• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Recent posts

#31
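# Interface aliases, the dynamic DNS hostname for each, and that hostname's update key
$Names = @("vEthernet (L0)", "vEthernet (L1)")
$Hostnames = @("computer_name.connection_0.domain.zone","computer_name.connection_1.domain.zone")
$Passwords = @("key_0","key_1")

$ipv6Addresses = @()

for ($Counter = 0; $Counter -lt $Names.Count; $Counter++) {
    $Name = $Names[$Counter]
    $Hostname = $Hostnames[$Counter]
    $Password = $Passwords[$Counter]

    # SilentlyContinue lets a missing interface fall through to the else branch below
    $ipv6Address = Get-NetIPAddress -InterfaceAlias $Name -AddressFamily IPv6 -ErrorAction SilentlyContinue
    if ($ipv6Address) {
        # Keep only addresses with a router-advertised prefix and a link-layer-derived suffix
        $filteredAddress = $ipv6Address | Where-Object {
            $_.PrefixOrigin -eq 'RouterAdvertisement' -and
            $_.SuffixOrigin -eq 'Link'
        }
        if ($filteredAddress) {

            # Take the first match so the URL never carries several space-separated addresses
            $Foundipv6Address = @($filteredAddress)[0].IPAddress

            $Foundipv6AddressFeet = "$Foundipv6Address"

            $ipv6Addresses += $Foundipv6Address

            Write-Host "Found IPv6 addresses:" $Foundipv6AddressFeet

            Write-Host

            $URL = "https://$Hostname"+":$Password@dyn.dns.he.net/nic/update?hostname=$Hostname&myip=$Foundipv6AddressFeet"

            # Print the URL with the update key masked so it does not end up in console output or transcripts
            Write-Host ($URL.Replace(":$Password@", ":********@"))

            Write-Host

            curl.exe $URL

        } else {
            Write-Host "IPv6 address $Name not found"
        }
    } else {
        Write-Host "Interface $Name not found"
    }
}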

if ($ipv6Addresses.Count -gt 0) {
    Write-Host "Found IPv6 addresses:"
    $ipv6Addresses | ForEach-Object { Write-Host " - $_" }
}
#32
Questions & Answers / Re: no answer from peer at he....
Last post by buedi - July 27, 2025, 01:46:31 AM
I have the same issue, using the same endpoint, but from an OPNsense. All lights are green and I can see that I send traffic to the tunnel, but I never get a reply.
I opened a thread on the OPNsense forums today asking for help with how to debug this, just to make sure it is not a configuration mistake on my side. But reading your post, using the same endpoint, maybe we did it correctly (or made the same mistake ;-))?
#33
How can I make automatic dynamic AAAA and A record registration from Windows Network Settings from IPv6 and IPv4 settings: where do I enter the Registration URL or Update Key directly?
#34
Questions & Answers / Re: IPV6 tunnel and MTU issue ...
Last post by snarked - July 25, 2025, 03:29:54 PM
Then set it to 1400, as you discovered.

HE tunnels should handle up to 1480.
Wireguard (encrypted) tunnels handle 1420.
I don't know of anything that reduces MTU to 1400, other than the combination of both tunnel types.
#35
Questions & Answers / Re: Is tserv1.lon working ? al...
Last post by skerry - July 23, 2025, 09:41:21 AM
Yup, same here - literally came back here now to post that. Thanks!
#36
Questions & Answers / Re: Is tserv1.lon working ? al...
Last post by ngregory - July 23, 2025, 09:08:52 AM
This now seems resolved for me.
#37
Questions & Answers / Re: Is tserv1.lon working ? al...
Last post by skerry - July 23, 2025, 04:23:12 AM
Ah, thanks for the confirmation that it isn't just me. Interestingly, I have two machines using that endpoint (one in central London, one out by Reading) and I can connect between those two fine, it's just onwards routing to anywhere else which fails.
#38
Questions & Answers / Re: Is tserv1.lon working ? al...
Last post by ngregory - July 23, 2025, 03:51:16 AM

Yeah - same issue here with a tserv1.lon1 tunnel. The tunnel is up and from the client I can ping both the V4/V6 addresses of the remote tunnel. But pinging from an internet location to a HE tunnel address results in a loop / Time exceeded: Hop limit error (port-channel8.core2.lon2.he.net).
#39
Questions & Answers / Is tserv1.lon working ? also, ...
Last post by skerry - July 23, 2025, 03:26:59 AM
I have been having some issues today, so I went to the status page to check the endpoint - I use tserv1.lon1, it's an old tunnel - and it's not listed on the page at all. Similarly, I have another tunnel in Frankfurt - tserv1.fra1 - and that is not listed either.

Have these been retired and I missed the warning and I need to shift endpoints?

Am using this status page: https://tunnelbroker.net/status.php

Thanks!

-Pete.
#40
Questions & Answers / Re: Feature request: Add rate ...
Last post by cshilton - July 21, 2025, 04:08:08 PM
I know this is an old thread.

I don't think that rate-limiting his interface helps. I'm guessing that Hurricane Electric has a lot more bandwidth than he does so if someone starts blasting away UDP packets destined for any of his assigned IPv6 space, that traffic is going to end up routed as protocol 41 traffic, via his ISP, to his firewall. Once it's in his downstream pipe, it's game over. If the net result of this is that his downstream connection gets saturated, that parcel of bandwidth is lost. He won't be able to receive any other packets outside of the denial-of-service traffic. Dropping the packets or replying to them when they get to his side of the pipe won't help. Eventually, I would imagine that this would become a problem between him and his ISP.

I post in this otherwise stale thread because it's a problem that anyone running the Hurricane Electric tunnelbroker service has. E.g. if you piss someone off that can DOS you with UDP or ICMP, or even TCP traffic, there wouldn't be much you could do, short of deleting the tunnel, to stop the flow from the fire hose. I do guess that you could log in from a different connection and reconfigure the tunnel but you'd want to be careful with that because now you're just redirecting the fire hose at someone else. I also remember that to be able to have a tunnel at all, you have to be able to respond to ICMP directed at your side of the tunnel's address. That makes me wonder if you could staunch the traffic and save the configuration by stopping your side from responding to ping echo requests.

-- Chris