Recent posts

#41
Questions & Answers / [Solved] Re: Native IPv6 confi...
Last post by cshilton - August 23, 2024, 05:53:21 AM
When I looked at this further, I discovered that I have my OpenBSD network stack set to do IPv6 autoconf without an RA provider on the network. The ULA was self-generated.

Regarding the other part of the question: Should I use a ULA for local services like DNS resolution? A few people do this. It mainly involves assigning a ULA on the interface where you source your router advertisements and then statically assigning an IP address within that ULA to provide your service.
#42
Questions & Answers / Native IPv6 configuration ques...
Last post by cshilton - August 22, 2024, 09:34:07 AM
So, I figure that this may be the forum for this question. About a year ago, Verizon rolled out native IPv6 to me. I'm still using my HE tunnel because I'm not clear on some of the implications.

Question: With Verizon's native IPv6 I'm getting 3 meaningful IP addresses on my interface: public - [2600:4040:xxxx:yyyy::host-part], ULA - [fdww:xxxx:yyyy:zzzz::host-part] and, of course, a link-local [fe80::host-part] address. Is the function of the ULA assignment to run local services?

Question: Is it safe to run services on the link local address?

What I see is that native IPv6 changes the way I get my IPv6 address. Verizon assigns me an address via dhcp-pd. That assignment is static the way a CATV cable modem gets a, for all intents, static IP. But I still need to assign known IP addresses to my DNS resolvers for example. With HE, this was [<he-prefix>::<static-host-part>] but with Verizon, the prefix can change. Being clear, is the dhcpcd program assigning me a ULA address so I can put my DNS resolver at a configured place?

-- Chris
#43
Questions & Answers / IPv6 Connectivity Issue
Last post by mauropc - August 17, 2024, 05:25:21 PM
I hope this message finds you well.
I am writing to report a connectivity issue with my IPv6 host, specifically the address 2001:470:d:xxx::y. It appears that there is a block on incoming connections to this host (only this host); others work fine. This is affecting my ability to use the services associated with it.

The host runs a web/mail server on ports 80, 443, 110, 143, 20 and 21.
#44
Questions & Answers / Re: Possible IPv6 Routing Issu...
Last post by cshilton - August 15, 2024, 02:44:53 PM
The streaming services have a problem in general with the HE tunnelbroker service. Netflix was the first but others have followed. Other people have issues too because the freedom and the performance that makes the service great opens the doors for a technical person to abuse things.

Netflix:

Netflix's specific beef was that there was a person or company somewhere in Europe who advertised a "service" that got you the United States Netflix catalog from Europe. It wasn't a service, the entity was setting up HE tunnels to Europe that terminated on East Coast tunnelbroker servers. So the IP addresses that you got were in the US and originally, Netflix gave you the US catalog rather than the European one. Netflix retaliated by blocking all of 2001:470::/32 via a proxy warning rather than just emitting a TCP RST. Sigh...

Other streaming services:

So far as I can see, many other streaming services followed Netflix. This kind of sucks.

Other issues:

There are people in the world who abuse the Tunnelbroker service to harass both Google and Wikipedia. In the case of Google, we vacillate between an outright kick/ban of 2001:470::/32 and a forced CAPTCHA if our devices hit google over IPv6. In Wikipedia it turns into long kick/bans for editing Wikipedia pages. I haven't seen issues with browsing Wikipedia though.

Conclusion:

None of the options are good here. Outside of HE, the opinion seems to be that "dynamic IPs" ought to be "dynamic", meaning that they should change often even if they don't need to. This belief seems to be as stubborn as the "NAT provides security" argument that's also prevalent. Just in general, people don't seem to get IPv6 because it breaks the conception of network addressing, which seems to be bound to the limitations that we see with IPv4. I can get native IPv6 on one of my connections and possibly soon both (my wife works out of Boston so we keep an apartment up there, but we generally live in CT), but I'm still using HE tunnels because the IP addresses are static and that's really, really useful, especially at the price that HE is charging.

So long as the service is structured the way it is and free, as in freedom from restrictions, you're gonna see this. I think that leaves your choices as: don't use the service, because asshats being asshats, random stuff is going to get broken at random times; or do use the service and employ a subset of the workarounds for the breakage.

The workarounds are basically:

  • Employ a domain-based DNS block list -- e.g. don't resolve AAAA queries for anything in *.google.com;
  • Employ a program that does the DNS resolution periodically and updates your firewall so as to block by external IP address;
  • Enumerate your internal assets which shouldn't be using IPv6 and arrange to block outbound IPv6 on them.

As an example of the last issue, if you use SLAAC, you can't stop an AppleTV from getting an IPv6 address. It won't be able to get to Netflix if your IPv6 address comes from HE. You could put your AppleTV into a separate VLAN, but to have them in a different broadcast domain than your iPhones and iPads is to nerf a lot of their capabilities.

At the end of the day, none of the solutions are great. For me, using HE is still better than figuring out where my moved to on FiOS when Verizon changes my prefix. Before people start, I get that Verizon changing my IPv6 address is a "me" issue. But the fact that people think that dynamic means stuff should change makes it a little harder to find the correct DHCPv6 configuration to use on Verizon for an OpenBSD router.
#45
Questions & Answers / Re: Does any know which DNS do...
Last post by cshilton - August 15, 2024, 02:13:48 PM
I do this by name because the addresses aren't even remotely static. My program consumes this YAML file:

---
blocklist:
  max:
    prefixlen: 48
    sitelist:
      - www.max.com
      - auth.max.com
      - default.prd.api.max.com
      - events.prd.api.max.com
      - telegraph.prd.api.max.com
      - play.max.com
      - busy.prd.api.max.com
      - default.prd.api.max.com
      - default.use.prd.api.max.com
      - services.brightline.tv
      - cdn-media.brightline.tv
      - images.cdn.prd.api.discomax.com
      - busy.prd.api.discomax.com
      - images.cdn.prd.api.discomax.com
      - akm.prd.media.h264.io
      - gcp.prd.media.h264.io
      - cf.prd.media.h264.io
      - beam-images.warnermediacdn.com
      - lightning.warnermediacdn.com
      - wmff.warnermediacdn.com
      - geolocation.onetrust.com

Explanation: max, as in "max:", refers to the HBO Max service. I have a program that goes through every name in sitelist and does an AAAA lookup. It cuts the answer back to a [...]/48 block and then adds those blocks to my firewall. My firewall sends an immediate TCP RST for new connections to any address in the set of /48 blocks.

More detail: My strategy is defense in depth. I maintain two tables on a pfSense firewall: one is a list of external addresses to automatically block when an internal host tries to start a TCP connection. The other is a list of internal addresses that see a TCP RST for any connection to IPv6 TCP port 80 or 443. Between those two lists and happy eyeballs, my streaming devices have no trouble consuming HBO Max. Finally, my DNS resolver doesn't do AAAA resolution for a set of domains.
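As an added example (not the poster's own program), this Python sketch does the lookup-and-truncate step described above: it walks a service's sitelist, cuts each AAAA answer back to the configured prefix length, collapses adjacent prefixes, and renders a pf table. The config dict mirrors the YAML structure so it runs without PyYAML, the AAAA answers are a constructed sample so it runs offline, and the live lookup helper and the table name are assumptions.

```python
import ipaddress
import socket

# Mirrors the poster's YAML structure as a plain dict (constructed; avoids PyYAML).
BLOCKLIST = {
    "max": {
        "prefixlen": 48,
        "sitelist": ["www.max.com", "play.max.com", "default.prd.api.max.com",
                     "default.prd.api.max.com"],  # duplicate names are tolerated
    },
}

# Constructed sample AAAA answers standing in for live DNS (documentation range).
SAMPLE_AAAA = {
    "www.max.com": ["2001:db8:10:1::20", "2001:db8:11:2::20"],
    "play.max.com": ["2001:db8:10:3::5"],
    "default.prd.api.max.com": ["2001:db8:20::1"],
}


def lookup_aaaa(name):
    """Live AAAA lookup via getaddrinfo (assumed helper); empty list on NXDOMAIN etc."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET6)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def prefixes_for_service(service, resolver=lookup_aaaa):
    """Resolve every name in the sitelist, truncate each address to the configured
    prefix length, and return the deduplicated networks with adjacent ones merged."""
    cfg = BLOCKLIST[service]
    nets = set()
    for name in dict.fromkeys(cfg["sitelist"]):  # dedupe names, keep order
        for addr in resolver(name):
            nets.add(ipaddress.IPv6Interface(f"{addr}/{cfg['prefixlen']}").network)
    # 2001:db8:10::/48 and 2001:db8:11::/48 collapse into 2001:db8:10::/47.
    return sorted(ipaddress.collapse_addresses(nets))


def pf_table(service, nets):
    """Render the networks as a pf.conf table (table name is an assumption)."""
    body = ", ".join(str(n) for n in nets)
    return f"table <{service}_v6> persist {{ {body} }}"


if __name__ == "__main__":
    nets = prefixes_for_service("max", resolver=lambda n: SAMPLE_AAAA.get(n, []))
    print(pf_table("max", nets))
```

Swap the sample resolver for `lookup_aaaa` to build the table from live answers, then reload it with pfctl on a schedule as the post describes.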
#46
General Discussion / Unable to receive emails
Last post by chunqiucq - August 05, 2024, 02:39:50 AM
When I authenticate my IPv6 email address, it prompts me with Status: Message body failed
#47
Hello fellow Hurricane Electric community members,

I wanted to share this with users in case others also have issues with streaming services such as Netflix blocking IPv6 tunnel brokers. I seem to have found a solution: force pfSense's Unbound DNS resolver to use DNS A records when accessing specific Netflix domains or other domains that have this issue.

The Unbound DNS resolver has a custom options field. You can add these options:

server:
dns64-ignore-aaaa: netflix.com
dns64-ignore-aaaa: netflix.net
dns64-ignore-aaaa: nflxext.com
dns64-ignore-aaaa: nflxso.net
dns64-ignore-aaaa: nflxvideo.net
dns64-ignore-aaaa: www.netflix.com

This seemed to resolve my issue as anything with those domains will now only use DNS A records.

I hope that helps. Thanks for all you do.
#48
Questions & Answers / Re: Unable to use Google Searc...
Last post by kirgudu - July 23, 2024, 01:58:58 AM
Google CAPTCHA is annoying again.

Tunnelbroker, do something
#49
Questions & Answers / Re: Possible IPv6 Routing Issu...
Last post by kernelpanic1 - July 22, 2024, 03:50:52 PM
A bit of an update, I was able to null route AAAA records on my DNS server based on the similar workaround needed for Netflix here and Paramount seems to be working again. The domains I came up with for Paramount are below:

server=/cbsivideo.com/#
address=/cbsivideo.com/::
server=/cbsi.com/#
address=/cbsi.com/::
server=/cbsistatic.com/#
address=/cbsistatic.com/::
server=/cbsimg.net/#
address=/cbsimg.net/::
server=/pplusstatic.com/#
address=/pplusstatic.com/::
server=/paramountplus.com/#
address=/paramountplus.com/::
server=/www.paramountplus.com/#
address=/www.paramountplus.com/::
server=/paramountplus.map.fastly.net/#
address=/paramountplus.map.fastly.net/::
server=/saa.paramountplus.com/#
address=/saa.paramountplus.com/::
server=/cbsaavideo.com/#
address=/cbsaavideo.com/::
server=/cbsinteractive.data.adobedc.net/#
address=/cbsinteractive.data.adobedc.net/::
server=/cbsig.net/#
address=/cbsig.net/::
server=/irdeto.com/#
address=/irdeto.com/::

I'm still not sure if this is some kind of IPv6 routing issue or if Paramount is silently blocking HE IPv6 tunnel traffic. If they are blocking, there is no mention of this on their support site, in any error messages, or any other references found on Google.
#50
Questions & Answers / Re: Possible IPv6 Routing Issu...
Last post by coxim - July 21, 2024, 09:00:42 PM
Exact same problem here. Would love to know a solution to this. Had to disable IPv6 to get Paramount Plus to work.