Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Recent posts

#11
General Questions & Suggestions / Notify's not taking effect?
Last post by beewoolie - February 25, 2024, 04:06:57 PM
Greetings.

From time to time, when I want to move a service, I edit a zone on the master server and have it notify the HE server which is active as a slave. Eventually, he pulls the zone and makes the update, but this is often hours later.

Is there some detail about a zone that limits notified updates?

I also try the "Validate" button which has an effect of pulling the zone from the master. I can see that the HE server has requested the zone due to a TSIG request in the logfile of the master. However, the zone still doesn't update on he.net, even after 30 minutes.

Any suggestions?
#12
Questions & Answers / HE tunnel issues for Apple dev...
Last post by cshilton - February 25, 2024, 02:37:18 PM
I don't have too much information about this right now. Having said that, I've noticed that my Apple devices, iPads, and iPhones, are having trouble connecting to my network when the HE tunnel is up and active. When I reboot my iPad, it comes up and doesn't indicate that it's connected to my WiFi. I give it a minute, then connect it to the WiFi either in Setup or by pulling down the control pad and toggling the WiFi off, then back on once, quickly. If I do this in Setup, most of the time the device will have an error message: "No Internet Connection". Toggling the WiFi off and then back on solves the "No Internet Connection" problem and things just work as I expect them to from then on.

Turning off SLAAC so devices don't get an IPv6 address automatically fixes this problem.

I've taken a tcpdump of my iPad starting and I'm looking to see what IPv6 traffic the iPad is trying to send at startup. Nothing is being blocked and nothing looks out of the ordinary.

Has anyone else seen anything like this? Did my google searches on the subject fail because I looked for the wrong thing or because this problem is too obscure?
#13
Questions & Answers / Re: abuse warning but tunnel w...
Last post by anzial - February 13, 2024, 10:29:51 PM
well, now I get the "abuse" message AND the tunnel no longer works.
#14
General Questions & Suggestions / Support for SVCB and HTTPS rec...
Last post by cdauth - February 11, 2024, 07:27:16 PM
I just stumbled across this article explaining the new SVCB and HTTPS record types: https://blog.cloudflare.com/speeding-up-https-and-http-3-negotiation-with-dns

Basically they can instruct clients to load a website through HTTP/3 straight away without having to make a HTTP/2 request first (to look for an Alt-Svc header) and without having to make a HTTP request first (to see if there is a redirect to HTTPS).

I would love to be able to add such records in my HE DNS configuration. Or maybe there is already a way?
#15
Questions & Answers / Re: Google forcing ReCAPTCHA o...
Last post by ChrisDos - January 25, 2024, 06:05:09 AM
Quote from: cecilspiqwuc on January 25, 2024, 01:19:24 AM
I first noticed this issue with Google search also, then it slowly spread across all Google Services, and now I basically find that the entire 2001:470:: address space, or maybe the entire HE.NET domain, is basically blacklisted.

I no longer get Captcha challenges, I am immediately met with HTTP 403 - Forbidden everywhere I go regardless of the browser, app, device, or operating system.
Netflix, Microsoft, Google, Apple, Samsung, GitHub, Mozilla, live.com, Amazon, banks, PayPal, Ticketmaster, Walmart, etc. I even get 403 errors in the browser console from advertising networks. Then things got worse, basically any site/app that uses Cloudflare or AWS gives me a 403 error. Now I even get 403 errors from major DNS services - Cloudflare, Google Public DNS, SafeDNS, OpenDNS, Quad9 are all blocking DNS requests of any type from my he.net tunnel.

Disabled the tunnel and all problems immediately disappear. Re-enable tunnel and problems return.

I tried deleting my tunnel then creating a new tunnel to different North American site with both /64 and /48 networks in order to obtain a new prefix. I have tried tunnels to Seattle/Beaverton, Fremont, Ashville, Denver, and Phoenix.  They worked at first but all ended up the same after the first few hours.

Then add insult to injury I also found I could not create a AAAA DNS record that contained a he.net tunnel address because the DNS service provider said the address space is prohibited.

I finally just gave up and disabled IPv6 on my connection, then deleted my HE.NET tunnels in my account and I'm just going to let the account fade away.
Whatever.....

Boy, I had no idea it had gotten that bad. I was waiting for it to clear up again before re-enabling it, but based on what you were saying, I don't think that is going to happen.

Time to look to see if there is another provider of IPv6 tunnels. It sure is a lot of work on my end to switch everything over if an alternative exists.
#16
Questions & Answers / Re: Google forcing ReCAPTCHA o...
Last post by cecilspiqwuc - January 25, 2024, 01:19:24 AM
I first noticed this issue with Google search also, then it slowly spread across all Google Services, and now I basically find that the entire 2001:470:: address space, or maybe the entire HE.NET domain, is basically blacklisted. 

I no longer get Captcha challenges, I am immediately met with HTTP 403 - Forbidden everywhere I go regardless of the browser, app, device, or operating system.
Netflix, Microsoft, Google, Apple, Samsung, GitHub, Mozilla, live.com, Amazon, banks, PayPal, Ticketmaster, Walmart, etc. I even get 403 errors in the browser console from advertising networks. Then things got worse, basically any site/app that uses Cloudflare or AWS gives me a 403 error. Now I even get 403 errors from major DNS services - Cloudflare, Google Public DNS, SafeDNS, OpenDNS, Quad9 are all blocking DNS requests of any type from my he.net tunnel.

Disabled the tunnel and all problems immediately disappear. Re-enable tunnel and problems return.

I tried deleting my tunnel then creating a new tunnel to different North American site with both /64 and /48 networks in order to obtain a new prefix. I have tried tunnels to Seattle/Beaverton, Fremont, Ashville, Denver, and Phoenix.  They worked at first but all ended up the same after the first few hours.

Then add insult to injury I also found I could not create a AAAA DNS record that contained a he.net tunnel address because the DNS service provider said the address space is prohibited.

I finally just gave up and disabled IPv6 on my connection, then deleted my HE.NET tunnels in my account and I'm just going to let the account fade away.
Whatever.....
#17
Questions & Answers / Re: Transfer /48 in between tu...
Last post by kcochran - January 11, 2024, 11:54:49 AM
/48s are also allocated from a server-specific pool.  Making them portable would also result in tens of thousands of additional routing entries.
#18
Questions & Answers / Transfer /48 in between tunnel...
Last post by HQuest - January 11, 2024, 10:00:47 AM
More a request than an issue, but would it be too complex to implement a "move your /48" from one tunnel to another? I understand the /64 pool at certain endpoints but whoever asked and is actually using a /48 as a /48 most likely has a good number of systems using these subnets and it might not be an easy change to get them all updated (talking static assignments, interfaces, security policies, domain entries, etc) to the new assigned subnet. However, trivial to change just your endpoint tunnel setup.

Happy for your consideration, and really appreciative for your services: years ahead of what our paid ISPs offer (which for my sad VZ case, is just non-existent).
#19
Questions & Answers / Re: Google forcing ReCAPTCHA o...
Last post by cholzhauer - January 11, 2024, 09:37:47 AM
This just hit me too...time to disable the tunnel :(
#20
Questions & Answers / Re: DDNS updating as a cron jo...
Last post by kcochran - January 03, 2024, 09:18:26 PM
I wouldn't say the limit is "every few minutes", but "when your IP changes."

We'll accept an attempt to request an update, regardless of whether it is an actual change, and not block it every few minutes, but the goal is to request an update only when you need to.

At least 90% of the updates we see are unneeded, or entirely malformed requests because people put their information in the wrong fields (passwords as tunnel IDs, etc.), and then never test their setup, so it runs that way for years.