• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Recent posts

#21
Questions & Answers / Re: paris tserv1.par2 down?
Last post by Monphpnet - August 28, 2024, 02:36:18 AM
#22
Questions & Answers / Re: rDNS delegation stopped wo...
Last post by bxrwtat - August 28, 2024, 12:43:46 AM
The problem has been finally solved!

Yesterday tserv1.par2.he.net went down; when it came back up, the issues with dns.he.net also disappeared.
#23
Questions & Answers / Re: paris tserv1.par2 down?
Last post by lmamane - August 27, 2024, 10:01:04 PM
It is back now.
#24
Questions & Answers / Re: paris tserv1.par2 down?
Last post by Monphpnet - August 27, 2024, 05:44:45 PM
Hello, same problem here

Since 9h 3m 52s


I'm in Paris too and no IPv6

via the tunnel:
tserv10.par1 Paris, FR

***
216.66.84.42
Down

***

#25
Questions & Answers / Re: paris tserv1.par2 down?
Last post by sfim - August 27, 2024, 09:46:29 AM
Hello, same problem here.

I'm in Paris too and have had no IPv6 since the beginning of the afternoon, and since, like lmamane, I see Paris shown as up, I was thinking it was on my side.
#26
Questions & Answers / paris tserv1.par2 down?
Last post by lmamane - August 27, 2024, 09:10:07 AM
I can't ping tserv1.par2 over IPv6 from three different ISPs. Traceroutes stop at

100ge0-34.core2.bru1.he.net (184.104.194.110)

On https://tunnelbroker.net/status.php the Paris server is called tserv10.par1 and is shown "up", is that the same one, or am I somehow on an old unlisted/deprecated server???
#27
Questions & Answers / [Solved] Re: Native IPv6 confi...
Last post by cshilton - August 23, 2024, 05:53:21 AM
When I looked at this further, I discovered that I have my OpenBSD network stack set to do IPv6 autoconf without an RA provider on the network. The ULA was self-generated.

Regarding the other part of the question: Should I use a ULA for local services like DNS resolution? A few people do this. It mainly involves assigning a ULA on the interface where you source your router advertisements and then statically assigning an IP address within that ULA to provide your service.
#28
Questions & Answers / Native IPv6 configuration ques...
Last post by cshilton - August 22, 2024, 09:34:07 AM
So, I figure that this may be the forum for this question. About a year ago, Verizon rolled out native IPv6 to me. I'm still using my HE tunnel because I'm not clear on some of the implications.

Question: With Verizon's native IPv6 I'm getting 3 meaningful IP addresses on my interface: public - [2600:4040:xxxx:yyyy::host-part], ULA - [fdww:xxxx:yyyy:zzzz::host-part] and, of course, a link-local [fe80::host-part] address. Is the function of the ULA assignment to run local services?

Question: Is it safe to run services on the link local address?

What I see is that native IPv6 changes the way I get my IPv6 address. Verizon assigns me an address via dhcp-pd. That assignment is static the way a CATV cable modem gets a, for all intents, static IP. But I still need to assign known IP addresses to my DNS resolvers for example. With HE, this was [<he-prefix>::<static-host-part>] but with Verizon, the prefix can change. Being clear, is the dhcpcd program assigning me a ULA address so I can put my DNS resolver at a configured place?

-- Chris
#29
Questions & Answers / IPv6 Connectivity Issue
Last post by mauropc - August 17, 2024, 05:25:21 PM
I hope this message finds you well.
I am writing to report a connectivity issue with my IPv6 host, specifically the address 2001:470:d:xxx::y. It appears that there is a block on incoming connections to this host (only this host; others work fine), which is affecting my ability to use the services associated with it.

The host is used as a web/mail server, on ports 80, 443, 110, 143, 20 and 21.
#30
Questions & Answers / Re: Possible IPv6 Routing Issu...
Last post by cshilton - August 15, 2024, 02:44:53 PM
The streaming services have a problem in general with the HE tunnelbroker service. Netflix was the first but others have followed. Other people have issues too because the freedom and the performance that makes the service great opens the doors for a technical person to abuse things.

Netflix:

Netflix's specific beef was that there was a person or company somewhere in Europe who advertised a "service" that got you the United States Netflix catalog from Europe. It wasn't a service, the entity was setting up HE tunnels to Europe that terminated on East Coast tunnelbroker servers. So the IP addresses that you got were in the US and originally, Netflix gave you the US catalog rather than the European one. Netflix retaliated by blocking all of 2001:470::/32 via a proxy warning rather than just emitting a TCP RST. Sigh...

Other streaming services:

So far as I can see, many other streaming services followed Netflix. This kind of sucks.

Other issues:

There are people in the world who abuse the Tunnelbroker service to harass both Google and Wikipedia. In the case of Google, we vacillate between an outright kick/ban of 2001:470::/32 and a forced CAPTCHA if our devices hit google over IPv6. In Wikipedia it turns into long kick/bans for editing Wikipedia pages. I haven't seen issues with browsing Wikipedia though.

Conclusion:

None of the options are good here. Outside of HE, the opinion seems to be that "dynamic IP's" ought to be "dynamic" meaning that they should change often even if they don't need to. This belief seems to be as stubborn as the "NAT provides security" argument that's also prevalent. Just in general, people don't seem to get IPv6 because it breaks the conception of network addressing which seems to be bound to the limitations that we see with IPv4. I can get native IPv6 on one of my connections and possibly soon both, my wife works out of Boston so we keep an apartment up there but we generally live in CT, but I'm still using HE tunnels but the IP addresses are static and that's really really useful, especially at the price that HE is charging.

So long as the service is structured the way it is and free, as in freedom from restrictions, you're gonna see this. I think that leaves your choices as: Don't use the service because asshats being asshats, random stuff is going to get broken at random times; Do use the service and employ a subset of the workarounds for the breakage.

The workarounds are basically:

  • Employ a domain based dns block list -- E.g. doing resolve AAAA queries for anything in *.google.com;
  • Employ a program that does the DNS resolution periodically and update your firewall so as to block by external IP address;
  • Enumerate your internal assets which shouldn't be using IPv6 and arrange to block outbound IPv6 on them.

As an example of the last issue, if you use SLAAC, you can't stop an AppleTV from getting an IPv6 address. It won't be able to get to Netflix if your IPv6 address comes from HE. You could put your AppleTV into a separate VLAN but to have them in a different broadcast domain than your iPhones and iPads is to nerf a lot of their capabilities.

At the end of the day, none of the solutions are great. For me, using HE is still better than figuring out where my moved to on FiOS when Verizon changes my prefix. Before people start, I get that Verizon changing my IPv6 address is a "me" issue. But the fact that people think that dynamic means stuff should change makes it a little harder to find the correct DHCPv6 configuration to use on Verizon for an OpenBSD router.
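
The second workaround in the post above (resolve periodically, then block by address) sketched as an added example; this is not code from the post or from Hurricane Electric. The host names, the `v6_blocked` table name and the use of OpenBSD pf are assumptions, and a name that stops resolving keeps its previous entries so a DNS outage does not empty the block list.

```python
import ipaddress
import socket

def resolve_aaaa(name):
    """AAAA answers from the system resolver; empty list on failure."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET6, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]

def clean(answers):
    """Keep only routable-looking IPv6 literals, normalised to canonical text."""
    kept = set()
    for text in answers:
        try:
            addr = ipaddress.IPv6Address(text.split("%")[0])  # drop any zone id
        except ValueError:
            continue
        if addr.ipv4_mapped or addr.is_loopback or addr.is_link_local or addr.is_unspecified:
            continue
        kept.add(str(addr))
    return sorted(kept)

def refresh(names, previous, resolver=resolve_aaaa):
    """New per-name state; a name that fails to resolve keeps its old entries."""
    state = {}
    for name in names:
        addrs = clean(resolver(name))
        state[name] = addrs if addrs else previous.get(name, [])
    return state

def table_lines(state):
    """Flatten the state into a sorted, de-duplicated list for the table file."""
    merged = {ipaddress.IPv6Address(a) for addrs in state.values() for a in addrs}
    return [str(a) for a in sorted(merged)]

# Constructed sample answers (documentation prefix), standing in for live DNS.
SAMPLE = {"video.example": ["2001:DB8::2", "2001:db8::1", "::ffff:192.0.2.1", "fe80::1%em0"],
          "search.example": ["2001:db8:1::5"]}

if __name__ == "__main__":
    state = refresh(list(SAMPLE), {}, lambda n: SAMPLE.get(n, []))
    print("\n".join(table_lines(state)))
    # Assumed pf usage: write the lines to a file, then
    #   pfctl -t v6_blocked -T replace -f /path/to/file
    # with a rule such as: block return out quick inet6 to <v6_blocked>
```

Run from cron with `resolver` left at its default to use live DNS; using `block return` rather than a silent drop lets dual-stack clients fall back to IPv4 without waiting for a timeout.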