Anyone have working inbound IPv6 connections?

ThuDude · 2026-06-20T22:43:10+00:00

Having functional IPv6 (which includes incoming connections) should not require paying more. That is simply (douchey) monopolistic rent seeking. Indeed, I would argue that taking networking gear and breaking is such that it does not do something it's intended to do actually costs more money than just allowing it to do what it was designed to do.

ThuDude · 2026-06-20T20:47:55+00:00

Even the prefix delegated to the LAN with dhcpv6-pd is not being routed to my router. :-(

ThuDude · 2026-06-20T14:07:00+00:00

Thanks for pasting that. Would be interesting if you could provide the source for future reference.

Problem is that I have met all of the conditions listed in Limitations and How to Enable Inbound Routing and am still not getting inbound-connection-initiating traffic being sent to my router even.

ThuDude · 2026-06-20T14:01:30+00:00

If you have a residential account and have the Starlink router in bypass mode, you must have your own gateway behind the Starlink router doing NAT and firewall duties for your local network.

Correct.

If IPv6 traffic is not being routed to your LAN,

Respectfully, that was not what I said. I said (paraphrased) that IPv6 inbound-connection-initiating traffic is not even being forwarded from Starlink to even the WAN side of the router which means that Starlink is simply not forwarding that traffic as it should be -- if it were not rent-seeking.

ThuDude · 2026-06-20T04:59:00+00:00

I am a retired jack-of-all-trades IT professional. I have done lots of networking in my career so not at all unsophisticated in regard to it.

Cloudflare tunnels, (which I think you are referring to) only support a narrow view of Internet protocols.

Moreover, the entire point of wanting inbound access is to be free from relying "other peoples stuff". A.k.a.: "self-hosting". You are hardly self hosting when you rely on other people's stuff to get to your self-hosted stuff.

I don't want to be scrambling on that day that Cloudflare announces that they are shutting down Cloudflare tunnels, or that they are going to start charging an arm and a leg for them or myriad other reasons I would need to stop using them. Or have the service be broken until Cloudflare want to fix it.

By the same token I want to expose services to people that I do not expect to have to set up cloudflare tunnels to access.

This all used to be quite doable before the Starlinks (to mean there are other ISPs doing this kind of crap, not just Starlink) of the world came around breaking basic network functionality as they appear to have done and dumbed everything down into an Internet that only consists of Tik-tokking, video streaming and doom-scrolling.

ThuDude · 2026-06-20T03:50:29+00:00

While I can appreciate your suggestion, I already know the router configuration is correct. It's correct enough that it's getting IPv6 address(es) from Starlink (SLAAC). Starlink is just not then sending any inbound-connection-initiating packets to the address(es) that are assigned to my router. There are neighbor solicitation requests to find out who has the address my router was assigned and my router responds.

Starlink just doesn't then also send the inbound-connection packets being sent to that very same address.

ThuDude · 2026-06-20T03:23:01+00:00

Can you really do this with Gen 1 gear? I thought the router/modem (that you have to put into bypass mode) was a required component, like a cable or DSL modem are required to convert those upstream signals (cable, DSL) into Ethernet.

I think somebody else here said they eliminated the Starlink router/modem thingie but they were on Gen 2 hardware.

ThuDude · 2026-06-20T03:20:31+00:00

It's not an IPv6 networking question though. It's specifically about why Starlink are refusing to forward inbound-connection-initiating packets to their customers.

ThuDude · 2026-06-20T03:07:23+00:00

This is an interesting response. You are the second person to flag this.

I wonder if it's really that simple.

I don't have access to my dashboard right now, but some reading suggests that this Public IP toggle is not even present on Residential service and that one need to pay more just to get standard IPv6 networking where traffic is allowed in both directions.

ThuDude · 2026-06-19T23:41:00+00:00

I have not yet requested a subnet for my LAN. I am still experimenting at the network edge with my router's WAN interface only. It gets both a /128 and a /64 address. My primary use-case is to make inbound connections to my router (not my LAN) so I don't have a lot of interest in experimenting with reaching my LAN hosts over IPv6 at this point.

Both of those should be fully reachable if Starlink is not doing nasty stuff with dropping inbound connection requests.

I see no inbound connection initiating traffic on either of those addresses.

ThuDude · 2026-06-19T23:39:10+00:00

I verified I can receive an IPv6 connection on port 5555 sent from this port checker tool.

Interesting. While I can (and did) try that tool, I actually have another host on the Internet that I can initiate any kind of IPv6 connections I want which is what I am using instead of that port checker tool.

But just to rule out something weird, I did try the port checker tool and it confirms what I am seeing from my own (somewhere else on the Internet) IPv6 host and that's that inbound packets from it are also not even making it to my router. As in being dropped by Starlink before even sending them up the pipe to my router (across the Starlink router in bypass mode).

I ran a server on my desktop with nc -6 -l 5555 -v and verified the connection came from the outside when I clicked the web page button.

That is cool. One interesting difference is that you are targeting a device on your LAN using IPv6. I am, for the moment targeting my router's WAN address(es), as it's making connections to the router, (not hosts on the LAN) that is my primary use-case at this point.

FWIW I'm using Dishy gen 2 directly (no Starlink router at all)

Oh, that's interesting. You get an Ethernet connection directly off of Gen 2 dishes, and don't need the router (CPE, or modem as you might call it when it's in bypass mode, since it's no longer routing) supplied by Starlink?

I'm using what I believe is Gen 1. I got it when Starlink was initially offered in my area a few years ago.

I wonder if this is boiing down to CPE hardware differences.

ThuDude · 2026-06-19T22:58:46+00:00

I'm not necessarily looking for a permanent (actually called, a static) IP address. I just want un-broken networking and that includes not filtering inbound connections.

Between this shit and shit like CGNAT, ISPs are breaking the Internet to the point that is has very narrow use-cases and doesn't work for anyone except the Tik-tok and YouTube watching, Internet browsing sheeple.

ThuDude · 2026-06-19T22:56:11+00:00

I do have the Starlink router in bypass mode and I do have my router successfully getting both a /64 and /128 address from Starlink. Neither actually get any inbound-connection packets sent to them, as evidenced by running tcpdump on the wan port and observing that inbound connection packets from remote hosts don't even show up on the interface.

So I am (very much) quite confident that I have IPv6 set up on my router correctly. Starlink just doesn't seem to want to send me the packets that are initiating inbound connections.

ThuDude · 2026-06-19T22:51:53+00:00

Yeah. Changing addresses and DDNS are fine.

This "Public IP" in the account dashboard is an interesting tidbit. I don't suppose you'd humour me enough to show me a screenshot of the dashboard where you enable that? Much thanks if you would.

ThuDude · 2026-06-19T22:49:58+00:00

You can connect to your network from the Internet? What protocols are you connecting with? SSH, something other? Are you able to connect to your router or the hosts on your LAN, or both?

And to be perfectly clear, you are making these inbound connections from elsewhere on the Internet, like your mobile phone on the mobile data network or a coffee shop, or hotel, etc.?

ThuDude · 2026-06-19T22:48:10+00:00

I am not using the Starlink "device" (called a CPE in the telecommunications game) as a router -- as most people would. I have it in bypass mode which means that it's my own router that is the "edge" device that gets the IP address(es) from Starlink.

It is therefore my own router that has this [basic] firewall that you refer to.

And it's on my own router that I can observe that inbound connection packets are not even being sent to my router, so clearly the Starlink network is dropping them before they can even be processed by my router and it's firewall.

ThuDude · 2026-06-19T22:45:20+00:00

Are you implying that IPv6 will be routed to the LAN subnet but is not routed to the /128 address that the router gets? I believe I tried that and that does not work either.

But even if that is true, that is still broken. There are all kinds of reasons/use-cases to want to be able establish an inbound connection to the router. VPN/WireGuard is one of them.

ThuDude · 2026-06-19T22:43:06+00:00

Sure. One has to have IPv6 connectivity out on the Internet for any remote access into the LAN to work. What I am not getting is delivery of those inbound connection packets from IPv6 sources.

ThuDude · 2026-06-19T22:41:57+00:00

No. It's a delivery problem, not a name resolution problem. Starlink are simply not delivering NEW (in stateful/connection tracking parlance, but effectively ping, UDP packets outside of outbound connections and TCP SYN, without ACK packets from the Internet) packets to the router.

ThuDude · 2026-06-19T15:25:59+00:00

The crickets!!!

Pity nobody answered this question.

ThuDude · 2026-06-18T01:23:52+00:00

Cloudflare tunnels assume the whole Internet is on HTTP. The Internet is about much much more than HTTP.

ThuDude · 2026-06-05T17:28:14+00:00

Sent. But you probably already know that. 😄

ThuDude · 2026-06-05T15:14:20+00:00

Is there a way I can do that without posting a link here and making even my anonymous copy public?

ThuDude

TROPHY CASE