Good evening everyone
I need help with Starlink and MikroTik.
I activated Bypass Mode on my Starlink and connected it to Eth1 of my MikroTik, and I can reach the Internet correctly.
Now I need to enable remote access to the MikroTik, open some ports, and set up an IPsec-to-IPsec VPN.
Starlink uses CGNAT; how can I open the ports?
I also activated a VPN to a pfsense and it only works on one side. From the Mikrotik network I see the pfsense network, but from the pfsense network I don’t see the mikrotik network.
Can I activate a second internet connection on the Mikrotik and use only the VPN connection with it, and the Internet connection with the Starlink?
How can I do this?
Is there really no possibility to open ports with my MikroTik and Starlink?
Starlink doesn’t let you open ports, nothing to be done about that.
If your router is ARM-based, ZeroTier is your best option since both ends can be CGNAT.
If the other end of the VPN has a “real”/open public IP, Wireguard (and some other VPNs too) can work. But this requires some fixed router that’s the VPN hub.
You can add a 2nd internet connection for remote management. This involves some firewall rules and “policy routing”, not too hard but not click-a-button simple. If both ends are behind CGNAT/restricted firewall AND your Mikrotik is not based on ARM for ZeroTier…then this would be your only approach.
Standard VPN functionality requires you to have a publicly accessible IP, not the case with Starlink.
Thus you cannot use your router as the HOME BASE for a VPN like WireGuard.
Therefore you have to use an external HOME BASE for the VPN; it could be another location (a relative's or friend's house), a third-party provider, or hosting your own at a datacenter.
There is nothing stopping the MT behind starlink from connecting OUTBOUND to make a wireguard or VPN connection. It just cannot HOST any inbound connections with VPN.
ZeroTier (requires ARM) gets around this in a way because it uses the third-party concept alluded to above. The HOME is in the cloud, so to speak. It, like WG, is an available options package for ARM devices.
However, I have activated an OpenVPN connection to a pfSense on another remote network and it works: from the MikroTik I see the pfSense and I can access my server, but from the pfSense I don’t see the printers in my office.
With the old connection this worked, maybe because there are no open ports in Starlink
How can I go about solving this?
At this point the only solution is to adopt ZeroTier, right?
My router should support it
If the connection you had was from a vpn connection to an external host, there is no reason why reverse traffic is not possible.
It's transparent to the Starlink at that point.
I have not used zerotier, the link I gave you and the MT DOCS are your best resources. ( https://help.mikrotik.com/docs/display/ROS/ZeroTier )
Best you apply some brain muscle and attempt on your own and come back when ready to ask questions…
> However, I have activated an OpenVPN connection to a pfSense on another remote network and it works: from the MikroTik I see the pfSense and I can access my server, but from the pfSense I don’t see the printers in my office.

OK. Would you be kind enough to let us know which one is your OpenVPN server? Is it your pfSense or the MikroTik?
My guess is your pfSense is the server.
The MT client may already have the OpenVPN push route to the server, but not the other way around to the printer in the MikroTik network.
basic tools from pfsense subnet:
ping to printer.
if failed, traceroute to it.
if failed at pfsense, netstat -rn from your server - does it have the route to the printer?
if it is reachable, then your printer has chosen the wrong gateway to the server subnet. split tunneling.
or, the printer maybe doesn’t even have the route to the server subnet. fix it.
and the last thing is the protocol used by your printer dictates how you will see it. either smb or unix printer, broadcast or unicast etc.
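
The `netstat -rn` step above can be checked mechanically. The following is an added example, not code from any poster in this thread: it parses a constructed FreeBSD/pfSense-style routing table and does a longest-prefix match to show whether traffic to the printer would enter the tunnel or leave via another interface. All addresses, subnets and interface names (`em0`, `em1`, `ovpns1`, `192.168.88.0/24`) are assumptions for illustration.

```python
import ipaddress

# Constructed sample of `netstat -rn` output (FreeBSD/pfSense style).
# Every address and interface name here is an assumption, not thread data.
NETSTAT_RN = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS       em0
10.8.0.0/24        link#7             U         ovpns1
10.8.0.1           link#7             UHS       lo0
192.168.1.0/24     link#2             U         em1
"""

def parse_routes(text):
    """Return a list of (network, gateway, interface) from netstat -rn text."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] == "Destination":
            continue  # skip header, blank and malformed rows
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # skip rows that are not plain IP prefixes
        routes.append((net, fields[1], fields[3]))
    return routes

def lookup(routes, ip):
    """Longest-prefix match, the same rule the kernel uses when forwarding."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if r[0].version == addr.version and addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)

def diagnose(text, target_ip, tunnel_if):
    """Say whether target_ip would be forwarded into tunnel_if."""
    route = lookup(parse_routes(text), target_ip)
    if route is None:
        return "no route"
    if route[2] == tunnel_if:
        return "via tunnel"
    return f"leaves via {route[2]} (missing tunnel route)"

if __name__ == "__main__":
    # Assumed printer address behind the MikroTik.
    print(diagnose(NETSTAT_RN, "192.168.88.50", "ovpns1"))
    # An address inside the tunnel subnet itself.
    print(diagnose(NETSTAT_RN, "10.8.0.6", "ovpns1"))
```

A result of "leaves via em0" means the server side only has its default route for the office subnet, so replies never enter the tunnel, which matches the one-way reachability described in the thread.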