Somebody wants to hack me, how can I react?

The MAC addresses on the right in the firewall logs are not the MAC addresses of the IPs that are trying to get into my network; it is the MAC address of the ISP gateway which is connected to my RED interface, and in all of my firewall entries which were dropped from the internet it is always the same.

I think you have a different connection type with the Internet

I misunderstood.
That the logs were for the IPS system.
Not the firewall logs.

In the IPS logs there are also no MAC addresses given.
Only if the entries in the firewall are from the internal network are the MAC addresses shown in the log.

Also with

ip neigh

I get all MAC Addresses in my network

AFAIK in geographical networks, MAC is far less relevant.

1 Like

Mac addresses are not routed and are not interesting outside your own network.

1 Like

At the moment I collect the specific IPs and add these as saved hosts in a group which is blocked with reject in the firewall, log off. I hope this helps.

Not totally true.
image

1 Like

Tell me how I can extract the MAC addresses from these external IPs and I will add them to my special list too.

If you had the packet.
It is interesting that the IPS only logs the IP.
And the firewall logs the IP and the MAC.
As in picture posted at 17.
Same MAC different IP addresses.

How can I catch such a packet for you?

Not sure
How does Wireshark work?
Looks like there is an add-on called tshark. That may do the trick.
The only letdown in blocking these people is random IP addresses and
ever-changing MAC addresses. They will probably age out.
Hack at you all day with a VM. Then hack at you tomorrow with a new VM. Different MAC every time. :smiling_face_with_tear:

1 Like

Wireshark can only work on the network interfaces of the machine it is running on, but IPFire is running on its own machine.

Edit: tshark is installed, so what must I do now to catch the packet…

So then my hackers are very stupid; they use the same IP addresses every day, so I recognize them over weeks.

1 Like

Routing works on networks. Networks are defined by IPs ( even with IPv6 ).
MACs are the unique addresses of a device inside a network. Uniqueness is necessary for unambiguous addition of a device ( no other device has its MAC ).

The MAC is the address of the routing device. On red, for example, all packets are sent by your internet access device ( modem, router, … ). Therefore the level 2 address ( MAC ) is the address of this device.

2 Likes

Yes that MAC is not my red MAC address.
So my interpretation is that is the source MAC address. From which the packet originated.

2 Likes

That is incorrect. The MAC address is updated in the packet for every hop to the MAC Address for the next interface that it needs to send the packet to.

So every hop the MAC Address is replaced in the packet and you finally see the packet with a MAC Address for the Gateway that you use (ie, your ISP).

https://networkengineering.stackexchange.com/questions/23351/how-are-mac-ip-addresses-used-in-routing

3 Likes
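Added example (not part of any post in this thread): a short Python script that splits the `MAC=` field of Linux netfilter LOG lines into destination MAC, source MAC and EtherType, then groups source IPs by source MAC to show that every packet dropped on the red interface carries the same next-hop MAC. The log lines are constructed; the `DROP_INPUT`/`DROP_FORWARD` prefixes, the `red0`/`green0` interface names and all addresses are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the netfilter LOG format (not taken from the thread).
# IPs come from documentation ranges; MAC addresses are made up.
SAMPLE_LOG = """\
kernel: DROP_INPUT IN=red0 OUT= MAC=02:00:00:aa:bb:01:02:00:00:cc:dd:fe:08:00 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=22
kernel: DROP_INPUT IN=red0 OUT= MAC=02:00:00:aa:bb:01:02:00:00:cc:dd:fe:08:00 SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=23
kernel: DROP_INPUT IN=red0 OUT= MAC=02:00:00:aa:bb:01:02:00:00:cc:dd:fe:08:00 SRC=198.51.100.99 DST=192.0.2.10 PROTO=UDP SPT=5060 DPT=5060
kernel: DROP_FORWARD IN=green0 OUT=red0 MAC=02:00:00:aa:bb:02:02:00:00:11:22:33:08:00 SRC=192.168.1.20 DST=203.0.113.50 PROTO=TCP SPT=50000 DPT=445
"""

FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; the value may be empty (OUT=)


def split_mac(field):
    """Split the 14-octet MAC= field into (dst_mac, src_mac, ethertype)."""
    octets = field.split(":")
    if len(octets) != 14:  # not an Ethernet header dump, skip it
        return None
    return ":".join(octets[:6]), ":".join(octets[6:12]), "".join(octets[12:])


def sources_per_mac(log_text):
    """Map (inbound interface, source MAC) -> set of source IPs seen behind it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        kv = dict(FIELD.findall(line))
        mac = split_mac(kv.get("MAC", ""))
        if mac is None or "SRC" not in kv:
            continue
        seen[(kv.get("IN", ""), mac[1])].add(kv["SRC"])
    return dict(seen)


def likely_gateways(log_text, min_ips=2):
    """A source MAC fronting several IPs is the next-hop router, not a remote host."""
    return {k: v for k, v in sources_per_mac(log_text).items() if len(v) >= min_ips}


if __name__ == "__main__":
    for (iface, mac), ips in likely_gateways(SAMPLE_LOG).items():
        print(f"{iface} {mac} carried {len(ips)} source IPs: {sorted(ips)}")
```

A source MAC that this flags on the red interface is the upstream gateway, so a rule matching on it would match all inbound internet traffic rather than one remote sender.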

So that would be my ISP MAC address!?
It’s a miracle I did not block the whole internet!

I would say that this is no longer the case, as random MAC addresses can be used and are even recommended.

If you can tell how L2 transport can be done in this case, I agree. :wink:

My smartphone uses a different MAC address every time it connects to the WLAN access points, so you can’t say “unique” hardware address in the network.
I can change the hardware MAC address of every network device, so it is not possible to identify this network card (or PC/machine/device) after a reconnect if I change the MAC in the meantime.

Edit: And if every hop means a change of the MAC address in the packet header, why is this not the case when using switches? And if so, how does the packet find its way back through the hundreds of network devices it goes through on its way?