Hurricane Electric's IPv6 Tunnel Broker Forums


Messages - snarked

Questions & Answers / Re: Traffic appears to be coming from China
« on: January 08, 2018, 12:17:26 PM »
Note the differences in revision dates of the databases.  The one that has your proper location is the most recent update.  It may take time for that update to propagate to the other database versions, and then more time for the sites to fetch the update.  It should straighten out in a month.

1)  Look carefully at your "up ip -6" rules.  They are not parallel for the two interfaces.  The explicit interface declaration "dev xxx" isn't similar - it hops between the "rule" and "route" subcommands.

2)  If you want packets to go out via both interfaces, you need to do some sort of multi-routing.  This may entail running a routing protocol (BGP, OSPF, etc), or enabling multiple equal path routing in the kernel.  You have multiple default routes, so only the first one found in the routing table will be used in the absence of multi-routing.

IPv6 Basics & Questions & General Chatter / Re: How or Where to tell?
« on: November 27, 2017, 01:24:44 PM »
You're asking the wrong question.  The real question should probably be:  Why doesn't this person understand that a 404 means that the resource isn't there, and why they don't get the clue to give up on it....?

Who really cares if they continue to hold a defunct certificate?

There is a way to create a certificate revocation list (to revoke unexpired certificates, including CA certificates).  However, the details of this construct are beyond my knowledge.  Maybe that's what you need to do if you really care to....

IPv6 on Linux & BSD & Mac / Re: Joining Router to all-routers multicast
« on: October 24, 2017, 12:21:49 AM »
Interfaces have a "multicast" flag.  See if that flag matches the ones you see (it should) and if it is absent from the other interfaces.  If that's the case, then you need to use "ip" or "ifconfig" to set the multicast flag, and see if that fixed the issue.

Virtual interfaces based on a real one (or set, such as bond0) usually reflect the multicast flag of the real one(s).  Could it be that one of your bonded interfaces has an incorrect flag?  (That shouldn't happen, but it can).

I don't use the CentOS distribution, so you've probably reached the limit of my help and suggestions.

IPv6 on Linux & BSD & Mac / Re: Joining Router to all-routers multicast
« on: October 23, 2017, 01:40:02 PM »
Next issue: Are they configured as multicast routers?  That requires an additional kernel configuration item (and if you use modules, an additional module needs to be loaded).  The configuration item is called CONFIG_IP_MROUTE, so look for a module with "mroute" in its name if you use modules.  (CentOS uses the Linux kernel).

You cannot assign a multicast address to an interface as it is not valid to use as a SOURCE address.  "netstat -g" will tell you for which multicast addresses you're listening.

General Questions & Suggestions / Re: Dynamic Prefix for IPv6
« on: October 23, 2017, 01:30:17 PM »
A6 might still be implemented by some DNS software that never was updated to remove it.  Snoop around.

Questions & Answers / Re: Is an IPv6 tunnel applicable for Xbox One?
« on: October 22, 2017, 11:28:36 AM »
Your router should be set to "6in4".

IPv6 on Linux & BSD & Mac / Re: Joining Router to all-routers multicast
« on: October 20, 2017, 11:23:03 PM »
...  All is working well, however the boxes do not respond to FF01::2 "all-routers" address so I have a few questions....

Did you try FF02::2?

IPv6 on Linux & BSD & Mac / Re: IPv6-Tunnel on two DSL
« on: October 20, 2017, 11:39:26 AM »
...  Hosts don't end up multicasting, so there isn't a problem....

You're wrong about that.  From where do you think multicast packets are sourced?

Questions & Answers / Re: Problems configuring Tunnel
« on: October 17, 2017, 12:37:44 PM »
Re - #45:  Agreed.  Furthermore, as one can get up to 5 /64 tunnels, no one who needs (or has needed in the past) less than 6 different /64 segments should have a /48.  Furthermore, if you get a /48, you should turn in your excess /64s.

I note that there are always exceptions, so don't harp on me for the advice if it doesn't fit your situation.

Questions & Answers / Re: Problems configuring Tunnel
« on: October 08, 2017, 08:36:03 PM »
Re - Reply #40:  True that there's no delegation, but there's the DNS interface at, and a tunnel user can get a free account and establish his routed reverse zone(s) there (either as primary or secondary).  In tracing a zone from the DNS root, the HE servers will always get queried at the /32 zone cut, so there's no reason why they shouldn't also have the final query response as well.   Works for me....  (Otherwise agreeing with reply #42).

Reply #41:  No reason not to ignore the routed /64 and simply use the tunnel endpoint /64 for your single device.  The routed /64 is only used for additional devices existing beyond the endpoint.  However, that's probably not going to change HE's design of handing out a /64 routed via every tunnel and every tunnel consuming a full /64 as well.  I agree it may be wasteful in some circumstances.

Questions & Answers / Re: Strange routing to google
« on: September 05, 2017, 01:34:12 PM »
Not everyone peers with their peers at all their shared locations.....

See if this order of operations helps:
1)  Add servers to zone.  Reload zone.
2)  Tell servers to serve the zone.
3)  Tell the registrar to add the servers.
Verify that it works.
4)  Remove other servers at registrar (if applicable).
5)  Remove other servers from zone.  Reload zone.

When reloading the zone, don't forget to bump the SOA serial first.
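
The order of operations in the post above can be checked against a small model. This is an added example, not part of the original post: the server names, the starting serial and the invariant (every server delegated at the registrar must already serve the zone and appear in its NS set) are assumptions made for illustration.

```python
# Added example: model of an authoritative nameserver change.
# Names, serial and the invariant are constructed for illustration.
from dataclasses import dataclass, field

OLD = frozenset({"ns1.old.example", "ns2.old.example"})
NEW = frozenset({"ns1.new.example", "ns2.new.example"})

@dataclass
class State:
    zone_ns: set = field(default_factory=lambda: set(OLD))    # NS records inside the zone
    serving: set = field(default_factory=lambda: set(OLD))    # servers answering for the zone
    registrar: set = field(default_factory=lambda: set(OLD))  # delegation held at the parent
    serial: int = 2017090501                                   # SOA serial (constructed)

def edit_zone(s, ns):
    """Change the zone's NS set, bumping the SOA serial before the reload."""
    s.serial += 1
    s.zone_ns = set(ns)

STEPS = {
    1: lambda s: edit_zone(s, OLD | NEW),              # add servers to zone, reload
    2: lambda s: s.serving.update(NEW),                # tell servers to serve the zone
    3: lambda s: s.registrar.update(NEW),              # tell the registrar to add them
    4: lambda s: s.registrar.difference_update(OLD),   # remove other servers at registrar
    5: lambda s: edit_zone(s, s.zone_ns - OLD),        # remove other servers from zone
}

def violations(s):
    """Delegated servers that do not serve the zone or are missing from its NS set."""
    return sorted(n for n in s.registrar
                  if n not in s.serving or n not in s.zone_ns)

def run(order):
    """Apply the steps in 'order'; return ([(step, offending servers)], final state)."""
    s, bad = State(), []
    for step in order:
        STEPS[step](s)
        v = violations(s)
        if v:
            bad.append((step, v))
    return bad, s

if __name__ == "__main__":
    for order in ([1, 2, 3, 4, 5], [3, 1, 2, 4, 5], [1, 2, 3, 5, 4]):
        print(order, run(order)[0])
```

The posted order never leaves the registrar pointing at a server that is not ready, while moving step 3 first or swapping steps 4 and 5 produces a window in which the delegation and the zone disagree.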

General Questions & Suggestions / Re: DNSSEC for slaves?
« on: August 25, 2017, 06:42:24 PM »
Serving these records IS extra processing that is not currently supported.

General Questions & Suggestions / Re: DNS types
« on: June 19, 2017, 10:56:16 PM »
But with numeric input, at least you get an output.....
