Community discussions

MikroTik App
 
danieltnc1981
newbie
Topic Author
Posts: 32
Joined: Sun Jul 16, 2017 1:27 pm

Mikrotik And Starlink Port Forwarding Question

Fri Mar 24, 2023 6:24 pm

Mikrotik and Starlink

Good evening everyone
I need help for Starlink and Mikrotik
Activated the Bypass Mode on my Starlink, connected to the Eht1 of my microtik, and I go out on the Internet correctly
Now my need is to activate remote access to the mikrotik, and the opening of some ports and the activation of a VPN ipsec to ipsec
Starlink uses a CGNAT, how can I be able to open the ports?


I also activated a VPN to a pfsense and it only works on one side. From the Mikrotik network I see the pfsense network, but from the pfsense network I don't see the mikrotik network.

2) Can I activate a second internet connection on the Mikrotik and use only the VPN connection with it, and the Internet connection with the Starlink?



How can I do?

Is there really no possibility to open doors with my Mikrotik and Starlink?

I await your reply

Greetings
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Mikrotik And Starlink Port Forwarding Question

Fri Mar 24, 2023 6:41 pm

Starlink doesn't let you open ports, nothing to be done about that.

If your router is ARM-based, ZeroTier is your best option since both ends can be CGNAT.

If the other end of the VPN has a "real"/open public IP, Wireguard (and some other VPNs too) can work. But this requires some fixed router that's the VPN hub.

You can add a 2nd internet connection for remote management. This involves some firewall rules and "policy routing", not too hard but not click-a-button simple. If both ends are behind CGNAT/restricted firewall AND your Mikrotik is not based on ARM for ZeroTier...then this be your only approach.
 
danieltnc1981
newbie
Topic Author
Posts: 32
Joined: Sun Jul 16, 2017 1:27 pm

Re: Mikrotik And Starlink Port Forwarding Question

Fri Mar 24, 2023 6:54 pm

Thanks for your reply

My mikrotik is a rb4011

Can I then activate zero tier?

How does it work?

Do you have any guide?

I saw on Mikrotik router there is wireguard entry, my router os is 7.8
Last edited by danieltnc1981 on Fri Mar 24, 2023 6:55 pm, edited 1 time in total.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Mikrotik And Starlink Port Forwarding Question

Fri Mar 24, 2023 6:54 pm

To clarify.

Standard VPN functionality requires you to have a publicly accessible IP, not the case with Starlink.
Thus you cannot use your router as the HOME BASE for VPN like wireguard

Therefore you have to use an external HOME Base for the VPN, it could be another location (relative, friends house) or a third party provider or hosting your own at a datacenter.
There is nothing stopping the MT behind starlink from connecting OUTBOUND to make a wireguard or VPN connection. It just cannot HOST any inbound connections with VPN.

Zerotier (requires arm) gets around this in a way because it uses the third party concept alluded to above. The HOME is in the cloud so to speak. It, like wg is an available options package for arm devices.

Yes, RB4011 is arm32 device.
viewtopic.php?t=183424
 
danieltnc1981
newbie
Topic Author
Posts: 32
Joined: Sun Jul 16, 2017 1:27 pm

Re: Mikrotik And Starlink Port Forwarding Question

Fri Mar 24, 2023 6:59 pm

However I have activated an OpenVpn connection to a Pfsense on another remote network and it works, from Mikrotik I see the Pfsense and I can access my server, but from the Pfsense I don't see the printers in my office
With the old connection this worked, maybe because there are no open ports in Starlink
How can I go about solving this?


At this point the only solution is to adopt ZeroThier right?
My router should support it

Can I open ports forwarding with zerothier?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Mikrotik And Starlink Port Forwarding Question

Fri Mar 24, 2023 7:18 pm

If the connection you had was from a vpn connection to an external host, there is no reason why reverse traffic is not possible.
Its transparent to the starlink at that point.

I have not used zerotier, the link I gave you and the MT DOCS are your best resources. ( https://help.mikrotik.com/docs/display/ROS/ZeroTier )
Best you apply some brain muscle and attempt on your own and come back when ready to ask questions.......

https://www.youtube.com/watch?v=60uIlyF8Z5s
https://www.youtube.com/watch?v=eFI59jJ2MM8
https://www.youtube.com/watch?v=dfv1yrclHM0
 
optio
Long time Member
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Mikrotik And Starlink Port Forwarding Question

Fri Mar 24, 2023 7:24 pm

Maybe this thread will help: viewtopic.php?t=133383
 
wiseroute
Member
Member
Posts: 352
Joined: Sun Feb 05, 2023 11:06 am

Re: Mikrotik And Starlink Port Forwarding Question

Fri Mar 24, 2023 8:31 pm

hello.
However I have activated an OpenVpn connection to a Pfsense on another remote network and it works, from Mikrotik I see the Pfsense and I can access my server, but from the Pfsense I don't see the printers in my office
ok. would you be kind enough to let us know which one is your OpenVPN server? is it your pfsense nor the mikrotik?

my guess is your pfsense is the server.

the mt client maybe already have the OpenVPN push route to the server. but not the other way around to the printer in mikrotik network.

basic tools from pfsense subnet:
1. ping to printer.
2. if failed, traceroute to it.
3. if failed at pfsense, netstat -rn from your server - does it have the route to the printer?
4. if it is reachable, then your printer has choose the wrong gateway to server subnet. split tunneling.
5. or, the printer maybe doesn't even have the route to the server subnet. fix it.

6. and the last thing is the protocol used by your printer dictates how you will see it. either smb or unix printer, broadcast or unicast etc.

+++ edit

7. and do check your firewall in mt subnet, if any.

hope this helps.

Who is online

Users browsing this forum: GoogleOther [Bot], outtahere and 65 guests