In Slovakia there is this VDSL router offered by one of the main providers. Each such router has a different default admin password and I assume it is derived from the MAC address or the serial number of the router. By default all ports (53, 80 and 443) are open to the wide world outside, i.e. a network operator who can access the device can log into it from outside if needed. They make public claims about automatic firmware updates, which can also be initiated from the device itself, but I did not investigate this.
My original impression was that the router is dropping
packets so the IPv6 tunnels are possible only using other means but after
setting the port forwarding (see below) even the http://tunnelbroker.net
After setting the admin password to something else, one should also forward ports (either all of them or just the exposed ones) to a local IP address. For the purpose of securing the router, that address does not even need to belong to a running host (i.e. it can lead to nowhere and the packets will time out).
Now I am forwarding external ports from 1 to 1023 to my local machine with a proper firewall.
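One way to confirm the effect of the forwarding, as an added example that is not part of the original post: run this from a host outside the LAN against the router's public address and check that ports 53, 80 and 443 no longer accept TCP connections. The function names are hypothetical, `192.0.2.1` is a documentation placeholder address, and only TCP is probed (DNS on 53/UDP is not covered).

```python
import socket
import sys

# Ports the post lists as reachable from outside by default.
ROUTER_PORTS = (53, 80, 443)


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'.

    open     - the handshake completed, something still answers
    closed   - connection refused (a host or firewall sent a reset)
    filtered - no answer before the timeout, or the host is unreachable;
               this is what a forward to an unused address looks like
    """
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes timeouts and unreachable-network errors
        return "filtered"
    conn.close()
    return "open"


def audit(host, ports=ROUTER_PORTS, timeout=3.0):
    """Probe every port and return a {port: state} mapping."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def still_exposed(results):
    """Ports where a service still completes the TCP handshake."""
    return sorted(p for p, state in results.items() if state == "open")


if __name__ == "__main__":
    # Placeholder address; pass the router's public IP as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    results = audit(target)
    for port, state in sorted(results.items()):
        print(f"{target}:{port}/tcp {state}")
    exposed = still_exposed(results)
    if exposed:
        print("still answering:", exposed)
        sys.exit(1)
    print("no listed port accepts connections")
```

An `open` result after forwarding means the forward target itself is answering, so the same check also tells you what the firewall on that machine lets through.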
The VDSL router has options for port-knocking and I would not be surprised if some undocumented default magic were set. But this is just an assumption without any practical reasons to believe it is so.
Update about DHCP: The DHCP cannot be turned off completely, but can
be set to have only one address in a pool and that address can be assigned
to a pre-set host with a made-up MAC address (like