Well, this is interesting...

Someone told me about adding " /cdn-cgi/trace" to the Cloudflare websites to get troubleshooting info.

All of them, when connected through my /48 prefix on the London HE server, give loc=RU.

RU as in Russia??? Something wrong there surely. I've checked my tunnel server address, it is correct and is the London server.

If I use the separate /64 prefix, I get loc=GB and everything works.

Who moved me to Russia?

ETA: Maxmind is the one that  has it in Russia, the entire 2001:470:6800::/40 prefix! All the other geolocations databases I've checked are North America (not really correct since I use it from the UK, but that's a known issue that has never bothered anyone except Netflix).

There is a procedure to correct it, but really it should be HE doing that, not me. ETA2: I've done it myself - now to see if they make the correction.

https://www.maxmind.com/en/geoip-demo
https://support.maxmind.com/geoip-data-correction-request/

kasperd, see the attachment for the 6rd values that I need.  Does the ISP charge for these values?  Also, with the current 6to4 settings configured in my Netgear D6400 router, I am able to view the web site ( "www.kame.net" - Mosaic version ).  When I visit the "testmyipv6.com" web site, and click on the "IPv6-only Test" link, I receive a message that my computer has successfully connected to that server using IPv6.  However, when I click on the "Dual-Stack ( IPv6 & IPv4 ) Test" link, I receive an error message that indicates that my computer is choosing the IPv4 connection over the IPv6 connection.  Let me know what you think. 

kasperd, after locating an online user manual for the Netgear D6400 router ( i.e., at the following link: https://www.manualslib.com/manual/966359/Netgear-D6400.html?page=87#manual ), I was able to find the 6rd tunnel configuration settings.  At this point, the only thing I am unsure of are the prefix values, etc. ( the directions indicate that the Internet Service Provider ( ISP ) is supposed to provide these ).  Thank you for mentioning the 6rd option.  How do I configure 6rd with my He.net tunnel values? 

It's the first time for me.

I've done some more testing and determined that it is the entire /48 prefix which is being blocked by Cloudflare. Anywhere in it gets blocked.

If I change to the /64 prefix we also get, everything works OK. I need the /48 for local subnets though.

Cloudflare still has not replied to me of course. Frankly it's outrageous that some company can arbitrarily block someone's use of the internet.

I'm going to delete and reallocate the /48 in a couple of days if I get no reply; maybe sooner if I get annoyed waiting. Hopefully the system won't reallocate the same prefix, and I get one that works.

I used to see this fairly often, but I can't think of the last time I saw it show up for me.

found that ddns is now possible for txt records (YAY). The things I'm unable to figure out now is how to update the records if you have two of the same txt records? For example if you have a Let's Encrypt certificate for *.domain.ext and domain.ext then you need two txt entries _acme-challenge.domain.ext and _acme-challenge.domain.ext. I can do this manually but when I setup the entries to be dynamic I'm only able to update the last one I updated with a password. Does anyone know if there is a trick for this situation or if this part isn't implemented yet?

I have added DoT support to my NAT64 service. The DoT servers have the name dot.nat64.dk.

tjeske, the terminology in my Netgear D6400 router "6to4 Tunnel" settings is "6to4."

Look carefully through the list of options. There exist 3 different but still quite similar tunnel protocols: 6to4, 6in4, and 6rd. Which of them does your router support? 6rd is the most flexible and if configured correctly can be made compatible with either 6in4 or 6to4.

What is the difference between "6in4" and "6to4"?

With 6to4 you get IPv6 addresses which are constructed from your IPv4 address. There is no provider as such, you will be relying on third party relays. You have little control over the choice of third party relays and consequently there isn't much you can do when they are unreliable.

With 6in4 you choose a tunnel provider (such as HE). Your traffic goes through your chosen provider and if it doesn't work you can contact your provider or choose a different provider.

There is also a hybrid between the two called 6rd. It has more configuration options and can be configured manually or autoconfigured through DHCP.

6to4 is a different tunnel protocol than 6in4. They are not compatible.

It's true that they are different and that a router configured with 6to4 is no use for communicating with HE. But they are still compatible enough that you can make 6to4 and 6in4 communicate directly with each other. I wouldn't recommend it though. Anything involving 6to4 should be recommended anymore.

This has been going on for several weeks now, after many years of using IPv6 without trouble.

Every site I visit that is protected by Cloudflare, I get protracted "checking your browser" delays, often followed by a capcha. That is to sites I visit many times a day; I get the checks every time I close my browser, or navigate away from the site for more than a few minutes.

Worse, I've just discovered I'm also being blocked completely from some websites by their Cloudflare firewall.

If I disable IPv6 and force just IPv4, there are no problems. The issue happens on all my PCs and on a clean test installation. Any IPv6 address in my prefix gets 'caught'.

There is no good reason for this, not at my end anyway. No viruses, nothing has been compromised... all of that was the very first thing I checked.

Any suggestions? Is there a way to check 'reputation' for IPv6 addresses? I've done it for my public IPv4 subnet before I discovered it was IPv6 that was causing the problem.

Edit to add: I checked the reputation of my IPv6 at https://www.projecthoneypot.org/search_ip.php as recommended on Cloudflare's forum.
No problems were found. So it's not that.

Sure. Depends on the operating system. The configuration steps/commands are listed in your tunnel profile on HE's homepage (when you login to your account, select the tunnel, then "Example configurations"). Your computer should have a static IP address inside your network, e.g. 192.168.0.50. You then need to forward all traffic to this IP. Look for a setting called "DMZ".

Maybe check out this guide:
https://www.cellstream.com/reference-reading/tipsandtricks/160-setting-up-a-6to4-tunnel-in-windows-7

However, it could be that the Netgear doesn't pass protocol 41. In that case, you won't be able to setup a tunnel using the D6400 as your DSL modem.