• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Recent posts

#21
How can I make automatic dynamic AAAA and A record registration from Windows Network Settings from IPv6 and IPv4 settings: where do I enter Registration URL or Update Key directly?
#22
Questions & Answers / Re: IPV6 tunnel and MTU issue ...
Last post by snarked - July 25, 2025, 03:29:54 PM
Then set it to 1400, as you discovered.

HE tunnels should handle up to 1480.
Wireguard (encrypted) tunnels handle 1420.
I don't know of anything that reduces MTU to 1400, other than the combination of both tunnel types.
#23
Questions & Answers / Re: Is tserv1.lon working ? al...
Last post by skerry - July 23, 2025, 09:41:21 AM
Yup, same here - literally came back here now to post that. Thanks!
#24
Questions & Answers / Re: Is tserv1.lon working ? al...
Last post by ngregory - July 23, 2025, 09:08:52 AM
This now seems resolved for me.
#25
Questions & Answers / Re: Is tserv1.lon working ? al...
Last post by skerry - July 23, 2025, 04:23:12 AM
Ah, thanks for the confirmation that it isn't just me. Interestingly, I have two machines using that endpoint (one in central London, one out by Reading) and I can connect between those two fine, it's just onwards routing to anywhere else which fails.
#26
Questions & Answers / Re: Is tserv1.lon working ? al...
Last post by ngregory - July 23, 2025, 03:51:16 AM

Yeah - same issue here with a tserv1.lon1 tunnel. The tunnel is up and from the client I can ping both the V4/V6 addresses of the remote tunnel. But pinging from an internet location to a HE tunnel address results in a loop/ Time exceeded: Hop limit error (port-channel8.core2.lon2.he.net).
#27
Questions & Answers / Is tserv1.lon working ? also, ...
Last post by skerry - July 23, 2025, 03:26:59 AM
I have been having some issues today, so I went to the status page to check the endpoint - I use tserv1.lon1, it's an old tunnel - and it's not listed on the page at all. Similarly, I have another tunnel in Frankfurt - tserv1.fra1 - and that is not listed either.

Have these been retired and I missed the warning and I need to shift endpoints?

Am using this status page: https://tunnelbroker.net/status.php

thanks!

-Pete.
#28
Questions & Answers / Re: Feature request: Add rate ...
Last post by cshilton - July 21, 2025, 04:08:08 PM
I know this is an old thread.

I don't think that rate-limiting his interface helps. I'm guessing that Hurricane Electric has a lot more bandwidth than he does so if someone starts blasting away UDP packets destined for any of his assigned IPv6 space, that traffic is going to end up routed as protocol 41 traffic, via his ISP, to his firewall. Once it's in his downstream pipe, it's game over. If the net result of this is that his downstream connection gets saturated, that parcel of bandwidth is lost. He won't be able to receive any other packets outside of the denial-of-service traffic. Dropping the packets or replying to them when they get to his side of the pipe won't help. Eventually, I would imagine that this would become a problem between him and his ISP.

I post in this otherwise stale thread because it's a problem that anyone running the Hurricane Electric tunnelbroker service has. E.g. if you piss someone off that can DOS you with UDP or ICMP, or even TCP traffic, there wouldn't be much you could do, short of deleting the tunnel, to stop the flow from the fire hose. I do guess that you could log in from a different connection and reconfigure the tunnel but you'd want to be careful with that because now you're just redirecting the fire hose at someone else. I also remember that to be able to have a tunnel at all, you have to be able to respond to ICMP directed at your side of the tunnel's address. That makes me wonder if you could staunch the traffic and save the configuration by stopping your side from responding to ping echo requests.

-- Chris
#29
Questions & Answers / Re: IPV6 tunnel and MTU issue ...
Last post by moeller - July 21, 2025, 07:49:57 AM
Hi

I created a little test using socat

On an Oracle free cloud server
#printf '%*s' 1500 | tr ' ' 'A' > filename.txt
#socat TCP6-LISTEN:8888,reuseaddr,fork FILE:"filename.txt",rdonly

On my client through the tunnel I run telnet and it hangs

#telnet  [v6-ip] 8888
Connected to [v6-ip] (v6-ip).
Escape character is '^]'.


When I reduce the file size to 1400 bytes e.g. 
#printf '%*s' 1400 | tr ' ' 'A' > filename.txt

the telnet works

#telnet  [v6-ip] 8888
Connected to [v6-ip] (v6-ip).
Escape character is '^]'.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA....

As soon as I go over 1400 bytes it breaks :-(

I see the ICMP for it, but it seems to be ignored.

14:51:58.837064 IP6 tserv1.lon1.he.net > first-instance-20210620: ICMP6, packet too big, mtu 1480, length 1240

Regards
Markus
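
The socat test in the post above finds the working size by hand; the following added example (not part of the original post) binary-searches the largest IPv6 packet that crosses a path with fragmentation prohibited. It assumes Linux iputils `ping` (`-6`, `-M do`); the names `probe_size`, `find_pmtu` and the `TARGET` variable are hypothetical.

```shell
#!/bin/sh
# Added example: measure the usable IPv6 packet size toward a host.
# Assumes Linux iputils ping; function names and TARGET are illustrative.

# Send one ICMPv6 echo whose total IP packet size is $2 to host $1,
# with fragmentation prohibited (-M do).
# Payload = packet size - 40 (IPv6 header) - 8 (ICMPv6 header).
probe_size() {
    ping -6 -M do -c 1 -W 2 -s "$(( $2 - 48 ))" "$1" >/dev/null 2>&1
}

# find_pmtu HOST [LOW] [HIGH]
# Prints the largest packet size in [LOW, HIGH] that gets an echo reply.
# Prints 0 and returns 1 if even LOW fails (path down or echo filtered).
find_pmtu() {
    host=$1 lo=${2:-1280} hi=${3:-1500}
    # 1280 is the IPv6 minimum link MTU, so it is the natural floor.
    probe_size "$host" "$lo" || { echo 0; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        # Round up so the loop always makes progress toward hi.
        mid=$(( (lo + hi + 1) / 2 ))
        if probe_size "$host" "$mid"; then
            lo=$mid            # mid fits: search the upper half
        else
            hi=$(( mid - 1 ))  # mid too big or lost: search the lower half
        fi
    done
    echo "$lo"
}

# Run only when a target is supplied, e.g. TARGET=<v6-ip> sh pmtu.sh
if [ -n "${TARGET:-}" ]; then
    find_pmtu "$TARGET"
fi
```

A result below the configured tunnel MTU, with no "packet too big" message arriving for the sizes that fail, points at a hop that drops oversized packets or at ICMPv6 being filtered; run it from both ends, since the two directions can differ.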
#30
Questions & Answers / Re: IPV6 tunnel and MTU issue ...
Last post by moeller - July 21, 2025, 12:22:55 AM
Hi snarked,

Thank you for the correction. I changed the tunnel interface to 1480 bytes, but still have a hanging connection with TLS over IPv6 to some sites. I see the server hello in Wireshark to have 1508 bytes (over IPv4). When the server hello is smaller it works over IPv6.

Markus