Hi all, very first time using MikroTik. Bought a Hex5 to block the ports of my IP cameras from the internet.
I have Starlink. The MikroTik PoE/WAN port plugs into Starlink. Then I have a 16-port cat5 hub that plugs into the MikroTik's first ethernet port.
I haven't attempted to do any blocking or setup yet-- this is just a straight, out of the box plug in. I can't see internet, and I can't see the Starlink router at 192.168.100.1 either. If I move the MikroTik to be anywhere but between the cat5 hub and Starlink (i.e. put it on the line between my computer and the hub), it all works fine. I am not attempting to use Starlink's PoE; the Hex5 is plugged into the wall.
Is there anything special I have to do for Starlink? Crude diagram of setup attached, just in case my descriptions don’t convey.
I highly doubt the Starlink can be powered from the hex.
The Starlink comes with its own PoE, does it not? Use that.
Concur, no one should use the starlink router LOL.
Gen1 Starlink router has an extra ethernet port which you can attach to the router.
Gen1 requires a PoE adapter, supplied with the kit.
Gen2 Starlink router: you need to get a Starlink ethernet adaptor.
Gen2 does not require a PoE adapter.
So where is the problem??
+++++++++++++++++++++++++++++
In any case I will assume PoE is not the issue and that you are getting ethernet from either the router itself or the ethernet adaptor and getting a public IP.
SO we cannot help further until you show how you have screwed up the config.
/export hide-sensitive file=anynameyouwish and post it here, be sure not to include serial number and any public WANIP info.
I’m not trying to power the Starlink from the hex. I have Starlink setup normally, with its own wireless router still in operation. I have the cat5 adapter to make it a wired connection. This goes to the WAN port in the hex, and then ethernet1 on the hex goes to the uplink on the switch that goes through my house (before you ask, yes I plugged it into a non-uplink port just to touch all bases).
Everything works if I put the hex between my computer and the switch… it just won’t work between the switch and starlink. (Just to test I tried my old centurylink router, and it has no problem moving packets-- but unfortunately it can’t be accessed by its normal IP, and neither starlink nor nmap list it as a device on the network, or I would just try to block the ports there)
As for screwing up the config-- I just plugged it in out of the box (of note: the mac address on the device and its real mac address do not match). Then I factory reset it. I have not yet attempted to do any firewalling, I wanted to get to a baseline “everything works” before trying to make adjustments.
One more possible clue:
If I add in ANOTHER SWITCH between Starlink and the Hex, I can see internet. But then I can no longer see anything on the local network (i.e. can’t access cameras or network hard drives or network printers).
So my setup goes:
Starlink → Switch → Hex → Switch → Home computer & rest of LAN
Is there some kind of incompatibility between RouterOS and Starlink? Something that gets solved by sticking another switch in-between?
So you are providing a private IP from the starlink to the hex router??
It sounds like you're not bypassing the Starlink router?
BYPASS Starlink router Goal
GEN1: From the white side of the supplied POE device (the right side), do not plug the ethernet port to the starlink router.
Instead plug it into the wan port of your router. The black ethernet part of the POE device goes to the antenna.
You no longer need to use or power the starlink router.
GEN2 Bridge mode through APP. (using separately purchased ethernet adapter)
Starlink App: Under settings → Advanced —> Bypass Starlink WIFI Router
Then hit SAVE! The starlink router needs to remain powered on in bridge mode.
I haven’t bypassed the Starlink router because it’s located in a place where several people use the wireless from it.
Is there any way to put the hex into a mode where it ONLY passes/filters the packets and doesn’t try to route? I tried turning off the DHCP server and putting it into bridge mode, but all it did then was cut off my internet again.
All I want to do is block ports 8000-8010 from ever getting to Starlink! Twenty years ago this would have been a simple task. How do I achieve this impossible feat in 2022???
For this exercise assuming you are getting a lan subnet from the starlink of 192.168.2.0/24 and LANIPs like 192.168.2.5 and the starlink lan gateway IP is 192.168.2.1
[By the way the stupid WANIP one gets from bypassing the router (gen1) or bridge mode (gen2) is carrier grade NAT, or basically useless bastardized nat where the public IP is not useable for much I think.]
In any case to use the hex:
This is what you need to do
…
/interface bridge
add name=bridgehex
/interface ethernet
set [ find default-name=ether5 ] name=emergaccess-5
/interface list
add name=management
/interface bridge port
add bridge=bridgehex interface=ether1 comment="to starlink"
add bridge=bridgehex interface=ether2 comment="to switch"
add bridge=bridgehex interface=ether3 comment="to whatever"
add bridge=bridgehex interface=ether4 comment="to whatever"
/ip neighbor discovery-settings
set discover-interface-list=management
/interface list member
add interface=bridgehex list=management
add interface=emergaccess-5 list=management
/ip address
add address=192.168.2.X/24 interface=bridgehex comment="address of hex on starlink lan subnet"
add address=192.168.5.1/24 interface=emergaccess-5 network=192.168.5.0 comment="ether5 access off bridge"
/ip firewall filter
add chain=input action=accept in-interface=emergaccess-5 src-address=192.168.5.0/24
add chain=input action=accept src-address=192.168.2.X comment="allow admin to router for config"
add chain=input action=accept src-address=192.168.2.Y comment="allow admin to router for config"
add chain=input action=drop src-address=192.168.2.0/24 dst-port=8291 protocol=tcp comment="drop rest of LAN from access to router (8291 = default winbox port, TCP)"
add chain=forward action=drop dst-port=8000-8010 protocol=tcp
add chain=forward action=drop dst-port=8000-8010 protocol=udp
/ip dns
# dns through trusted subnet gateway
set allow-remote-requests=yes servers=192.168.2.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.2.1 comment="ensures route avail through trusted subnet gateway"
/ip service
set winbox address=192.168.2.X,192.168.2.Y,192.168.5.0/24
/tool mac-server mac-winbox
set allowed-interface-list=management
…
/ip service
set winbox address=192.168.2.X,192.168.2.Y,192.168.5.0/24
Where X and Y are your (admin IP) addresses for your desktop, laptop, smartphone, iPad on the Starlink LAN subnet. In this way, although anyone could theoretically access the hex from the Starlink LAN for config purposes, this winbox service setting ensures only you can (besides username and password protection, of course). I will add firewall rules to also ensure this is true.
If, for example, you would always set 192.168.5.5 in the IPv4 settings of the laptop you attach to ether5 for emergency access to the router, you could narrow down the input chain firewall rule and the winbox settings to that specific IP, but it is not necessary.
For the IP address of the hex, I suggest using a number not likely to be used by the Starlink.
If it starts giving out IP addresses from 192.168.2.2 and up, then give the hex an address of 192.168.2.220, for example.
+++++++++++++++++++
Feel free to ask any questions. The idea here is the ether ports (except 5) are on the same bridge and getting dhcp from the starlink.
The extras added allow you to access the hex while connected to the lan or directly via ether5. Ether 5 for extra backup is not on the bridge so if the bridge gets screwed you can still access the hex. The hex is in this mode basically a switch with a few router like functions in the mix.
Hi Anav-- that DID work to make it a passthrough router!
But I have a question… right now my configuration is:
Starlink Router (with wireless) → Hex → Switch → Rest of house
My IP cameras use ports 8000-8010 (which I wanted blocked). Now: I would expect those to be blocked when accessing the Starlink's wireless router. Is that an incorrect assumption, because the wireless router is on the LAN? I'm able to see the cameras from both the "Rest of house" and when I'm on the "Starlink Wireless." I was expecting the hex to act as a dam of sorts, and refuse to set the pins for the outgoing message up to the Starlink router. This is because the Starlink is located in a guest house, and I'd prefer neither the guests nor the internet have access to those cameras.
Is there a way to get this effect? I was able to get it when I put the router between the switch and the computer (but away from the Starlink).
(Note: I did add a filter for src-port as well, since the cameras send out with ports 8000-8010)
I found an error in my config: I forgot to specify the interface on the IP address; it should be the bridge…
/ip address
add address=192.168.2.X/24 interface=bridgehex comment="address of hex on starlink lan subnet"
See if that makes a difference but assuming you probably did this on your own anyway!
I would have thought that the rule would block any wired traffic on those ports coming behind the router aka from the switch…
I will have to think about why that is not working.
Clearly nothing you can do about the wifi from the starlink itself as that is available before the hex comes into play.
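An added example (not posted by anyone in this thread) of how the port block can be made to bite when the hex is a plain bridge, using anav's interface names (bridgehex, ether1 toward the Starlink router, ether2-4 toward the house switch). Frames switched between ports of the same bridge are handled by /interface bridge filter; they only pass through /ip firewall filter when use-ip-firewall is turned on in the bridge settings. The camera addresses 192.168.2.50 and 192.168.2.51 are assumptions for illustration.

```routeros
# Added example, not from the thread. Assumes anav's bridge "bridgehex",
# ether1 = toward the Starlink router/WiFi, ether2-4 = toward the house LAN.
# Camera addresses below are hypothetical; give the cameras static addresses
# so the match stays stable.

# Option A: stay at layer 2 and filter in the bridge firewall.
/interface bridge filter
# Guests on the Starlink side (arriving on ether1) may not reach the camera ports.
add chain=forward in-interface=ether1 mac-protocol=ip ip-protocol=tcp \
    dst-port=8000-8010 action=drop comment="no camera ports from starlink side"
add chain=forward in-interface=ether1 mac-protocol=ip ip-protocol=udp \
    dst-port=8000-8010 action=drop comment="no camera ports from starlink side"
# Camera-originated traffic never leaves toward the Starlink side at all
# (covers streams on ephemeral source ports that a port match would miss).
add chain=forward out-interface=ether1 mac-protocol=ip \
    src-address=192.168.2.50/32 action=drop comment="camera 1 stays off starlink side"
add chain=forward out-interface=ether1 mac-protocol=ip \
    src-address=192.168.2.51/32 action=drop comment="camera 2 stays off starlink side"

# Option B: let bridged IP traffic visit /ip firewall filter so the existing
# chain=forward rules apply, and scope them to the Starlink-facing port.
/interface bridge settings
set use-ip-firewall=yes
/ip firewall filter
add chain=forward out-bridge-port=ether1 protocol=tcp dst-port=8000-8010 action=drop
add chain=forward out-bridge-port=ether1 protocol=udp dst-port=8000-8010 action=drop
add chain=forward in-bridge-port=ether1 protocol=tcp dst-port=8000-8010 action=drop
add chain=forward in-bridge-port=ether1 protocol=udp dst-port=8000-8010 action=drop
```

Option A is the lighter choice and does not change how the rest of the /ip firewall behaves; Option B costs CPU on every bridged packet but lets one rule set cover both bridged and routed traffic. Neither blocks DHCP from the Starlink router (broadcast on UDP 67/68 from 0.0.0.0), so the rest of the LAN keeps getting leases. Whatever is connected to the Starlink router's own WiFi or LAN ports never crosses the hex and cannot be filtered by it.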
Hi again… thanks for the input 2frogs! I think I am SO CLOSE to getting this working now!
I have one final issue: Now my Starlink Wireless cannot see the internet (this actually happened before implementing 2frog’s addition). I am only able to see the internet from BEHIND the hex now.
I’ve reset the whole hex and re-implemented the simplest version of the above that I could (i.e. no remote access, no security, ONLY going into bridge mode). I currently have all the firewall filters turned off. This is my current setup:
When I connect to the Starlink Router + Wifi with a smartphone, it connects, but sees no internet. From within the home network I see internet fine. I do want internet access through the starlink router for guests, and I don’t care if they’re firewalled (although I do want them prevented from receiving ports 8000-8010).
Any idea what’s interfering on the Starlink end to nuke the internet from the starlink wifi?
I agree completely… but I think this might be the end of this experiment. I’m running into too many problems doing this-- after looking at the matter further I’m seeing that various devices inside the home network do and don’t have access to the internet at various times. I think the combination of hex as firewall, then starlink as router just isn’t going to work the way I want it to.
Looking at an alternative rule set, so go back to it working for all users until I can provide something else.
Just to be clear, I can understand blocking wifi users on the starlink from accessing lan devices behind the hex.
But surely you also have the IP addresses of those devices and not just the ports in question?
Second, how would such devices originate or send information on those ports ( do they also stream data )?
Sounds like the config on your HEX is garbage and probably still has a DHCP server running or it does some other funky stuff in your network.
If the only goal to all this is to add another firewall between your IP cameras and the internet, just set that HEX as a normal router and add another layer of NAT and keep only the CCTV system behind it, and that’s it.
Or, post an export of your current config to see what you did so far on that HEX.
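As an added example (not from anyone in the thread) of the "normal router" layout suggested above: the hex gets one address from the Starlink router on ether1, everything else is bridged into a separate camera LAN behind NAT, and the default forward policy is drop. Interface names, the 192.168.88.0/24 camera subnet and the pool range are assumptions.

```routeros
# Added example, not posted in the thread. Assumes ether1 = WAN toward the
# Starlink router's LAN (192.168.2.0/24 as anav assumed), ether2-5 = camera LAN.
# 192.168.88.0/24 and the pool range are hypothetical.
/interface bridge
add name=bridge-cctv
/interface bridge port
add bridge=bridge-cctv interface=ether2
add bridge=bridge-cctv interface=ether3
add bridge=bridge-cctv interface=ether4
add bridge=bridge-cctv interface=ether5
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge-cctv list=LAN
/ip address
add address=192.168.88.1/24 interface=bridge-cctv
/ip dhcp-client
add interface=ether1 disabled=no comment="take an address from the starlink router"
/ip pool
add name=cctv-pool ranges=192.168.88.10-192.168.88.100
/ip dhcp-server
add name=cctv interface=bridge-cctv address-pool=cctv-pool disabled=no
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade
/ip firewall filter
# input: only the camera LAN may talk to the hex itself
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface-list=LAN comment="manage hex from camera lan"
add chain=input action=drop comment="nothing from the starlink side reaches the hex"
# forward: replies in, cameras out, nothing new in
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop protocol=tcp dst-port=8000-8010 out-interface-list=WAN \
    comment="camera ports never leave toward starlink"
add chain=forward action=drop protocol=udp dst-port=8000-8010 out-interface-list=WAN
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="cameras may reach the internet (NTP, updates); tighten to specific hosts if possible"
add chain=forward action=drop comment="default: no new connections from the starlink side"
```

The real protection here is the last rule plus NAT: nothing on the Starlink side, WiFi guests included, can open a connection to a camera, whatever port it uses. The 8000-8010 drop on the way out is belt-and-braces; a camera that phones home picks an ephemeral source port, so if the cameras must not reach the internet at all, replace the LAN-to-WAN accept with a drop and only allow the specific destinations (NTP, firmware server) they need. To view the cameras from the house, connect to the camera LAN behind the hex rather than opening ports toward the Starlink side.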