Hurricane Electric's IPv6 Tunnel Broker Forums

 91 
 on: February 09, 2021, 11:17:04 AM 
Started by garothor - Last post by heysoundude
I think this is something I need to know too:  I'm running unbound on my router, a (stupid fast) caching rDNS for my network, and I'm about to self-host a small website on it.  (the hosting account expired and the content is still germane).  I registered the domain with Icann on my own, so I was able to move it to HE's nameservers...

I just want to confirm - I need to set up DDNS on my router even though it's native IPv6 (because my ISP package gives me a non-static WAN IP) so that the A- and AAAA-records for the domain point to the right place consistently, right?

 92 
 on: February 05, 2021, 05:21:13 PM 
Started by KNBu5ZMdbR - Last post by dittman
From submitted tickets and internal tests, MTR/ping/traces show that packets are delivered to Yahoo nodes without loss. Native IPv6 is connecting without issue to service ports at the destination. Over tunneled connections, MTR works, however Yahoo is not responding at the service level regardless of MTU tuning. I've sent them an email detailing this, but since packets are clearly being delivered to their network, they've likely got some issues to sort out on their side.

If their users haven't already, I recommend also contacting them directly since this appears to be an issue with their service and not us delivering packets over the network.

I haven't had a problem with Yahoo lately, so perhaps they found the issue and have fixed it.

The problem is back for me as well.  I can ping, I just can't connect to any of their services.

 93 
 on: February 03, 2021, 12:18:20 PM 
Started by TrickyZerg - Last post by Zane Reick
It would be a good idea to just get a raspberry pi 4 and run pfSense on it, or really get any old system and run pfSense on it.

 94 
 on: February 03, 2021, 11:58:29 AM 
Started by matth1187 - Last post by Ofloo
Ever found out where to get one? I've had mine for about 11 years and wear is starting to show. And I want another one.

 95 
 on: February 03, 2021, 11:30:35 AM 
Started by bunxbun - Last post by Zane Reick
I'm not sure the support still exists. I'm 99% sure EVERYTHING on the back-end is 100% automated, and therefore there are no people to provide support.

 96 
 on: January 30, 2021, 04:49:04 PM 
Started by ivordurham - Last post by ivordurham
The cause was the load balancing configuration. The solution was to add a static route for the HE server network to use the interface for which HE had the public IP address:
set protocols static interface-route 72.52.104.0/24 next-hop-interface eth0

 97 
 on: January 30, 2021, 12:43:30 AM 
Started by nordmark - Last post by nordmark
Hello,

Traffic between sto1.he.net (supposedly in Stockholm, Sweden) and other hosts in Stockholm seems to take very long routes, bouncing across several European countries before finding its way back to Stockholm. This was not so in 2016, but may have started when sto1 went down (and was temporarily relocated to Germany?) a few years ago. This adds delays of several tens of milliseconds to tunnel traffic, which used to be in the order of 2ms.

The supplied traceroute output seems to indicate that only IPv4 out from sto1.he.net takes the expected direct route, whereas IPv4 in and all IPv6 traffic takes inefficient routes through twelve99.net.

Arne

----------------------------------------

IPv4 out from sto1 (using HE Looking Glass)

core1.sto1.he.net> traceroute 81.227.238.47  source 216.218.252.154 numeric
 
Tracing the route to IP node (81.227.238.47) from 1 to 30 hops

  1    49 ms   53 ms   52 ms 213.155.141.253
  2    95 ms   98 ms   95 ms 62.115.123.167
  3    96 ms   93 ms   97 ms 81.228.86.255
  4    94 ms   98 ms   99 ms 81.227.238.47

----------------------------------------

IPv4 into sto1

traceroute to tserv1.sto1.he.net (216.66.80.90), 30 hops max, 60 byte packets
 1  gw1-no264.tbcn.telia.com (213.64.65.1)  0.777 ms  0.797 ms  0.852 ms
 2  fre-peer4-link.se.telia.net (81.228.87.195)  0.901 ms fre-peer4-link.se.telia.net (81.228.86.27)  0.551 ms fre-peer4-link.se.telia.net (81.228.86.29)  0.868 ms
 3  s-b5-link.telia.net (62.115.123.166)  0.738 ms  0.756 ms  0.787 ms
 4  s-bb2-link.ip.twelve99.net (62.115.136.110)  23.882 ms s-bb3-link.ip.twelve99.net (62.115.142.216)  32.203 ms  32.238 ms
 5  hbg-bb3-link.ip.twelve99.net (80.91.249.8)  31.728 ms  31.382 ms hbg-bb4-link.ip.twelve99.net (62.115.115.58)  23.740 ms
 6  ldn-bb1-link.ip.twelve99.net (80.91.249.10)  28.132 ms  26.867 ms ldn-bb4-link.ip.twelve99.net (62.115.122.161)  23.854 ms
 7  ldn-b2-link.ip.twelve99.net (62.115.120.239)  23.994 ms  23.951 ms ldn-b2-link.ip.twelve99.net (62.115.122.189)  27.211 ms
 8  hurricane-svc072772-ic360371.c.telia.net (62.115.175.190)  27.760 ms  23.743 ms  26.933 ms
 9  100ge11-2.core1.lon2.he.net (184.104.195.109)  33.965 ms  30.955 ms  30.169 ms
10  100ge6-2.core1.ams1.he.net (72.52.92.214)  27.648 ms  27.612 ms  24.479 ms
11  100ge8-2.core1.sto1.he.net (184.105.65.126)  24.962 ms  27.181 ms  24.106 ms
12  tserv1.sto1.he.net (216.66.80.90)  24.966 ms  24.012 ms *

----------------------------------------

IPv6 out from sto1 (using HE Looking Glass)

core1.sto1.he.net> traceroute ipv6 2001:2002:51e3:ee2f::1  source 2001:470:0:10f::1 numeric
 
Tracing the route to IPv6 node 2001:2002:51e3:ee2f::1 from 1 to 30 hops

  1    17 ms   23 ms   24 ms 2001:470:0:3aa::1
  2    25 ms   24 ms   25 ms 2001:470:0:168::2
  3    30 ms   31 ms   36 ms 2001:2034:1:6b::1
  4    30 ms   32 ms   36 ms 2001:2034:1:75::1
  5    31 ms   38 ms   35 ms 2001:2034:0:b9::1
  6    31 ms   39 ms   33 ms 2001:2000:3080:11ce::2
  7    *       *       *     ?
  8    62 ms   51 ms   48 ms 2001:2000:4020:14::2
  9    42 ms   50 ms   43 ms 2001:2002:51e3:ee2f::1

----------------------------------------

IPv6 into sto1

traceroute to tserv1.sto1.he.net (2001:470:0:11e::2), 30 hops max, 80 byte packets
 1  * * *
 2  2001:2000:4020:14::1 (2001:2000:4020:14::1)  2.630 ms  2.801 ms  4.039 ms
 3  fre-peer4-v6.se.telia.net (2001:2000:4018:16a::1)  1.320 ms  1.012 ms  1.267 ms
 4  * * *
 5  s-bb3-v6.ip.twelve99.net (2001:2034:1:c3::1)  22.761 ms s-bb2-v6.ip.twelve99.net (2001:2034:1:c5::1)  22.865 ms  22.985 ms
 6  ffm-bb2-v6.ip.twelve99.net (2001:2034:1:6c::1)  21.617 ms  21.250 ms ffm-bb1-v6.ip.twelve99.net (2001:2034:1:6b::1)  23.776 ms
 7  ffm-b2-v6.ip.twelve99.net (2001:2034:0:13::1)  27.241 ms  24.923 ms  24.559 ms
 8  10gigabitethernet9.switch2.fra1.he.net (2001:470:0:168::1)  22.757 ms  24.242 ms  22.877 ms
 9  100ge12-1.core1.sto1.he.net (2001:470:0:3aa::2)  41.352 ms  39.780 ms  39.745 ms
10  tserv1.sto1.he.net (2001:470:0:11e::2)  41.354 ms  39.836 ms  39.838 ms
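A parser for traceroute output of the kind quoted above, added here as an illustration; it is not part of Arne's post or of any HE tooling. It reads the two "into sto1" traces from the post (embedded as sample input), collapses the per-probe responders of each line into one hop record, and reports (a) the sequence of networks the path crosses and (b) the hops at which the minimum RTT rises by more than a threshold. That turns "the traffic goes the long way round via twelve99.net" into a measured statement of where the extra latency is added. The `Hop` type, the function names and the 10 ms threshold are my own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample inputs: the "IPv4 into sto1" and "IPv6 into sto1" traces quoted in
# the post above, embedded verbatim so the script runs offline.
IPV4_IN = """\
traceroute to tserv1.sto1.he.net (216.66.80.90), 30 hops max, 60 byte packets
 1  gw1-no264.tbcn.telia.com (213.64.65.1)  0.777 ms  0.797 ms  0.852 ms
 2  fre-peer4-link.se.telia.net (81.228.87.195)  0.901 ms fre-peer4-link.se.telia.net (81.228.86.27)  0.551 ms fre-peer4-link.se.telia.net (81.228.86.29)  0.868 ms
 3  s-b5-link.telia.net (62.115.123.166)  0.738 ms  0.756 ms  0.787 ms
 4  s-bb2-link.ip.twelve99.net (62.115.136.110)  23.882 ms s-bb3-link.ip.twelve99.net (62.115.142.216)  32.203 ms  32.238 ms
 5  hbg-bb3-link.ip.twelve99.net (80.91.249.8)  31.728 ms  31.382 ms hbg-bb4-link.ip.twelve99.net (62.115.115.58)  23.740 ms
 6  ldn-bb1-link.ip.twelve99.net (80.91.249.10)  28.132 ms  26.867 ms ldn-bb4-link.ip.twelve99.net (62.115.122.161)  23.854 ms
 7  ldn-b2-link.ip.twelve99.net (62.115.120.239)  23.994 ms  23.951 ms ldn-b2-link.ip.twelve99.net (62.115.122.189)  27.211 ms
 8  hurricane-svc072772-ic360371.c.telia.net (62.115.175.190)  27.760 ms  23.743 ms  26.933 ms
 9  100ge11-2.core1.lon2.he.net (184.104.195.109)  33.965 ms  30.955 ms  30.169 ms
10  100ge6-2.core1.ams1.he.net (72.52.92.214)  27.648 ms  27.612 ms  24.479 ms
11  100ge8-2.core1.sto1.he.net (184.105.65.126)  24.962 ms  27.181 ms  24.106 ms
12  tserv1.sto1.he.net (216.66.80.90)  24.966 ms  24.012 ms *
"""
IPV6_IN = """\
traceroute to tserv1.sto1.he.net (2001:470:0:11e::2), 30 hops max, 80 byte packets
 1  * * *
 2  2001:2000:4020:14::1 (2001:2000:4020:14::1)  2.630 ms  2.801 ms  4.039 ms
 3  fre-peer4-v6.se.telia.net (2001:2000:4018:16a::1)  1.320 ms  1.012 ms  1.267 ms
 4  * * *
 5  s-bb3-v6.ip.twelve99.net (2001:2034:1:c3::1)  22.761 ms s-bb2-v6.ip.twelve99.net (2001:2034:1:c5::1)  22.865 ms  22.985 ms
 6  ffm-bb2-v6.ip.twelve99.net (2001:2034:1:6c::1)  21.617 ms  21.250 ms ffm-bb1-v6.ip.twelve99.net (2001:2034:1:6b::1)  23.776 ms
 7  ffm-b2-v6.ip.twelve99.net (2001:2034:0:13::1)  27.241 ms  24.923 ms  24.559 ms
 8  10gigabitethernet9.switch2.fra1.he.net (2001:470:0:168::1)  22.757 ms  24.242 ms  22.877 ms
 9  100ge12-1.core1.sto1.he.net (2001:470:0:3aa::2)  41.352 ms  39.780 ms  39.745 ms
10  tserv1.sto1.he.net (2001:470:0:11e::2)  41.354 ms  39.836 ms  39.838 ms
"""


@dataclass
class Hop:
    ttl: int
    hosts: List[str]              # distinct responders at this TTL (ECMP shows several)
    min_rtt_ms: Optional[float]   # None when every probe timed out ("* * *")


HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")              # "12  host (addr) ..."
HOST_RE = re.compile(r"(\S+)\s+\(([\d.:a-fA-F]+)\)")   # "name (address)"
RTT_RE = re.compile(r"([\d.]+)\s+ms")


def parse_traceroute(text: str) -> List[Hop]:
    """Collapse the per-probe responders and RTTs of each line into one Hop."""
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                      # header line
        ttl, rest = int(m.group(1)), m.group(2)
        hosts: List[str] = []
        for name, _addr in HOST_RE.findall(rest):
            if name not in hosts:
                hosts.append(name)
        rtts = [float(r) for r in RTT_RE.findall(rest)]
        hops.append(Hop(ttl, hosts, min(rtts) if rtts else None))
    return hops


def domain_of(host: str) -> str:
    """Network a responder belongs to: its last two labels, or the bare address."""
    if ":" in host or host.replace(".", "").isdigit():
        return host
    return ".".join(host.split(".")[-2:])


def transit_domains(hops: List[Hop]) -> List[str]:
    """Ordered list of distinct networks the path crosses."""
    seen: List[str] = []
    for hop in hops:
        for host in hop.hosts:
            if domain_of(host) not in seen:
                seen.append(domain_of(host))
    return seen


def latency_jumps(hops: List[Hop], threshold_ms: float = 10.0) -> List[Tuple[int, str, float]]:
    """(ttl, network, delta_ms) for hops whose min RTT rises by >= threshold
    over the previous answering hop; unanswered hops are skipped, not counted."""
    jumps: List[Tuple[int, str, float]] = []
    prev: Optional[float] = None
    for hop in hops:
        if hop.min_rtt_ms is None:
            continue
        if prev is not None and hop.min_rtt_ms - prev >= threshold_ms:
            where = domain_of(hop.hosts[0]) if hop.hosts else "?"
            jumps.append((hop.ttl, where, round(hop.min_rtt_ms - prev, 3)))
        prev = hop.min_rtt_ms
    return jumps


if __name__ == "__main__":
    for label, trace in (("IPv4 in", IPV4_IN), ("IPv6 in", IPV6_IN)):
        hops = parse_traceroute(trace)
        print(label, "->", " > ".join(transit_domains(hops)))
        for ttl, net, delta in latency_jumps(hops):
            print(f"  +{delta} ms at hop {ttl} ({net})")
```

On the IPv4 trace the only jump is at hop 4, where the path enters twelve99.net; on the IPv6 trace there is a second one at hop 9, the he.net leg from Frankfurt back to Stockholm, which is the detour the post describes.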

 98 
 on: January 29, 2021, 04:08:28 PM 
Started by KNBu5ZMdbR - Last post by JBDynamics
From submitted tickets and internal tests, MTR/ping/traces show that packets are delivered to Yahoo nodes without loss. Native IPv6 is connecting without issue to service ports at the destination. Over tunneled connections, MTR works, however Yahoo is not responding at the service level regardless of MTU tuning. I've sent them an email detailing this, but since packets are clearly being delivered to their network, they've likely got some issues to sort out on their side.

If their users haven't already, I recommend also contacting them directly since this appears to be an issue with their service and not us delivering packets over the network.

I haven't had a problem with Yahoo lately, so perhaps they found the issue and have fixed it.

I cannot connect to any Yahoo services over the HE tunnel for secure TCP on port 443 (https://www.yahoo.com, https://finance.yahoo.com). It seems like HE is blocking that traffic to Yahoo. My firewall isn't blocking the traffic, I have disabled IDS. I have an allow rule for all IPv4 and IPv6 traffic from the LAN to WAN and WANv6 for all ports and protocols. I have no entries of the traffic being blocked by my firewall. I have a 1480 MTU on the tunnel and my adapter interface is 1500. I can ping6 and traceroute6 the yahoo servers and I get echo replies and there is a route to the servers, but when I try to execute an HTTPS GET, the traffic is blocked.

I get a timeout for an https curl:

curl --verbose --verbose https://finance.yahoo.com
*   Trying 2001:4998:60:800::1106...
* TCP_NODELAY set
* Connected to finance.yahoo.com (2001:4998:60:800::1106) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* Operation timed out after 300341 milliseconds with 0 out of 0 bytes received
* Closing connection 0
curl: (28) Operation timed out after 300341 milliseconds with 0 out of 0 bytes received

However for http, I get a response which is an https redirect:

curl --verbose --verbose http://finance.yahoo.com
*   Trying 2001:4998:60:800::1105...
* TCP_NODELAY set
* Connected to finance.yahoo.com (2001:4998:60:800::1105) port 80 (#0)
> GET / HTTP/1.1
> Host: finance.yahoo.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Sat, 30 Jan 2021 00:01:17 GMT
< Server: ATS
< Cache-Control: no-store
< Content-Type: text/html
< Content-Language: en
< Content-Security-Policy: frame-ancestors 'self' https://*.techcrunch.com https://*.yahoo.com https://*.aol.com https://*.huffingtonpost.com https://*.oath.com https://*.search.yahoo.com https://*.search.aol.com https://*.search.huffpost.com https://*.verizonmedia.com https://*.publishing.oath.com https://*.autoblog.com; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox allow-presentation; report-uri https://csp.yahoo.com/beacon/csp?src=ats&site=finance&region=US&lang=en-US&device=desktop&yrid=5e5vlcdg198ed&partner=;
< Location: https://finance.yahoo.com/
< Content-Length: 8
< Referrer-Policy: no-referrer-when-downgrade
< Age: 0
< Connection: keep-alive
<
* Connection #0 to host finance.yahoo.com left intact
redirect* Closing connection 0

Doing it over IPv4 works just fine:

curl --verbose --verbose -4 https://finance.yahoo.com
*   Trying 69.147.92.11...
* TCP_NODELAY set
* Connected to finance.yahoo.com (69.147.92.11) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=Sunnyvale; O=Oath Inc; CN=*.yahoo.com
*  start date: Jan 14 00:00:00 2021 GMT
*  expire date: Mar  2 23:59:59 2021 GMT
*  subjectAltName: host "finance.yahoo.com" matched cert's "*.yahoo.com"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fe33c00d600)
> GET / HTTP/2
> Host: finance.yahoo.com
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< referrer-policy: no-referrer-when-downgrade
< strict-transport-security: max-age=15552000
< x-frame-options: SAMEORIGIN
< content-security-policy: sandbox allow-downloads allow-forms allow-modals allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox allow-top-navigation-by-user-activation allow-presentation; report-uri https://csp.yahoo.com/beacon/csp?src=yahoofinance; report-to csp-endpoint;
< report-to: {"group":"csp-endpoint","max-age":10886400,"endpoints":[{"url":"https://csp.yahoo.com/beacon/csp?src=yahoofinance"}]}
< content-type: text/html; charset=utf-8
< set-cookie: B=9723i9tg198op&b=3&s=uo; expires=Sat, 30-Jan-2022 00:06:49 GMT; path=/; domain=.yahoo.com
< date: Sat, 30 Jan 2021 00:06:49 GMT
< server: ATS
< cache-control: max-age=0, private
< expires: -1
< age: 0
< expect-ct: max-age=31536000, report-uri="http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only"
< x-xss-protection: 1; mode=block
< x-content-type-options: nosniff
...............
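A small triage helper for transcripts like the three above, added as an illustration; it is not from the post or from HE. It takes curl's verbose output and reports the last stage the connection reached (address family, TCP connected, ClientHello sent, ServerHello received, TLS established, HTTP status), so that "TCP connects and the ClientHello goes out but nothing comes back" is recorded as a fact rather than read off by eye. That pattern, with ICMP echo and port-80 HTTP both working, means the ServerHello/Certificate flight, the first full-size packets the server sends, is not arriving: a path MTU black hole on the encapsulated leg is the usual cause, and once MTU has been ruled out, as the poster says it has, what remains is filtering at the service or somewhere in between. The sample transcripts are abridged from the post; the stage names and the `explain` wording are my own.

```python
import re
from typing import Dict, Optional

# Sample inputs, abridged from the three curl transcripts quoted in the post above.
TUNNEL_HTTPS = """\
*   Trying 2001:4998:60:800::1106...
* Connected to finance.yahoo.com (2001:4998:60:800::1106) port 443 (#0)
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* Operation timed out after 300341 milliseconds with 0 out of 0 bytes received
curl: (28) Operation timed out after 300341 milliseconds with 0 out of 0 bytes received
"""
TUNNEL_HTTP = """\
*   Trying 2001:4998:60:800::1105...
* Connected to finance.yahoo.com (2001:4998:60:800::1105) port 80 (#0)
> GET / HTTP/1.1
< HTTP/1.1 301 Moved Permanently
< Location: https://finance.yahoo.com/
"""
IPV4_HTTPS = """\
*   Trying 69.147.92.11...
* Connected to finance.yahoo.com (69.147.92.11) port 443 (#0)
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
> GET / HTTP/2
< HTTP/2 200
"""

# Stages in the order curl passes through them; a transcript's result is the
# furthest one whose marker appears (plain HTTP skips the TLS stages).
STAGES = [
    ("connecting", re.compile(r"^\*\s+Trying\s")),
    ("tcp_connected", re.compile(r"^\* Connected to ")),
    ("client_hello_sent", re.compile(r"TLS handshake, Client hello")),
    ("server_hello_received", re.compile(r"TLS handshake, Server hello")),
    ("tls_established", re.compile(r"^\* SSL connection using ")),
    ("http_response", re.compile(r"^< HTTP/\S+ (\d{3})")),
]
TRYING_RE = re.compile(r"^\*\s+Trying\s+(\S+?)\.\.\.")


def classify_curl(transcript: str) -> Dict[str, Optional[object]]:
    """Reduce a `curl --verbose` transcript to the furthest stage reached."""
    result: Dict[str, Optional[object]] = {
        "family": None, "stage": None, "timed_out": False, "http_status": None, "tls": None,
    }
    furthest = -1
    for line in transcript.splitlines():
        m = TRYING_RE.match(line)
        if m:
            result["family"] = "ipv6" if ":" in m.group(1) else "ipv4"
        for idx, (name, pattern) in enumerate(STAGES):
            hit = pattern.search(line)
            if not hit:
                continue
            if idx > furthest:
                furthest, result["stage"] = idx, name
            if name == "http_response":
                result["http_status"] = int(hit.group(1))
        if "SSL connection using" in line:
            result["tls"] = line.split("using", 1)[1].strip()
        if "Operation timed out" in line:
            result["timed_out"] = True
    return result


def explain(result: Dict[str, Optional[object]]) -> str:
    """Plain-language reading of where the connection stalled."""
    stage = result["stage"]
    if stage == "http_response":
        return f"ok: HTTP {result['http_status']} over {result['family']}"
    if stage == "client_hello_sent" and result["timed_out"]:
        return ("stalled after ClientHello: TCP handshake completed, but the server's "
                "ServerHello/Certificate flight (the first full-size packets it sends) "
                "never arrived; check path MTU on the encapsulated leg, then filtering")
    if stage == "tcp_connected":
        return "TCP connected but no application data was exchanged"
    return f"stalled at {stage}"


if __name__ == "__main__":
    for label, text in (("tunnel https", TUNNEL_HTTPS), ("tunnel http", TUNNEL_HTTP),
                        ("ipv4 https", IPV4_HTTPS)):
        print(f"{label}: {explain(classify_curl(text))}")
```

Feed it the full transcripts rather than the abridged ones and the result is the same; only the marker lines matter.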

 99 
 on: January 28, 2021, 09:06:02 AM 
Started by ivordurham - Last post by ivordurham
Since I originally set up our HE IPv6 tunnel (not actually used much yet), we added a second broadband service and configured our EdgeRouter X for load balancing. The second service is somewhat faster than the first so I wanted to explore moving the HE tunnel from eth0 to eth1. Before making any changes I double-checked the tunnel from the router's CLI and found "ping6 google.com" not responding. I'm assuming ping from the CLI is outside the firewall. The router dashboard says the tunnel is "Connected" and shows traffic being transmitted, but nothing being received. "show interfaces tunnel tun0 brief" shows state/link as u/u. "show interfaces tunnel tun0" does show RX > 6M packets received, but that number is now static while the TX numbers are increasing. I tried "show interfaces tunnel tun0 capture" and see only outbound packets. The router uptime is "3 months 4 weeks 1 day" as I type, so receiving packets must have stopped during those ~4 months. I don't know if adding the second connection on eth1 affected the tunnel through eth0, but that's the only change in the interim I believe. I'm currently stumped. I've attached our (redacted) configuration in the hope someone can offer a hint on how to further diagnose or correct why incoming packets on the HE tunnel are not being received. Thanks in advance.
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group PRIVATE_NETS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-name IPv6-FW {
        default-action drop
        description "IPv6 Firewall"
        rule 10 {
            action accept
            log disable
            protocol icmpv6
        }
        rule 20 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    modify balance {
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            modify {
                table main
            }
        }
        rule 30 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        }
        rule 70 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
   ... BEGIN PORT FORWARDING RULES LIKE:
        rule NN {
            action accept
            description "DESCRIPTION"
            destination {
                address 192.168.1.XXX
                port YY
            }
            log disable
            protocol tcp
        }
   ... END PORT FORWARDING RULES ...
        rule 90 {
            action accept
            description "Encapsulated IPv6 Packets"
            log disable
            protocol 41
        }
        rule 110 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "ICMP to Router"
            log disable
            protocol icmp
            state {
                established enable
                invalid disable
                new enable
                related disable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            mss 1420
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address yyy.yyy.yyy.85/28
        description WAN
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description "WAN 2"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        duplex auto
        speed auto
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    ethernet eth4 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.1.1/24
        address xxxx:xxxx:1f05:xxxx::1/64
        description Local
        firewall {
            in {
                modify balance
            }
        }
        ipv6 {
            dup-addr-detect-transmits 1
            router-advert {
                cur-hop-limit 64
                link-mtu 1420
                managed-flag false
                max-interval 600
                name-server 2001:4860:4860::8888
                other-config-flag false
                prefix xxxx:xxxx:1f05:xxxx::/64 {
                    autonomous-flag true
                    on-link-flag true
                    valid-lifetime 2592000
                }
                radvd-options "RDNSS xxxx:xxxx:1f04:xxxx::2 {};"
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
        mtu 1500
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
    tunnel tun0 {
        address xxxx:xxxx:1f04:xxxx::2/64
        description "HE IPv6 Tunnel"
        encapsulation sit
        firewall {
            in {
                ipv6-name IPv6-FW
            }
            local {
                ipv6-name IPv6-FW
            }
        }
        local-ip yyy.yyy.yyy.85
        multicast disable
        remote-ip 72.52.104.74
        ttl 255
    }
}
load-balance {
    group G {
        interface eth0 {
        }
        interface eth1 {
        }
        lb-local enable
        lb-local-metric-change disable
        sticky {
            dest-addr disable
            dest-port disable
            proto disable
            source-addr enable
            source-port disable
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    wan-interface eth0
}
protocols {
    static {
        interface-route6 ::/0 {
            next-hop-interface tun0 {
            }
        }
        route 0.0.0.0/0 {
            next-hop yyy.yyy.yyy.81 {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                dns-server 8.8.8.8
                lease 86400
                start 192.168.1.100 {
                    stop 192.168.1.199
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dhcpv6-server {
    }
    dns {
        dynamic {
            interface eth0 {
                service dyndns {
                    host-name tunnelTTTTTT.tunnel.tserv3.fmt2.ipv6.he.net
                    login OURHELOGIN
                    password OURHEUPDATEKEY
                    server ipv4.tunnelbroker.net
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        ... IPv4 PORT FORWARDING RULES ...


        rule 5000 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5002 {
            description "masquerade for WAN 2"
            outbound-interface eth1
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name TheCatHouse
    login {
        user admin {
            authentication {
                encrypted-password ENCRYPTEDPASSWORD
            }
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat enable
        ipsec disable
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Los_Angeles
    traffic-analysis {
        dpi enable
        export enable
    }
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.10.11.5274269.200221.1028 */
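Post 96 above gives the cause (the load-balancing configuration) and the fix (a static interface-route for HE's 72.52.104.0/24 via eth0). A check that makes the failure visible before the fix, added here as an illustration and not part of either post or of EdgeOS: with `lb-local enable` in the config, locally generated traffic is subject to the balancer too, so one way this goes wrong is that the tunnel's protocol-41 packets for 72.52.104.74 leave via eth1 and are masqueraded by rule 5002 to eth1's address, which is not the endpoint HE has on record for the tunnel, so nothing comes back (TX rises, RX stays flat, exactly what the poster saw). The script compares the interface and source address the kernel selects for the tunnel's remote-ip (`ip route get`) with the interface that owns the tunnel's local-ip (`ip -o -4 addr show`). The sample command output is constructed and abridged, with documentation addresses (192.0.2.0/24, 198.51.100.0/24) standing in for the redacted yyy addresses; `live_check` runs the same two iproute2 commands on a Linux-based router such as EdgeOS.

```python
import re
import subprocess
from typing import Dict, List, Optional, Tuple

HE_REMOTE_IP = "72.52.104.74"   # remote-ip of tun0 in the config above

# Constructed, abridged sample of `ip -o -4 addr show` on a router with two
# WAN interfaces; documentation addresses stand in for the redacted ones.
ADDR_SHOW = """\
2: eth0    inet 192.0.2.85/28 brd 192.0.2.95 scope global eth0
3: eth1    inet 198.51.100.20/24 brd 198.51.100.255 scope global dynamic eth1
4: switch0    inet 192.168.1.1/24 brd 192.168.1.255 scope global switch0
"""
# Constructed `ip route get 72.52.104.74` output: the balancer sending the
# tunnel's outer packets out of eth1 (broken), and the same lookup after the
# static route from post 96 pins them to eth0 (fixed).
ROUTE_VIA_ETH1 = "72.52.104.74 via 198.51.100.1 dev eth1 src 198.51.100.20 uid 0\n    cache"
ROUTE_VIA_ETH0 = "72.52.104.74 via 192.0.2.81 dev eth0 src 192.0.2.85 uid 0\n    cache"


def parse_addr_show(text: str) -> Dict[str, str]:
    """Map each interface to its first IPv4 address from `ip -o -4 addr show` lines."""
    owners: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\d+:\s+(\S+)\s+inet\s+([\d.]+)/\d+", line)
        if m:
            owners.setdefault(m.group(1), m.group(2))
    return owners


def parse_route_get(text: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (dev, src) from `ip route get <dst>` output."""
    dev = re.search(r"\bdev\s+(\S+)", text)
    src = re.search(r"\bsrc\s+([\d.]+)", text)
    return (dev.group(1) if dev else None, src.group(1) if src else None)


def check_tunnel_egress(local_ip: str, addr_show: str, route_get: str) -> Dict[str, object]:
    """Does the route to the tunnel endpoint leave via the interface that owns
    local-ip, with local-ip as source? Anything else means the outer packets
    either carry the wrong source or get masqueraded on the other WAN."""
    owners = parse_addr_show(addr_show)
    expected_dev = next((ifc for ifc, ip in owners.items() if ip == local_ip), None)
    dev, src = parse_route_get(route_get)
    problems: List[str] = []
    if expected_dev is None:
        problems.append(f"no interface holds local-ip {local_ip}")
    elif dev != expected_dev:
        problems.append(f"endpoint route leaves via {dev}, tunnel local-ip is on {expected_dev}")
    if src != local_ip:
        problems.append(f"kernel picks source {src}, tunnel expects {local_ip}")
    return {"expected_dev": expected_dev, "route_dev": dev, "route_src": src,
            "ok": not problems, "problems": problems}


def live_check(local_ip: str, remote_ip: str = HE_REMOTE_IP) -> Dict[str, object]:
    """Same check against the running router (needs iproute2; not used by the sample run)."""
    addr = subprocess.run(["ip", "-o", "-4", "addr", "show"],
                          capture_output=True, text=True, check=True).stdout
    route = subprocess.run(["ip", "route", "get", remote_ip],
                           capture_output=True, text=True, check=True).stdout
    return check_tunnel_egress(local_ip, addr, route)


if __name__ == "__main__":
    for label, out in (("before fix", ROUTE_VIA_ETH1), ("after fix", ROUTE_VIA_ETH0)):
        r = check_tunnel_egress("192.0.2.85", ADDR_SHOW, out)
        print(label + ":", "OK" if r["ok"] else "; ".join(r["problems"]))
```

On the router itself, `live_check("yyy.yyy.yyy.85")` with the real local-ip gives the same answer against the running routing table; a mismatch on `route_dev` is the condition the static route in post 96 corrects.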

 100 
 on: January 26, 2021, 03:46:24 AM 
Started by mennig - Last post by tomkep
I think the point is that it is listed on https://tunnelbroker.net/ when you are not logged in:

Quote
Ability to create your tunnel on geographically diverse tunnel-servers (Dubai, Sydney, Ashburn, Calgary, Chicago, Dallas, Denver, Fremont, Honolulu, Kansas City, Los Angeles, Miami, New York, New York, Palo Alto, Phoenix, San Jose, Seattle, Toronto, Winnipeg, Amsterdam, Berlin, Budapest, Düsseldorf, Frankfurt, Lisbon, London, Paris, Prague, Stockholm, Warsaw, Zurich, Hong Kong, Singapore, Tokyo, Bogota, Djibouti City, and Johannesburg)

but is not present on https://tunnelbroker.net/new_tunnel.php page after logging in.
