Closed Bytechanger closed 3 years ago
Hello,
I'm testing; it seems that it is not a problem of haproxy. It seems to be a problem with opnsense/pppoe, not haproxy.
On InternetServer I can reach ipv6
dig AAAA +short www.heise.de
2a02:2e0:3fe:1001:7777:772e:2:85
wget --no-check-certificate https://[2a02:2e0:3fe:1001:7777:772e:2:85]
--2020-05-27 05:48:12-- https://[2a02:2e0:3fe:1001:7777:772e:2:85]/
Connecting to [2a02:2e0:3fe:1001:7777:772e:2:85]:443... connected.
WARNING: certificate common name ‘www.heise.de’ doesn't match requested host name ‘2a02:2e0:3fe:1001:7777:772e:2:85’.
HTTP request sent, awaiting response... 200 OK
Length: 76 [text/plain]
Saving to: ‘index.html.6’
index.html.6 100%[===============================================>] 76 --.-KB/s in 0s
2020-05-27 05:48:13 (10.8 MB/s) - ‘index.html.6’ saved [76/76]
works fine
SSH to OPNSense over PPPOE works over ipv4 but also not over ipv6:
ssh -i /home/blabla/.ssh/homekey -p 56561 -vvv testuser@2003:(WAN address)
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "2003:(WAN address)" port 56561
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 2003:c:8583 [2003:(WAN address)] port 56561.
nothing....
on client, try to connect
sudo tcpdump -ni ens192 'tcp port 56561'
[sudo] password for blabla:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
05:54:19.387975 IP6 2001:(IP Client).54516 > 2003:(WAN Firewall).56561: Flags [S], seq 1051216040, win 64800, options [mss 1440,sackOK,TS val 2362155641 ecr 0,nop,wscale 6], length 0
05:54:20.396577 IP6 2001:(IP Client).54516 > 2003:(WAN Firewall).56561: Flags [S], seq 1051216040, win 64800, options [mss 1440,sackOK,TS val 2362156649 ecr 0,nop,wscale 6], length 0
05:54:22.412581 IP6 2001:(IP Client).54516 > 2003:(WAN Firewall).56561: Flags [S], seq 1051216040, win 64800, options [mss 1440,sackOK,TS val 2362158665 ecr 0,nop,wscale 6], length 0
05:54:26.604603 IP6 2001:(IP Client).54516 > 2003:(WAN Firewall).56561: Flags [S], seq 1051216040, win 64800, options [mss 1440,sackOK,TS val 2362162857 ecr 0,nop,wscale 6], length 0
05:54:34.796572 IP6 2001:(IP Client).54516 > 2003:(WAN Firewall).56561: Flags [S], seq 1051216040, win 64800, options [mss 1440,sackOK,TS val 2362171049 ecr 0,nop,wscale 6], length 0
------------
sudo tcpdump -vv -ni ens192 'tcp port 56561'
tcpdump: listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
06:27:20.701131 IP6 (flowlabel 0xd3867, hlim 64, next-header TCP (6) payload length: 40) 2001:xxx.54520 > 2003:xxx.56561: Flags [S], cksum 0xcbfd (incorrect -> 0xc709), seq 1683830560, win 64800, options [mss 1440,sackOK,TS val 2364136905 ecr 0,nop,wscale 6], length 0
06:27:21.708591 IP6 (flowlabel 0xf0fdf, hlim 64, next-header TCP (6) payload length: 40) 2001:xxx.54520 > 2003:xxx.56561: Flags [S], cksum 0xcbfd (incorrect -> 0xc31a), seq 1683830560, win 64800, options [mss 1440,sackOK,TS val 2364137912 ecr 0,nop,wscale 6], length 0
on OPNSense-Firewall
sudo tcpdump -ni pppoe0 'tcp port 56561'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pppoe0, link-type NULL (BSD loopback), capture size 262144 bytes
07:54:19.396907 IP6 2003:(IP Client).54516 > 2003:(FIRST PART of IP OPNSense WAN) e92:8583.56561: Flags [S], seq 1051216040, win 64800, options [mss 1440,sackOK,TS val 2362155641 ecr 0,nop,wscale 6], length 0
07:54:19.396972 IP6 2003:(IP OPNSense WAN).56561 > 2001:(FIRST PART of IP Client) :803c::1.54516: Flags [S.], seq 1796056796, ack 1051216041, win 65228, options [mss 1432,nop,wscale 9,sackOK,TS val 1751506195 ecr 2362155641], length 0
07:54:20.405540 IP6 2003:(IP Client).54516 > 2003:(FIRST PART of IP OPNSense WAN) e92:8583.56561: Flags [S], seq 1051216040, win 64800, options [mss 1440,sackOK,TS val 2362156649 ecr 0,nop,wscale 6], length 0
07:54:20.405579 IP6 2003:(IP OPNSense WAN).56561 > 2001:(FIRST PART of IP Client) :803c::1.54516: Flags [S.], seq 1796056796, ack 1051216041, win 65228, options [mss 1432,nop,wscale 9,sackOK,TS val 1751506195 ecr 2362156649], length 0
07:54:22.421526 IP6 2003:(IP Client).54516 > 2003:(FIRST PART of IP OPNSense WAN) e92:8583.56561: Flags [S], seq 1051216040, win 64800, options [mss 1440,sackOK,TS val 2362158665 ecr 0,nop,wscale 6], length 0
07:54:22.421564 IP6 2003:(IP OPNSense WAN).56561 > 2001:(FIRST PART of IP Client) :803c::1.54516: Flags [S.], seq 1796056796, ack 1051216041, win 65228, options [mss 1432,nop,wscale 9,sackOK,TS val 1751506195 ecr 2362158665], length 0
07:54:25.427714 IP6 2003:(IP OPNSense WAN).56561 > 2001:(FIRST PART of IP Client) :803c::1.54516: Flags [S.], seq 1796056796, ack 1051216041, win 65228, options [mss 1432,nop,wscale 9,sackOK,TS val 1751506195 ecr 2362158665], length 0
07:54:26.613695 IP6 2003:(IP Client).54516 > 2003:(FIRST PART of IP OPNSense WAN) e92:8583.56561: Flags [S], seq 1051216040, win 64800, options [mss 1440,sackOK,TS val 2362162857 ecr 0,nop,wscale 6], length 0
07:54:26.613735 IP6 2003:(IP OPNSense WAN).56561 > 2001:(FIRST PART of IP Client) :803c::1.54516: Flags [S.], seq 1796056796, ack 1051216041, win 65228, options [mss 1432,nop,wscale 9,sackOK,TS val 1751506195 ecr 2362162857], length 0
07:54:29.613738 IP6 2003:(IP OPNSense WAN).56561 > 2001:(FIRST PART of IP Client) :803c::1.54516: Flags [S.], seq 1796056796, ack 1051216041, win 65228, options [mss 1432,nop,wscale 9,sackOK,TS val 1751506195 ecr 2362162857], length 0
07:54:32.867815 IP6 2003:(IP OPNSense WAN).56561 > 2001:(FIRST PART of IP Client) :803c::1.54516: Flags [S.], seq 1796056796, ack 1051216041, win 65228, options [mss 1432,nop,wscale 9,sackOK,TS val 1751506195 ecr 2362162857], length 0
07:54:34.805559 IP6 2003:(IP Client).54516 > 2003:(FIRST PART of IP OPNSense WAN) e92:8583.56561: Flags [S], seq 1051216040, win 64800, options [mss 1440,sackOK,TS val 2362171049 ecr 0,nop,wscale 6], length 0
07:54:34.805592 IP6 2003:(IP OPNSense WAN).56561 > 2001:(FIRST PART of IP Client) :803c::1.54516: Flags [S.], seq 1796056796, ack 1051216041, win 65228, options [mss 1432,nop,wscale 9,sackOK,TS val 1751506195 ecr 2362171049], length 0
07:54:37.805475 IP6 2003:(IP OPNSense WAN).56561 > 2001:(FIRST PART of IP Client) :803c::1.54516: Flags [S.], seq 1796056796, ack 1051216041, win 65228, options [mss 1432,nop,wscale 9,sackOK,TS val 1751506195 ecr 2362171049], length 0
07:54:41.006098 IP6 2003:(IP OPNSense WAN).56561 > 2001:(FIRST PART of IP Client) :803c::1.54516: Flags [S.], seq 1796056796, ack 1051216041, win 65228, options [mss 1432,nop,wscale 9,sackOK,TS val 1751506195 ecr 2362171049], length 0
07:54:44.205453 IP6 2003:(IP OPNSense WAN).56561 > 2001:(FIRST PART of IP Client) :803c::1.54516: Flags [S.], seq 1796056796, ack 1051216041, win 65228, options [mss 1432,nop,wscale 9,sackOK,TS val 1751506195 ecr 2362171049], length 0
------------------
sudo tcpdump -vv -ni pppoe0 'tcp port 56561'
tcpdump: listening on pppoe0, link-type NULL (BSD loopback), capture size 262144 bytes
08:27:20.709034 IP6 (flowlabel 0xd3867, hlim 57, next-header TCP (6) payload length: 40) 2001:xxx.54520 > 2003:xxx.56561: Flags [S], cksum 0xc709 (correct), seq 1683830560, win 64800, options [mss 1440,sackOK,TS val 2364136905 ecr 0,nop,wscale 6], length 0
08:27:20.709120 IP6 (flowlabel 0x3245d, hlim 63, next-header TCP (6) payload length: 40) 2003:xxx.56561 > 2001:xxx.54520: Flags [S.], cksum 0xcbfd (incorrect -> 0xf118), seq 3931317341, ack 1683830561, win 65228, options [mss 1432,nop,wscale 9,sackOK,TS val 472230242 ecr 2364136905], length 0
08:27:21.739742 IP6 (flowlabel 0xf0fdf, hlim 57, next-header TCP (6) payload length: 40) 2001:xxx.54520 > 2003:xxx.56561: Flags [S], cksum 0xc31a (correct), seq 1683830560, win 64800, options [mss 1440,sackOK,TS val 2364137912 ecr 0,nop,wscale 6], length 0
08:27:21.739780 IP6 (flowlabel 0x3245d, hlim 63, next-header TCP (6) payload length: 40) 2003:xxx.56561 > 2001:xxx.54520: Flags [S.], cksum 0xcbfd (incorrect -> 0xed29), seq 3931317341, ack 1683830561, win 65228, options [mss 1432,nop,wscale 9,sackOK,TS val 472230242 ecr 2364137912], length 0
So, I don't know what my problem is.... It seems ipv6 doesn't work from Internet to WAN (over pppoe), but otherwise from LAN to Internet works fine.
In dumps there is something like checksum incorrect?!
Greets
Byte
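The two-sided capture comparison from the post above, as an added example that is not part of the original thread: it parses `tcpdump -vv` text from both ends, names the handshake step that goes missing, and separates `cksum ... incorrect` on a host's own outgoing packets (normally transmit checksum offload) from bad checksums on received ones. The capture lines are constructed in the same format, with 2001:db8:: documentation addresses standing in for the redacted ones; all function names are illustrative.

```python
import re

# Constructed samples in `tcpdump -vv -n` format. 2001:db8::c (client) and
# 2001:db8::f (firewall WAN) are documentation addresses, not from the thread.
CLIENT_CAP = """\
06:27:20.701131 IP6 (hlim 64, next-header TCP (6) payload length: 40) 2001:db8::c.54520 > 2001:db8::f.56561: Flags [S], cksum 0xcbfd (incorrect -> 0xc709), seq 1683830560, length 0
06:27:21.708591 IP6 (hlim 64, next-header TCP (6) payload length: 40) 2001:db8::c.54520 > 2001:db8::f.56561: Flags [S], cksum 0xcbfd (incorrect -> 0xc31a), seq 1683830560, length 0
"""
FW_CAP = """\
08:27:20.709034 IP6 (hlim 57, next-header TCP (6) payload length: 40) 2001:db8::c.54520 > 2001:db8::f.56561: Flags [S], cksum 0xc709 (correct), seq 1683830560, length 0
08:27:20.709120 IP6 (hlim 63, next-header TCP (6) payload length: 40) 2001:db8::f.56561 > 2001:db8::c.54520: Flags [S.], cksum 0xcbfd (incorrect -> 0xf118), seq 3931317341, ack 1683830561, length 0
"""

PKT = re.compile(r"(\S+)\.\d+ > (\S+)\.\d+: Flags \[([^\]]+)\], cksum \S+ \((correct|incorrect)")

def parse(capture):
    """One dict per TCP packet line in a `tcpdump -vv` text capture."""
    return [{"src": s, "dst": d, "flags": fl, "cksum_ok": ck == "correct"}
            for s, d, fl, ck in PKT.findall(capture)]

def diagnose(client_cap, server_cap, client, server):
    """Name the first handshake step that is missing from either vantage point."""
    at_client, at_server = parse(client_cap), parse(server_cap)
    def seen(pkts, src, flags):
        return any(p["src"] == src and p["flags"] == flags for p in pkts)
    if not seen(at_client, client, "S"):
        return "client never sent a SYN"
    if not seen(at_server, client, "S"):
        return "forward path: SYN lost before reaching the server side"
    if not seen(at_server, server, "S."):
        return "server side: SYN arrived but no SYN-ACK was generated"
    if not seen(at_client, server, "S."):
        return "return path: SYN-ACK captured at the server side, never seen by the client"
    return "SYN and SYN-ACK seen at both ends"

def bad_checksums_received(capture, local):
    """Packets with a bad checksum that `local` did not send itself.

    A capturing host with TX checksum offload shows its own outgoing packets
    as 'incorrect' because the NIC fills the field in after the capture point.
    """
    return [p for p in parse(capture) if not p["cksum_ok"] and p["src"] != local]

if __name__ == "__main__":
    print(diagnose(CLIENT_CAP, FW_CAP, "2001:db8::c", "2001:db8::f"))
    print(bad_checksums_received(FW_CAP, "2001:db8::f"))
```
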
Hi,
Now, when I deactivate the automatically generated gateway in Gateway->Single->WAN_DHCP6 (WAN_DHCP6 WAN IPv6 254 fe80::f6b5:2fff:fef0:a2eb), suddenly it seems to work. Access from outside is working. Crazy. So I think there is an OPNSense problem with routes?
Incoming traffic doesn't find its way out to the sender?
Greets
Byte
This issue has been automatically timed-out (after 180 days of inactivity).
For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.
If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.
I will soon get a new ISP. It has only DSLite. So I decided to get a vserver (IONOS) with ipv4 and ipv6. I want to receive ipv4 on my vserver and forward it over ipv6 to my home opnsense haproxy.
OPNsense 20.1.7-amd64 FreeBSD 11.2-RELEASE-p20-HBSD OpenSSL 1.1.1g 21 Apr 2020
So I configured haproxy to get ipv6 0.0.0.0:56573 and [::]:56573
ssh in OPNSense seems to work:
sudo sockstat -6 | grep haproxy
www haproxy 42268 22 tcp6 :56573 :*
When I access from LAN to ipv6 LAN-Interface or WAN-Interface it works fine. But when I access from extern (vserver) to WAN ipv6 it didn't work.
wget --no-check-certificate https://[2003:xx:xxx:xxxx:xxx:xxxx:xxxx:8583]:56573
--2020-05-22 13:46:55-- https://[2003:xx:xxx:xxxx:xxx:xxxx:xxxx:8583]:56573/
Connecting to 2003:xx:xxx:xxxx:xxx:xxxx:xxxx:8583]:56573...
ends there.....
Firewall seems to pass:
filterlog 134,,,0,pppoe0,match,pass,in,6,0x00,0xb70a5,58,tcp,6,40,2001:XX(IP from my IONOS Server),2003:(IP from my WAN),44608,56573,0,S,3312441647,,64800,,mss;sackOK;TS;nop;wscale
Tried it on different ports, so 56571, same issue. Here is a tcpdump from the OPNSense machine. Traffic seems to go in...
IPv6 Access:
Working IPv4 Access from extern:
I need haproxy to work from ipv6 vserver. Is this an issue or a config problem?
Greets
Byte