I wasn’t sure if people wanted to keep discussing IPv6 in a Peplink thread.
I’ve run IPv6 on and off for years, and since I’m behind AT&T fixed LTE I would have to use a tunnel broker, as Peplink doesn’t support IPv6 on wireless WAN links. I have also found that nobody wants to debug IPv6 issues… if Netflix doesn’t work, they ask, turn off IPv6… does it work now… OK, we are done.
I’ll start with using a Peplink router. Forget it. (Reasons are further down in this message.)
The Starlink IPv6 implementation seems to be fundamentally flawed in a number of ways. This is all conjecture as Starlink says nothing about their system.
#1 The Starlink system does not send periodic RAs as required by RFC.
#2 The system does not respond to RE requests unless the MAC address of the client is already in contact with the Starlink core.
#3 The default router fe80::1 does not respond to NDP packets at all. So if for any reason you lose the NDP via timeout, your default route becomes useless.
The first two items combined make any generic bridged SLAAC system a non-starter, and that is the default Peplink “bridged IPv6 mode”.
So, what does work?
A number of open source firewalls seem to work to start: pfSense, OPNsense.
What these do is:
#1 DHCP for the IPv4 address. This primes the core to allow services to and from that MAC address. DHCP lease of 500 seconds.
#2 Send an IPv6 RE request, not waiting for the network to advertise an RA that will never come.
#3 In response to this RE the Starlink network replies with an RA (TTL 500 sec). This allows the firewall to turn up a SLAAC address, add the default route and NDP cache.
#4 The firewall requests a DHCPv6 PD, and Starlink sends back a /56 assignment.
This is all well and good for the next 500 seconds… Since the Starlink network doesn’t send another RA (which should be done at least < 1/2 the RA timeout interval), the original RA will time out, the NDP will time out and the IPv6 addresses go away.
So, to keep the IPv6 network up, as soon as you boot up, you need to convert all dynamic assignments to permanent.
In a shell, find your current address (ifconfig em0) and then switch it from autoconfig to permanent.
ifconfig em0 inet6 ####:####:####:####:####:####:####:#### (insert your negotiated SLAAC address)
Second, the NDP cache will also time out, since it was filled in via the RA. This is a fixed assignment:
ndp -s fe80::1%em0 02:02:00:00:00:02
Third, fix the default route.
route -6 add default fe80::1%em0
Finally, the firewall needs to keep sending packets into the core to keep the NDP cache primed on the Starlink side… so these firewalls send pings once a second to fe80::1.
If you turn off this gateway check… you eventually lose connectivity.
I have not yet configured a LAN side of this firewall to see if it will pass networks out of the /56.
Since Starlink isn’t really supporting IPv6, I will probably stop here until they announce general support.
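
The three pinning steps described in the post above, collected into one dry-run script. This is an added example, not part of the original post: it only prints the commands for review, the function names are hypothetical, and the `ifconfig` output is a constructed sample using the 2001:db8::/32 documentation prefix.

```sh
#!/bin/sh
# Added example (not from the original post). Dry run: prints commands only.
GW_LL="fe80::1"              # default router address, as given in the post
GW_MAC="02:02:00:00:00:02"   # gateway MAC, as given in the post

# slaac_addr (hypothetical helper): read `ifconfig <if>` output on stdin and
# print the first global address flagged autoconf. Link-local is skipped.
slaac_addr() {
    awk '$1 == "inet6" && $2 !~ /^fe80:/ && / autoconf/ { print $2; exit }'
}

# pin_cmds IFACE (hypothetical helper): read ifconfig output on stdin and
# print the address, NDP and default-route commands from the post.
pin_cmds() {
    iface="$1"
    addr=$(slaac_addr)
    if [ -z "$addr" ]; then
        # The RA has not arrived yet or has already expired: nothing to pin.
        echo "no SLAAC address found on $iface" >&2
        return 1
    fi
    echo "ifconfig $iface inet6 $addr"
    echo "ndp -s ${GW_LL}%${iface} $GW_MAC"
    echo "route -6 add default ${GW_LL}%${iface}"
}

# Constructed sample of `ifconfig em0` output.
SAMPLE='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
    inet6 fe80::a00:27ff:fe12:3456%em0 prefixlen 64 scopeid 0x1
    inet6 2001:db8:1234:5678:a00:27ff:fe12:3456 prefixlen 64 autoconf'

printf '%s\n' "$SAMPLE" | pin_cmds em0
```

On a live firewall, feed it real output with `ifconfig em0 | pin_cmds em0` and check the printed commands before running them.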