Community discussions

MikroTik App
 
JohnnyLightwave
just joined
Topic Author
Posts: 16
Joined: Mon Sep 19, 2022 10:05 pm

Simple Starlink setup doesn't work

Mon Sep 19, 2022 10:12 pm

Hi all, very first time using MikroTik. Bought a Hex5 to block the ports of my IP cameras from the internet.

I have Starlink. The MicroTik POE/Wan port plugs into Starlink. Then I have a 16-port cat5 hub that plugs into the MicroTik's first ethernet port.

I haven't attempted to do any blocking or setup yet-- this is just a straight, out of the box plug in. I can't see internet, and I can't see the Starlink router at 192.168.100.1 either. If I move the MicroTik to be anywhere but between the Cat5 hub and Starlink (i.e. put it on the line between my computer and the hub), it all works fine. I am not attempting to use Starlink's POE, the Hex5 is plugged into the wall.

Is there anything special I have to do for Starlink? Crude diagram of setup attached, just in case my descriptions don't convey.
SDeXFCD.jpeg
You do not have the required permissions to view the files attached to this post.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Simple Starlink setup doesn't work

Mon Sep 19, 2022 10:36 pm

What is exactly your RouterBOARD and RouterOS version?
 
JohnnyLightwave
just joined
Topic Author
Posts: 16
Joined: Mon Sep 19, 2022 10:05 pm

Re: Simple Starlink setup doesn't work

Mon Sep 19, 2022 10:54 pm

My OS is 6.49.6 ... routerboard version, I'm not sure where to find it, the product has "RB760iGS" on it.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Simple Starlink setup doesn't work

Mon Sep 19, 2022 11:51 pm

I highly doubt the starlink can be powered from the hex.
The starlink comes with its own POE does it not, use that.

Concur, no one should use the starlink router LOL.

Gen1 starlink Router has an extra ethernet port which you can attach to the router
Gen1 requires a POE adapter, supplied with the kit

Gen2 starlink Router, you need to get a stark link ethernet adaptor
Gen2 does not require a POE adapter.

So where is the problem??

+++++++++++++++++++++++++++++

In any case will assume poe is not the issue and that you are getting ethernet from either the router itself or the ethernet adaptor and getting public IP.

SO we cannot help further until you show how you have screwed up the config.

/export hide-sensitive file=anynameyouwish and post it here, be sure not to include serial number and any public WANIP info.
 
JohnnyLightwave
just joined
Topic Author
Posts: 16
Joined: Mon Sep 19, 2022 10:05 pm

Re: Simple Starlink setup doesn't work

Tue Sep 20, 2022 12:05 am

I'm not trying to power the Starlink from the hex. I have Starlink setup normally, with its own wireless router still in operation. I have the cat5 adapter to make it a wired connection. This goes to the WAN port in the hex, and then ethernet1 on the hex goes to the uplink on the switch that goes through my house (before you ask, yes I plugged it into a non-uplink port just to touch all bases).

Everything works if I put the hex between my computer and the switch... it just won't work between the switch and starlink. (Just to test I tried my old centurylink router, and it has no problem moving packets-- but unfortunately it can't be accessed by its normal IP, and neither starlink nor nmap list it as a device on the network, or I would just try to block the ports there)
 
JohnnyLightwave
just joined
Topic Author
Posts: 16
Joined: Mon Sep 19, 2022 10:05 pm

Re: Simple Starlink setup doesn't work

Tue Sep 20, 2022 12:06 am

As for screwing up the config-- I just plugged it in out of the box (of note: the mac address on the device and its real mac address do not match). Then I factory reset it. I have not yet attempted to do any firewalling, I wanted to get to a baseline "everything works" before trying to make adjustments.
 
JohnnyLightwave
just joined
Topic Author
Posts: 16
Joined: Mon Sep 19, 2022 10:05 pm

Re: Simple Starlink setup doesn't work

Tue Sep 20, 2022 1:10 am

One more possible clue:
If I add in ANOTHER SWITCH between Starlink and the Hex, I can see internet. But then I can no longer see anything on the local network (i.e. can't access cameras or network hard drives or network printers).

So my setup goes:

Starlink -> Switch -> Hex -> Switch -> Home computer & rest of LAN

Is there some kind of incompatibility between RouterOS and Starlink? Something that gets solved by sticking another switch in-between?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Simple Starlink setup doesn't work

Tue Sep 20, 2022 1:32 am

So you are providing a private IP from the starlink to the hex router??
It sounds like your not bypassing the star link router?

BYPASS Starlink router Goal

GEN1: From the white side of the supplied POE device (the right side), do not plug the ethernet port to the starlink router.
Instead plug it into the wan port of your router. The black ethernet part of the POE device goes to the antenna.
You no longer need to use or power the starlink router.

GEN2 Bridge mode through APP. (using separately purchased ethernet adapter)
Starlink App: Under settings --> Advanced ---> Bypass Starlink WIFI Router
Then hit SAVE! The starlink router needs to remain powered on in bridge mode.

So which one did you do??
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Simple Starlink setup doesn't work

Tue Sep 20, 2022 1:33 am

If you dont want to use the hex as a router then just plug it into the switch directly.....................
In other words, as I thought this was a nothing burger.
 
JohnnyLightwave
just joined
Topic Author
Posts: 16
Joined: Mon Sep 19, 2022 10:05 pm

Re: Simple Starlink setup doesn't work

Tue Sep 20, 2022 1:36 am

I haven't bypassed the Starlink router because it's located in a place where several people use the wireless from it.
Is there any way to put the hex into a mode where it ONLY passes/filters the packets and doesn't try to route? I tried turning off the DHCP server and putting it into bridge mode, but all it did then was cut off my internet again.

All I want to do is block ports 8000-8010 from ever getting to Starlink! Twenty years ago this would have been a simple task. How do I achieve this impossible feat in 2022???
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Simple Starlink setup doesn't work

Tue Sep 20, 2022 2:11 am

AHA now we are getting to the real requirements!!

For this exercise assuming you are getting a lan subnet from the starlink of 192.168.2.0/24 and LANIPs like 192.168.2.5 and the starlink lan gateway IP is 192.168.2.1

[By the way the stupid WANIP one gets from bypassing the router (gen1) or bridge mode (gen2) is carrier grade NAT, or basically useless bastardized nat where the public IP is not useable for much I think.]


In any case to use the hex:
This is what you need to do
....
/interface bridge
add name=bridgehex
/interface ethernet
set [ find default-name=ether5 ] name=emergaccess-5
/interface list
add name=management
/interface bridge port
add bridge=bridgehex interface=ether1  { to starlink }
add bridge=bridgehex  interface=ether2  {to switch }
add bridge=bridgehex interface=ether3  { to whatever }
add bridge=bridgehex  interface=ether4  { to whatever }
/ip neighbor discovery-settings
set discover-interface-list=management
/interface list member
add interface=bridgehex  list=management
add interface=emergaccess-5  list=management
/ip address
add address=192.168.2.X  comment="address of hex on starlink lan subnet"
add address=192.168.5.1/24 interface=emergaccess network=192.168.5.0 comment="ether5 access off bridge"
/ip firewall filter
add chain=input action=accept in-interface=emergaccess-5 src-address=192.168.5.0/24
add chain=input action=accept src-address=192.168.2.X  comment="allow admin to router for config"
add chain=input action=accept src-address=192.168.2.Y  comment="allow admin to router for config"
add chain=input action=drop src-address=192.168.2.0/24 dst-port=winboxport protocol=udp  comment="drop rest of LAN from access tor router"
add chain=forward action=drop dst-port=8000-8010 protocol=tcp
add chain=forward action=drop dst-port=8000-8010 protocol=ucp
/ip dns
set allow-remote-requests=yes servers=192.168.2.1 comment="dns through trusted subnet gateway"
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.2.1 comment="ensures route avail through trusted subnet gateway"
/ip service
set winbox address=192.168.2.X,192.168.2.Y,192.168.5.0/24  etc. *****
/tool mac-server mac-winbox
set allowed-interface-list=management
.....
/ip service
set winbox address=192.168.2.X, 192.168.2.y, 192.168.5.0/24 etc. *****

***** Where X and Y are your (ADMIN IP) addresses for your desktop, laptop, smartphone, ipad on the starlink lan subnet. In this way although anyone could theoretically access the Hex from the starlink lan for config purposes, this winbox service setting ensures only you can (besides username and password protection of course). I will add firewall rules to also ensure this is true.

If for example you always would use 192.168.5.5 to set on ipv4 computer settings, when attaching your laptop to ether5 for emergency access to the router you could narrow down the input chain firewall rule and the winbox settings to that specific IP, but not necessary.

For the IP address of the hex, suggesting using a number not likely to be used by the starlink.
If it starts giving out IP addressess 192.168.2.2 and up then give the hex an address of 192.168.2.220 for example.

+++++++++++++++++++

Feel free to ask any questions. The idea here is the ether ports (except 5) are on the same bridge and getting dhcp from the starlink.
The extras added allow you to access the hex while connected to the lan or directly via ether5. Ether 5 for extra backup is not on the bridge so if the bridge gets screwed you can still access the hex. The hex is in this mode basically a switch with a few router like functions in the mix.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Simple Starlink setup doesn't work

Tue Sep 20, 2022 2:15 am

NM.....
 
JohnnyLightwave
just joined
Topic Author
Posts: 16
Joined: Mon Sep 19, 2022 10:05 pm

Re: Simple Starlink setup doesn't work

Tue Sep 20, 2022 3:09 am

Hi Anav-- that DID work to make it a passthrough router!
But I have a question... right now my configuration is:

Starlink Router (with wireless) -> Hex -> Switch -> Rest of house

My IP Cameras use ports 8000-8010 (which I wanted blocking). Now: I would expect those to be blocked when accessing the Starlink's wireless router. Is than an incorrect assumption, because the wireless router is on the LAN? I'm able to see the cameras from both the "Rest of house" and when I'm on the "Starlink Wireless." I was expecting the hex to act as a dam of sorts, and refuse to set the pins for the outgoing message up to the Starlink router. This is because the Starlink is located in a guest house, and I'd prefer neither the guests nor the internet have access to those cameras.

Is there a way to get this effect? I was able to get it when I put the router between the switch and the computer (but away from the Starlink).

(Note: I did add a filter for src-port as well, since the cameras send out with ports 8000-8010)
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Simple Starlink setup doesn't work

Tue Sep 20, 2022 4:34 am

Good question.

I found an error on my config I forgot on the IP address to detail the interface, it should be the bridge.......
/ip address
add address=192.168.2.X interface=bridgehex comment="address of hex on starlink lan subnet"


See if that makes a difference but assuming you probably did this on your own anyway!

I would have thought that the rule would block any wired traffic on those ports coming behind the router aka from the switch.........
I will have to think about why that is not working.

Clearly nothing you can do about the wifi from the starlink itself as that is available before the hex comes into play.

Try this instead........

add chain=forward action=drop src-port=8100-8110 dst-port=8100-8110 protocol=tcp out-interface=ether1
add chain=forward action=drop src-port=8100-8110 dst-port=8100-8110 protocol=udp out-interface=ether1


I
 
2frogs
Forum Veteran
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Simple Starlink setup doesn't work

Tue Sep 20, 2022 4:46 am

Anav missed that to use IP Firewall on Bridge Ports, you need:
/interface bridge settings set use-ip-firewall=yes
But this comes at a cost, CPU usage.

Edit: Should have mentioned that I have no issues with my HexS connecting to my Starlink 2nd Gen ethernet adapter.
 
JohnnyLightwave
just joined
Topic Author
Posts: 16
Joined: Mon Sep 19, 2022 10:05 pm

Re: Simple Starlink setup doesn't work

Tue Sep 20, 2022 12:12 pm

Hi again... thanks for the input 2frogs! I think I am SO CLOSE to getting this working now!

I have one final issue: Now my Starlink Wireless cannot see the internet (this actually happened before implementing 2frog's addition). I am only able to see the internet from BEHIND the hex now.

I've reset the whole hex and re-implemented the simplest version of the above that I could (i.e. no remote access, no security, ONLY going into bridge mode). I currently have all the firewall filters turned off. This is my current setup:


Startlink Router + WIFI --> Hex ---> Switch --> Home network

When I connect to the Starlink Router + Wifi with a smartphone, it connects, but sees no internet. From within the home network I see internet fine. I do want internet access through the starlink router for guests, and I don't care if they're firewalled (although I do want them prevented from receiving ports 8000-8010).

Any idea what's interfering on the Starlink end to nuke the internet from the starlink wifi?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Simple Starlink setup doesn't work

Tue Sep 20, 2022 1:52 pm

Makes no sense to me..........the starlink wifi doesnt depend on the hex being there.........
 
JohnnyLightwave
just joined
Topic Author
Posts: 16
Joined: Mon Sep 19, 2022 10:05 pm

Re: Simple Starlink setup doesn't work

Tue Sep 20, 2022 2:20 pm

I agree completely... but I think this might be the end of this experiment. I'm running into too many problems doing this-- after looking at the matter further I'm seeing that various devices inside the home network do and don't have access to the internet at various times. I think the combination of hex as firewall, then starlink as router just isn't going to work the way I want it to.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Simple Starlink setup doesn't work

Tue Sep 20, 2022 2:32 pm

Looking at alternative rule set so go back to its working for all users until I can provide something else.

Just to be clear, I can understand blocking wifi users on the starlink from accessing lan devices behind the hex.
But surely you also have the IP addresses of those devices and not just the ports in question?

Second, how would such devices originate or send information on those ports ( do they also stream data )?
Last edited by anav on Tue Sep 20, 2022 2:36 pm, edited 1 time in total.
 
User avatar
Znevna
Forum Guru
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Simple Starlink setup doesn't work

Tue Sep 20, 2022 2:36 pm

Sounds like the config on your HEX is garbage and probably still has a DHCP server running or it does some other funky stuff in your network.
If the only goal to all this is to add another firewall between your IP cameras and the internet, just set that HEX as a normal router and add another layer of NAT and keep only the CCTV system behind it, and that's it.
Or, post an export of your current config to see what you did so far on that HEX.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Simple Starlink setup doesn't work

Tue Sep 20, 2022 2:37 pm

The OP doesnt want double nat, all users have to be one the same LAN network...............................
 
JohnnyLightwave
just joined
Topic Author
Posts: 16
Joined: Mon Sep 19, 2022 10:05 pm

Re: Simple Starlink setup doesn't work

Tue Sep 20, 2022 3:09 pm

Anav, I can optionally block their IP addresses. Port was just a convenience, so I could add more cameras without having to update anything, since the cameras all talk on ports 8000-8010 out of the box.

But at this point, just plugging in the hex, even in full bridge mode, just seems to cause interference all over the place. I expect I just don't have the know-how to do this setup (I did something similar about 20 years ago, before the internet companies started supplying modem/router combinations, but that was modem -> firewall -> router/switch , whereas this is modem/router -> firewall -> switch) and I'm making assumptions based on ancient technology. :)

And yeah, I don't want to start turning this into a huge project with multiple networks and virtual networks all over the place... I had intended to plug this in, block ten ports from crossing it, and get on with my day.

Znevna: In trying to reduce everything to its simplest "just works/nothing fancy" state, I several times factory reset the hex and did nothing but switch it from router to bridge, just to try to get it sit transparently between the Starlink router and the switch. I can't even get it to do that without causing devices on my home network to randomly lose internet and stop being able to see each other. I think at this point if I can get it to sit quietly without causing disorder, I could get the port filtering going. But I need to get to that point first.

One thing I am concerned about is, my hex has a mac address printed on the back of it, but that's not the real mac address, the actual address I had to determine by ip scanning the network. This makes me concerned the dealer may have given me a refurbished or hacked box advertised as new, and it's simply not going to work no matter how well I set it up.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Simple Starlink setup doesn't work

Tue Sep 20, 2022 3:15 pm

Apparently since you are
a. all on the same LAN
b. hex has a hardware switch chip.

It is difficult, especially because b. means the router will bypass the firewall rules.

SO this is the new config and new rules using bridge filtering vice firewall filtering..........
/interface bridge
add name=bridgehex
/interface ethernet
set [ find default-name=ether5 ] name=emergaccess-5
/interface list
add name=management
/interface bridge port
add bridge=bridgehex interface=ether1  { to starlink }
add bridge=bridgehex  interface=ether2 hw=no  {to switch - note we turn hw switching OFF for this port }
add bridge=bridgehex interface=ether3  { to whatever }
add bridge=bridgehex  interface=ether4  { to whatever }
/ip neighbor discovery-settings
set discover-interface-list=management
/interface list member
add interface=bridgehex  list=management
add interface=emergaccess-5  list=management
/ip address
add address=192.168.2.X  comment="address of hex on starlink lan subnet"
add address=192.168.5.1/24 interface=emergaccess network=192.168.5.0 comment="ether5 access off bridge"
/interface bridge filter
add chain=forward mac-protocol=ip ip-protocol=udp in-interface=ether1 dst-port=8100-8110 action=drop
add chain=forward mac-protocol=ip ip-protocol=tcp in-interface=ether1 dst-port=8100-8110 action=drop
add chain=forward mac-protocol=ip ip-protocol=udp out-interface=ether1 src-port=8100-8110 action=drop
add chain=forward mac-protocol=ip ip-protocol=tcp out-interface=ether1 src-port=8100-8110 action=drop
/ip dns
set allow-remote-requests=yes servers=192.168.2.1 comment="dns through trusted subnet gateway"
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.2.1 comment="ensures route avail through trusted subnet gateway"
/ip service
set winbox address=192.168.2.X,192.168.2.Y,192.168.5.0/24  etc. *****
/tool mac-server mac-winbox
set allowed-interface-list=management
Changes
1. MODIFIED ---> /interface bridge port, changed ether2 port to have no hardware chip offload hw=no
2. REMOVED IP Firewall rules
3. ADDED IP Bridge Filter rules
 
JohnnyLightwave
just joined
Topic Author
Posts: 16
Joined: Mon Sep 19, 2022 10:05 pm

Re: Simple Starlink setup doesn't work

Tue Sep 20, 2022 4:01 pm

Anav, you're a godsend. I believe it was the hardware option that did it. Everything is now working exactly as I'd expect. Thank you for your assistance!
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Simple Starlink setup doesn't work

Tue Sep 20, 2022 4:07 pm

I had help, believe I am not that good, suffice to say forum users are very supportive...........

Who is online

Users browsing this forum: cdblue, kkeyser and 36 guests