Recent posts

#1

Questions & Answers / Re: Japan tunnel server with h...

Last post by snarked - May 31, 2026, 12:55:47 PM

Routing.  Someone probably in Japan thinks the best route to HE in Japan is via the U.S. instead of a peering in country.  There may have been a Japan peering with HE which is currently not working.

Using the BGP interface here, HE peers at 2 cities in Japan:  Osaka and Tokyo.  Your trace route hop 3 has a hostname indicating Tokyo routing, but hop 4's latency implies a trans-Pacific crossing.  Although the hostname is truncated, it probably refers to Tata Communications at Equinix Tokyo.  HE and Tata are both present there, but maybe they're not talking to each other.  Tata is presenting only an IPv4 interface at Equinix Tokyo at present, so maybe that has some effect on the peering situation.

#2

Questions & Answers / Japan tunnel server with high ...

Last post by 98118 - May 29, 2026, 07:40:10 PM

Hi HE.net team,

I am running a Oracle VPS intance in Japan datacenter, which has been connected to HE tunnel server for a long time.
But in recent days, I find that the latency between them is increasing a lot, from <10ms to >200ms.
I execute a mtr from VPS to tunnerl server, seeing that the route path is Japan -> US -> Japan.
What causes the issue? Thank you

Code Select Expand

$ mtr 74.82.46.6 -r
Start: 2026-05-30T10:26:02+0800
HOST: intance2                    Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 140.91.206.106             0.0%    10    0.3   0.3   0.3   0.4   0.0
  2.|-- 180.87.180.138             0.0%    10    1.2   1.1   1.0   1.3   0.1
  3.|-- ix-be-35.ecore1.tv2-tokyo 30.0%    10    1.6   1.6   1.6   1.7   0.0
  4.|-- 209.58.55.73              90.0%    10  101.3 101.3 101.3 101.3   0.0
  5.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0
  6.|-- 64.86.26.38               50.0%    10  102.2 102.2 101.9 102.4   0.2
  7.|-- 64.86.26.37               80.0%    10  101.6 101.6 101.6 101.6   0.0
  8.|-- if-bundle-2-2.qcore2.sqn- 80.0%    10  101.1 101.3 101.1 101.4   0.2
  9.|-- port-channel22.core3.sjc2  0.0%    10  101.2 101.2 100.9 102.2   0.4
 10.|-- be47.core1.sjc2.he.net     0.0%    10  101.5 103.5 101.5 104.9   1.1
 11.|-- be1.core3.lax1.he.net     10.0%    10  115.5 114.5 112.9 115.5   0.8
 12.|-- be48.core1.lax2.he.net     0.0%    10  114.2 114.1 113.0 115.5   0.8
 13.|-- 100ge0-77.core3.tyo1.he.n 80.0%    10  211.5 211.4 211.2 211.5   0.2
 14.|-- port-channel9.core2.tyo1.  0.0%    10  211.6 211.8 211.4 213.0   0.5
 15.|-- tserv1.tyo1.he.net         0.0%    10  210.7 211.3 210.7 215.8   1.6

#3

General Questions & Suggestions / Re: I cannot make an slave wor...

Last post by alvarohg - May 09, 2026, 02:00:19 AM

Solved!!! Was the AD-blocker, turning off and all fine.

#4

General Questions & Suggestions / I cannot make an slave working...

Last post by alvarohg - May 08, 2026, 05:56:21 PM

Hello, I am trying to setup an slave dns server and I fail every time.

I have a bind9 server as a master, there is my config:

named.conf:

Code Select Expand

acl "he" {
        216.218.133.2;
        2001:470:600::2;
};

options {
        directory "/var/bind";
        pid-file "/run/named/named.pid";

        /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
        //bindkeys-file "/etc/bind/bind.keys";

        listen-on-v6 { ::1; 2001:470:26:5df:1::1; };
        listen-on { 127.0.0.1; 192.168.18.203; };

        max-cache-size 104857600;

        allow-query {
                /*
                 * Accept queries from our "trusted" ACL.  We will
                 * allow anyone to query our master zones below.
                 * This prevents us from becoming a free DNS server
                 * to the masses.
                 */
                trusted;

        allow-query-cache {
                /* Use the cache for the "trusted" ACL. */
                trusted;
        };

        allow-recursion {
                /* Only trusted addresses are allowed to use recursion. */
                trusted;
        };

        allow-transfer {
                /* Zone tranfers are denied by default. */
                none;
        };

    allow-update {
                /* Don't allow updates, e.g. via nsupdate. */
                none;
        };

    /*
    * If you've got a DNS server around at your upstream provider, enter its
        * IP address here, and enable the line below. This will make you benefit
        * from its cache, thus reduce overall DNS traffic in the Internet.
        *
        * Uncomment the following lines to turn on DNS forwarding, and change
        *  and/or update the forwarding ip address(es):
        */

        forward first;
        forwarders {
        //    123.123.123.123;        // Your ISP NS
        //    124.124.124.124;        // Your ISP NS
        //    4.2.2.1;                // Level3 Public DNS
        //    4.2.2.2;                // Level3 Public DNS
                8.8.8.8;                // Google Open DNS
                8.8.4.4;                // Google Open DNS
        };


        //dnssec-validation yes;

        /*
         * As of bind 9.8.0:
         * "If the root key provided has expired,
         * named will log the expiration and validation will not work."
         */
        dnssec-validation auto;

        /* if you have problems and are behind a firewall: */
        //query-source address * port 53;
};


logging {
        channel default_log {
                file "/var/log/named/named.log" versions 5 size 50M;
                print-time yes;
                print-severity yes;
                print-category yes;
        };

        category default { default_log; };
        category general { default_log; };
};


include "/etc/bind/rndc.key";
controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};

zone "." in {
    type hint;
        file "/var/bind/named.cache";
};

zone "localhost" IN {
        type master;
        file "pri/localhost.zone";
        notify no;
};

zone "alvaro.hernandez-garcia.me" {
        type master;
        file "ahg.db";
        allow-transfer { he; };
        allow-update { localhost; };
        notify explicit;
        also-notify { 216.218.130.2; };
        forwarders { };

};


Also my zone file:

Code Select Expand

$TTL 600
$ORIGIN alvaro.hernandez-garcia.me.
@               IN    SOA     ns1.he.net.     support         (2026050902 3600 18000 864000 3600)
@               IN    NS    ns1.he.net.
@               IN    NS    ns2.he.net.
@               IN    NS    ns3.he.net.
@               IN    NS    ns4.he.net.
@               IN    NS    ns5.he.net.

ads00           IN    AAAA    2001:470:26:5df:1::13


The response:
https://imgur.com/a/5V366iI

PS:Images not showed, posting link.


I am probe everything with no result. I don't know was I doing wrong.

#5

Questions & Answers / Maximum /48 alocation

Last post by leandroneves - May 04, 2026, 09:43:47 AM

Dear HE.NET team,

I needed to reorganize my network and establish connections to tunnels with lower latency. For Missouri, I connected to Chicago and everything went well. In São Paulo/Brazil, I did the same procedure. The tunnel with the lowest latency is New York.

However, when I tried to create the new /48 block between São Paulo and New York, the platform sent me the message: "Error: Maximum /48s requested. Please try again later."

Does this refer to my maximum number of tunnels (I only have one) or the maximum available from HE.NET in New York?

If it's the former, I would kindly request that you correct my profile so that I can allocate the tunnel.

By the way: I understand that you work with high volume, but as a user, allocating more /56 tunnels might be more valuable than a few /48 tunnels.

I want to thank you for the years of service together. Thank you!

Best Regards,

Leandro Neves

#6

Questions & Answers / Re: SMTP in Tunnnel

Last post by evantkh - May 02, 2026, 07:53:39 PM

Your account itself needs to be old enoough to have the capability to unblock yourself.
https://forums.he.net/index.php?topic=2782.0

#7

IPv6 on Windows / Re: unreachable from outside

Last post by cnsh - April 30, 2026, 04:09:42 AM

I checked everything. From firewall inbound/outbound rules and general firewall settings to registry keys (Ifiso settings and etc). EVERYTHING. Firewall logging won't work (even after restart), and I have no clue how to fix this damn issue.

Thinking that it might be Windows side issue. Will submit a bug report today, even though noone will look into it, I'm enough fed up with this thing.

#8

General Questions & Suggestions / Re: Zone limits was changed?

Last post by patthoyts - April 22, 2026, 04:06:18 AM

I had the same issue, a re-login did not resolve the problem but clearing the dns.he.net cookies and then logging in again did sort it out.

[IfIso]

#9

IPv6 on Windows / Re: unreachable from outside

Last post by cnsh - April 20, 2026, 09:48:09 PM

according to this thread on reddit, I deleted IfIso key from

Code Select Expand

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedInterfaces\, and it works on private profile too. Problem solved? No.

Another issue from deleting that comes at some windows features ending up bricked completely. Advanced windows firewall, media streaming settings, and various other stuffs won't start and gets bricked. Is there a way that it won't brick any of the windows services while getting that IfIso removed?

#10

IPv6 on Windows / Re: unreachable from outside

Last post by cnsh - April 19, 2026, 05:33:43 PM

here is the exported list of inbound rules set on my server. If it helps.