VOOZH about

URL: https://ipv6.he.net/certification/faq.php

⇱ Frequently Asked Questions

👁 Hurricane Electric Internet Services
Frequently Asked Questions

[Registration]

I've registered for your site and received my password via email but I cannot log into my account. Can you help me?

Please make sure your Internet browser is javascript enabled. Also, check your keyboard 'CapsLock' is not 'ON'. If the problem still exists, please send email to ipv6@he.net along with your account password.

I would like to change my account's email address. What should I do?

Please log into your account and click 'Update Info' which is located at the top left hand corner, in the 'Account Menu' box. There should be an option for changing the account email, next to the email address.

I would like to change my current password. What should I do?

Please log into your account and click 'Update Info' which is located at the top left hand corner, in the 'Account Menu' box. There should be an option for changing the password.

I forgot my account username. Is there a way to retrieve that?

Please visit http://ipv6.he.net/certification/forgot_password.php and enter your account email address. You will receive an email containing a link to set a new account password, along with your account username.

I forgot my account password. Is there a way to reset my password?

Please visit http://ipv6.he.net/certification/forgot_password.php and enter your account email address. You will receive an email containing a link to set a new account password.

I changed/lost my phone and no longer have my two-factor credentials. Is there a way to reset/remove them?

Once you have enabled two-factor authentication, you need those credentials or one of the backup codes on your account information page to get into your account. If you do not have the recovery information saved somewhere, there is no way back into the account without it.

I no longer need my certification account. How do I delete the account?

Under the Account Information page, there's an option to remove your account. Do note that removing your account removes all services associated with it, including any ac tive DNS zones.

[IPv6 Certification]

I was hoping to change my domain name that I submitted during the Enthusiast level. Can you help me?

Unfortunately, we don't allow the domain name to be changed once submitted. However, You can reset your certification level back to the 'Explorer' level. Simply log into your account and visit http://ipv6.he.net/certification/reset_explorer.php. Please remember that once you set back your certification level, you must retake all the certification tests.

If possible, could I have the certification test reset?

You can reset your certification level back to the 'Explorer' level. Simply log into your account and visit http://ipv6.he.net/certification/reset_explorer.php. Please remember that once you set back your certification level, you must retake all the certification tests

I am really lost. Do you have any video tutorials or a certification forum available?

Yes, we have video tutorials available for each certification test and a certification forum. You may also send email to

[Tunnel Broker]

I've tried to create a tunnel but did not succeed. Is there a basic guideline on how to set up a tunnel?

  1. Visit our tunnelbroker.net site and log in.
  2. Once you log into the site, click "Create Regular Tunnel" and provide your IPv4 endpoint address and choose a preferable tunnel server location. (Note: Your IPv4 endpoint address should be displayed on the tunnel creation page)
  3. After you successfully create a tunnel, visit your tunnel's detail page and choose your OS type to get example configuration commands.
  4. Use the commands to configure your machine. Please remember, you must have 'administrator' privilege to configure your machine.
  5. Once you configure your machine, please browse sites like http://ipv6.google.com or http://kame.net to test your IPv6 connectivity.

*Two important notes:
  1. Your IPv4 endpoint address must be reachable via ICMP ECHO_REQUEST (Internet Control Message Protocol).
  2. If you are using a NAT (Network Address Translation) appliance, please make sure it allows and forwards IP protocol 41.
What is IP Protocol 41?
IP Protocol 41 is one of the Internet Protocol numbers. Within the IPv4 header, the IPv4 Protocol field is set to 41 to indicate an encapsulated IPv6 packet.
**Useful references:
  1. Video Tutorials: http://ipv6.he.net/presentations.php
  2. Tunnel Broker Forums: http://tunnelbroker.net/forums/

I am confused. What is an IPv4 endpoint address?

An IPv4 endpoint address is the IPv4 address for the system you're planning on anchoring the tunnel on. If you're using the same system to configured the tunnel as you want to anchor it on, the IPv4 endpoint address would be the one displayed on the tunnel creation page.

My IPv4 endpoint address is dynamic. Can I still create a tunnel? If yes, what do I need to do when my IP address changes?

Yes, you can still create a tunnel even if you are using a dynamic IPv4 endpoint address. If your IPv4 endpoint address changes, you can either login to the tunnelbroker.net page and update your IPv4 endpoint address or use https://ipv4.tunnelbroker.net/nic/update which is designed to be used to update your IPv4 endpoint address.

While setting up a tunnel, I received an error saying "IPv4 endpoint is unreachable or unstable." What's wrong?

In order to create a 6in4 tunnel, your IPv4 endpoint must be reachable. Please go over your firewall settings and make sure external ICMP requests are allowed.

I'm trying to set up a tunnel to an IP behind a router providing NAT. Will this work?

In most cases, this configuration will not work. If the router is smart enough to recognize 6in4 traffic, it may. If it supports a full forwarding DMZ, it might. If it support forwarding traffic by protocol (not port!), it might.

My ISP uses CGNAT. Can I configure an IPv6 tunnel?

Such a configuration has all the above complications of NAT, in addition to no ability to adjust the CGNAT router. It's highly unlikely to work as CGNAT relies on TCP and UDP ports within normal IPv4 traffic for forwarding to the proper end-user, and CGNAT implementation usually do not have any knowledge of how to forward 6in4 traffic.

I have a router that doesn't support IP protocol 41. Is there any other way to set up a tunnel?

If possible, get a new router that supports (allows and forwards) IP protocol 41. Alternately, you can either put the host in a DMZ and secure it as best as you can, or bypass your router to set up a tunnel.

My system says the tunnel is up. Why isn't it working?

This is normal for any configured 6in4 tunnel. As the protocol has no underlying keep-alive or heartbeat mechanism, 'up' simply means your computer has an IPv4 route which may reach the remote side. It doesn't indicate if the remote side is reachable, configured, up, or the tunnel is functional.

How can I troubleshoot a tunnel then?

Because a tunnel is effectively throwing packets at the other side, without any signalling process for the tunnel mechanism itself, there's often not much to do aside from ensuring everything on your side you control will permit IP protocol 41 traffic in and out to the system you're anchoring the tunnel on. If you have a traceroute available on the system you're trying to anchor the tunnel on, and it support an option to specific the protocol the IPv4 trace packets are marked with, a trace to the tunnel server's IPv4 address with the protocol set to 41 can sometimes provide additional information.

I delegated reverse DNS to my own nameservers but it terminated at the he.net DNS servers rather than my delegated DNS servers. What am I doing wrong?

We don't delegate reverse DNS for the tunnel's Point-To-Point(PTP) /64. We delegate only to the routed /64 or /48s. Please make sure you are using the routed prefix(es), and not the PTP /64 in your rDNS entries.

I see you've added a new tunnel server. Can I move my tunnel to that one and keep my IPv6 addresses?

This is not possible. IPs are assigned to the specific tunnel server. The routing table growth from permitting IP portability between tunnel servers would not be feasible.

Why can I not connect to IRC?

Due to a high and persistent amount of abuse, we've had to filter IRC access by default. If you need IRC access, complete the Sage level of the free IPv6 certification and then please send an email to ipv6@he.net explaining your situation. Approvals will be handled on a case-by-case basis and will usually require completion of the Sage level of the IPv6 certification.

I can't send email via IPv6. What's wrong?

Due to a high and persistent amount of abuse, we had to filter SMTP (tcp/25) connections by default. If you're not providing email service yourself, you should be able to use port 587 instead to your provider's email server. If you are providing email services over your tunnel and need port 25 opened, please send an email to ipv6@he.net explaining your situation. We will normally require completion of the Sage level of the IPv6 certification prior to removing this filter. NOTE: this filtering does not affect the SMTP-related tests on the IPv6 certification program.

My IP is being geolocated to a location different from where I am. How can this be fixed?

IP addresses carry no inherent location data. Administrative databases such as WHOIS can provide some location context. However, most geolocation providers appear to use their own proprietary heuristics to attempt to determine an IP's location. Often these do not use WHOIS, or other location data available in public records. As such, the ability to correct these is often limited.