Hurricane Electric's IPv6 Tunnel Broker Forums

Advanced search  


Welcome to Hurricane Electric's forums!

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - divad27182

Pages: [1] 2 3 4
Sounds like you need to assign an address to that bond0 network interface, and run a radvd on that machine.

From what I see, the assigned address should be in 2603:xxxx:xxxx:8700::/56 but not in 2603:xxxx:xxxx:8700::/64

Questions & Answers / Re: Cloudflare Blocked on Free Tunnels now?
« on: December 06, 2017, 08:23:01 AM »
My main experience with cloudflare is when somebody usurped my projects DNS and put cloudflare in front of my machine.  This: compromised security, compromised performance, compromised security, and made me unable to SSH to my machine.  Cloudflare filled in dummy wildcard records based on an internet draft.  At one point, a DNS lookup on a name got an A record and a CNAME record (but a cache might have been involved).

We are no longer using cloudflare.

(I then tried Amazon's DNS.  They don't do SOA serial numbers.)

IPv6 Basics & Questions & General Chatter / Re: How or Where to tell?
« on: December 02, 2017, 06:27:44 PM »
I think the problem may be more complicated than you think.  If person B got one of your certificates, and person C is talking to person B's machine, you could be seeing verification attempts from C when B is where the issue is at.  In any case, the following might give you a starting point:

$ host 2001:470:1f07:224:8570:356e:2715:7be6
Host not found: 3(NXDOMAIN)
$ host 2001:470:1f07:224::1         domain name pointer
$ host 2001:470:1f06:224::1 domain name pointer

Alternatively, you could try firewall blocking his address.  Or, more likely to get a reaction, putting a rate limiter on the request.  A one byte per 10 second limit might slow some application he's running down enough that he notices it.

1) I suggest avoiding /etc/iproute2/rt_tables and ip rule altogether.  These are for when you want grossly different routing based on some conditions.  On the other hand, you do actually have such a condition configured in this case. but...

2) If you actually want to split things over two tunnels, what you should actually be doing is getting your own AS, two BGP tunnels, and a full routing daemon to manage them.

3) With the rule setup, I think it is not sufficient to specify "-I he02" on ping.  Specify "-I 2001:470:1f1c:da5::2" or "-I 2001:470:6c:f4::2".  The problem is that the source address gets chosen in the table, which is after the rule.

4) Showing "ip -6 ro" isn't enough.  You need "ip -6 rule" and "ip -6 route list table he1", etc... 

Questions & Answers / Re: Problems with initial setup on Debian
« on: November 13, 2017, 11:51:39 AM »
I think I've got to the bottom of it. It appears to be the 'local' line that causes this.

If I remove that, then it seems to bring up the interface correctly.

Will monitor to make sure, but fingers crossed that's it sorted.


Well, I think the "local" line picks the IP address that the tunnel sends from.  It isn't needed, but should be slightly faster than letting the kernel pick for you based on the routing tables.  It is also more flexible not to use it, in that a change in your IP address won't require reconfiguration.

As for why that makes a default route fail: It probably doesn't, and probably didn't.  Configuration errors often leave some pieces behind, particularly if the configuration is changed between an ifup and an ifdown.  Sometimes, you just have to go through and remove everything that isn't right by hand, before trying again.  Frankly, this is one reason Microsoft Windows wants you to reboot so often. 

Other things that could be making the default route:  well, SLAAC based on your ISP's multicasts could do it.  Other entries in /etc/network/interfaces could do it.  Something in /etc/rc.local or similar could do it.  DHCP6 could do it.

Have fun with your IPv6.

Questions & Answers / Re: Problems with initial setup on Debian
« on: November 10, 2017, 08:55:22 PM »
/bin/ip route add ::/0 via 2001:470:1f1c:da2::1  dev he-ipv6 onlink
RTNETLINK answers: File exists
ifup: failed to bring up he-ipv6
I don't know why I didn't see it before, but the text "RTNETLINK answers: File exists" is an error from the ip command.  In particular, in this case it means it is trying to add a route to somewhere there is already a route to.   It can't add an IPv6 default route because you already have one.  Remove the preexisting default route and try again.

Questions & Answers / Re: Problems with initial setup on Debian
« on: November 09, 2017, 12:41:29 PM »
I'm not sure what "onlink" is doing.  My older Debian's program does not include it.  The line with that is an attempt to assign a default gateway.

Once you've brought up your links, you first test should be to ping the other end.  In your case, "2001:470:1f1c:da2::1".  If that works, try something else.  Actually, your link is up now as I can ping your address.

If you want the machine to forward for everybody else, install and configure radvd.  This will get all the other machines on the subnet addresses, and tell them where to route.  This should be using "2001:470:1f1d:da2::/64" , unless you've also requested a /48.

If "" is you masking it out, OK.  If not, you can just omit the "local" clause altogether, and let the kernel decide on its own.

Edit: if you want it forwarding, you also need to turn on IPv6 routing, typically by adding "net.ipv6.conf.all.forwarding = 1" to /etc/sysctl.conf or /etc/sysctl.d/something.conf (and then either run the command manually or reboot...)

Well, they do have impressive technology pushing user configuration changes all around the world. 

And that's the bit I really would not expect to see published, unless they want to support people going into competition with them.

They also have a nice large BGP configuration to deal with all the various tunnel servers, and replicated machines.  (Apparently, they have multiple copies of the 5 DNS servers.)

General Questions & Suggestions / Re: Dynamic Prefix for IPv6
« on: October 22, 2017, 06:35:29 PM »
That's what the A6 record type is for.  Pity.  It went from proposed standard to experimental to historical.

Questions & Answers / Re: Is an IPv6 tunnel applicable for Xbox One?
« on: October 22, 2017, 11:44:04 AM »
The 3 to 126 question should probably be 64.  Bits in the netmask.

You might want to write to Hurricate Electric's support desk: to work out how to do it, and to enable them to setup an "Example Configuration" page for your box.

Alternatively, if it is indeed Windows 10, you might try the Windows 10 Example Configuration.  I believe it will fill in all your values, and you need only paste it into a privileged shell.

On my main actual interface, I gave a static IPv6 ip '2001:470:1f06:282::4' to the interface. And for the gateway IP, I gave the IPv6 ip which is working on my Linux machine in this case '2001:470:1f06:282::2', is that what I was supposed to do?

I believe 2001:470:1f06::/48 is the transit networks off the New York City tunnelbroker.  You cannot give any other addresses on that subnet.  i.e. 2001:470:1f06:282::4 is improper.  You are assigned a second subnet, probably 2001:470:1f07:282::/64 that you may allocate addresses in, and have your machine that is 2001:470:1f06:282::2 route to and from.

IPv6 on Routing Platforms / Re: BGP Default Route Only
« on: October 17, 2017, 08:52:54 AM »
BGP is what you do to not have default routes.  You could tell BGP to not set the routes on your local machine, but you would probably only do that if you are doing some routing research (and you aren't).

Questions & Answers / Re: Problems configuring Tunnel
« on: October 15, 2017, 07:37:41 PM »
Im using just Lan 1 by the way, the Lan 2 is not used at all!

If you have and are not using the /48, you should cancel the request for it.  Those are a somewhat limited resource and you should not get one and not use it.

Questions & Answers / Re: Problems configuring Tunnel
« on: October 07, 2017, 06:50:09 PM »
And the fact that they DON'T delegate, but DO have well setup DNS, means that JDH1986JDH could just use domain name
for his server.  Admittedly, if he changes his configuration before completing certification, he might need to do the reset operation and start over.

edit: Not sure if that's his current address.  He later showed one for a different account.

Questions & Answers / Re: Problems configuring Tunnel
« on: October 07, 2017, 06:42:03 PM »
Actually, if you only intend to have one machine there, then the hassle is setting up the routed /64.

I've actually considered doing just this with my laptop.  I haven't, but I might.  Actually, I sort of wish that you could request no routed /64, and a tunnel /126.  Then I wouldn't feel I was wasting resources.

Pages: [1] 2 3 4