• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Cloudflare Blocked on Free Tunnels now?

Started by Napsterbater, December 04, 2017, 03:18:34 PM

Napsterbater

So I was investigating an issue with Cloudflare not being able to reach my origin servers via IPv6, for which I have a Hurricane Electric tunnel. The response I got from IPv6@he.net was that it is now blocked for free tunnels.

When was this change made? And I get this is a free service, but it seems odd that only Cloudflare is blocked and not hosting in general.

broquea


cholzhauer

This doesn't affect me, so I don't really care, but what's the reasoning behind it?

Napsterbater

Quote from: cholzhauer on December 04, 2017, 06:01:21 PM
This doesn't affect me, so I don't really care, but what's the reasoning behind it?
I'd like to know too, of course I am affected. But since they're not blocking hosting in general and only Cloudflare, if anything that increases the traffic, since Cloudflare caches anything or absorbs any DDoSes.

And again I do get it's a free service so I don't have too much to complain about but just curious.

broquea

We don't really discuss internal policy decisions.

divad27182

My main experience with Cloudflare is when somebody usurped my project's DNS and put Cloudflare in front of my machine. This: compromised security, compromised performance, compromised security, and made me unable to SSH to my machine. Cloudflare filled in dummy wildcard records based on an internet draft. At one point, a DNS lookup on a name got an A record and a CNAME record (but a cache might have been involved).

We are no longer using Cloudflare.

(I then tried Amazon's DNS. They don't do SOA serial numbers.)

JRMTL

Rec'd the same reply about Cloudflare being blocked. Spent days with Cloudflare support going over pcaps etc. It's a shame, as Cloudflare worked exceptionally well as an IPv4 to IPv6 proxy, but I can't blame HE as I suspect someone was abusing CF/HE. FWIW, last I checked alternate CF ports were still working, whether by design or they were missed by HE.

Napsterbater

Quote from: JRMTL on December 06, 2017, 01:54:33 PM
FWIW last I checked alternate CF ports were still working whether by design or they were missed by HE
Until now/soon I bet.

JRMTL

Lol. I thought about that before posting, but honestly if HE did miss those ports I would prefer they close them rather than taking even more aggressive actions if CF proxies are causing them technical or legal issues.

**edit I actually mentioned the unblocked ports to HE on Nov 8th.

Daniel15

Just noticed the same thing when I tried to configure an IPv6 tunnel for a site that uses Cloudflare (unfortunately, I have some servers in data centers that still don't offer native IPv6!). It would be good to document this more clearly on the tunnelbroker site.

jschv6

I agree that this should definitely be communicated more transparently somewhere on the tunnelbroker site.

I thought about setting up a RiotIM server on a raspberry. Because port 443 on my IPv4 (dynamic) IP is already taken, I planned to set it up using IPv6 only and use Cloudflare as an IPv4->IPv6 proxy.

If I hadn't browsed this forum for a totally different reason I surely would also have spent quite some time debugging this setup.

I can assume why you did this and can sympathize a bit with that. But please make it transparent to all users!