~ #


So they also arrive on the LAN interface of the OPNsense (igb3).

But on the WAN interface (igb1), that is where it goes wrong:


root@OPNsense:~ # tcpdump -i igb1 -n | grep 2a02:26f0:e200:5b3::b33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb1, link-type EN10MB (Ethernet), capture size 262144 bytes
20:53:21.559708 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 361, length 64
20:53:21.567598 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 361, length 64
20:53:22.487554 IP6 2001:db8:7727:3800:2a8:2cff:fe68:e3e7 > 2a02:26f0:e200:5b3::b33: ICMP6, destination unreachable, unreachable address 2001:db8:7727:38f5:d3c6:2fef:f75f:adc, length 112
20:53:22.599677 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 362, length 64
20:53:22.607570 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 362, length 64
20:53:23.639718 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 363, length 64
20:53:23.647838 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 363, length 64
20:53:24.680005 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 364, length 64
20:53:24.687829 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 364, length 64
20:53:25.607527 IP6 2001:db8:7727:3800:2a8:2cff:fe68:e3e7 > 2a02:26f0:e200:5b3::b33: ICMP6, destination unreachable, unreachable address 2001:db8:7727:38f5:d3c6:2fef:f75f:adc, length 112
20:53:25.719657 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 365, length 64
20:53:25.727847 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 365, length 64
20:53:26.759682 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 366, length 64
20:53:26.767564 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 366, length 64
20:53:27.799640 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 367, length 64
20:53:27.807580 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 367, length 64
20:53:28.727963 IP6 2001:db8:7727:3800:2a8:2cff:fe68:e3e7 > 2a02:26f0:e200:5b3::b33: ICMP6, destination unreachable, unreachable address 2001:db8:7727:38f5:d3c6:2fef:f75f:adc, length 112
20:53:28.839669 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 368, length 64
20:53:28.847553 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 368, length 64
20:53:29.879696 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 369, length 64
20:53:29.887581 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 369, length 64
^C2132 packets captured
2186 packets received by filter
0 packets dropped by kernel

root@OPNsense:~ #


First, a packet from igb3 (LAN) arrives, forwarded to igb1 (LAN):

20:53:21.559708 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 361, length 64

and then a packet also comes back from outside (so it has safely made its way via the Fritzbox, across the Internet, back to the Fritzbox and then on to the OPNsense):

20:53:21.567598 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 361, length 64

But then it goes wrong:

20:53:22.487554 IP6 2001:db8:7727:3800:2a8:2cff:fe68:e3e7 > 2a02:26f0:e200:5b3::b33: ICMP6, destination unreachable, unreachable address 2001:db8:7727:38f5:d3c6:2fef:f75f:adc, length 112


This means the OPNsense suddenly no longer knows how to pass the packet from igb1 to igb3 and on to the machine on the inside – or it is being blocked somewhere.

Let's take a look at the filter log:

root@OPNsense:~ # cd /var/log/filter
root@OPNsense:/var/log/filter # grep 2a02:26f0:e200:5b3::b33 latest.log

<134>1 2023-08-05T19:43:54+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="17957656"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x7051e,63,ipv6-icmp,58,64,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,datalength=64
<134>1 2023-08-05T20:47:07+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19068942"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x7051e,63,ipv6-icmp,58,64,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,datalength=64
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072970"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x7b041,1,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,44542,33438,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072971"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0xf6521,1,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,52717,33437,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072972"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x4731f,1,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,39526,33439,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072973"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x6a364,2,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,50042,33440,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072974"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x8f1c3,2,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,47439,33442,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072975"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x381dc,2,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,60727,33441,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072976"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x024df,3,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,56854,33443,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072977"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0xcf01c,3,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,42155,33444,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072978"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x58f99,3,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,58840,33445,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072979"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x87a4c,4,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,51923,33446,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072980"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x3ec4e,4,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,56534,33447,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072981"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0xa070f,4,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,48754,33448,40
<134>1 2023-08-05T20:47:23+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19072982"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0xbff46,5,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,54365,33449,40
<134>1 2023-08-05T20:47:29+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19074001"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0xeb2e7,5,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,60271,33450,40


Nothing to see for the external address ....

<134>1 2023-08-05T20:47:48+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19077987"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x1e685,28,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,49150,33518,40
<134>1 2023-08-05T20:47:48+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19077988"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x71d57,28,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,51062,33519,40
<134>1 2023-08-05T20:47:48+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19077989"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x3762a,28,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,53859,33520,40
<134>1 2023-08-05T20:47:48+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19077990"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x4f031,29,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,52882,33521,40
<134>1 2023-08-05T20:47:48+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19077991"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x404de,29,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,54430,33522,40
<134>1 2023-08-05T20:47:48+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19077992"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0xbb1ad,29,udp,17,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,33638,33523,40
<134>1 2023-08-05T20:48:03+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19080676"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0xbdf35,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,50658,443,0,S,1841255940,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:49:04+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19091471"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x66f4b,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,52784,443,0,S,2853589939,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:50:03+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19104487"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0xa8b7e,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,54894,443,0,S,2581542073,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:51:04+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19129037"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x342ec,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,57084,443,0,S,1577274385,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:53:03+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19166475"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0xbd23a,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,33200,443,0,S,3056206735,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:54:04+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19180361"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x4502e,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,35304,443,0,S,4283752138,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:55:04+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19205038"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x888f3,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,37472,443,0,S,4159183514,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:56:04+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19219179"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x7fba5,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,39656,443,0,S,2570745485,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:57:03+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19243844"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x33b04,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,41758,443,0,S,87836187,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:58:04+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19258170"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x19a97,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,43930,443,0,S,67084035,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T20:59:03+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19281466"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x34e85,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,46040,443,0,S,2890758823,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T21:00:03+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19295129"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x7f22d,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,48176,443,0,S,1961371223,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T21:01:25+02:00 OPNsense.hal9000.dedyn.io filterlog 85008 - [meta sequenceId="19315131"] 96,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x7051e,63,ipv6-icmp,58,64,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,datalength=64
<134>1 2023-08-05T21:02:04+02:00 OPNsense.hal9000.dedyn.io filterlog 71039 - [meta sequenceId="19331763"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x5d837,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,50600,443,0,S,3365462030,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T21:02:07+02:00 OPNsense.hal9000.dedyn.io filterlog 85046 - [meta sequenceId="19332436"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x7558a,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,50600,443,0,S,3365462030,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T21:03:04+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19342150"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x036d5,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,52732,443,0,S,864467775,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T21:04:04+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19356292"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x98868,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,54844,443,0,S,1813926795,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T21:05:03+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19379848"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x6fa80,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,56986,443,0,S,1506129879,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T21:06:03+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19392327"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x1c3a7,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,59084,443,0,S,2418880545,,64800,,mss;sackOK;TS;nop;wscale
root@OPNsense:/var/log/filter #



That looks odd – why is there suddenly an OpenVPN client interface in there? It has a completely different network, after all???


root@OPNsense:/var/log/filter # ifconfig ovpnc4
ovpnc4: flags=8143<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::2a8:2cff:fe68:e3e6%ovpnc4 prefixlen 64 scopeid 0x14
        inet6 fdcb:7d25:175e:d794::2 prefixlen 64
        inet 10.8.0.4 netmask 0xffffff00 broadcast 10.8.0.255
        groups: tun openvpn
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        Opened by PID 71634
root@OPNsense:/var/log/filter #

root@OPNsense:/var/log/filter # netstat -6 -n -r
Routing tables

Internet6:
Destination                       Gateway                       Flags     Netif Expire
default                           fe80::9a9b:cbff:fe08:3ca0%igb1 UG        igb1
::1                               link#8                        UHS         lo0
2a01:4f8:161:83d1::/64            link#20                       US       ovpnc4
..
fdcb:7d25:175e:d794::/64          link#20                       U        ovpnc4
..
fe80::%ovpnc4/64                  link#20                       U        ovpnc4
fe80::2a8:2cff:fe68:e3e6%ovpnc4   link#20                       UHS         lo0


and the internal destination address should clearly not be routed via ovpnc4, but via igb3

Internal destination address
2001:db8:7727:38f5:d3c6:2fef:f75f:adc

Route
2001:db8:7727:38f5::/64            link#4                        U          igb3
2001:db8:7727:38f5:2a8:2cff:fe68:e3e9 link#4                     UHS         lo0


Part 4

So, and now for comparison the tcpdumps from the machine where it works:


hp8760w:~ # tcpdump -i eth1 -n | grep 2a02:26f0:e200:4b4::1e89
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
21:35:19.957922 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, id 78, seq 22, length 64
21:35:20.029451 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, id 78, seq 22, length 64
21:35:20.959580 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, id 78, seq 23, length 64
21:35:20.968216 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, id 78, seq 23, length 64
21:35:21.961375 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, id 78, seq 24, length 64
21:35:21.969979 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, id 78, seq 24, length 64
21:35:22.963142 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, id 78, seq 25, length 64
21:35:22.971996 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, id 78, seq 25, length 64
21:35:23.964175 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, id 78, seq 26, length 64
21:35:23.972952 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, id 78, seq 26, length 64
^C227 packets captured
261 packets received by filter
0 packets dropped by kernel


LAN OPNsense

root@OPNsense:/var/log/filter # tcpdump -i igb3 -n | grep 2a02:26f0:e200:4b4::1e89
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb3, link-type EN10MB (Ethernet), capture size 262144 bytes
21:36:59.119427 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, seq 121, length 64
21:36:59.126687 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, seq 121, length 64
21:37:00.121326 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, seq 122, length 64
21:37:00.128469 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, seq 122, length 64
21:37:01.149932 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, seq 123, length 64
21:37:01.157226 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, seq 123, length 64
21:37:02.124897 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, seq 124, length 64
21:37:02.131931 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, seq 124, length 64
21:37:03.126572 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, seq 125, length 64
21:37:03.133653 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, seq 125, length 64
^C3398 packets captured
3522 packets received by filter
0 packets dropped by kernel


WAN


root@OPNsense:/var/log/filter # tcpdump -i igb1 -n | grep 2a02:26f0:e200:4b4::1e89
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb1, link-type EN10MB (Ethernet), capture size 262144 bytes
#21:38:01.217903 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, seq 183, length 64
21:38:01.224961 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, seq 183, length 64
21:38:02.219703 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, seq 184, length 64
21:38:02.226946 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, seq 184, length 64
21:38:03.221636 IP6 2001:db8:7727:38f5:dd11:3e1c:1edb:920b > 2a02:26f0:e200:4b4::1e89: ICMP6, echo request, seq 185, length 64
21:38:03.228769 IP6 2a02:26f0:e200:4b4::1e89 > 2001:db8:7727:38f5:dd11:3e1c:1edb:920b: ICMP6, echo reply, seq 185, length 64
^C1013 packets captured
1180 packets received by filter
0 packets dropped by kernel

root@OPNsense:/var/log/filter #

root@OPNsense:/var/log/filter # grep 2001:db8:7727:38f5:dd11:3e1c:1edb:920 latest.log
<134>1 2023-08-05T19:23:12+02:00 OPNsense.hal9000.dedyn.io filterlog 62922 - [meta sequenceId="17607465"] 106,,,ba70dc1769980afe65cbac8576cee233,igb1,match,pass,out,6,0x00,0x00000,255,ipv6-icmp,58,16,2001:db8:7727:3800:2a8:2cff:fe68:e3e7,2a02:26f0:e200:4b4::1e89,datalength=16
<134>1 2023-08-05T21:31:39+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19851254"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x1fcbc,63,ipv6-icmp,58,64,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2a02:26f0:e200:4b4::1e89,datalength=64
<134>1 2023-08-05T21:31:53+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19854824"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x1fcbc,63,ipv6-icmp,58,64,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2a02:26f0:e200:4b4::1e89,datalength=64
<134>1 2023-08-05T21:34:59+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19905025"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x1fcbc,63,ipv6-icmp,58,64,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2a02:26f0:e200:4b4::1e89,datalength=64
root@OPNsense:/var/log/filter #


root@OPNsense:/var/log/filter # grep 2a02:26f0:e200:4b4::1e89 latest.log
<134>1 2023-08-05T21:36:27+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19927532"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x587d1,63,tcp,6,40,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2001:67c:2178:8::16,48810,80,0,S,966549707,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T21:36:47+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19935829"] 100,,,fae559338f65e11c53669fc3642c93c2,igb3,match,pass,out,6,0x00,0x00000,255,ipv6-icmp,58,32,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,datalength=32
<134>1 2023-08-05T21:36:47+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19935867"] 20,,,1d245529367b2e34eeaff16086aeafe9,igb3,match,pass,in,6,0x00,0x00000,255,ipv6-icmp,58,24,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,datalength=24
<134>1 2023-08-05T21:37:16+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19944912"] 20,,,1d245529367b2e34eeaff16086aeafe9,igb3,match,pass,in,6,0x00,0x00000,255,ipv6-icmp,58,24,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,datalength=24
<134>1 2023-08-05T21:37:45+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19950043"] 100,,,fae559338f65e11c53669fc3642c93c2,igb3,match,pass,out,6,0x00,0x00000,255,ipv6-icmp,58,32,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,datalength=32
<134>1 2023-08-05T21:37:45+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19950044"] 20,,,1d245529367b2e34eeaff16086aeafe9,igb3,match,pass,in,6,0x00,0x00000,255,ipv6-icmp,58,24,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,datalength=24
<134>1 2023-08-05T21:38:14+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19959159"] 100,,,fae559338f65e11c53669fc3642c93c2,igb3,match,pass,out,6,0x00,0x00000,255,ipv6-icmp,58,32,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,datalength=32
<134>1 2023-08-05T21:38:43+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19968898"] 100,,,fae559338f65e11c53669fc3642c93c2,igb3,match,pass,out,6,0x00,0x00000,255,ipv6-icmp,58,32,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,datalength=32
<134>1 2023-08-05T21:38:43+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19968900"] 20,,,1d245529367b2e34eeaff16086aeafe9,igb3,match,pass,in,6,0x00,0x00000,255,ipv6-icmp,58,24,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,datalength=24
<134>1 2023-08-05T21:39:12+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19976898"] 100,,,fae559338f65e11c53669fc3642c93c2,igb3,match,pass,out,6,0x00,0x00000,255,ipv6-icmp,58,32,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,datalength=32
<134>1 2023-08-05T21:39:12+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19976899"] 20,,,1d245529367b2e34eeaff16086aeafe9,igb3,match,pass,in,6,0x00,0x00000,255,ipv6-icmp,58,24,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,datalength=24
<134>1 2023-08-05T21:39:41+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19981994"] 100,,,fae559338f65e11c53669fc3642c93c2,igb3,match,pass,out,6,0x00,0x00000,255,ipv6-icmp,58,32,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,datalength=32
<134>1 2023-08-05T21:39:41+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19981995"] 20,,,1d245529367b2e34eeaff16086aeafe9,igb3,match,pass,in,6,0x00,0x00000,255,ipv6-icmp,58,24,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,datalength=24
<134>1 2023-08-05T21:39:44+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19982414"] 100,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x3c1ae,63,udp,17,56,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2606:4700:f1::1,38143,123,56
<134>1 2023-08-05T21:40:10+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19987814"] 20,,,1d245529367b2e34eeaff16086aeafe9,igb3,match,pass,in,6,0x00,0x00000,255,ipv6-icmp,58,24,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,datalength=24
root@OPNsense:/var/log/filter #

--------------------------

So, the exciting question:

why can the one address be routed back but the others not, although they have the same prefix?

Address works:
2001:db8:7727:38f5:dd11:3e1c:1edb:920b

Address does not work:
2001:db8:7727:38f5:d3c6:2fef:f75f:adc

Route
2001:db8:7727:38f5::/64            link#4                        U          igb3
2001:db8:7727:38f5:2a8:2cff:fe68:e3e9 link#4                     UHS         lo0


default                           fe80::9a9b:cbff:fe08:3ca0%igb1 UG        igb1
::1                               link#8                        UHS         lo0
2a01:4f8:161:83d1::/64            link#20                       US       ovpnc4
..
fdcb:7d25:175e:d794::/64          link#20                       U        ovpnc4
..
fe80::%ovpnc4/64                  link#20                       U        ovpnc4
fe80::2a8:2cff:fe68:e3e6%ovpnc4   link#20                       UHS         lo0


Why does the OpenVPN interface suddenly come into play for the address that does not work?

How can I find where the misconfiguration lies?

Where might the root of the problem lie? Where else can I look?
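The check behind the question above, as an added example that is not part of the original post: it takes the routes from the `netstat -6 -n -r` output and a few filterlog lines from the post, computes the longest-prefix-match egress interface for each logged destination, and compares it with the interface the log entry names. Function names are assumptions, the CSV field positions are read off the IPv6 log lines shown in the post, and the last sample line is constructed to show what a real mismatch would look like.

```python
import ipaddress

# Routes from the `netstat -6 -n -r` output in the post: (prefix, interface).
ROUTES = [
    ("::/0", "igb1"),                       # listed as "default"
    ("2a01:4f8:161:83d1::/64", "ovpnc4"),   # static route (flags US)
    ("fdcb:7d25:175e:d794::/64", "ovpnc4"),
    ("2001:db8:7727:38f5::/64", "igb3"),    # LAN prefix
]

# First three lines are copied from the post; the fourth is CONSTRUCTED
# (LAN host pinging an Internet address but logged as leaving via ovpnc4).
SAMPLE_LOG = """
<134>1 2023-08-05T20:55:04+02:00 OPNsense.hal9000.dedyn.io filterlog 49342 - [meta sequenceId="19205038"] 100,,,fae559338f65e11c53669fc3642c93c2,ovpnc4,match,pass,out,6,0x00,0x888f3,63,tcp,6,40,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a01:4f8:161:83d1::36f6,37472,443,0,S,4159183514,,64800,,mss;sackOK;TS;nop;wscale
<134>1 2023-08-05T21:01:25+02:00 OPNsense.hal9000.dedyn.io filterlog 85008 - [meta sequenceId="19315131"] 96,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,6,0x00,0x7051e,63,ipv6-icmp,58,64,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,datalength=64
<134>1 2023-08-05T21:36:47+02:00 OPNsense.hal9000.dedyn.io filterlog 33469 - [meta sequenceId="19935829"] 100,,,fae559338f65e11c53669fc3642c93c2,igb3,match,pass,out,6,0x00,0x00000,255,ipv6-icmp,58,32,2001:db8:7727:38f5:2a8:2cff:fe68:e3e9,2001:db8:7727:38f5:dd11:3e1c:1edb:920b,datalength=32
<134>1 2023-08-05T21:01:26+02:00 OPNsense.hal9000.dedyn.io filterlog 85008 - [meta sequenceId="0"] 100,,,CONSTRUCTED,ovpnc4,match,pass,out,6,0x00,0x00000,63,ipv6-icmp,58,64,2001:db8:7727:38f5:d3c6:2fef:f75f:adc,2a02:26f0:e200:5b3::b33,datalength=64
"""


def parse_filterlog(line):
    """Parse the CSV payload of one filterlog line; returns None unless IPv6."""
    payload = line.rsplit("] ", 1)[-1]       # text after the [meta ...] block
    f = payload.split(",")
    if len(f) < 17 or f[8] != "6":           # field 8 is the IP version
        return None
    rec = {
        "rule": f[0], "iface": f[4], "action": f[6], "dir": f[7],
        "proto": f[12], "src": f[15], "dst": f[16],
    }
    if rec["proto"] in ("tcp", "udp") and len(f) >= 19:
        rec["sport"], rec["dport"] = int(f[17]), int(f[18])
    return rec


def egress_iface(dst, routes=ROUTES):
    """Longest-prefix match of dst against the routing table."""
    addr = ipaddress.ip_address(dst)
    candidates = [
        (ipaddress.ip_network(prefix), iface)
        for prefix, iface in routes
        if addr in ipaddress.ip_network(prefix)
    ]
    return max(candidates, key=lambda c: c[0].prefixlen)[1]


def check(log_text):
    """Return (dst, logged_iface, routed_iface, consistent) per outbound entry."""
    results = []
    for line in log_text.strip().splitlines():
        rec = parse_filterlog(line)
        if rec is None or rec["dir"] != "out":
            continue
        routed = egress_iface(rec["dst"])
        results.append((rec["dst"], rec["iface"], routed, rec["iface"] == routed))
    return results


if __name__ == "__main__":
    for dst, logged, routed, ok in check(SAMPLE_LOG):
        verdict = "consistent with routing table" if ok else "MISMATCH"
        print(f"{dst:40} logged={logged:7} routed={routed:7} {verdict}")
```

For the lines taken from the post, every entry that names ovpnc4 has a destination inside 2a01:4f8:161:83d1::/64, which the routing table sends to ovpnc4, while the echo request to 2a02:26f0:e200:5b3::b33 is logged on igb1 as the default route predicts.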

With the failed traceroute, nothing comes back even from the first hop, i.e. from OPNsense itself. Can OPNsense be pinged from the problematic machine? Can the problematic address be pinged from OPNsense? Does the problematic address appear in OPNsense's NDP table?

I consider OpenVPN a red herring.

Regards
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

What is the output of the following command on the working and the non-working PC?

systemctl status dhcpcd

Quote from: Maurice on August 05, 2023, 11:12:29 PM
With the failed traceroute, nothing comes back even from the first hop, i.e. from OPNsense itself. Can OPNsense be pinged from the problematic machine? Can the problematic address be pinged from OPNsense? Does the problematic address appear in OPNsense's NDP table?

I consider OpenVPN a red herring.

Regards
Maurice

Yes, something does come. The ping goes from the machine into the OPNsense LAN, is visible going out on the WAN interface, then the returning packet from outside is also visible on the WAN interface of the OPNsense, but then goes no further.

Machine:  2001:db8:7727:38f5:d3c6:2fef:f75f:adc
Destination on the Internet: 2a02:26f0:b200:3a1::b33

Machine outgoing:
root@incrediblepbx:~# tcpdump -i eth0 -n | grep 2a02:26f0:e200:5b3::b33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
20:49:32.760274 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 141, length 64


OPNsense incoming LAN interface: the ICMP packet arrives there, but no packet comes back

root@OPNsense:~ # tcpdump -i igb3 -n | grep 2a02:26f0:e200:5b3::b33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb3, link-type EN10MB (Ethernet), capture size 262144 bytes
20:52:11.879675 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 294, length 64


OPNsense WAN: an ICMP goes out to the Internet there and one also comes back from the Internet

root@OPNsense:~ # tcpdump -i igb1 -n | grep 2a02:26f0:e200:5b3::b33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb1, link-type EN10MB (Ethernet), capture size 262144 bytes


outgoing:

20:53:21.559708 IP6 2001:db8:7727:38f5:d3c6:2fef:f75f:adc > 2a02:26f0:e200:5b3::b33: ICMP6, echo request, seq 361, length 64

and the reply packet also comes back from outside

20:53:21.567598 IP6 2a02:26f0:e200:5b3::b33 > 2001:db8:7727:38f5:d3c6:2fef:f75f:adc: ICMP6, echo reply, seq 361, length 64


and then (also from the WAN interface of the OPNsense) comes the message that the internal machine is not reachable. So the returning packet is not passed on from the WAN to the LAN interface inside the OPNsense

20:53:22.487554 IP6 2001:db8:7727:3800:2a8:2cff:fe68:e3e7 > 2a02:26f0:e200:5b3::b33: ICMP6, destination unreachable, unreachable address 2001:db8:7727:38f5:d3c6:2fef:f75f:adc, length 112

--------------------------

Reachability machine <-> OPNsense in the LAN

Machine:
root@pbx:~# ifconfig eth0
eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.168.80.12  netmask 255.255.255.0  broadcast 192.168.80.255
        inet6 2003:ce:7727:38f5:fbda:b793:551c:ffe6  prefixlen 64  scopeid 0x0<global>
        inet6 2003:ce:7727:38f5:fe75:58fe:b591:b7c1  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::253f:d661:3f12:9723  prefixlen 64  scopeid 0x20<link>
        inet6 2003:ce:7727:38f5:7d8d:9f4:5a7:3f69  prefixlen 64  scopeid 0x0<global>
        inet6 2003:ce:7727:38f5:37be:d90:66f3:befc  prefixlen 64  scopeid 0x0<global>
        ether dc:a6:32:2d:5d:17  txqueuelen 1000  (Ethernet)
        RX packets 2779584  bytes 1500531414 (1.3 GiB)
        RX errors 0  dropped 1  overruns 0  frame 0
        TX packets 1932477  bytes 621500411 (592.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@pbx:~#


root@pbx:~# ip -6 r
::1 dev lo proto kernel metric 256 pref medium
2003:ce:7727:38f5::/64 dev eth0 proto ra metric 202 mtu 1500 pref medium
2003:ce:7727:38f5::/64 dev eth0 proto kernel metric 256 expires 86157sec pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::2a8:2cff:fe68:e3e9 dev eth0 proto ra metric 202 mtu 1500 pref medium
default via fe80::2a8:2cff:fe68:e3e9 dev eth0 proto ra metric 1024 expires 1557sec hoplimit 64 pref medium
root@pbx:~#


OPNsense

WAN
root@OPNsense:~ # ifconfig igb1
igb1: flags=8b63<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: WAN (wan)
        options=4800028<VLAN_MTU,JUMBO_MTU,NOMAP>
        ether 00:a8:2c:68:e3:e7
        inet 192.168.178.3 netmask 0xffffff00 broadcast 192.168.178.255
        inet6 fe80::2a8:2cff:fe68:e3e7%igb1 prefixlen 64 scopeid 0x2
        inet6 2003:ce:7727:3800:2a8:2cff:fe68:e3e7 prefixlen 64 autoconf
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>


LAN
root@OPNsense:~ # ifconfig igb3
igb3: flags=8b63<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: LAN (lan)
        options=4900028<VLAN_MTU,JUMBO_MTU,NETMAP,NOMAP>
        ether 00:a8:2c:68:e3:e9
        inet6 fe80::2a8:2cff:fe68:e3e9%igb3 prefixlen 64 scopeid 0x4
        inet6 2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 prefixlen 64
        inet 192.168.80.2 netmask 0xffffff00 broadcast 192.168.80.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
root@OPNsense:~ #


Machine to OPNsense

to the LAN interface of the OPNsense:

root@pbx:~# ping -6 -n -c3 fe80::2a8:2cff:fe68:e3e9%eth0
PING fe80::2a8:2cff:fe68:e3e9%eth0(fe80::2a8:2cff:fe68:e3e9%eth0) 56 data bytes
64 bytes from fe80::2a8:2cff:fe68:e3e9%eth0: icmp_seq=1 ttl=64 time=0.190 ms
64 bytes from fe80::2a8:2cff:fe68:e3e9%eth0: icmp_seq=2 ttl=64 time=0.246 ms
64 bytes from fe80::2a8:2cff:fe68:e3e9%eth0: icmp_seq=3 ttl=64 time=0.209 ms

--- fe80::2a8:2cff:fe68:e3e9%eth0 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 45ms
rtt min/avg/max/mdev = 0.190/0.215/0.246/0.023 ms
root@pbx:~#


root@pbx:~# ping -6 -n -c3 2003:ce:7727:38f5:2a8:2cff:fe68:e3e9
PING 2003:ce:7727:38f5:2a8:2cff:fe68:e3e9(2003:ce:7727:38f5:2a8:2cff:fe68:e3e9) 56 data bytes

--- 2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 105ms

root@pbx:~# ^C
root@pbx:~#


to the WAN interface of the OPNsense:

root@pbx:~# ping -6 -n -c3 2003:ce:7727:3800:2a8:2cff:fe68:e3e7
PING 2003:ce:7727:3800:2a8:2cff:fe68:e3e7(2003:ce:7727:3800:2a8:2cff:fe68:e3e7) 56 data bytes
^C
--- 2003:ce:7727:3800:2a8:2cff:fe68:e3e7 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 64ms

root@pbx:~#


root@pbx:~# ping -6 -n -c3 fe80::2a8:2cff:fe68:e3e7%eth0
PING fe80::2a8:2cff:fe68:e3e7%eth0(fe80::2a8:2cff:fe68:e3e7%eth0) 56 data bytes
^C
--- fe80::2a8:2cff:fe68:e3e7%eth0 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 106ms

root@pbx:~#



from the OPNsense to the machine:

root@OPNsense:~ # ping -c3 -n fe80::253f:d661:3f12:9723
PING6(56=40+8+8 bytes) fe80::2a8:2cff:fe68:e3e7%igb1 --> fe80::253f:d661:3f12:9723

--- fe80::253f:d661:3f12:9723 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
root@OPNsense:~ #


Oops - the OPNsense tries it on the wrong interface - that is the WAN interface igb1, that cannot work

If I specify the LAN interface explicitly, then it works:

root@OPNsense:~ # ping -c3 -n fe80::253f:d661:3f12:9723%igb3
PING6(56=40+8+8 bytes) fe80::2a8:2cff:fe68:e3e9%igb3 --> fe80::253f:d661:3f12:9723%igb3
16 bytes from fe80::253f:d661:3f12:9723%igb3, icmp_seq=0 hlim=64 time=0.245 ms
16 bytes from fe80::253f:d661:3f12:9723%igb3, icmp_seq=1 hlim=64 time=0.307 ms
16 bytes from fe80::253f:d661:3f12:9723%igb3, icmp_seq=2 hlim=64 time=0.231 ms

--- fe80::253f:d661:3f12:9723%igb3 ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.231/0.261/0.307/0.033 ms
root@OPNsense:~ #


root@OPNsense:~ # ping -c3 -n 2003:ce:7727:38f5:fbda:b793:551c:ffe6
PING6(56=40+8+8 bytes) 2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 --> 2003:ce:7727:38f5:fbda:b793:551c:ffe6
^C
--- 2003:ce:7727:38f5:fbda:b793:551c:ffe6 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
root@OPNsense:~ # ping -c3 -n -I igb3 2003:ce:7727:38f5:fbda:b793:551c:ffe6
PING6(56=40+8+8 bytes) 2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 --> 2003:ce:7727:38f5:fbda:b793:551c:ffe6
^C
--- 2003:ce:7727:38f5:fbda:b793:551c:ffe6 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
root@OPNsense:~ #

root@OPNsense:~ # ping -c3 -n 2003:ce:7727:38f5:fe75:58fe:b591:b7c1
PING6(56=40+8+8 bytes) 2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 --> 2003:ce:7727:38f5:fe75:58fe:b591:b7c1
^C
--- 2003:ce:7727:38f5:fe75:58fe:b591:b7c1 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
root@OPNsense:~ #

root@OPNsense:~ # ping -c3 -n 2003:ce:7727:38f5:7d8d:9f4:5a7:3f69
PING6(56=40+8+8 bytes) 2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 --> 2003:ce:7727:38f5:7d8d:9f4:5a7:3f69
^C
--- 2003:ce:7727:38f5:7d8d:9f4:5a7:3f69 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
root@OPNsense:~ #

PING6(56=40+8+8 bytes) 2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 --> 2003:ce:7727:38f5:37be:d90:66f3:befc
^C
--- 2003:ce:7727:38f5:37be:d90:66f3:befc ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
root@OPNsense:~ #


NDP table

root@OPNsense:~ # ndp -a -n
Neighbor                             Linklayer Address  Netif Expire    1s 5s
fe80::1814:d233:8c33:45fa%igb3       00:50:b6:d3:1a:5e   igb3 23h55m48s S
fe80::64f3:bb8:ee5d:b042%igb3        04:7d:7b:65:2f:95   igb3 23h59m55s S
fe80::fb0c:6d33:3eea:a995%igb3       00:50:b6:c8:17:97   igb3 23h32m18s S
fe80::221:62ff:fead:3c00%igb3        00:21:62:ad:3c:00   igb3 17s       R
2003:ce:7727:38f5:380d:fa06:4bff:3d7c (incomplete)       igb3 expired   I  3
2003:ce:7727:38f5:fcb8:d097:3607:e2cb 00:50:b6:c8:17:97  igb3 23h13m40s S
fe80::253f:d661:3f12:9723%igb3       dc:a6:32:2d:5d:17   igb3 23h53m22s S R
2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 00:a8:2c:68:e3:e9   igb3 permanent R
fe80::aee2:d3ff:febf:86bb%igb3       ac:e2:d3:bf:86:bb   igb3 23h48m37s S
fe80::e611:5bff:fe27:e98c%igb3       e4:11:5b:27:e9:8c   igb3 12s       R
fe80::2a8:2cff:fe68:e3e9%igb3        00:a8:2c:68:e3:e9   igb3 permanent R
2003:ce:7727:38f5:814a:af78:2f5f:a4c9 8c:04:ba:01:65:25  igb3 23h35m4s  S
2003:ce:7727:38f5:8c1:6b01:a4b1:b2fa 04:7d:7b:65:2f:95   igb3 17s       R
fe80::a7bf:90c6:15e3:bed6%igb3       8c:04:ba:01:65:25   igb3 23h45m20s S
fe80::184a:67ce:f114:e584%igb2       6e:f4:5b:37:a8:47   igb2 22s       R
2003:ce:7727:38f0:3545:1f82:f2c9:e678 6e:f4:5b:37:a8:47  igb2 15h40m3s  S
fe80::c72a:bdd7:591b:9059%igb2       24:18:1d:49:8c:50   igb2 23h59m4s  S
fe80::227:15ff:fe51:81c0%igb2        00:27:15:51:81:c0   igb2 29s       R
2003:ce:7727:38f0:b443:718f:a400:9278 6e:f4:5b:37:a8:47  igb2 7s        R
fe80::998a:ed50:fab3:db81%igb2       64:5d:f4:14:e4:bb   igb2 23h59m57s S
2003:ce:7727:38f0:52d4:f7ff:fe14:db82 50:d4:f7:14:db:82  igb2 16h19m38s S R
fe80::52d4:f7ff:fe14:db82%igb2       50:d4:f7:14:db:82   igb2 23h29m40s S R
2003:ce:7727:38f0:cc80:a0b2:dab9:5d4b 6e:f4:5b:37:a8:47  igb2 20h7m53s  S
fe80::a62b:b0ff:fec3:58e%igb2        a4:2b:b0:c3:05:8e   igb2 23h46m17s S R
2003:ce:7727:38f0:f9d0:c36c:bb9a:1543 6e:f4:5b:37:a8:47  igb2 15h55m23s S
2003:ce:7727:38f0:1ad6:c7ff:fee8:b879 18:d6:c7:e8:b8:79  igb2 16h51m26s S R
fe80::1ad6:c7ff:fee8:b879%igb2       18:d6:c7:e8:b8:79   igb2 18h52m8s  S R
2003:ce:7727:38f0:d461:b2b3:c7b3:bdb2 6e:f4:5b:37:a8:47  igb2 15h29m3s  S
2003:ce:7727:38f0:286f:5db3:ff7a:8990 00:27:15:51:81:c0  igb2 21h11m55s S
fe80::80a7:7dff:fe40:dad9%igb2       82:a7:7d:40:da:d9   igb2 23h59m31s S R
2003:ce:7727:38f0:19d3:d0f4:f349:1433 24:18:1d:49:8c:50  igb2 16h55m3s  S
2003:ce:7727:38f0:2a8:2cff:fe68:e3e8 00:a8:2c:68:e3:e8   igb2 permanent R
fe80::2a8:2cff:fe68:e3e8%igb2        00:a8:2c:68:e3:e8   igb2 permanent R
2003:ce:7727:38f0:61b2:2477:a04a:9a0e a4:2b:b0:c3:05:8e  igb2 17h40m23s S R
2003:ce:7727:3800:9a9b:cbff:fe08:3ca0 98:9b:cb:08:3c:a0  igb1 10h55m48s S R
fe80::9a9b:cbff:fe08:3ca0%igb1       98:9b:cb:08:3c:a0   igb1 17s       R R
2003:ce:7727:3800:2a8:2cff:fe68:e3e7 00:a8:2c:68:e3:e7   igb1 permanent R
fe80::2a8:2cff:fe68:e3e7%igb1        00:a8:2c:68:e3:e7   igb1 permanent R
root@OPNsense:~ #


and only for the LAN interface:

root@OPNsense:~ # ndp -a -n | grep igb3
fe80::1814:d233:8c33:45fa%igb3       00:50:b6:d3:1a:5e   igb3 23h56m59s S
fe80::64f3:bb8:ee5d:b042%igb3        04:7d:7b:65:2f:95   igb3 22s       R
fe80::fb0c:6d33:3eea:a995%igb3       00:50:b6:c8:17:97   igb3 23h28m29s S
fe80::221:62ff:fead:3c00%igb3        00:21:62:ad:3c:00   igb3 17s       R
2003:ce:7727:38f5:380d:fa06:4bff:3d7c (incomplete)       igb3 1s        I  2
2003:ce:7727:38f5:fcb8:d097:3607:e2cb 00:50:b6:c8:17:97  igb3 23h9m52s  S
fe80::253f:d661:3f12:9723%igb3       dc:a6:32:2d:5d:17   igb3 23h49m33s S R
2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 00:a8:2c:68:e3:e9   igb3 permanent R
fe80::aee2:d3ff:febf:86bb%igb3       ac:e2:d3:bf:86:bb   igb3 23h59m27s S
fe80::e611:5bff:fe27:e98c%igb3       e4:11:5b:27:e9:8c   igb3 12s       R
fe80::2a8:2cff:fe68:e3e9%igb3        00:a8:2c:68:e3:e9   igb3 permanent R
2003:ce:7727:38f5:814a:af78:2f5f:a4c9 8c:04:ba:01:65:25  igb3 23h31m15s S
2003:ce:7727:38f5:8c1:6b01:a4b1:b2fa 04:7d:7b:65:2f:95   igb3 12s       R
fe80::a7bf:90c6:15e3:bed6%igb3       8c:04:ba:01:65:25   igb3 23h41m32s S
root@OPNsense:~ #


Settings:

root@OPNsense:~ # ndp -n -i igb3
linkmtu=0, maxmtu=1500, curhlim=64, basereachable=30s0ms, reachable=27s, retrans=1s0ms
Flags: nud auto_linklocal
root@OPNsense:~ # ndp -n -i igb1
linkmtu=1492, maxmtu=1500, curhlim=255, basereachable=30s0ms, reachable=39s, retrans=1s0ms
Flags: nud accept_rtadv auto_linklocal
root@OPNsense:~ #
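Whether an address appears in the NDP table, as asked earlier in the thread, can be checked mechanically. The following added example (not part of the original post; function names are assumptions) parses rows copied from the `ndp -a -n | grep igb3` output above and reports, for each address from the failing host's `ifconfig eth0`, whether igb3 holds a resolved, an incomplete or no neighbor entry. The state letters are decoded as documented in FreeBSD's ndp(8).

```python
import ipaddress

# Rows copied from the `ndp -a -n | grep igb3` output in the post (subset).
NDP_IGB3 = """\
fe80::1814:d233:8c33:45fa%igb3       00:50:b6:d3:1a:5e   igb3 23h56m59s S
2003:ce:7727:38f5:380d:fa06:4bff:3d7c (incomplete)       igb3 1s        I  2
2003:ce:7727:38f5:fcb8:d097:3607:e2cb 00:50:b6:c8:17:97  igb3 23h9m52s  S
fe80::253f:d661:3f12:9723%igb3       dc:a6:32:2d:5d:17   igb3 23h49m33s S R
2003:ce:7727:38f5:2a8:2cff:fe68:e3e9 00:a8:2c:68:e3:e9   igb3 permanent R
2003:ce:7727:38f5:814a:af78:2f5f:a4c9 8c:04:ba:01:65:25  igb3 23h31m15s S
"""

# inet6 addresses from `ifconfig eth0` on the failing host (pbx) in the post.
HOST_ADDRS = [
    "fe80::253f:d661:3f12:9723",
    "2003:ce:7727:38f5:fbda:b793:551c:ffe6",
    "2003:ce:7727:38f5:fe75:58fe:b591:b7c1",
    "2003:ce:7727:38f5:7d8d:9f4:5a7:3f69",
    "2003:ce:7727:38f5:37be:d90:66f3:befc",
]

# Neighbor cache state letters per ndp(8).
STATES = {"N": "nostate", "W": "waitdelete", "I": "incomplete",
          "R": "reachable", "S": "stale", "D": "delay", "P": "probe"}


def parse_ndp(text):
    """Parse `ndp -a -n` rows into {(address, interface): entry}."""
    table = {}
    for line in text.strip().splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] == "Neighbor":   # skip header/short rows
            continue
        # Link-local addresses carry a %scope suffix; key on (addr, iface)
        # so the same fe80:: address on two interfaces cannot collide.
        addr = ipaddress.ip_address(cols[0].split("%")[0])
        table[(addr, cols[2])] = {
            "mac": None if cols[1] == "(incomplete)" else cols[1],
            "expire": cols[3],
            "state": STATES.get(cols[4], "unknown"),
        }
    return table


def classify(addrs, table, iface="igb3"):
    """Map each address to 'absent', 'incomplete' or 'resolved <mac> (<state>)'."""
    result = {}
    for a in addrs:
        entry = table.get((ipaddress.ip_address(a), iface))
        if entry is None:
            result[a] = "absent"
        elif entry["mac"] is None:
            result[a] = "incomplete"
        else:
            result[a] = f"resolved {entry['mac']} ({entry['state']})"
    return result


if __name__ == "__main__":
    table = parse_ndp(NDP_IGB3)
    for addr, status in classify(HOST_ADDRS, table).items():
        print(f"{addr:40} {status}")
```

On the rows shown, only the host's link-local address has a resolved entry on igb3; none of its four global addresses is in the table.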

Quote from: vpx23 on August 06, 2023, 02:01:44 PM
What is the output of the following command on the working and the non-working PC?

systemctl status dhcpcd

on the non-working PC:

root@pbx:~# systemctl status dhcpcd
Warning: The unit file, source configuration file or drop-ins of dhcpcd.service changed on disk. Run 'systemctl daemon-reload' to reload units.
● dhcpcd.service - dhcpcd on all interfaces
   Loaded: loaded (/lib/systemd/system/dhcpcd.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/dhcpcd.service.d
           └─wait.conf
   Active: active (running) since Sat 2023-08-05 23:51:42 CEST; 14h ago
  Process: 303 ExecStart=/usr/lib/dhcpcd5/dhcpcd -q -w (code=exited, status=0/SUCCESS)
Main PID: 593 (dhcpcd)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/dhcpcd.service
           └─593 /sbin/dhcpcd -q -w

Aug 06 01:19:04 pbx dhcpcd[593]: eth0: fe80::2a8:2cff:fe68:e3e9: no longer a default router
Aug 06 01:19:04 pbx dhcpcd[593]: eth0: deleting default route via fe80::2a8:2cff:fe68:e3e9
Aug 06 01:20:51 pbx dhcpcd[593]: eth0: Router Advertisement from fe80::2a8:2cff:fe68:e3e9
Aug 06 01:20:51 pbx dhcpcd[593]: eth0: Router Advertisement from fe80::2a8:2cff:fe68:e3e9
Aug 06 01:20:51 pbx dhcpcd[593]: eth0: adding default route via fe80::2a8:2cff:fe68:e3e9
Aug 06 01:20:52 pbx dhcpcd[593]: eth0: pid 593 deleted default route via fe80::2a8:2cff:fe68:e3e9
Aug 06 01:21:07 pbx dhcpcd[593]: eth0: adding default route via fe80::2a8:2cff:fe68:e3e9
Aug 06 10:35:41 pbx dhcpcd[593]: eth0: fe80::2a8:2cff:fe68:e3e9 is reachable again
Aug 06 10:36:08 pbx dhcpcd[593]: eth0: fe80::2a8:2cff:fe68:e3e9 is reachable again
Aug 06 10:36:08 pbx dhcpcd[593]: eth0: fe80::2a8:2cff:fe68:e3e9 is reachable again
root@incrediblepbx:~#


on the PC where it works, as of today it suddenly no longer works either after restarting the PC :-(

Yes, I had restarted it yesterday too, and it worked then ...

I have had that before, though - after x hours it suddenly worked again - huh?

But no dhcpcd is running on the PC either.
It is done with NetworkManager on that machine, and it says "IPv6 Automatic" there.
NetworkManager then presumably calls dhclient and dhclient6

hp8760w:~ # systemctl status NetworkManager
● NetworkManager.service - Network Manager
     Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; enabled; vendor preset: disabled)
    Drop-In: /usr/lib/systemd/system/NetworkManager.service.d
             └─NetworkManager-ovs.conf
     Active: active (running) since Sun 2023-08-06 15:09:24 CEST; 4s ago
       Docs: man:NetworkManager(8)
   Main PID: 15884 (NetworkManager)
      Tasks: 8 (limit: 4915)
     CGroup: /system.slice/NetworkManager.service
             ├─ 15884 /usr/sbin/NetworkManager --no-daemon
             ├─ 15912 /sbin/dhclient -d -q -sf /usr/lib/nm-dhcp-helper -pf /var/run/NetworkManager/dhclient-eth0.pid -lf /var/lib/NetworkManager/dhclient-7ba00b1d-8cdd-30da-91ad-bb83ed4f7474-eth0.lease -cf /var/lib/Netwo>
             ├─ 15916 /sbin/dhclient -d -q -sf /usr/lib/nm-dhcp-helper -pf /var/run/NetworkManager/dhclient-eth1.pid -lf /var/lib/NetworkManager/dhclient-a2c38991-a7a1-3ca8-9e6c-e22bf075de5c-eth1.lease -cf /var/lib/Netwo>
             ├─ 16263 /sbin/dhclient -d -q -6 -N -sf /usr/lib/nm-dhcp-helper -pf /var/run/NetworkManager/dhclient6-eth0.pid -lf /var/lib/NetworkManager/dhclient6-7ba00b1d-8cdd-30da-91ad-bb83ed4f7474-eth0.lease -cf /var/l>
             └─ 16265 /sbin/dhclient -d -q -6 -N -sf /usr/lib/nm-dhcp-helper -pf /var/run/NetworkManager/dhclient6-eth1.pid -lf /var/lib/NetworkManager/dhclient6-a2c38991-a7a1-3ca8-9e6c-e22bf075de5c-eth1.lease -cf /var/l>

Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691327368.2793] dhcp6 (eth0):   address 2003:ce:7727:38f5:380d:fa06:4bff:3d7c
Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691327368.2793] dhcp6 (eth0):   nameserver '2003:ce:7727:38f5:2a8:2cff:fe68:e3e9'
Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691327368.2793] dhcp (eth0):   domain search 'hal9000.dedyn.io.'
Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691327368.2793] dhcp6 (eth0): state changed new lease, address=2003:ce:7727:38f5:380d:fa06:4bff:3d7c
Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691327368.2800] dhcp6 (eth1):   valid_lft 7200
Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691327368.2800] dhcp6 (eth1):   preferred_lft 4500
Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691327368.2800] dhcp6 (eth1):   address 2003:ce:7727:38f5:dd11:3e1c:1edb:920b
Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691327368.2800] dhcp6 (eth1):   nameserver '2003:ce:7727:38f5:2a8:2cff:fe68:e3e9'
Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691327368.2800] dhcp (eth1):   domain search 'hal9000.dedyn.io.'
Aug 06 15:09:28 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691327368.2801] dhcp6 (eth1): state changed new lease, address=2003:ce:7727:38f5:dd11:3e1c:1edb:920b
lines 1-25/25 (END)





To summarize: ping between the OPNsense LAN interface and pbx works in both directions when using link-local addresses, and in neither direction when using GUAs.

None of pbx's GUAs shows up in the OPNsense NDP table.

You probably have a problem with Neighbor Discovery in the LAN. This can have various causes, e.g. a misbehaving switch or AP. What sits between OPNsense and the problematic devices? A managed switch?

Next step: packet captures on the OPNsense LAN interface and directly on the affected machine. Look specifically for Neighbor Solicitations and Neighbor Advertisements in them. Are any getting lost somewhere (sent but never arriving)?
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
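
The capture comparison suggested in the post above, as an added example that is not part of the thread: it reads `tcpdump -n icmp6` text output from the firewall's LAN interface and from the affected host, counts Neighbor Solicitations that got no Neighbor Advertisement, and lists messages present on the sending side but missing on the receiving side. Both captures and all addresses in them are constructed (2001:db8::/32 documentation prefix); the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: `tcpdump -n icmp6` text output on the firewall's LAN interface.
FW_CAPTURE = """\
19:00:01.000100 IP6 fe80::1 > ff02::1:ff00:50: ICMP6, neighbor solicitation, who has 2001:db8:1:1::50, length 32
19:00:02.000100 IP6 fe80::1 > ff02::1:ff00:50: ICMP6, neighbor solicitation, who has 2001:db8:1:1::50, length 32
19:00:05.000100 IP6 fe80::1 > ff02::1:ff00:50: ICMP6, neighbor solicitation, who has fe80::50, length 32
19:00:05.000900 IP6 fe80::50 > fe80::1: ICMP6, neighbor advertisement, tgt is fe80::50, length 32
"""
# Constructed sample: the same exchange captured on the affected host.
HOST_CAPTURE = """\
19:00:01.000300 IP6 fe80::1 > ff02::1:ff00:50: ICMP6, neighbor solicitation, who has 2001:db8:1:1::50, length 32
19:00:01.000500 IP6 2001:db8:1:1::50 > fe80::1: ICMP6, neighbor advertisement, tgt is 2001:db8:1:1::50, length 32
19:00:02.000300 IP6 fe80::1 > ff02::1:ff00:50: ICMP6, neighbor solicitation, who has 2001:db8:1:1::50, length 32
19:00:02.000500 IP6 2001:db8:1:1::50 > fe80::1: ICMP6, neighbor advertisement, tgt is 2001:db8:1:1::50, length 32
19:00:05.000300 IP6 fe80::1 > ff02::1:ff00:50: ICMP6, neighbor solicitation, who has fe80::50, length 32
19:00:05.000500 IP6 fe80::50 > fe80::1: ICMP6, neighbor advertisement, tgt is fe80::50, length 32
"""
LINE = re.compile(r"^(\d+):(\d+):([\d.]+) IP6 \S+ > \S+: ICMP6, neighbor "
                  r"(solicitation, who has|advertisement, tgt is) ([0-9a-fA-F:]+)")

def parse(capture):
    """Yield (seconds, kind, target) for every NS/NA line."""
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if m:
            h, mi, s, what, target = m.groups()
            kind = "NS" if what.startswith("solicitation") else "NA"
            yield int(h) * 3600 + int(mi) * 60 + float(s), kind, target.lower()

def unanswered(capture, timeout=1.0):
    """Count NS per target that got no NA for that target within `timeout` seconds."""
    events = list(parse(capture))
    ads = [(t, tgt) for t, kind, tgt in events if kind == "NA"]
    missing = Counter()
    for t, kind, tgt in events:
        if kind == "NS" and not any(a == tgt and 0 <= at - t <= timeout for at, a in ads):
            missing[tgt] += 1
    return dict(missing)

def lost_in_transit(sender_capture, receiver_capture, kind):
    """Targets whose NS or NA is in the sender's capture but not the receiver's."""
    sent = {tgt for _t, k, tgt in parse(sender_capture) if k == kind}
    seen = {tgt for _t, k, tgt in parse(receiver_capture) if k == kind}
    return sorted(sent - seen)
```

In the constructed data the host answers every solicitation, but its advertisements for the GUA never reach the firewall, which points at the path in between rather than at either endpoint.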

Quote from: vpx23 on August 06, 2023, 02:01:44 PM
What is the output of the following command on the working and the non-working PC?

systemctl status dhcpcd

now it works again on the one notebook - right after I switched Zenarmor on the OPNsense from "block" to "monitor only" (it wasn't active on the WAN interface anyway, though?)

Hmm, I celebrated too early - without me touching anything, "address unreachable" is back now

about 200 pings went through, then it stopped again.

And my VPN client keeps reporting "reconnecting" every now and then - both the sudden "works again" and the equally sudden "doesn't work anymore" coincided with such a reconnect.

Are the interfaces on the OPNsense perhaps being restarted regularly, or going down and being restarted?
How can I find that out?

There was nothing about Zenarmor in your initial post - or did I miss something? Turn that off. And Suricata too, if you have that enabled as well.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on August 06, 2023, 06:44:18 PM
There was nothing about Zenarmor in your initial post - or did I miss something? Turn that off. And Suricata too, if you have that enabled as well.

both are off, it changed nothing; crowdsec was already off.

I just had to reboot once because I had to briefly switch off the power in the basement. The ping on the HP notebook kept running.

While the firewall was booting there was a phase of about 1500 pings that went through, after that it stopped.

It looks as if some service is barging into IPv6 during boot.




Quote from: Patrick M. Hausen on August 06, 2023, 06:44:18 PM
There was nothing about Zenarmor in your initial post - or did I miss something? Turn that off. And Suricata too, if you have that enabled as well.

rebooted once more (all three IDS off) (up to yesterday it worked with those three things, after all)

now it works on the HP notebook again - but nothing has changed on the other machine, it still doesn't work there.

On the notebook:

hp8760w:~ # systemctl status NetworkManager
● NetworkManager.service - Network Manager
     Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; enabled; vendor preset: disabled)
    Drop-In: /usr/lib/systemd/system/NetworkManager.service.d
             └─NetworkManager-ovs.conf
     Active: active (running) since Sun 2023-08-06 15:09:24 CEST; 3h 56min ago
       Docs: man:NetworkManager(8)
   Main PID: 15884 (NetworkManager)
      Tasks: 7 (limit: 4915)
     CGroup: /system.slice/NetworkManager.service
             ├─ 15884 /usr/sbin/NetworkManager --no-daemon
             ├─ 15912 /sbin/dhclient -d -q -sf /usr/lib/nm-dhcp-helper -pf /var/run/NetworkManager/dhclient-eth0.pid -lf /var/lib/NetworkManager/dhclient-7ba00b1d-8cdd-30da-91ad-bb83ed4f7474-eth0.lease -cf /var/lib/Netwo>
             ├─ 15916 /sbin/dhclient -d -q -sf /usr/lib/nm-dhcp-helper -pf /var/run/NetworkManager/dhclient-eth1.pid -lf /var/lib/NetworkManager/dhclient-a2c38991-a7a1-3ca8-9e6c-e22bf075de5c-eth1.lease -cf /var/lib/Netwo>
             ├─ 16263 /sbin/dhclient -d -q -6 -N -sf /usr/lib/nm-dhcp-helper -pf /var/run/NetworkManager/dhclient6-eth0.pid -lf /var/lib/NetworkManager/dhclient6-7ba00b1d-8cdd-30da-91ad-bb83ed4f7474-eth0.lease -cf /var/l>
             └─ 16265 /sbin/dhclient -d -q -6 -N -sf /usr/lib/nm-dhcp-helper -pf /var/run/NetworkManager/dhclient6-eth1.pid -lf /var/lib/NetworkManager/dhclient6-a2c38991-a7a1-3ca8-9e6c-e22bf075de5c-eth1.lease -cf /var/l>
Aug 06 18:58:52 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691341132.8873] manager: NetworkManager state is now CONNECTED_SITE
Aug 06 19:00:11 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691341211.4441] policy: set 'eth0' (eth0) as default for IPv6 routing and DNS
Aug 06 19:00:11 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691341211.7924] policy: set 'Kabelgebundene Verbindung 2 eth1' (eth1) as default for IPv6 routing and DNS
Aug 06 19:00:59 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691341259.2200] dhcp6 (eth1):   valid_lft 7142
Aug 06 19:00:59 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691341259.2201] dhcp6 (eth1):   preferred_lft 4442
Aug 06 19:00:59 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691341259.2201] dhcp6 (eth1):   address 2003:ce:7727:38f5:dd11:3e1c:1edb:920b
Aug 06 19:00:59 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691341259.2201] dhcp6 (eth1):   nameserver '2003:ce:7727:38f5:2a8:2cff:fe68:e3e9'
Aug 06 19:00:59 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691341259.2201] dhcp (eth1):   domain search 'hal9000.dedyn.io.'
Aug 06 19:00:59 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691341259.2201] dhcp6 (eth1): state changed new lease, address=2003:ce:7727:38f5:dd11:3e1c:1edb:920b
Aug 06 19:01:00 hp8760w.hal9000.dedyn.io NetworkManager[15884]: <info>  [1691341260.2251] manager: NetworkManager state is now CONNECTED_GLOBAL
lines 1-25/25 (END)



In this state it now works on the notebook.

Nothing has changed on the other machine.

root@incrediblepbx:~# systemctl status dhcpcd
Warning: The unit file, source configuration file or drop-ins of dhcpcd.service changed on disk. Run 'systemctl daemon-reload' to reload units.
● dhcpcd.service - dhcpcd on all interfaces
   Loaded: loaded (/lib/systemd/system/dhcpcd.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/dhcpcd.service.d
           └─wait.conf
   Active: active (running) since Sat 2023-08-05 23:51:42 CEST; 19h ago
  Process: 303 ExecStart=/usr/lib/dhcpcd5/dhcpcd -q -w (code=exited, status=0/SUCCESS)
Main PID: 593 (dhcpcd)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/dhcpcd.service
           └─593 /sbin/dhcpcd -q -w

Aug 06 18:49:57 incrediblepbx dhcpcd[593]: eth0: adding default route via fe80::2a8:2cff:fe68:e3e9
Aug 06 18:49:58 incrediblepbx dhcpcd[593]: eth0: pid 593 deleted default route via fe80::2a8:2cff:fe68:e3e9
Aug 06 18:50:13 incrediblepbx dhcpcd[593]: eth0: adding default route via fe80::2a8:2cff:fe68:e3e9
Aug 06 18:58:19 incrediblepbx dhcpcd[593]: eth0: Router Advertisement from fe80::2a8:2cff:fe68:e3e9
Aug 06 18:58:19 incrediblepbx dhcpcd[593]: eth0: fe80::2a8:2cff:fe68:e3e9: no longer a default router
Aug 06 18:58:19 incrediblepbx dhcpcd[593]: eth0: deleting default route via fe80::2a8:2cff:fe68:e3e9
Aug 06 19:00:11 incrediblepbx dhcpcd[593]: eth0: Router Advertisement from fe80::2a8:2cff:fe68:e3e9
Aug 06 19:00:11 incrediblepbx dhcpcd[593]: eth0: adding default route via fe80::2a8:2cff:fe68:e3e9
Aug 06 19:00:11 incrediblepbx dhcpcd[593]: eth0: pid 593 deleted default route via fe80::2a8:2cff:fe68:e3e9
Aug 06 19:00:27 incrediblepbx dhcpcd[593]: eth0: adding default route via fe80::2a8:2cff:fe68:e3e9
root@incrediblepbx:~#
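
The dhcpcd journal above, evaluated as an added example (not part of the thread): the script measures how long the host was without an IPv6 default route and whether each loss followed a "no longer a default router" message. It assumes that dhcpcd logs this message when a Router Advertisement arrives with router lifetime 0, which per RFC 4861 tells hosts to stop using the sender as default router; `route_gaps` and the cause labels are hypothetical names.

```python
import re
from datetime import datetime

# Lines copied from the dhcpcd journal quoted in the thread (host incrediblepbx).
LOG = """\
Aug 06 18:49:57 incrediblepbx dhcpcd[593]: eth0: adding default route via fe80::2a8:2cff:fe68:e3e9
Aug 06 18:49:58 incrediblepbx dhcpcd[593]: eth0: pid 593 deleted default route via fe80::2a8:2cff:fe68:e3e9
Aug 06 18:50:13 incrediblepbx dhcpcd[593]: eth0: adding default route via fe80::2a8:2cff:fe68:e3e9
Aug 06 18:58:19 incrediblepbx dhcpcd[593]: eth0: Router Advertisement from fe80::2a8:2cff:fe68:e3e9
Aug 06 18:58:19 incrediblepbx dhcpcd[593]: eth0: fe80::2a8:2cff:fe68:e3e9: no longer a default router
Aug 06 18:58:19 incrediblepbx dhcpcd[593]: eth0: deleting default route via fe80::2a8:2cff:fe68:e3e9
Aug 06 19:00:11 incrediblepbx dhcpcd[593]: eth0: Router Advertisement from fe80::2a8:2cff:fe68:e3e9
Aug 06 19:00:11 incrediblepbx dhcpcd[593]: eth0: adding default route via fe80::2a8:2cff:fe68:e3e9
Aug 06 19:00:11 incrediblepbx dhcpcd[593]: eth0: pid 593 deleted default route via fe80::2a8:2cff:fe68:e3e9
Aug 06 19:00:27 incrediblepbx dhcpcd[593]: eth0: adding default route via fe80::2a8:2cff:fe68:e3e9
"""

ENTRY = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ dhcpcd\[\d+\]: \S+: (.*)$")

def route_gaps(log, year=2023):
    """Return (gap start, seconds without default route, cause) per outage.

    Syslog timestamps carry no year; 2023 is the year of the thread.
    """
    gaps, gap_start, cause, lifetime0 = [], None, None, False
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        if "no longer a default router" in msg:
            lifetime0 = True  # assumed: the RA carried router lifetime 0
        elif re.search(r"delet(ed|ing) default route", msg) and gap_start is None:
            gap_start = when
            cause = "ra-lifetime-0" if lifetime0 else "unexplained"
        elif "adding default route" in msg:
            if gap_start is not None:
                seconds = int((when - gap_start).total_seconds())
                gaps.append((gap_start.strftime("%H:%M:%S"), seconds, cause))
            gap_start, lifetime0 = None, False
    return gaps
```

On the lines above it reports gaps of 15 s, 112 s and 16 s, and only the 112 s gap follows a "no longer a default router" message.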



Try configuring the WAN side on the OPNsense with a static IP instead of DHCP, and disable the DHCP server on the Fritz!Box.

Quote from: vpx on August 07, 2023, 11:59:31 AM
Try configuring the WAN side on the OPNsense with a static IP instead of DHCP, and disable the DHCP server on the Fritz!Box.

I'll try that on the weekend :-)

but: won't that blow up in my face as soon as the Fritzbox gets a new prefix from Telekom? Then all the addresses in the LAN are suddenly wrong, aren't they?