Two Starlinks, management interface access

Hi all, I have two Starlink devices attached to eth1 and eth2 of my Mikrotik (OS 7).

All works just fine, except I need to be able to access the management web page on 192.168.100.1, which exists on eth1 and eth2.

I can get to one of them by adding the appropriate route to 192.168.1.1/32 gateway eth1 or eth2 and enabling one or the other, but I would like to be able to access both.

I’m very new to Mikrotik. I have experimented for the last 3 days but have not had any success, nor can I find anyone else who has done this.

If it helps, we only need one machine on our LAN 192.168.2.8 that will check the Starlink APIs on each wan ..

I think VRF may be the right approach, but I’m sure there is more than one way to achieve this ..

Any help or guidance is very much appreciated

Not a Mikrotik expert, but right now I am playing with VRFs, so - at least for these latter ones - I may be able to give you a hint or two.

Only to better understand the terms of the problem:
Starlink #1 has management access on 192.168.1.100 and it is physically connected to ether1 on the Mikrotik?
Starlink #2 has management access on 192.168.1.100 and it is physically connected to ether2 on the Mikrotik?

The point-to-point address you have is 192.168.1.1/32 pointing to 192.168.1.100 “network”?

Can you post your current routes ( /ip route export ) inside [ Code ] / [ Code ] tags?

If the source address of the access is the same 192.168.2.8 I think there is the need to differentiate it or differentiate the “target” (like having - say - a 192.168.1.1/32 pointing to Starlink #1 and a 192.168.1.2/32 pointing to Starlink #2) as otherwise what would be the determinant to choose one route over the other?

Hi @jaciaz

Thanks for the reply

Correct on this statement

Starlink #1 has management access on 192.168.1.100 and it is physically connected to ether1 on the Mikrotik?
Starlink #2 has management access on 192.168.1.100 and it is physically connected to ether2 on the Mikrotik?

The attachment shows the interfaces

routes as requested:

add disabled=no distance=1 dst-address=192.168.203.0/24 gateway=wireguard-billrush pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.204.0/24 gateway=wireguard-billrush pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.210.0/24 gateway=wireguard-billrush pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.220.0/24 gateway=wireguard-billrush pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes dst-address=/0 gateway="" routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.100.1/32 gateway=eth1-Starlink1 pref-src="" routing-table=\
    main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.100.1/32 gateway=eth2-Starlink2 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10

interfaces.png

A couple of options
(Sorry I know little about starlinks)

  1. dst-nat and mangle routing

This is quite dependent on the webserver on the starlink unfortunately.
Sub option 1, (most likely to work)
forward connections to 192.168.100.1:1443 to ether2: 192.168.100.1:443 (and/or :8080 → ether2: 80)
If the web server doesn’t send absolute links, etc. it might work.
You will need to check carefully the URL to make sure it hasn’t redirected back to the normal one.

Sub option 2, (less likely to work, but has some handy features)
Forward all connections to 192.168.100.12 (or other unused IP) to ether2: 192.168.100.1
Might work, but the webserver might check host headers, and not be happy.
Allows you to ping the router on ether2, telnet, etc.

Procedure for both options.

  1. Create an appropriate mangle rule in prerouting based on destination address (and ports for option 1) set a routing mark eg. ViaEther2
  2. Create a dst-nat rule to forward destination address (and ports for option 1) to 192.168.100.1
  3. Create a Route for 0.0.0.0 to use gateway ether2 for table ViaEther2


    Note: There are advantages to go via the Rules Table (rather than directly via the route table)
    In this case Set routing mark RuleViaEther2

In routing rules
Put rules for all LAN and wg addresses to go via Main Table.
Then a rule for packets with mark RuleViaEther2 to use the ViaEther2 table.



2. Dynamic Address List for Lan host.

In this option, you ping some IP address (eg. 192.168.100.12), and there is a firewall rule that puts your IP address into an Address List
(for a while)
Devices in this Address list then get all (or just to 192.168.100.1) outbound packets mangle route marked to go via RuleViaEther2
So for a while you can connect to ether2 192.168.100.1 (or have all your traffic go via ether2)

Edit: There have been similar (not same) questions, they might have some other useful options.

I don’t understand (which is very likely due to my lack of experience with Mikrotik) your configuration. Besides and before the Starlink(s) management page(s) how are you using them?
I don’t see any 0.0.0.0/0 route, aren’t you using the Starlinks for internet access?
And since you have two of them, haven’t you set them up in some form of failover or load balancing?
Or is this router only for the management?
Anyway, besides the method (mangle, routing rules, VRFs), I still believe that you need either two different ‘targets’ or two different ‘origins’: if the same source IP connected to the same physical interface asks for the same destination address, how can the router decide which one to connect?
Please post also your /ip address export.

You can do something like the following

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.100.1%ether2 routing-table=ViaEther2 suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.100.1%ether1 pref-src="" routing-table=ViaEther1 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=192.168.100.1%ether1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=192.168.100.1%ether2 routing-table=main suppress-hw-offload=no

And if you have the dhcp client enabled, make it use higher default route distances (so they use your manually configured entries).
In the above routes you could possibly also enable the check gateway option on them.

Edit:
You might also need the following to hit .100.1 on specified port.

add disabled=no distance=1 dst-address=192.168.100.0/24 gateway=ether1 pref-src="" routing-table=ViaEther1 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.100.0/24 gateway=ether2 pref-src="" routing-table=ViaEther2 scope=30 suppress-hw-offload=no target-scope=10

Thanks @rplant, I’ll try that today and let you know

Thanks for the reply .. Looking into this, it raised a question: how do I specify which 192.168.100.1 I want to access? They both point to a management web page, and I’m not sure I can see how I achieve that ..

/ip address export

# 2023-12-18 20:37:56 by RouterOS 7.12.1
# software id = 1I21-KY0G
#
# model = RB750Gr3
# serial number = HE108Y09W4S
/ip address
add address=192.168.2.1/24 comment=defconf interface=bridge-house-p4 network=192.168.2.0
add address=172.16.1.3/24 interface=wireguard-billrush network=172.16.1.0
add address=192.168.69.1/24 interface=vlan-iot network=192.168.69.0
add address=192.168.9.1/24 interface=vlan-lycamichael network=192.168.9.0
add address=192.168.68.1/24 interface=vlan-security network=192.168.68.0

I am still not understanding your setup, the ip addresses you just posted seem to apply to a different set of interface names than your routes.
Anyway, that is just a matter of understanding how you named interfaces.

I think that the solution could be a netmap.

Something like these:
http://forum.mikrotik.com/t/internale-lan-netmap/139346/1
http://forum.mikrotik.com/t/why-is-netmap-nat-working-for-icmp-only/169737/1
(using - say - 192.168.200.1 and 192.168.200.2 as “intermediate” IP access address for 192.168.100.1 on starlink #1 and 192.168.100.2 on starlink #2)
it could be similar to ?

/ip firewall nat add chain=srcnat dst-address=192.168.200.1 src-address=192.168.2.8 action=netmap to-addresses=192.168.100.1 out-interface=eth1-Starlink1
/ip firewall nat add chain=srcnat dst-address=192.168.200.2 src-address=192.168.2.8 action=netmap to-addresses=192.168.100.1 out-interface=eth2-Starlink2

And maybe you need also a dstnat translation.
/ip firewall nat add chain=dstnat src-address=192.168.100.1 action=netmap to-addresses=192.168.200.1 in-interface=eth1-Starlink1
/ip firewall nat add chain=dstnat src-address=192.168.100.1 action=netmap to-addresses=192.168.200.2 in-interface=eth2-Starlink2

But no idea if it can work/applies to your setup.

You need to connect to Starlink and change the internal network addressing. Instead of 192.168.1.1 set something like 192.168.231.1 then there will be no confusion.

You can’t do this.
No option in the starlink router to do this.

Hi,
Strictly you can’t.

You need to make mangle rules to mark the packets and then route them so they will go where you want it to go.
You can either add yourself to an address list, so your packets go out the chosen interface.
Or use dst-nat so you attempt to connect to a different IP (.100.11 and .100.12 for example), and this gets dst-natted
eg. Connection to .100.11 gets dst-natted to .100.1 via ether1, connection to .100.12 gets dst-natted to .100.1 via ether2

See my first post for some options and issues.
http://forum.mikrotik.com/t/two-starlinks-management-interface-access/171919/4

You need to connect to Starlink and change the internal network addressing. Instead of 192.168.1.1 set something like 192.168.231.1 then there will be no confusion.

Cannot be done with Starlink. But multiple identical IP addresses are not a problem. Can be masqueraded to unique IP addresses for selecting the proper one.

http://forum.mikrotik.com/t/loud-balance-3-starlink/170886/1

Starlink’s AP on smartphone might go for the fixed 192.168.100.1 or 192.168.1.1 address however. But a browser gives about the same information, and continues when started on http://192.168.100.1 on http://dishy.starlink.com (the short interruptions (<1s) may be missing in the outages statistics of the browser page.)

If 192.168.1.1 fails, try 192.168.100.1, I know the Starlink router is 192.168.1.0/24, but the Dishy is 192.168.100.1. That Dishy subnet should be allowed to go out via the Starlink router as gateway.

Hi All, Thanks heaps, will try these this week .. and post back the results … really appreciate the input

Ok, here is what I have tried, would like a check on what I have done, if there is any better way

Starlink exposes a gRPC API on port 9200

grpcurl -v -plaintext -d '{"get_status":{}}' 10.0.0.1:9200 SpaceX.API.Device.Device/Handle
grpcurl -v -plaintext -d '{"get_status":{}}' 10.0.0.2:9200 SpaceX.API.Device.Device/Handle

Both return something like .. (different device IDs, so I guess it’s working)

Response contents:
{
  "apiVersion": "10",
  "dishGetStatus": {
    "deviceInfo": {
      "id": "ut01000000-00000000-0052771d",
      "hardwareVersion": "rev3_proto2",
      "softwareVersion": "07dd2798-ff15-4722-a9ee-de28928aed34.uterm.release",
      "countryCode": "PH",
      "utcOffsetS": 28801,
      "bootcount": 295,
      "generationNumber": "1702353424"
    },
    "deviceState": {
      "uptimeS": "179520"
    },
    "obstructionStats": {
      "fractionObstructed": 0.009813944,
      "validS": 178731,
      "avgProlongedObstructionDurationS": 1.237146,
      "avgProlongedObstructionIntervalS": 2057.1428,
      "timeObstructed": 0.0020375866,
      "patchesValid": 4891
    },
    "alerts": {},
    "downlinkThroughputBps": 126768.64,
    "uplinkThroughputBps": 123648.08,
    "popPingLatencyMs": 27.15,
    "boresightAzimuthDeg": -0.78238267,
    "boresightElevationDeg": 76.72383,
    "gpsStats": {
      "gpsValid": true,
      "gpsSats": 13
    },
    "ethSpeedMbps": 1000,
    "isSnrAboveNoiseFloor": true,
    "readyStates": {
      "cady": true,
      "scp": true,
      "l1l2": true,
      "xphy": true,
      "aap": true,
      "rf": true
    },
    "softwareUpdateState": "IDLE",
    "disablementCode": "OKAY",
    "hasSignedCals": true,
    "softwareUpdateStats": {
      "softwareUpdateState": "IDLE"
    },
    "alignmentStats": {
      "tiltAngleDeg": 13.092309,
      "boresightAzimuthDeg": -0.78238267,
      "boresightElevationDeg": 76.72383,
      "attitudeEstimationState": "FILTER_CONVERGED",
      "attitudeUncertaintyDeg": 0.4333455,
      "desiredBoresightAzimuthDeg": 0.23636001,
      "desiredBoresightElevationDeg": 75.96587
    },
    "initializationDurationSeconds": {
      "attitudeInitialization": 172,
      "burstDetected": 71,
      "ekfConverged": 213,
      "firstCplane": 115,
      "firstPopPing": 127,
      "gpsValid": 37,
      "initialNetworkEntry": 71,
      "networkSchedule": 118,
      "rfReady": 38,
      "stableConnection": 140
    },
    "config": {
      "snowMeltMode": "ALWAYS_OFF",
      "applySnowMeltMode": true,
      "applyLocationRequestMode": true,
      "applyLevelDishMode": true,
      "applyPowerSaveStartMinutes": true,
      "applyPowerSaveDurationMinutes": true,
      "applyPowerSaveMode": true
    }
  }
}

I can get a ping to both 10.0.0.1 and 10.0.0.2


/ip address

add address=192.168.100.100/24 interface=eth1-Starlink1 network=192.168.100.0
add address=192.168.100.101/24 interface=eth2-Starlink2 network=192.168.100.0


/ip firewall address-list
add address=10.0.0.1 list=translate-to-starlink
add address=10.0.0.2 list=translate-to-starlink

/routing table
add disabled=no name=starlink1-table fib
add disabled=no name=starlink2-table fib

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address=10.0.0.1 new-connection-mark=starlink1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address=10.0.0.2 new-connection-mark=starlink2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=starlink1 new-routing-mark=starlink1-table passthrough=no
add action=mark-routing chain=prerouting connection-mark=starlink2 new-routing-mark=starlink2-table passthrough=no


/ip firewall nat
add action=masquerade chain=srcnat out-interface=eth1-Starlink1
add action=masquerade chain=srcnat out-interface=eth2-Starlink2
add action=dst-nat chain=dstnat dst-address-list=translate-to-starlink to-addresses=192.168.100.1

/ip route
add distance=1 dst-address=192.168.100.0/24 gateway=eth1-Starlink1 routing-table=starlink1-table
add distance=1 dst-address=192.168.100.0/24 gateway=eth2-Starlink2 routing-table=starlink2-table

Interfaces

eth1-Starlink1
eth2-Starlink2
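
A least-privilege variant of the configuration in the post above, as an added example that is not part of the original thread. The posted dst-nat rule translates the 10.0.0.x aliases for any source and any port, so every VLAN and WireGuard peer behind the router can reach the dish API. This version assumes 192.168.2.8 is the only client (as stated in the first post), that only the gRPC port 9200 is needed, and that the drop rules are placed ahead of any broader accept rule in the forward chain.

```routeros
# Added example, not the poster's configuration.
# The routing tables, mark-routing rules, masquerade rules and routes
# from the post stay as they are; only the rules below change.

/ip firewall mangle
# Replaces the two mark-connection rules: only connections opened by the
# monitoring host are steered into the per-dish routing tables.
add action=mark-connection chain=prerouting connection-mark=no-mark \
    src-address=192.168.2.8 dst-address=10.0.0.1 \
    new-connection-mark=starlink1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    src-address=192.168.2.8 dst-address=10.0.0.2 \
    new-connection-mark=starlink2 passthrough=yes

/ip firewall nat
# Before (as posted): any source, any protocol, any port is translated.
#   add action=dst-nat chain=dstnat dst-address-list=translate-to-starlink \
#       to-addresses=192.168.100.1
# After: one source host, TCP 9200 only. Assumption: extend dst-port if the
# management web page is needed as well. ICMP is no longer translated, so
# ping to 10.0.0.1 / 10.0.0.2 stops answering.
add action=dst-nat chain=dstnat src-address=192.168.2.8 \
    dst-address-list=translate-to-starlink protocol=tcp dst-port=9200 \
    to-addresses=192.168.100.1

/ip firewall filter
# Alias traffic that was not translated still carries a 10.0.0.x destination
# in the forward chain; drop it instead of letting it follow the main table.
add action=drop chain=forward dst-address-list=translate-to-starlink \
    comment="untranslated Starlink alias traffic"
# Nothing except the monitoring host may reach the dish subnet directly.
add action=drop chain=forward dst-address=192.168.100.0/24 \
    src-address=!192.168.2.8 comment="dish management: monitoring host only"
```

The same grpcurl calls from 192.168.2.8 should still return two different device IDs, while a request to 10.0.0.1:9200 from any other LAN, VLAN or WireGuard address should time out.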

In the old version of the application it was possible, I changed it for myself. Now there is no such item in the network settings menu. I apologize.