• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Recent posts

#61
Questions & Answers / Re: IPv6 tunnel and GeoIP
Last post by MaZe - July 19, 2023, 11:21:57 AM
I happen to *know* that Google uses https://tunnelbroker.net/export/google as the source of its geo feed.

What I cannot figure out is where HE gets that information from.

It does not appear to be configurable in the tunnelbroker UI that I can see.

It does not appear to be derived from the geo location of the ipv4 endpoint.

I have two tunnels.  One in California, US, one in Krakow, Poland.

The Krakow tunnel's /64 and /48 are both geolocated to US,US-CA per the above geo feed.
(In practice I use only the /48 as the /64 is DoS blocked and Google search 403s)

The tunnel's IPv4 end point has been in Krakow for probably a year if not longer.
The tunnelserver itself is in Warsaw (Poland) too...

This misconfiguration results in Google thinking I'm in California, and that my time zone is Pacific,
which is super annoying...
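An added example, not part of the post above: a way to check how a geo feed labels your own prefixes, assuming the feed uses the RFC 8805 CSV layout (prefix,country,region,city,postal). The feed lines are constructed from documentation prefixes, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in RFC 8805 layout (assumed format); these are
# documentation prefixes, not real tunnelbroker.net data.
SAMPLE_FEED = """\
# constructed geofeed sample
2001:db8::/32,US,US-CA,,
2001:db8:1234::/48,US,US-CA,,
2001:db8:beef::/48,PL,,Krakow,
192.0.2.0/24,US,US-CA,,
not-a-prefix,XX,,,
"""

def parse_geofeed(text):
    """Return (network, country, region, city) tuples, skipping bad lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        fields += [""] * (5 - len(fields))     # trailing fields are optional
        try:
            net = ipaddress.ip_network(fields[0], strict=False)
        except ValueError:
            continue                           # malformed prefix: ignore entry
        entries.append((net, fields[1].upper(), fields[2].upper(), fields[3]))
    return entries

def lookup(entries, prefix):
    """Most specific feed entry covering the prefix, or None."""
    query = ipaddress.ip_network(prefix, strict=False)
    covering = [e for e in entries
                if e[0].version == query.version and query.subnet_of(e[0])]
    return max(covering, key=lambda e: e[0].prefixlen, default=None)

def mismatches(entries, expected):
    """expected maps prefix -> country; return prefixes labelled differently."""
    out = {}
    for prefix, country in expected.items():
        hit = lookup(entries, prefix)
        found = hit[1] if hit else None
        if found != country:
            out[prefix] = found
    return out
```

Feeding it the downloaded feed text and a map of your tunnel prefixes to the country you expect lists every prefix the feed places elsewhere, or does not cover at all (reported as None).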
#62
Packet loss to London1 is still ongoing, with the result of IPv6 traffic being severely degraded (less than half speed download rate I have seen). I can't really use it in this state, it's just too unreliable.
ThinkBroadband ping chart for yesterday 13th July 2023:
#63
Questions & Answers / Re: Google forcing ReCAPTCHA o...
Last post by anzial - July 13, 2023, 09:44:51 AM
Can't tell you the precise wording about the /48 subnet from support; the effing Google has now signed me out of my email account and is forcing me to wait for a restore email (it happened after I tried to set up the /48), but yeah, it was something about Google banning whole subnets, but a /48 might reduce the chances of it happening in future to a specific user as opposed to using a /64.
#64
Questions & Answers / Re: Google forcing ReCAPTCHA o...
Last post by cshilton - July 13, 2023, 09:22:16 AM
Quote from: anzial on July 12, 2023, 04:02:38 AM
> support advises to switch to /48 to avoid google bans in future.

Do you mean block outbound connections to Google at the xxxx:yyyy:zzzz::/48 level? Or, are you saying that Google has not banned Hurricane Electric at the 2001:470::/32 level and a tunnelbroker 2001:470:xxxx::/48 customer assignment may not be in the banned range? I ask because as I understand it, Netflix is flagging anything from 2001:470::/32 as coming via a proxy. I understand that they are two different companies here but I compare Google and Netflix because both are implementing a control policy for communications coming into their network. I had made the possibly wrong assumption that Google is blocking 2001:470::/32.
#65
Questions & Answers / Re: Google forcing ReCAPTCHA o...
Last post by doktornotor - July 13, 2023, 04:23:17 AM
Quote from: anzial on July 12, 2023, 04:02:38 AM
> support advises to switch to /48 to avoid google bans in future.

Well, the thing is, we've already been using /48s everywhere before this happened. Anyway, seems to be working for now.
#66
Questions & Answers / Re: Google forcing ReCAPTCHA o...
Last post by anzial - July 12, 2023, 04:02:38 AM
Support advises to switch to /48 to avoid Google bans in future.
#67
Questions & Answers / Re: Google forcing ReCAPTCHA o...
Last post by supergvozd - July 12, 2023, 12:32:53 AM
Quote from: Volui on July 10, 2023, 06:29:09 PM
> It seems Google is working again through the v6 tunnel... can anyone confirm?

Yes, I confirm.
#68
Questions & Answers / Re: Google forcing ReCAPTCHA o...
Last post by Volui - July 10, 2023, 06:29:09 PM
It seems Google is working again through the v6 tunnel... can anyone confirm?
#69
IPv6 on Linux & BSD & Mac / Opnsense configuration and per...
Last post by jmrickerby - July 05, 2023, 02:32:04 PM
Hi there,

Apologies, but I'm new to IPv6, so please be patient with me.

I'm a personal internet user, ISP is IPv4 only obviously, configuring an existing Opnsense 23.1.11 firewall with Tunnel Broker. I used the following links for instructions for this process:
https://docs.opnsense.org/manual/how-tos/ipv6_tunnelbroker.html
https://medium.com/swlh/ipv6-on-opnsense-router-599a9198aaed

With 3 internal networks, I have a Tunnel Broker Routed /48 prefix, which I have allocated into 4 subnets. There is an Internet accessible server on one of the LANs.

Testing wise, https://test-ipv6.com seems happy with me 10/10, but https://ipv6-test.com/ gives inconsistent results.

Question 1 – ICMPv6 access to LAN(s)?
If I am understanding correctly, ICMPv6 is important to a properly functioning IPv6 network. In Opnsense, the "Firewall - Rules - TunnelBroker [interface]" has default rules for passing inbound ICMPv6 packets to internal interfaces. However, as these rules do not include an Echo type, I am unsure how to test that ICMPv6 is working. Is it advisable/necessary to have a "Firewall - NAT - Port Forward" rule to allow TunnelBroker inbound ICMPv6 to the internal interfaces, or will that just create an unnecessary security hole?

Question 2 – DHCPv6 and IPv6 addresses?
If I want to advertise and configure an internal NTP server, does this mean I'm required to use DHCPv6, or should I rely on Router Advertisements and SLAAC to configure IPv6 interfaces? If so, how do I configure clients to use the NTP server? The server LAN interfaces are all manually configured with an IPv6 general address (within a subnet from the Tunnel Broker /48 range). I assume I shouldn't use link-local addresses for internal DNS? If I ever switch to an IPv6 providing ISP, I assume I will be re-addressing my servers and re-configuring DHCPv6? If my ISP provides a /64 prefix, I will have to adopt unique local addresses and use NPTv6 to have separate internal networks? (Is it normal that an ISP will provide a /62 or other non /64 prefix?) Should I adopt unique local addresses and NPTv6 now to avoid re-addressing interfaces in the future? Is it correct that I should ignore link-local addresses with any configuration I am considering, like internal DNS, etc.?

Question 3 – Overall Tunnel Broker performance and gaming?

Pinging sites with IPv4 and IPv6 indicates about 3 times the latency using Tunnel Broker. However, latency is still reasonable. However, I notice with some web pages (e.g. bbc.com), content loads in chunks, almost as if in phases. Not sure what specifically would be causing this phenomenon. Another example is on the Opnsense Dashboard, there is a "Telemetry Status" widget for Proofpoint. Without Tunnel Broker, this widget updates immediately when accessing the Opnsense Dashboard page. However, with Tunnel Broker IPv6 active, this widget can take ~30 seconds to display.

Something that is interesting is that Fallout 76 takes MUCH longer to sign-in with Tunnel Broker than IPv4. "MUCH" meaning, click sign-in then go grab a snack from the kitchen. Fallout 76 may have signed in by the time you get back, assuming you took your time getting that snack. While IPv6 latency is higher, it still seems reasonable, so I'm not sure what is happening?

Pinging bethesda.net [2600:9000:2377:b600:2:82e9:3a00:93a1] with 32 bytes of data:
Reply from 2600:9000:2377:b600:2:82e9:3a00:93a1: time=30ms

Pinging bethesda.net [108.138.94.44] with 32 bytes of data:
Reply from 108.138.94.44: bytes=32 time=9ms TTL=248

While I can live with this Fallout 76 sign-in inconvenience, I have other family members that are annoyed. I have tried creating a Firewall - Rule that Rejects IPv6 traffic for the ports used by Fallout 76, hopefully forcing the game to IPv4, but this doesn't seem to have worked/made any difference. It could be there are other ports that Fallout 76 is using that I am unaware of. Once signed in, the game appears to run normally.

Thank you for reading this far. Any advice would be appreciated.
#70
Quote from: qpg on June 28, 2023, 05:18:20 PM
> I saw heavy presentation of CAPTCHAs a week or two ago when using Google search.

Google reCaptcha was also annoying on other websites with my HE tunnel, so not only Google websites are affected.