HE Tunnelbroker
-
Sorry if this is a bit off topic, but I know that there are people here who are very knowledgeable about the service.
I was considering signing up for an HE IPv6 tunnel which from what I have heard appears to work well with pfSense.
A couple of questions:
-
How reliable is the service.
-
How identifiable is the IP address to corporate interests/ad trackers etc.? Is it a bit like being on akamai or cloudflare that the entry behind the service isn't easily obtainable short of court order?
-
What if any is the implication of 'Account Name' when signing up. Is this "just a user id to log in", or does it appear in public like a subdomain?
-
I notice that they also offer DNS hosting. Any thoughts about using/not using it, or if Cloudflare is better?
Any input would be much appreciated.
If you find my post useful, please give it a thumbs up!
pfSense 2.7.2-RELEASE -
-
Hurricane Electric tunnels are great for many things. But one thing that definitely will break is probably any kind of streaming (Netflix, Hulu, etc.). That's because nearly all the major streaming services have "blacklisted" Hurricane Electric's IP subnets and classified them as "VPNs". They do this because your geographical location will not match up with the HE tunnel broker network portal where your IPv6 traffic routes to/from.
It does not mean HE is bad nor does it mean the streamers are evil. It's just a consequence of movie licenses that give the streamers rights in some countries but not others. If they do not make a good faith effort to enforce the terms of the licenses they have by making sure their subscribers watching a given movie are in a country where that content is licensed, then the streamers can themselves be held legally liable. Thus the blacklisting of VPN services and tunnel brokers like HE.
So, depending upon your desired use case, HE can be a great way to have an IPv6 connection when your ISP does not offer one natively. But just be aware that some popular Internet services (such as streaming) may not work well over an HE IPv6 tunnel. There are some complicated solutions involving specific
unboundconfigurations in pfSense to work around the problem. Essentially you configureunboundto never reply with an IPv6 AAAA record when queried for certain domains. A forum search here will reveal many threads on that topic. -
@bmeeks said in HE Tunnelbroker:
Hurricane Electric tunnels are great for many things. But one thing that definitely will break is probably any kind of streaming (Netflix, Hulu, etc.). That's because nearly all the major streaming services have "blacklisted" Hurricane Electric's IP subnets and classified them as "VPNs". They do this because your geographical location will not match up with the HE tunnel broker network portal where your IPv6 traffic routes to/from.
It does not mean HE is bad nor does it mean the streamers are evil. It's just a consequence of movie licenses that give the streamers rights in some countries but not others. If they do not make a good faith effort to enforce the terms of the licenses they have by making sure their subscribers watching a given movie are in a country where that content is licensed, then the streamers can themselves be held legally liable. Thus the blacklisting of VPN services and tunnel brokers like HE.
So, depending upon your desired use case, HE can be a great way to have an IPv6 connection when your ISP does not offer one natively. But just be aware that some popular Internet services (such as streaming) may not work well over an HE IPv6 tunnel. There are some complicated solutions involving specific
unboundconfigurations in pfSense to work around the problem. Essentially you configureunboundto never reply with an IPv6 AAAA record when queried for certain domains. A forum search here will reveal many threads on that topic.@bmeeks Thanks for the detailed reply.
I'm not sure what you mean by:
There are some complicated solutions involving specificunboundconfigurations in pfSense to work around the problem. Essentially you configureunboundto never reply with an IPv6 AAAA record when queried for certain domains. A forum search here will reveal many threads on that topic.
Are you referring to the issue of being blacklisted by certain streaming/other services?My actual use case is just to have another IP to use for general surfing. For example, in some cases I with tether to my phone since I end up on a general use IP address. The endpoint isn't going to know who I am unless I tell them or they can successfully fingerprint the device I am using.
Do you use HE? Any thoughts about the questions I asked in the OP?
-
@guardian said in HE Tunnelbroker:
There are some complicated solutions involving specific unbound configurations in pfSense to work around the problem. Essentially you configure unbound to never reply with an IPv6 AAAA record when queried for certain domains. A forum search here will reveal many threads on that topic.
Are you referring to the issue of being blacklisted by certain streaming/other services?Your network devices, pfSense, and everybody out there prefers to uses IPv6 if it is available.
Now, replace "Hurricane Electric tunnels IPv6" by any "commercial VPN" available out there.
That is is the issue."Hurricane Electric tunnels IPv6" uses many POPs : Tunnel Server Status
So, me, located in France, could use a POP of he.net based in New York, and now Netflix 'sees' my US IPv6 based, so I can have see the latest Walking Dead, which is not available for me in France, when I'm using my french based IPv4.
The solution, for you, is : when you - that is, some device in your local network, wants to resolve netflix.com, this device will ask for a AAAA first, and use it if it exists.
If the netflix.com AAAA can not be obtained, the device, the netflix player, will fall back to the good old IPv4 : the A record. That one will resolve : you'll be contacting netflix.com over IPv4 ; every thing goes well : you see your movie.You do this like this :
Install pfBlockerng.Then :
Activate the "no AAAA" check box.
Add "netflix.com" to the list.From now on, when one of your devices asked pfSense for the AAAA of netflix.com, pfSense will say "noop".
So the device will ask for a A : and that will work.@guardian said in HE Tunnelbroker:
My actual use case is just to have another IP ....
"Hurricane Electric tunnels IPv6" is a special case.
Every ISP on planet earth should offer their clients two IPs (to say it simple) : one IPv4 and a IPv6.
The thing is :
Some ISPs don't know what IPv6 is.
-> Not a big issue, as most of the public "Internet" resources work well with 'only' IPv4 available.
Some ISPs implement IPv6 the wrong way.
-> This is seen more often.
Some ISPs just don't have the money to buy IPv4 for their clients (there are no free available ones left since years).
-> These ISPs incorporate a "AAAA to A converter". Not always transparent.
So things are a bit messy.Btw : typically, an ISP that reserves an IPv6 for you does a bit mor then that : it reserves should reserve a /48 for you.
To write that out un full :2001:abcd:efgh:0: 0:0:0:0to
2001:abcd:efgh:ffff:ffff:ffff:ffff:ffffThat is 65535 blocks (prefixes) of /64 where a /64 is 2^64 IPv6 addresses => 65535 x 18 446 744 073 709 551 616 ( so ffff hex x ffffffffffffffff hex or 1 208 907 372 870 555 465 154 560 IPv6 addresses just for you @home.
This type of address management has to be supported by your ISP router, and pfSense as your using that router (also).
Your iMac, iPhone and Microsoft based PC, or Linux device, are already handling this just fine for many years now.Some ISP reserve just a /56 for you, and some just have a very broken /64 for you (plain bad).
You should read this IPv6 Certification.
Follow their advise : take the free training course. It's worth it and you'll have a surprise at the end.See it like this : have the biggest and only world's network rule you,
Or change all that, and you rule the network.
Take your pick.
( don't be alarmed : we are all always part of the two concepts )You've decide to do some network ruling, as you installed pfSense. Finish the story.
Get acquainted with IPv4, so you can talk to your kids latter on how 'we' managed to do thing on a planet level with just 4 wadded numbers aka IPv4, as it will be gone in a decade or two (not that it wasn't any good, but it will be to expensive to maintain it).
Learn IPv6. You'll be needing it. You ill be able to "tell people how things are done instead of "being told and understand nearly half it". And while understanding things, you can forget about them, and pass on to more, real, important things ^^How reliable is the service.
Very.
POPs can go down ones in awhile. That's actually scarry, because how do you ask HE to "repair" their free service ?
If there is an issue, they have tjeir support channel, a forum. They are reactive.
But : only to 'real' questions'@guardian said in HE Tunnelbroker:
How identifiable is the IP address to corporate interests/ad trackers etc.? Is it a bit like being on akamai or cloudflare that the entry behind the service isn't easily obtainable short of court order?
Unidentified Internet usage doesn't exist.
It is created for the ... how should I call them : the "ignorant ones", and then there is the commercial side of it (fear always gets exploited) as it is always a good plan to make people understand that they have a problem, then propose a solution for a small fee, and everybody is happy.he.net actually owns a big part of world's entire Internet backbone.
See here.
You might say they are the Internet.[https://www.tunnelbroker.net/](link url) offers a very important possibility : you can revers PTR your IPv6 addresses !
If you want to use their IPv6 for a mail server, this is a must have ( !! ) as all big mail hosters like gmail, hotmail, etc etc do not accept mail from your server (over IPv) if the PTS isn't set right.
So : your mails server MX : mail.your-server.tld points to 2001
efgh:1:2:3:4:5 points mail.your-server.tld
Sending mail from an unidentified (unknown) IP address is equivalent to say the the recipient : "got some garbage for you - shall I /null it or will you do it for me ?"@guardian said in HE Tunnelbroker:
What if any is the implication of 'Account Name' when signing up. Is this "just a user id to log in", or does it appear in public like a subdomain?
Just an account ID.
For what it's worth : the mail address I used with their account never (over 10 years) received one spam mail.@guardian said in HE Tunnelbroker:
I notice that they also offer DNS hosting. Any thoughts about using/not using it, or if Cloudflare is better?
Never used these services.
Not for privacy reasons, more for practical reasons, and because wanted to understand what needs to be done to make things work, I deal with my own DNS (domain names servers) myself.@guardian said in HE Tunnelbroker:
or if Cloudflare is better?
Cloudflare ?
pfSense doesn't need "Cloudflare", or the Google DNS, or any other "commercially available" public resolver. Why would you give your DNS traffic to these guys ?
Take my word for it, or better, fact check yourself : Netgate never said you needed an external resolver for the pfSense (DNS) set up.
pfSense uses a build resolver. Cloudflare uses/is a resolver. -
@guardian said in HE Tunnelbroker:
-
my entry point is Switzerland and it is reliable
but the most important thing of all is that they give you a t-shirt if you became a SAGE -
idk but i think you need a court order ..
but the most important thing of all is that they give you a t-shirt if you became a SAGE -
it's just a user id to log in
but the most important thing of all is that they give you a t-shirt if you became a SAGE -
idk, but i'm using the free rDNS for my email server
but the most important thing of all is that they give you a t-shirt if you became a SAGE
You'll take care of all the technical part later, all the answers are available here in the forum, but for now go get that damned t-shirt
̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
Please do not use chat/PM to ask for help
we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
Don't forget to Upvote with the 👍 button for any post you find to be helpful. -
-
@kiokoman said in HE Tunnelbroker:
.... they give you a t-shirt if you became a SAGE
Yep, that was the surprise ^^
I wasn't actually sure they would actually do that, but I received mine.
But, now I'm thinking about it .... they wanted to fill in my postal addresses - so they know where I live ...
Never saw any black helicopters, neither black vans in front of my door, that's true.It's not really a free gift.
You have to do something for it, mostly by clicking on a mouse, and typing some stuff. Activating some neurons in your head, etc.
This was know before as "taken an exam" : showing that you can manage the stuff they give you.
The advantage for them : no need to support the unsupportable, so they can expose their services for free. -
The other replies here have, I believe, answered your question. My remark about special configurations for
unboundis what @Gertjan described. You basically have to configure the local DNS so that any network device asking for one of the popular streaming platforms IP address is directed to IPv4 and never IPv6. If it finds and uses the IPv6 address for the streaming platform, it is higly likely the IPv6 address will be flagged by the streamer and you will get a warning message about VPN use and denied access since it will be an HE-assigned address block. -
@kiokoman said in HE Tunnelbroker:
but the most important thing of all is that they give you a t-shirt if you became a SAGE
That's certainly sage advice!
