vitaly2016
Frequent Visitor
Topic Author
Posts: 65
Joined: Wed Jan 20, 2016 9:26 am
Location: Ukraine

How to access Mikrotik behind Starlink (CGNAT) [SOLVED]

Fri Feb 03, 2023 2:33 pm

I have Starlink Gen 2 in bypass mode.
The hAP ac lite (ROS 7.7) is connected to Starlink via the adapter as the external router.
Some PCs are connected to the Mikrotik and the Internet works well in this network.
But I need to connect remotely to my Mikrotik router from the WAN.
As you know, Starlink uses CGNAT and we cannot access the router by its external IP address.
People say that the solution is VPN tunnels, but I don't know where I should start.
Setting up the Mikrotik router as an OpenVPN server does not work because we cannot forward any traffic to the Mikrotik.
Last edited by vitaly2016 on Fri Feb 10, 2023 9:51 am, edited 2 times in total.
 
erlinden
Forum Guru
Posts: 1920
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 2:47 pm

You would have to initiate the VPN from the MikroTik (run a VPN client) to a public VPN server.
 
vitaly2016
Frequent Visitor
Topic Author
Posts: 65
Joined: Wed Jan 20, 2016 9:26 am
Location: Ukraine

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 2:54 pm

Thank you for the quick response.
May I ask you for more details:
1. Which public VPN server is better to use for this purpose? Is there a free (no paid subscription) service?
2. Could you recommend an up-to-date (for ROS 7.7) manual for setting up the Mikrotik as an OVPN client?
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 3:15 pm

To add to what erlinden has said, you first need a server that is publicly accessible. It could be a DigitalOcean droplet virtual server, a Linode instance, or even an RPi server running in a buddy's rack. The point is that you have a server outside of the CGNAT environment. The MikroTik behind CGNAT initiates and maintains a VPN connection to this server under your control. You VPN to this server, there are rules and accessibility features in place, and thus you can VPN back to your MikroTik.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 3:28 pm

The only free option is if you have a friend who can run a WireGuard server for you (assuming said friend has a publicly accessible WAN IP). Then your Mikrotik as a client would connect to the WireGuard server at your friend's house. When away from home, you simply need to also WireGuard remotely into the same server at your friend's house and then you can connect to the WireGuard server.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 3:38 pm

Install TeamViewer on a PC if that PC belongs to you or is from your company?
When you take over the PC, you can Winbox straight to the Mikrotik.
 
Larsa
Forum Guru
Posts: 1041
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 3:58 pm

Yeah, TeamViewer is very good at NAT traversal.

If it's a company PC, do not install it without approval, as it might be considered a serious security breach by some organisations.

Configure the standard installation using "Unattended Access" or just install the separate package called "TeamViewer Host":

https://www.teamviewer.com/en-us/unatte ... -security/
Last edited by Larsa on Fri Feb 03, 2023 4:07 pm, edited 1 time in total.
 
Amm0
Forum Guru
Posts: 3250
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 4:06 pm

Also, ZeroTier works through a CGNAT and I know that it works with Starlink. You just need an ARM device, however.
 
vitaly2016
Frequent Visitor
Topic Author
Posts: 65
Joined: Wed Jan 20, 2016 9:26 am
Location: Ukraine

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 4:15 pm

I remembered that I have a paid VPN account at Surfshark.
And I found a detailed tutorial on how to connect the router to the Surfshark VPN servers via IKEv2:

https://support.surfshark.com/hc/en-us/ ... with-IKEv2

I made all the steps successfully. The manual says that I should see the IP address of the selected country's VPN server on a PC connected to the Mikrotik.
It should be some Poland server.
But I still have the Starlink external IP.
So something goes wrong...
 
Larsa
Forum Guru
Posts: 1041
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 4:19 pm

Also, ZeroTier works through a CGNAT and I know that it works with Starlink. You just need an ARM device, however.

Yeah, if it were an ARM device, ZeroTier would be a better choice as it is extremely good at NAT traversal (better than TeamViewer).

ZT is also very easy to administer using their centralized web interface, much easier to set up than, for example, WireGuard.

https://help.mikrotik.com/docs/display/ROS/ZeroTier
https://www.zerotier.com/2014/08/25/the ... traversal/
 
vitaly2016
Frequent Visitor
Topic Author
Posts: 65
Joined: Wed Jan 20, 2016 9:26 am
Location: Ukraine

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 4:22 pm

Unfortunately my hAP ac lite router is not ARM but a MIPSBE one.
 
Larsa
Forum Guru
Posts: 1041
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 4:34 pm

Btw, Surfshark won't help you to enable incoming connections.

I'd install ZeroTier on the local PC and then enable LAN access, or optionally buy a cheap RPi and install it there if you want ZT up and running 24/7.
 
Amm0
Forum Guru
Posts: 3250
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 4:42 pm

Unfortunately my hAP ac lite router is not ARM but a MIPSBE one.
Yeah sorry, I missed the "lite" part of hAP. I ran into the remote access to MIPSBE problem myself, which ZeroTier solves perfectly for ARM... It is annoying.

I believe Starlink offers public IPs now, but only on the business plans, and those start at US$500/month.

But if you're looking to access a few devices, you can just install ZeroTier directly on them, and they will be on the same network as the other ZeroTier "members". You can then use some remote desktop (RDP, VNC, TeamViewer, whatever) to one of them over ZeroTier, and you can run Winbox (or SSH etc.) on that PC/Mac to access the router.
 
Larsa
Forum Guru
Posts: 1041
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 5:09 pm

Or optionally, install ZeroTier on just one of the devices and enable LAN access. Then you will be able to access the entire local network.
 
Amm0
Forum Guru
Posts: 3250
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 5:29 pm

@Larsa, what do you mean by "enable LAN access"? I wasn't aware that was an option in the desktop clients...
 
vitaly2016
Frequent Visitor
Topic Author
Posts: 65
Joined: Wed Jan 20, 2016 9:26 am
Location: Ukraine

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 6:41 pm

@Amm0, @Larsa and others -
Thank you very much for helping.

There are some specific points about this router that I am configuring:
The router will be used with Starlink in real field conditions. They will be very hard conditions, if you guess what I mean.
I don't know which client devices will connect to the router. They will be some laptops or mobile phones.
So I can't use TeamViewer or something else "on a PC".
I have to configure this system to have access to the router.
For now, this system is with me and I have only a few days before I should send it to the field.

Question: Is it 100% that Surfshark can't help?
 
Larsa
Forum Guru
Posts: 1041
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 6:44 pm

@Larsa, what do you mean by "enable LAN access"? I wasn't aware that was an option in the desktop clients...

That's the beauty of ZT, it works like any normal network with routing etc.

Let's use 10.0.0.x as ZeroTier's internal virtual network, with ZeroTier installed on three computers on three different local networks 192.168.10.x .. 192.168.30.x:

Node   ZT WAN       LAN
1      10.0.0.10    192.168.10.0/24
2      10.0.0.20    192.168.20.0/24
3      10.0.0.30    192.168.30.0/24

If you want to expose the LAN on node 1 (192.168.10.0/24), you only need to push the route using the ZeroTier web control center, menu Managed Routes: "192.168.10.0/24 via 10.0.0.10".

Then of course you have to take into account the normal settings on the local network such as default gateways using masquerade, src-nat etc., just like any tunnel.
https://zerotier.atlassian.net/wiki/spaces/SD/pages/224395274/Route+between+ZeroTier+and+Physical+Networks

There is also an option to control packet flow and routing on an even more detailed level using "Flow Rules":
https://docs.zerotier.com/zerotier/rules/
https://www.zerotier.com/2022/05/19/using-flow-rules-to-direct-users-to-services/
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 7:03 pm

Larsa, the issue is that the MT on site is NOT ARM. Therefore it cannot host ZeroTier.
Point two, he does not control any of the devices connected to the router and thus ZeroTier is not probable.
Conclusion: he needs router connectivity via VPN, native to the router.

His best bet in this case is
a. a friend who will host a WireGuard server on the friend's MT
b. OP puts an MT router at his own house to host WireGuard
c. Business puts an MT router at work to host WireGuard

You need an external host for WireGuard. Then the MT on site will connect over Starlink to that host, opening up two-way traffic.
Thus, the host can be set up to allow traffic from the host to the MT on site from the LAN, or from another WireGuard tunnel coming in from a remote user such as yourself (admin).

As far as third-party VPNs go, I don't think it will work. They are set up mainly for USERS to access the internet outside (and multiple accounts so as to be able to reach the internet through different geographic locations), not for allowing multiple users to see each other.
 
vitaly2016
Frequent Visitor
Topic Author
Posts: 65
Joined: Wed Jan 20, 2016 9:26 am
Location: Ukraine

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 7:15 pm

His best bet in this case is
a. a friend who will host a WireGuard server on the friend's MT
I have my own RB3011 (ARM32). It has a static WAN address and it is working 24/7.

So how can this ARM router help with "Starlink + hAP ac lite"? May I ask you for further steps?
 
bpwl
Forum Guru
Posts: 2983
Joined: Mon Apr 08, 2019 1:16 am

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 7:16 pm

What public VPN server is better to use for this purpose? Is there a free (no paid subscription) service?
You probably already have one at home; that is good enough, if not for a high-speed connection, provided you have a cabled connection.
I have a VDSL connection with an ISP modem, where I can forward a port to one of my LAN devices. That's all I need. The LAN device used is the cheapest MT (hAP Lite) I have. It functions as a VPN server, using the free MT DDNS registration to be found.

From my remote network (behind a Starlink router and also doing load failover to CGNATted 4G networks), an MT router is the VPN client, connecting to my hAP Lite, with one or more of the many VPN possibilities.
I connect to my remote LAN this way. This is possible without modifications to that remote network, because the hAP Lite and the remote MT router both use NAT.
On the road I connect to the same hAP Lite (server) as well, directly from my device or by using a mAP Lite as a road warrior (and repeater) device with a VPN client.

Everywhere I drop such an MT router and connect it to a LAN which has Internet access, I remotely operate as a member of that LAN. There may be "n" NATs or CGNATs; it doesn't matter.
 
Amm0
Forum Guru
Posts: 3250
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 7:19 pm

Question: Is it 100% that Surfshark can't help?
If you connect to it, does it give you a public IP address? If so, then yes, that helps. But if Surfshark has any stateful firewall or gives you a private address, then NO.
 
Amm0
Forum Guru
Posts: 3250
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 7:22 pm

@Larsa, what do you mean by "enable LAN access"? I wasn't aware that was an option in the desktop clients...

That's the beauty of ZT, it works like any normal network with routing etc.
Fair enough. But enabling IP forwarding is a pretty big change that's not the default on most OSes – I was thinking there was a ZT client option I'd missed. Doesn't seem like it would even help here, however.
 
Larsa
Forum Guru
Posts: 1041
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 7:23 pm

Larsa, the issue is that the MT on site is NOT ARM. Therefore it cannot host ZeroTier.

Hello my dear mf! Yeah, I'm aware of that! Cheers ;-) ❤️
Last edited by Larsa on Fri Feb 03, 2023 7:35 pm, edited 1 time in total.
 
Larsa
Forum Guru
Posts: 1041
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 7:25 pm

I have to configure this system to have access to the router. For now, this system is with me and I have only a few days before I should send it to the field. Question: Is it 100% that Surfshark can't help?

Unfortunately, it will be a real challenge to get everything working on the same device with just that short time left. A few possible options:

1. Buy a new router that is able to run ZeroTier, Tailscale or similar.
2. Or configure a router (Mikrotik, PC, RPi or whatever) at home using WireGuard with your own virtual network. Configure your travel device (hAP ac lite) to connect to your home router using WireGuard (like @bpwl explained).

PS:
Sorry, Surfshark is just for "outgoing" traffic, like most regular VPN providers.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 7:33 pm

His best bet in this case is
a. a friend who will host a WireGuard server on the friend's MT
I have my own RB3011 (ARM32). It has a static WAN address and it is working 24/7.

So how can this ARM router help with "Starlink + hAP ac lite"? May I ask you for further steps?
Perfect, that is all you need to set up WireGuard.
I just set up my WireGuard in a few minutes, and I could provide a host for your devices, so it should be easy for you to do as well.

BUT is the static WAN a public IP? How do you get it? Does the ISP modem provide it to you?
When you go to "what's my IP", is it the same IP as in your router settings???
 
Larsa
Forum Guru
Posts: 1041
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 7:40 pm

@vitaly2016: @anav is a real expert on Wireguard so if you let him help you it might work out anyway. Fingers crossed and good luck!
 
vitaly2016
Frequent Visitor
Topic Author
Posts: 65
Joined: Wed Jan 20, 2016 9:26 am
Location: Ukraine

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 7:58 pm

BUT is the static WAN a public IP? How do you get it? Does the ISP modem provide it to you?
When you go to "what's my IP", is it the same IP as in your router settings???
Yes, I have a static public IP at my RB3011. This is an additional paid service of my ISP.

So if I understand correctly, I should perform these steps:
1. Set up a WireGuard server at my RB3011
2. Set up a WireGuard client at the hAP ac lite (at Starlink's end)
Honestly, I haven't had any experience with WireGuard yet, so please don't be surprised by my stupid questions.
If I connect the 2 routers (contra spem spero) by WireGuard, how can I manage the remote hAP ac lite via Winbox?
Last edited by vitaly2016 on Sun Feb 05, 2023 4:24 pm, edited 1 time in total.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 7:58 pm

@vitaly2016, forget about Surfshark. Surfshark and other similar services are called VPN because they use the same technologies as "real" VPNs, but their purpose is different.

Even though you have your own router with a public address, in your case, spawning a virtual Mikrotik somewhere in a datacenter in the EU might be a better option than using a home router, because in that case the central node of your VPN will not depend on your home ISP, which may suffer from power outages, and you can connect to that central node from your home using a Starlink terminal too if your wired ISP is down.

The WireGuard solution as proposed by @anav is currently the simplest VPN protocol to configure. Plus WireGuard (and also IPsec, but that one is the most complex to configure) can use the central point only to forward the encrypted traffic without having to decrypt and re-encrypt it, which may be advantageous for your use case. I have already done that.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 8:25 pm

If it's a static WAN and public IP and you don't have time right now to organize a data center (SINDY's suggestion is on point and great)...........
Here is a sample of what you need to do on both MT devices.

Step 1
Need to ensure your RB3011 is at 7.6 or better 7.7 firmware (latest stable).

Step 2 - Wireguard Settings (On RB3011)

1. Add Wireguard Interface - name=WG-UKR
2. Add listening port = 15555 (you choose)
3. Hit Enter
4. Router generates a hidden private key but a visible PUBLIC KEY.
(The public key is what you will insert at the MT hAP device and any remote devices you may wish to use on the road (laptop, iPad, iPhone etc., as many as you want).)

Step 3 - Create Subnet

5. Add IP address with interface=WG-UKR, ex. 172.16.16.1/24

Step 4 - Create Peers in Wireguard (on RB3011)

6. allowed IPs = 172.16.16.2/32,MTHAPsubnet (if applicable), Public Key (insert public key generated by the MT hAP device in its wireguard settings), COMMENT="Peer1 - MTHAP"
7. allowed IPs = 172.16.16.3/32, Public Key (insert public key generated by device), COMMENT="Peer2 - Admin laptop remote"
8. allowed IPs = 172.16.16.4/32, Public Key (insert public key generated by device), COMMENT="Peer3 - Admin iphone remote"

Step 5 - Create firewall Rules (in RB3011)

9. add chain=input action=accept dst-port=15555 protocol=udp log=yes log-prefix="Initial Handshake" { WireGuard runs over UDP only; a TCP rule here would never match the handshake }
10. add chain=input action=accept in-interface=WG-UKR src-address-list=ADMIN { to enable access to RB3011 when you are remote }
11. Firewall address list
add IP address=172.16.16.3/32 list=ADMIN
add IP address=172.16.16.4/32 list=ADMIN
12. add chain=forward action=accept in-interface=WG-UKR out-interface=WG-UKR src-address-list=ADMIN { allows you after reaching 3011 remotely to then go to MTHAP }
13. add chain=forward action=accept in-interface=TrustedSubnet out-interface=WG-UKR src-address=IPAdmin { allows you on local subnet of RB3011 to go to MTHAP }
14. add chain=forward action=accept in-interface=WG-UKR dst-address=TrustedSubnet src-address-list=ADMIN { allows you after reaching 3011 remotely, to go to local 3011 subnet }

Step 6 - Routes (default route takes care of all traffic)

15. <DAC> dst-address=172.16.16.0/24 gwy=WG-UKR table=main { created by router when you entered the wireguard IP address }
16. If applicable, you want to be able to access a subnet on the MTHAP for any reason, then you will need a route as follows.
dst-address=MTHAPSubnet gwy=WG-UKR routing-table=main

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Step 7
Need to ensure your MTHAP is at 7.6 or better 7.7 firmware (latest stable).

Step 8 - Wireguard Settings (On MTHAP)

17. Add Wireguard Interface - name=WG-CLIENT
18. Add listening port = 15555 (put same as other)
19. Hit Enter - Router generates a hidden private key but a visible PUBLIC KEY.
(The public key is what you will insert at the RB3011 Router)

Step 9 - Create Subnet

20. Add IP address with interface=WG-CLIENT 172.16.16.2/24

Step 10 - Create Peer in Wireguard (on MTHAP)

21. allowed IPs = 172.16.16.0/24,TrustedSubnet (if applicable from RB3011), Public Key (insert public key generated by RB3011), COMMENT="Peer - RB3011", endpoint address=WANIP(rb3011), endpoint port=15555, keep alive=30 seconds

Step 11 - Create firewall Rules (in MTHAP)

22. add chain=input action=accept in-interface=WG-CLIENT src-address-list=TRUSTED { to enable access to MTHAP from RB3011 or when remote }
23. Firewall address list
add IP address=172.16.16.0/24 list=TRUSTED
add IP address=AdminIP ON RB3011 list=TRUSTED
24. add chain=forward action=accept in-interface=WG-CLIENT dst-address=MTHAPSubnet (if applicable for admin to reach MTHAP subnet)
(Assuming no need for LAN devices on MTHAP to reach LAN on RB3011)

Step 12 - Routes (default route takes care of all traffic)

25. <DAC> dst-address=172.16.16.0/24 gwy=WG-CLIENT table=main { created by router when you entered the wireguard IP address }
26. If you want to be able to access a subnet on the MTHAP from the RB3011 then you need a return route for that traffic!!
dst-address=TrustedSubnet on RB3011 gwy=WG-CLIENT routing-table=main

++++++++++++++++++++++++++++++

Example setup: remote connection via iPhone to RB3011

Name: WG-RB
Public Key Generated by IPHONE ( need to put in peer settings for the iphone on the RB3011)
Address=172.16.16.4
MTU 1420
DNS Servers 1.1.1.1,9.9.9.9

PEER
Public Key ( the public key inserted here that was generated by the RB3011 )
Endpoint address= FixedWANIP of rb3011
Endpoint port=15555
Allowed IPs=172.16.16.0/24,Trustedsubnet on RB3011, MTHAPSubnet { if applicable }
keep-alive=45 seconds
Last edited by anav on Sat Feb 04, 2023 4:27 am, edited 1 time in total.
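Pulling the steps above into a pasteable form, here is an added example of the hub-and-spoke WireGuard setup as RouterOS 7 CLI; it is not anav's own export nor MikroTik documentation. Assumed placeholders: the three peer public keys, 203.0.113.10 as the RB3011 public IP, 192.168.88.0/24 as the RB3011 LAN with the admin desktop at 192.168.88.10, and the default LAN interface list.

```routeros
# ===== RB3011 (hub: static public IP, accepts the handshake on UDP/15555) =====
/interface wireguard
add name=WG-UKR listen-port=15555 comment="private key is generated on add; copy the public key to each peer"

/ip address
add address=172.16.16.1/24 interface=WG-UKR comment="hub end of the WG subnet"

/interface wireguard peers
# allowed-address is WireGuard's cryptokey routing: the hub only accepts packets FROM this
# peer with these source addresses and only sends TO it packets for these destinations
add interface=WG-UKR public-key="<hAP public key>" allowed-address=172.16.16.2/32 comment="Peer1 - MTHAP"
add interface=WG-UKR public-key="<laptop public key>" allowed-address=172.16.16.3/32 comment="Peer2 - Admin laptop remote"
add interface=WG-UKR public-key="<iphone public key>" allowed-address=172.16.16.4/32 comment="Peer3 - Admin iphone remote"

/ip firewall address-list
add address=172.16.16.3/32 list=ADMIN comment="admin laptop (WG address)"
add address=172.16.16.4/32 list=ADMIN comment="admin iphone (WG address)"

# Place these above the final "drop all else" rule of each chain.
# WireGuard is UDP only: an accept on TCP/15555 would never match the handshake.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=15555 log=yes log-prefix="Initial Handshake" comment="WG handshake from spoke and admins"
add chain=input action=accept in-interface=WG-UKR src-address-list=ADMIN comment="admin over WG -> RB3011 itself"
add chain=forward action=accept in-interface=WG-UKR out-interface=WG-UKR src-address-list=ADMIN comment="admin over WG -> hAP over WG (hairpin)"
add chain=forward action=accept in-interface-list=LAN out-interface=WG-UKR src-address=192.168.88.10 comment="local admin desktop -> hAP"
add chain=forward action=accept in-interface=WG-UKR dst-address=192.168.88.0/24 src-address-list=ADMIN comment="admin over WG -> RB3011 LAN"

# Winbox over the tunnel: leave /ip service winbox with an empty From list and
# restrict MAC-Winbox to management interfaces only.
/interface list
add name=Manage
/interface list member
add interface=WG-UKR list=Manage

/tool mac-server mac-winbox
set allowed-interface-list=Manage

# ===== hAP ac lite (spoke: behind Starlink CGNAT, always dials out) =====
/interface wireguard
add name=WG-CLIENT listen-port=15555 comment="copy this interface's public key into the RB3011 peer list"

/ip address
add address=172.16.16.2/24 interface=WG-CLIENT comment="spoke end of the WG subnet"

/interface wireguard peers
# endpoint-* point at the hub; persistent-keepalive refreshes the CGNAT mapping so the hub
# (and admins behind it) can reach back into the spoke; allowed-address covers the whole WG
# subnet so packets sourced by the admin peers (.3/.4) are accepted via the hub, plus the
# RB3011 LAN so the local admin desktop is accepted too. 203.0.113.10 = hub IP placeholder.
add interface=WG-CLIENT public-key="<RB3011 public key>" endpoint-address=203.0.113.10 endpoint-port=15555 allowed-address=172.16.16.0/24,192.168.88.0/24 persistent-keepalive=30s comment="Peer - RB3011"

/ip firewall address-list
add address=172.16.16.0/24 list=TRUSTED comment="everything arriving through the hub"
add address=192.168.88.10/32 list=TRUSTED comment="admin desktop on the RB3011 LAN"

/ip firewall filter
add chain=input action=accept in-interface=WG-CLIENT src-address-list=TRUSTED comment="Winbox/SSH to hAP via the tunnel"
# no forward rule on purpose: LAN devices behind the hAP do not need the RB3011 LAN

# Return route for RB3011 LAN sources; WireGuard does not create it from allowed-address
/ip route
add dst-address=192.168.88.0/24 gateway=WG-CLIENT comment="back to RB3011 LAN via tunnel"

/interface list
add name=Manage
/interface list member
add interface=WG-CLIENT list=Manage

/tool mac-server mac-winbox
set allowed-interface-list=Manage
```

After both sides are up, `/interface wireguard peers print` on the hub should show a recent last-handshake for Peer1 even with no traffic, which is the keepalive doing its job through the CGNAT.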
 
Larsa
Forum Guru
Posts: 1041
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 8:28 pm

But enabling IP forwarding is a pretty big change that's not the default on most OSes – I was thinking there was a ZT client option I'd missed. Doesn't seem like it would even help here, however.

@Amm0: Yup, it's a limitation; these settings are not handled directly by the member nodes (ZT nodes). Unfortunately, the same goes for almost all open source clients for WireGuard, Tailscale etc. It's almost like the FOSS community is bad at it because they are bored by doing that kind of work.

I do understand there might be some challenges managing this directly in regular routers like Mikrotik, but it should definitely be standard on common clients for Windows, macOS and Linux.

Most proprietary solutions for SD-WAN are much better at handling that kind of client configuration change in a uniform way, but do it in slightly different ways: some just push configuration files, others use real-time APIs.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 8:35 pm

Good questions.
It gets a bit hard to predict what you will need without seeing the config.
If you can at least make an attempt at the WireGuard setup and then post your RB3011 config
/export file=anynameyouwish (minus router serial number and any public WAN IP information or keys)

Then we can refine to ensure you have Winbox access.
Right now the setup provided gives you Winbox access, generally speaking, to the MTHAP from both the RB3011 and remotely, and from remote connections to the RB3011.
However, there are things you may have in your config that block such access.

Ensure in the Winbox Services list, you don't enter any IPs in the From column so that all are accepted at this location.
I do recommend using
/tool mac-server mac-winbox
set allowed-interface-list=Manage

Where on both the RB3011 and MTHAP you create an interface list
/interface list
add name=Manage

RB3011
/interface list member
add interface=WG-UKR list=Manage ( remote access)
add interface=TrustedSubnet list=Manage (where the admin does his local work while at the RB3011)

MTHAP
/interface list member
add interface=WG-CLIENT list=Manage (remote access)
add interface=MTHAPSubnet list=Manage (where the admin does his local while at the MTHAP)
 
Amm0
Forum Guru
Posts: 3250
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 8:44 pm

But enabling IP forwarding is a pretty big change that's not the default on most OSes – I was thinking there was a ZT client option I'd missed. Doesn't seem like it would even help here, however.
I do understand there might be a challenge managing this directly in regular routers like Mikrotik, but it should definitely be standard on common clients for Windows, macOS and Linux.
More annoyed that this would be trivial with ZeroTier on MIPSBE. Drop the ZeroTier interface into the bridge and enable bridging on ZT Central**. Or use IP routing if preferred.

** Now to your point about the subtle details in OSS that get missed... the ZT desktop client won't accept a real DHCP response to assign an address, so ZT clients have to be assigned an MT LAN address outside the MT DHCP scope, making it slightly more complex to bridge ZT and ROS, but we digress...

But yes WG to a DC sounds like the way to go for sure here.
 
Larsa
Forum Guru
Posts: 1041
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 9:41 pm

More annoyed that this would be trivial with ZeroTier on MIPSBE. Drop the ZeroTier interface into the bridge and enable bridging on ZT Central**. Or use IP routing if preferred.

I haven't been able to figure out myself why a minimal ZeroTier without the big controller on MIPSBE would be such a problem, but maybe it's because of some dependencies in the source tree they didn't manage to get rid of. Since ROS v7 has become such a monolithic package it's probably a lack of system resources, thus they probably don't consider it worth the hassle to port it to MIPSBE devices that would actually be able to run it.
 
mvdswaluw
just joined
Posts: 13
Joined: Wed Sep 16, 2020 8:56 pm

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 10:04 pm

How about setting up WireGuard as suggested and using the Telegram bot feature to afterwards change which IP it should connect to?

See the recent movies from the Mikrotik Youtube page:
https://www.youtube.com/watch?v=KLX6j3sLRIE&t=407s
https://www.youtube.com/watch?v=xYLYRmpM-Zo
 
Amm0
Forum Guru
Posts: 3250
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 10:16 pm

How about setting up WireGuard as suggested and using the Telegram bot feature to afterwards change which IP it should connect to?
Not sure a potentially fragile script that requires a beta version of ROS should be recommended in this case.
 
mvdswaluw
just joined
Posts: 13
Joined: Wed Sep 16, 2020 8:56 pm

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 11:11 pm

Not sure a potentially fragile script that requires a beta version of ROS should be recommended in this case.
Or use a script to pull the IP from a webpage every xx mins/hours.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 03, 2023 11:21 pm

Or use a script to pull the IP from a webpage every xx mins/hours.
I'm not sure what the purpose should be? If it was enough to have command line access to the remote Tiks, the Telegram solution alone would be sufficient (but I fully agree with @Amm0's remark regarding its fragility). But the OP wants to use Winbox, so a command line solution is clearly insufficient. And if he's got a router on a static public IP, there's no point in using a complicated solution to change the address to connect to on the remote routers. Using a DNS name rather than a fixed address would of course be more flexible; using two or more routers on different public IPs makes it possible to change the address of one of them and reconfigure the remote routers using the other one(s).
 
Larsa
Forum Guru
Posts: 1041
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: How to access Mikrotik behind Starlink (CGNAT)

Sat Feb 04, 2023 12:03 am

Just a side note that might be useful in the future.

I'm aware OP has a static WAN address at home, but it's worth noting that the current implementation of WireGuard doesn't handle dynamic DNS addresses, thus you might need a script that will monitor the public IP address at home if it for some reason would change.

Here is an example of a script found in @anav's excellent guide "Wireguard Success For The Beginner" that detects if a WireGuard endpoint address has changed.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to access Mikrotik behind Starlink (CGNAT)

Sat Feb 04, 2023 4:02 am

Yes, I concur; in this case it's easier as the WAN IP is fixed.
In the dynamic case, one uses the IP Cloud address of the MT server router on the MT client device and, as you note, a script is required for any reason there is an interruption in the service at the server end (be it IP address change, power outage etc.).

It's a feature that MT should build into their code for WireGuard, tied to the fact that if "KEEP ALIVE" has been set on the MT client device, then a script should run automatically when keep-alive returns have not been sent back to the MT client device.......

It could be as simple as a script to keep attempting to resolve the IP Cloud name entered, as there is no point trying the WireGuard tunnel until it's resolved:
1st iteration - 2 minutes
2nd iteration - 5 minutes
3rd iteration - 10 min
4th iteration - 30 min
5th iteration - 1 hr
6th iteration - 6 hrs
7th iteration - 24 hrs
8th iteration - 48 hrs
If no joy, report a dead WG connection.
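The retry ladder above as an added RouterOS script for the spoke (hAP); it is not from anav's guide or the thread. Assumed names: a script and scheduler both called wg-hub-check, the hub peer identified by comment "Peer - RB3011", and a placeholder IP Cloud name for the RB3011; it resolves the name, walks the scheduler interval out along the ladder while resolution fails, and rewrites the peer endpoint when the resolved address changes.

```routeros
# Install once on the hAP (assumed names):
#   /system script add name=wg-hub-check policy=read,write,test source=<this script>
#   /system scheduler add name=wg-hub-check interval=2m start-time=startup on-event=wg-hub-check

# placeholder: the RB3011's IP Cloud name (or any DNS name for the hub)
:local hubName "placeholder.sn.mynetname.net"
:local peerComment "Peer - RB3011"
:local schedName "wg-hub-check"
# backoff ladder from the post above: 2m, 5m, 10m, 30m, 1h, 6h, 24h, 48h
:local backoff {"2m";"5m";"10m";"30m";"1h";"6h";"1d";"2d"}

# retry counter kept in a global so it survives between scheduler runs
:global wgHubRetry
:if ([:typeof $wgHubRetry] != "num") do={ :set wgHubRetry 0 }

:local resolved ""
:local ok true
:do { :set resolved [:resolve $hubName] } on-error={ :set ok false }

:if ($ok) do={
    # resolved: drop back to the fastest interval and fix up the peer if its endpoint drifted
    :set wgHubRetry 0
    /system scheduler set [find name=$schedName] interval=[:totime ($backoff->0)]
    :local peer [/interface wireguard peers find comment=$peerComment]
    :local current [:tostr [/interface wireguard peers get $peer endpoint-address]]
    :if ($current != [:tostr $resolved]) do={
        /interface wireguard peers set $peer endpoint-address=$resolved
        :log info ("WG: hub endpoint changed " . $current . " -> " . $resolved)
    }
} else={
    # unresolved: move one rung up the ladder; stay on the last rung and report a dead tunnel
    :set wgHubRetry ($wgHubRetry + 1)
    :if ($wgHubRetry >= [:len $backoff]) do={
        :set wgHubRetry ([:len $backoff] - 1)
        :log error ("WG: " . $hubName . " still unresolvable at the last backoff step, tunnel considered dead")
    }
    :local next ($backoff->$wgHubRetry)
    /system scheduler set [find name=$schedName] interval=[:totime $next]
    :log warning ("WG: cannot resolve " . $hubName . ", next attempt in " . $next)
}
```

A successful resolution resets the ladder, so a short Starlink outage costs at most one slow rung rather than leaving the scheduler stuck at 48 h.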
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to access Mikrotik behind Starlink (CGNAT)

Sat Feb 04, 2023 4:35 am

RB3011
/ip firewall filter
# Input chain
# (default rules)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# (admin rules)
add action=accept chain=input comment="WireGuard handshakes from the hAP client" dst-port=15555 protocol=udp
add action=accept chain=input comment="admin over WG, ADMIN list only" in-interface=WG-UKR src-address-list=ADMIN
add action=accept chain=input comment="local admin desktop" in-interface-list=LAN src-address=IPofLocalAdminDesktop
add action=accept chain=input comment="LAN DNS" in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input comment="LAN DNS" in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment="drop all else"
# add the drop above as your last input rule in firewall filters
# Forward chain
# (default rules)
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# (admin rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="WG admins into LAN" in-interface=WG-UKR out-interface-list=LAN src-address-list=ADMIN
add action=accept chain=forward comment="LAN into WG" in-interface-list=LAN out-interface=WG-UKR
add action=accept chain=forward comment="relay: WG admin to the hAP via WG" in-interface=WG-UKR out-interface=WG-UKR src-address-list=ADMIN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"


MTHAP
/ip firewall filter
# Input chain
# (default rules)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# (admin rules)
add action=accept chain=input comment="admin over WG, TRUSTED list only" in-interface=WG-CLIENT src-address-list=TRUSTED
add action=accept chain=input comment="local admin desktop" in-interface-list=LAN src-address=IPofLocalAdminDesktop
add action=accept chain=input comment="LAN DNS" in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input comment="LAN DNS" in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment="drop all else"
# add the drop above as your last input rule in firewall filters
# Forward chain
# (default rules)
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# (admin rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="WG trusted into LAN" in-interface=WG-CLIENT out-interface-list=LAN src-address-list=TRUSTED
add action=accept chain=forward comment="LAN into WG (if applicable)" in-interface-list=LAN out-interface=WG-CLIENT
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
 
vitaly2016
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 65
Joined: Wed Jan 20, 2016 9:26 am
Location: Ukraine

Re: How to access Mikrotik behind Starlink (CGNAT)

Sat Feb 04, 2023 11:23 am

Here is a sample of what you need to do on both MT devices.
Step 1
It's awesome!
Thank you, people, for your advice.
I didn't even think how many people over here would help me.
Circumstances are such that I won't be able to continue experimenting with the system until Monday.
But I will try Dear Mr. Anav's advice concerning WireGuard on Monday.
THANK YOU FOR #StandWithUkraine

P.S. All of you were absolutely right concerning Surfshark. There is no way this will work.
I asked them yesterday and today a response came from Surfshark's support:
As per your question, I would offer you to contact Mikrotik support, as they should help you better with your question and finding the solution, you can find them here: https://mikrotik.com/support
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How to access Mikrotik behind Starlink (CGNAT)

Sat Feb 04, 2023 2:59 pm

No worries, I have an email on my profile if you have questions. Don't wait until Monday to set up the RB3011 if you have it with you. We can Skype if necessary.
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3250
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: How to access Mikrotik behind Starlink (CGNAT)

Mon Feb 06, 2023 4:26 am

Another option would be using SSTP from the "starlink mikrotik" to the same public-IP home router; it's dramatically simpler to set up if time is of the essence. But certainly WG likely has better performance, of course.

More to the point, I do know SSTP works to get back over Starlink on MIPSBE (since I do this today to solve the no-ZeroTier-on-MIPSBE problem, or as a backup to ZeroTier on ARM). Since I've never used WG over Starlink I can't say if there are any gotchas, BUT WG should work fine over Starlink.
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to access Mikrotik behind Starlink (CGNAT)

Mon Feb 06, 2023 9:58 am

@Amm0, if you want MITM protection (and I do know why I mention it) when using SSTP, you must use a certificate at least at the server side, which requires importing the CA certificate to each client; if you plan to enable also access from the client sites to the core network, you should generate an individual certificate for each of the clients. This is not necessary with WG - the public key is not delivered by means of a certificate but pre-configured at each peer, and the key pair is generated automatically. So whilst the complexity of SSTP configuration as such is indeed similar to that of WireGuard, and maybe even less confusing at first glance, this aspect adds an extra layer of complication to it. There is one indisputable advantage of SSTP, though - it works in ROS 6.

Specifically for Starlink use in the environment where @vitaly2016 considers it, WG has an advantage. When the Starlink connection is temporarily lost (which does happen because you cannot always position the dish ideally), the client connections do not come from the same public IP address as before once the connection re-establishes. Whereas WG silently adjusts to a change of IP address and port of one of the peers mid-session, SSTP will establish another session and you have to use a script in the profile to remove the old one, otherwise you end up with two or even more routes to the same destination, most of which are dead. It takes the server side much longer to detect the failure than the client one.

To make it even more complicated, both protocols have some edge conditions when they refuse to connect and need a manual intervention, so the best way might be to configure both in parallel.
 
User avatar
bpwl
Forum Guru
Forum Guru
Posts: 2983
Joined: Mon Apr 08, 2019 1:16 am

Re: How to access Mikrotik behind Starlink (CGNAT)

Mon Feb 06, 2023 12:14 pm

you have to use a script in the profile to remove the old one
Not my experience. The SSTP disappears and a new one is created (with the same IP address as set in SSTP user)
My VPN server and client are not at the edge of the LAN networks, but VPN clients sit deep inside those LANs (behind multiple NAT routers, as required for those LANs).
I could have chosen some ARM AP in the LAN as VPN router. :-)

With load balancing (Starlink + multiple 4G connections), when there is a failover I just lose the connection for 30 seconds before a new SSTP is established.
("Keep alive timeout" on client and server side)
Anyway, since the MT DDNS once failed for a few days, I use double SSTP tunnels as failover by route distance (MT DDNS and NO-IP DDNS).

And to have LAN to LAN connectivity with ROS6, SSTP also supports BCP. The Wiki only elaborates on PPTP based BCP: https://wiki.mikrotik.com/wiki/Manual:B ... _bridging)

PPTP is faster than SSTP, but SSTP also should work for BCP. The Wiki says: "SSTP also supports BCP which allows it to bridge SSTP tunnel with a local interface." https://wiki.mikrotik.com/wiki/Manual:Interface/SSTP
BCP allows full 1500-byte packets and tunneling of Netflix and others, while hiding the SSTP and PPTP from Netflix, which stops streaming if a VPN is detected.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How to access Mikrotik behind Starlink (CGNAT)

Mon Feb 06, 2023 3:13 pm

As you both mention, certificates. This presumes the client is comfortable and able to do so with ease on a tight schedule.
If I was going to suggest SSTP it would be a paid third party service (as a backup), easy as pie.....

(1) One input chain rule.
add chain=input action=accept in-interface=SSTP-INTERFACE { allows admin to config router }

(2) One SSTP Client entry through the PPP menu selection.
Name: SSTP-INTERFACE
(Dial Out)
Connect To: Given Winbox Connect Name
User: Given user name
Password: Given password

(3) Go to winbox, enter in the given winbox name:given Port #
and use the admin user name and password for the router ( normal MT ones)
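The same three steps as RouterOS commands, as an added example that is neither anav's nor any provider's configuration. The server name vpn.example.net:443, the account user1, the CA file name provider-ca.crt and the presence of a "drop all else" input rule (as in the filter configs earlier in this thread) are assumptions. Because sindy's MITM point applies here, the example also shows the certificate-verification setting that the default leaves off.

```routeros
# Added example: SSTP client on the router behind CGNAT dialing out to a public SSTP server.
# Assumed values (not from the thread): vpn.example.net:443, user1, provider-ca.crt,
# and an existing input rule commented "drop all else".

# (2) SSTP client entry (PPP > Interface > SSTP Client in WinBox)
/interface/sstp-client add name=SSTP-INTERFACE connect-to=vpn.example.net:443 user=user1 password="replace-me" keepalive-timeout=30 disabled=no

# verify-server-certificate defaults to no, so the client would accept any server
# certificate presented to it. Import the provider's CA into the certificate store,
# then switch verification on so the tunnel only comes up against the real server.
/certificate import file-name=provider-ca.crt passphrase=""
/interface/sstp-client set SSTP-INTERFACE verify-server-certificate=yes

# (1) Input rule: management only over the tunnel, placed before the final input drop
/ip/firewall/filter add chain=input action=accept in-interface=SSTP-INTERFACE comment="admin via SSTP" place-before=[find chain=input comment="drop all else"]

# (3) Confirm the tunnel is connected, then point WinBox at the provider-given name:port
/interface/sstp-client monitor SSTP-INTERFACE once
```

If the provider cannot hand you a CA certificate to import, verification cannot be enabled and the tunnel stays open to interception; that is the trade-off the "easy as pie" route carries.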
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3250
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: How to access Mikrotik behind Starlink (CGNAT)

Mon Feb 06, 2023 3:57 pm

I totally agree WG is best for the situation. I'd recommend the OP follow @anav – best in business at setting up WG.

Given the rugged environment... the other thing I've noticed is the cable is the weak link in Starlink. Had to replace the Starlink cable between dish and ethernet dongle several times. One time squirrels/rats/etc. chewed a cable, and another seemingly overheated (near a metal roof in summer); just replacing the cable fixed it. That's something no VPN fixes. So I'd be reminding the end-user with the dish to be careful with the specialized Starlink cable, which doesn't seem as durable as even regular Cat5/6 cable and is not so easily fixed in the field.
 
ax25
just joined
Posts: 20
Joined: Wed Jul 13, 2022 1:25 am

Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 10, 2023 12:03 am

@vitaly2016 – I've deployed a similar setup (but not with a Starlink). Other guys are right that you need something like a droplet on Digital Ocean which will be used as a WireGuard peer. DigitalOcean will cost you $5 per month, you need very basic configuration. In a nutshell:

Deploy a server in any region (the closest they have is Frankfurt, I think you'll have ~20ms ping, though I have really no experience with Starlink):
https://www.digitalocean.com/community/ ... -debian-11

You can use Ubuntu if you'd like, the main things you have to outline are:
- Networks for both peers (172.16.x.y, 10.0.x.y or something else)
- Endpoint address (your droplet's public IP) and port on which WireGuard will be listening
- Public key of WireGuard interface on your server.

Then, you go to your hAP ac, and:
1) add a WireGuard interface with address in the same network;
2) add a WireGuard peer with aforementioned public key, endpoint address and port;
3) add a keepalive of 20 secs (excellent on ADSL, I suspect it will help with Starlink too)
4) add the WireGuard interface to the LAN interface list, so packets coming from it are not dropped

Test the connection! :)

If you need assistance, please leave your contact details, I will be happy to help. Slava Ukraini!
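The procedure above, and the RB3011/hAP pairing that actually solved the thread, as one added RouterOS 7 example. This is not configuration posted by anyone in the thread; every value is a placeholder: the tunnel subnet 10.255.255.0/24 (server .1, hAP .2, room for further admin peers), the hAP's LAN 192.168.88.0/24, the server's public address 203.0.113.10 (documentation range, an IP Cloud name works the same way), UDP port 15555 (the port the RB3011 input rule earlier in the thread opens), the TRUSTED address list and a "drop all else" input rule as in those filter configs. It also makes one deliberate departure from step 4: instead of adding the tunnel to the LAN interface list, management is accepted only from the server's tunnel address.

```routeros
# Added example: both peers of the WireGuard setup, as RouterOS 7 commands.
# All values are placeholders to replace (see lead-in). Key pairs are generated when
# the interface is created; read each side's public key with  /interface/wireguard print
# and paste it into the other side's peer entry.

# ---- Server side: RB3011 (static public IP) or a VPS running RouterOS CHR ----
/interface/wireguard add name=WG-UKR listen-port=15555 comment="WG server, peers dial in"
/ip/address add address=10.255.255.1/24 interface=WG-UKR
# No endpoint on this peer: the hAP initiates, so its CGNAT address and port are learned
# from the first authenticated handshake and updated whenever Starlink changes them.
/interface/wireguard/peers add interface=WG-UKR comment=hAP-starlink public-key="<hAP public key>" allowed-address=10.255.255.2/32,192.168.88.0/24
/ip/route add dst-address=192.168.88.0/24 gateway=WG-UKR comment="hAP LAN via tunnel"
/ip/firewall/filter add chain=input action=accept protocol=udp dst-port=15555 comment="WireGuard handshakes"

# ---- Client side: hAP ac lite behind Starlink CGNAT ----
/interface/wireguard add name=WG-CLIENT comment="WG client to RB3011"
/ip/address add address=10.255.255.2/24 interface=WG-CLIENT
# persistent-keepalive keeps the CGNAT mapping alive so the server side can reach back in.
# allowed-address covers the whole tunnel subnet so admins relayed through the server are accepted too.
/interface/wireguard/peers add interface=WG-CLIENT comment=RB3011 public-key="<RB3011 public key>" endpoint-address=203.0.113.10 endpoint-port=15555 allowed-address=10.255.255.0/24 persistent-keepalive=20s
# Management only from addresses on the TRUSTED list, placed before the final input drop.
# Narrower than adding WG-CLIENT to the LAN interface list, which would give every tunnel peer full LAN trust.
/ip/firewall/address-list add list=TRUSTED address=10.255.255.1 comment="RB3011 tunnel address"
/ip/firewall/filter add chain=input action=accept in-interface=WG-CLIENT src-address-list=TRUSTED comment="admin via WG" place-before=[find chain=input comment="drop all else"]

# Check: a recent last-handshake on both sides, then a ping across the tunnel
/interface/wireguard/peers print
/ping 10.255.255.1 count=3
```

A remote admin who reaches the hAP through the RB3011 (the WG-UKR to WG-UKR relay rule in anav's config) gets their own peer on the server and their tunnel address added to the hAP's TRUSTED list; nothing else on the hAP needs to change.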
 
vitaly2016
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 65
Joined: Wed Jan 20, 2016 9:26 am
Location: Ukraine

[SOLVED] Re: How to access Mikrotik behind Starlink (CGNAT)

Fri Feb 10, 2023 9:49 am

@vitaly2016 – I've deployed a similar setup (but not with a Starlink). Other guys are right that you need something like a droplet on Digital Ocean which will be used as a WireGuard peer. DigitalOcean will cost you $5 per month, you need very basic configuration. In a nutshell:
If you need assistance, please leave your contact details, I will be happy to help. Slava Ukraini!
Dear @ax25. Glory to the Heroes! Thank you a lot for #StandingWithUkraine.
I was too busy last days to set this thread [SOLVED].
Thank you very much for your advice.

My problem was solved successfully by valuable help of @anav.
In my case I use my own RB3011 as WireGuard server 24/7 with a static public IP, and the hAP behind Starlink is the WireGuard client.
 
KarmaHunter
just joined
Posts: 8
Joined: Tue Mar 20, 2018 8:29 pm

Re: How to access Mikrotik behind Starlink (CGNAT) [SOLVED]

Tue Aug 15, 2023 7:56 pm

I tried to deploy the solutions posted here (VPN) but without having a static IP it was complicated to do my own VPN server. I didn't want to pay monthly for a VPN server nor ask someone behind the Starlink to run AnyDesk every time I needed access to the Mikrotik (hAP Lite).

My solution was to attach a miniPC (about $150 USD and half the size of a Kleenex box) inside the Starlink network. Came with Win 11, installed AnyDesk in unattended mode and Winbox.

It is working great :)
MT-miniPC.jpg
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How to access Mikrotik behind Starlink (CGNAT) [SOLVED]

Wed Aug 16, 2023 4:21 am

Just wanted to point out the one rule in the config provided.
This relay rule is quite advantageous as it allows a remote user to access the haplite via the RB3011 quite easily, assuming the aim is to config the haplite.
If accessing the lan on haplite then the IP Route and allowed IPs already exist on the RB3011 so good to go there.
Since the Wg IP of the remote user is accepted throughout the course of traffic travels...all is good.

Home Server Router RB3011
add action=accept chain=forward in-interface=WG-UKR out-interface=WG-UKR src-address-list=ADMIN
