So....

It seems like there is some kind of issue with the hop posted above, since I can see the packet loss even in HEs LG:

Is there anything you guys can do about it? 

Hi everyone 

I'm using a Ubiquiti Edge Router to connect to the Tunnelbroker Service. My uplink is a DSL PPPoE Connection. (MTU 1492)
Since a few weeks I have trouble connecting to Facebook.com via the tunnel. The connection is extremely slow. When I use nativ IPv4 everything is fine. Every other site I have tested yet is fine via the tunnel.

Does anyone have the same problem and/or knows how I can fix it?

Here is my full setup:
Tunnel MTU: 1472 (1500 - 8 (PPPoe) - 20 (SIT))
V6 MSS Clamping is set to 1412 (1472 - 60)

Edge Router:
configure
edit interfaces tunnel tun0
set encapsulation sit
set local-ip 0.0.0.0
set remote-ip 216.66.80.30
set address 2001:470:1f0a:2b7::2/64
set description "HE.NET IPv6 Tunnel"
set mtu 1472
exit
set protocols static interface-route6 ::/0 next-hop-interface tun0
commit


EDIT:
So as it turns out I can even see major packet loss on the way to Facebook.com This makes me think it is not related to an issue regarding MTU/MSS size.
The first hop where the packet loss occurs is coloured red below.
Since this hop is the first one which belongs to Facebook, it seems the problem is on their side. However since this issue exists for me since about half a year now, I wonder if there is more to this....

Here is a trace:

traceroute to facebook.com (2a03:2880:f11c:8083:face:b00c:0:25de) from 2001:470:1f0a:xxxx::2, port 33434, from port 55510, 30 hops max, 60 bytes packets
 1  tunnelxxx619.tunnel.tserv6.fra1.ipv6.he.net (2001:470:1f0a:2b7::1)  16.731 ms  14.008 ms  13.978 ms
 2  10ge3-18.core1.fra1.he.net (2001:470:0:69::1)  15.000 ms  14.753 ms  13.230 ms
 3  100ge11-1.core1.fra2.he.net (2001:470:0:404::2)  15.311 ms  28.471 ms  10.383 ms
 4  2001:7f8:bd::3:2934:2 (2001:7f8:bd::3:2934:2)  62.711 ms  35.523 ms  35.376 ms
 5  * po141.asw01.fra2.tfbnw.net (2620:0:1cff:dead:beef::21fa)  34.604 ms  *
 6  po214.psw01.fra3.tfbnw.net (2620:0:1cff:dead:beef::ae1)  34.722 ms  * 49.700 ms
 7  * po4.msw1ad.01.frt3.tfbnw.net (2a03:2880:f01c:ffff::2a3)  49.691 ms  34.225 ms
 8  * * edge-star-mini6-shv-01-frt3.facebook.com (2a03:2880:f11c:8083:face:b00c:0:25de)  34.526 ms

+1 for a tunnel server in Milan.. it would be great not only for Italy but for southern europe in general

"Blacklisted" is the wrong term. The session got too many prefix announcements from you than expected, tripped the max limit of 200 routes, and closed the sessions. We just had to clear & reset on our side, and ensure your side wasn't leaking routes.

For anyone running BGP, always make certain you've got a nice tidy outbound filter applied to your sessions.

Yes, thx again for your help.


For the record, the problem is I was blacklisted because I reached the max prefix limits (mistake with my  filters).



Have a good day

+1 for API that doesn't require removing 2FA

asked/answered in TT opened.

Hello,

I'm using bird (v2.0.7)  for my BGP routers. I wanted to route IPv6 through Cogent but they can't do it for Google IPv6 ranges ( https://adminhacks.com/broken-IPv6.html ) so I decided to create an IPv6 BGP peering with HE (thx for that, very useful)

But during some tests, without any relevant changes, my HE BGP endpoint starts refusing BGP connections with me

bird: hurricane: Connecting to 2001:470:xxxx:1 from local address 2001:470:xxxxx:2
bird: hurricane: Connection lost (Connection refused)


The tunnel ID is "573440"


Did I do something wrong, too many tests or something?


Thx

PowerDNS says this: 

DNAME

The DNAME record, as specified in RFC 6672 is supported. However, dname-processing has to be set to yes for PowerDNS to process these records.

Please turn it on.  Queries for sub-labels of a DNAME RR label are returning NXDOMAIN instead of following the target lookup which does have records at the final label (i.e. should be NOERROR).

I'm desparately looking for DNSSEC support too, using dns.he.net and its webinterface as master/primary dns server.

As master/primary dns server, it's currently not possible.

DNSSEC support is only if dns he.net are slaves.