Project Members – Network Related
Last Updated: August 26th, 2024
Do I need IPv4 or IPv6 to connect to your network?
You can connect to our network using either protocol. We fully support both for our WireGuard profiles and all routers will respond to connections from either protocol as long as your profile is valid.
I tried both protocols and cannot connect, help!
There have been some issues with a very few ISPs and some locations such as universities or public cafes that do not allow UDP connections. Unfortunately, WireGuard makes use of UDP connections to work. While there are work arounds to this problem, we choose not to deploy them except in very specific situations because of the advanced configuration that doing so requires. (Usually involves tunneling the UDP traffic inside of TCP and takes a performance hit or making OVPN look like HTTPS traffic, which has problems on its own.)
The second scenario where connections sometimes fail is when there is an MTU problem with one of the networks that our project’s data may flow over. By default, we run an MTU of 1365 for all external facing interfaces that our project members or end users would connect to. If you find that you are having connection stability problems, reach out to our support desk and ask for the MTU of your endpoints to be adjusted down to 1280.
I loaded my profile in two places and nothing is working!
Please, do not do this. It confuses our routers and only leads to frustration for you as the end user. Reach out to support and describe your network setup and let them know how many profiles you actually need. Our support will work with you to get things setup properly.
Are your IPv6 addresses on the public internet?
Yes. If your request for service gets approved, we will assign you a publicly routable IPv6 address. There is a small catch though: While you can get your homelab or device onto the public IPv6 internet, there are some systems and networks that do not like our upstreamās ASN. Most things should work, but you may run into issues for certain websites and games. This is nothing we can do about it short of getting our own ASN and netblock, which isnāt cheap or easy for our project to do at this time.
Do I have to get IPv4 access with my IPv6 request?
Not at all, in fact that is the default configuration for approved service request. IPv6 is our core focus, with IPv4 just being an after thought. So no, unless you ask for IPv4 access, it will not be enabled by default.
Are your IPv4 addresses on the public internet?
Yes, on the WAN side. If you do request IPv4 service along with your IPv6 request, you will receive a NATād IPv4 address in the 10.0.x.x range. This is provided as an option for convenience and is not the focus of our project. Side note, if you want us to port forward something to your NATād address, let us know what port and why. We will get back to you when we have a moment.
Can I get just NAT’d IPv4 Service?
No, IPv4 is not the focus of our project. Without having IPv6 service in place from us, you will not get IPv4 service by itself. If you come across a project member or end user who states they are mainly using IPv4 from us, do note that they also have a /127 direct or a /127 with a routed /64 attached to their account. We do not service IPv4 by itself and probably never will, IPv4 service must be bundled with IPv6 service.
Do you own your address space?
No, we donāt have that kind of funding. Our address space for both IPv4 and IPv6 comes from our upstream providers. Due to record keeping, however, sometimes our IP ranges will show either our
upstreamās information or āMarbled Fennec Networks.ā
When requesting IPv6 service from you, what subnet ranges are usable?
Our upstream gives us access to the network ‘2604:4300:f03::/48’ and most of our routing gear, services and project members get serviced from their subnet. We also lease the network ‘2602:f992:f3::/48’ from an LIR in the US. Project members requesting service(s) from us can ask to have a /64 routed to them from either of our pools with the understanding that the LIR pool does not support PTR records.
When requesting IPv6 service from you, who actually services the network?
We have been asked this a few times now. Marbled Fennec Networks handles the public facing services of the project and FurrIX is responsible for the actual network operations. When you request service from us, you will interact with the volunteers at Marbled Fennec Networks, who will then put your request with the appropriate details through to the volunteers over at FurrIX.
Why are there bandwidth limits on your routers?
Our physical host features a 1Gbps link between our server and the data center. To make an attempt to prevent accidental network saturation, we place hard limits on each of our routers that should keep any one router from crashing the network. For our shared routers the limit is currently 350Mbps download and 175Mbps upload shared between all connected users to a specific router. For our end users making use of VM hosting with us, the CX router is limited to 250Mbps shared in both directions.
What do you mean by āsharedā bandwidth?
All project members connected to one of our routers will share the bandwidth on that router with all other members who are currently connected to that router. We run the project to get our members connected to the greater IPv6 internet as well as to enable them to host things in their homelabs in situations where their ISP does not make it easy or possible to do so, not to replace their ISP. For cost and practical reasons, we cannot provide every member with line speed; therefor we set what we determine to be reasonable limitations to allow everyone fair use of the network. Additionally, our routers use QoS systems to try and keep the total load balanced and latency acceptable.
When connected to your network, I cannot browse certain sites/servicesā¦
Just an unfortunate fact of being on the internet and using our network ranges. Some overzealous network and system admins out there automatically deem data center IP ranges to be a threat to their network or services; and as such, they block our network from accessing theirs. The only thing we can advise in this situation is that you access those services or sites outside of our network or that you seek out other services or sites that do not practice such blocking. Blanket blocking isnāt offering much for for security and these guys are catching legitimate traffic in their nonsense, as well as breaking parts of the internet with their actions.
When connected to you network, I sometimes see various DNS servers answering my queries…what’s up with that? How are you handling DNS?
Around July 5th, 2024 Marbled Fennec Networks started taking the OpenNIC compatible DNS server that was being hosted on our network a little more serious than just as another neat toy. We started looking into how it was performing across our network and decided to take the leap of making the server a core part of our network. As of July 7th, 2024 the server ‘dns.marbledfennec.net’ gained a slave server known as ‘dns2.marbledfennec.net’ and they now handle all DNS lookups for our routers, VMs, servers, project members and end users on our network.
These name servers are able to be used by the general public and provide DNS over HTTPS and DNS over TLS, as well as answer to a few different ports in addition to the standard port 53.
As of July 29th, 2024 we have disabled Unbound on all our of routers. The network has been reconfigured to use our name servers directly. Project members and end users were also emailed with the changes they need to make to their connection profiles in order to keep performing DNS queries over our network. Before the above changes were made, every router on the network simply forwarded all DNS queries to our IPv6 edge router, ipv6.furrix.zone. This behavior has been changed in favor of having dedicated name servers and cutting down on duplicate code running on our virtual machines.
Okay, but I don’t like the idea of using your name servers or OpenNIC’s for that matter…
Okay, that is your choice. If you do not want us processing DNS queries for you, you may modify your connection profile to be a split tunnel and exclude your DNS server of choice from the tunnel. This will keep your name traffic outside of our servers and network. To be honest with you, at the end of the day..our team just isn’t interested in where you went or why you went there as long as we don’t receive complaints about your traffic. Most people who ask this question are coming from a point of privacy but seem to miss the mark of we can still see where you sent traffic to without seeing your DNS queries. Just the nature of computer networking.
I saw a few different domains servicing your project, why is that?
Our team maintains two different namespaces for the project. ‘marbledfennec.net’ is the public facing website and is where we post updates, policies and interact with our project members and end users. ‘fenfox.run’ was the namespace that all of our routing gear resided within, but as July 31, 2024, that namespace has been retired in favor of all the routing gear being migrated to ‘furrix.zone’ and the project beginning to operate as two groups working towards a common goal.
In a nutshell:
‘marbledfennec.net‘ is the people who run the projects and interact with the public.
‘furrix.zone‘ is the gear that handles the packets, the people who maintain our network and is what people connect to.
‘fenfox.run‘ has been retired from use and is no longer a part of Marbled Fennec Networks.
Alright, I saw something about WireGuard. Are you a VPN provider?
Not in the sense that you are most likely thinking. While we do deploy VPN technologies to connect our members, we do not focus on privacy or āhidingā any memberās traffic. If we may use a bit of a misnomer here, we deploy what we call an ārVPNā or reverse VPN network stack. Our goal is to get your homelab or device on the public internet and reachable. Andā¦before you ask: Yes, we log various metrics and stats about our connected members. Do not assume total privacy with our service, that is not our goal at Marbled Fennec Networks. Our volunteer techs all have access to various metrics and real time data for every router, bridge and VM on our network at all times.
Simple answer: No, we are not a VPN provider.
Are your systems automated?
As of July 31, 2024…Partially. But as far as I am aware, neither group plans to automate too much on the network because a few of us enjoy working on the configurations by hand. Plus, working on things by hand allows as to work closer with our project members to ensure we create a profile that meets their needs for their homelab or device, instead of relying on automated templates.
Why are you so upfront about how the network operates?
Short answer- Nothing special or magical is going on here. Anyone with enough know how and determination can match us on feature parity and network design; and to be straight to the point, the
project and the network it operates are built that way on purpose. And if we can be a bit to the point, our projects are built to showcase how easy it is to design and deploy these little corners of the internet where people can still play and learn about the underlying technologies that power the modern internet.
Long answer-
Anyone who is into computer networking, Linux and virtual machines can easily figure how our network is built and replicate it in about two to three days if they really wanted to. We donāt have anything to hide here or anything special going on in the back end. All of our tooling is standard off-the-shelf firmware, applications, services and libraries. Furthermore, being open and transparent means that our members will be fully aware of what, who and how they are connecting their equipment to us.
Our environment is virtualized and deploys a mix of network soft bridges, opnsense powered routers, a few Linux VMs for various services and some amount of hand written routing table and firewall mess. We wanted to try and keep the projectās network stack on the more simple scale of things to allow for new volunteer techs to be able to easily grasp the ropes and be able to get up to speed quickly in their roles; but also to allow the project to make sense to members who are moving on so they may recall and make use of what they learned where ever they progress on to.
Project Members – Operations Related
If I request service, how long is the wait?
Bruh, we are hobbyist. This is a spare time project brought online because we wanted to and we enjoy operating a virtual ISP. If you reach out to support via the ticket system or email, you should expect to wait for a response for around one to two days. We try to be quick with request and support related inquiries, but all of our volunteer techs have lives, jobs and projects outside of both Marbled Fennec Networks and FurrIX.
What level of support is provided by your volunteers?
Skylar instructs, and usually limits, the rest of the teamās technical support response to getting members connected, ports forwarded if needed, subnets adjusted, VMs provisioned and answering general inquiries about the projects. The team is not required to assist with VM configuration or recovery, router or system specific profile configs, member deployment or other issues. Sure, some team members may take an interest in your project and opt to provide a little more insight, but it is not to be expected and is not required.
What is the process of on-boarding a new project member?
Typically once a guest has emailed support or created a ticket, the request will be reviewed at a glance. If the request seems reasonable and like it would be something we could help out with, it will be forwarded from tier one support to Skylar or another upper team member for secondary review. During this time, things such as bandwidth impact, configuration load, resources used and overall risk to the network are evaluated by multiple vlounteer techs. If everyone agrees that the request is reasonable, we will reach
out to you for more information. If it is determined that your request doesnāt fit within the scope of our projects, you should receive an email stating such.
Project Members – VM/GS Hosting Related
Is MFN a GSP? (Game Server Provider)
No.
As of August 26th, 2024 Marbled Fennec Networks no longer offers any form of VM, GS or VPS hosting at all. Project members and guest who currently have said service with us will continue to see their instances serviced as long as they keep the registration current with the support desk; however, we will not be accepting new applications for this service type and members or guest who allow their registration to lapse will not be able to regain hosted service of this type.
Other Frequently Asked Questions
I really would like my own IPv4 to skip your routers!
Two problems with this:
1) IPv4 addresses are too expensive to rent just for your use. It cost FurrIX $12/mo for each /29 and we can only request one additional /29 every three months and three of those addresses must be āin serviceā by end of month one. We have been burned doing this for past members of the projects who decided they wanted to back track after the order was placed.
and
2) IPv4 is not the focus of the project. We only offer IPv4 as a mix of legacy support and a courtesy to our project members. For what we do, IPv6 is much easier to work with and roll out. The IPv6 protocol also allows us to service more project members with our network stack.
If after reading the above you still really would like your own IPv4 address, we encourage you to inquire about how the network is designed and to rent a dedicated box from a data center to build your own project on. It can be a fun and rewarding process once you get the hang of it all.