schwartzie
just joined
Topic Author
Posts: 1
Joined: Thu Aug 10, 2023 6:38 am

CGNAT IP range conflict between Starlink and Tailscale site-to-site VPN

Wed Mar 20, 2024 11:14 pm

Hello,

We have a mobile manufacturing plant built in a trailer that we tow to clients' sites. The trailer has a Starlink (gen 2) in bypass mode for WAN connectivity and an RB5009 serving its LAN. We have an application hosted on the LAN that folks at our office or working from their homes need to access, so we've deployed Tailscale's VPN service to enable remote access.

We're trying to deploy Tailscale in a site-to-site configuration with our office. We have a machine on the trailer that acts as the Tailscale endpoint/subnet router, and we're able to connect to it remotely. Unfortunately, we're running into a conflict in the CGNAT IP range when fully implementing site-to-site, as that requires a static route for 100.64.0.0/10 (i.e. the full CGNAT IP range) with the Tailscale endpoint as the gateway, and our Starlink DHCP lease is 100.88.x.x/10, which also claims the full CGNAT IP range.

When we try to activate site-to-site, there's already a dynamic route created directing 100.64.0.0/10 traffic to the router's WAN port, so remote connections can come into the trailer's LAN, but are misrouted to the WAN port instead of to the Tailscale endpoint.

We can tighten up the IP range that Tailscale uses for our machines, but it'll still be in the CGNAT block. From what I've seen on this forum and elsewhere, there's minimal/no configurability of Starlink's DHCP server, but this post has me wondering if we can potentially pick a static IP in the CGNAT range instead of using a DHCP client, which hopefully could let us manually manage/avoid the conflict.

How would you all approach this? Is there anything else we can do to isolate the WAN connection in a VLAN/SDN so the conflicting routing table entries can be separated?

Thank you!
Larsa
Forum Guru
Posts: 1068
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: CGNAT IP range conflict between Starlink and Tailscale site-to-site VPN

Thu Mar 21, 2024 1:27 pm

Some suggestions: set up your own Tailscale address pool, use IPv6, or switch to ZeroTier.

RB5009 has built-in support for ZeroTier which allows you to pick any or multiple private subnets and also set individual static addresses on any device. There is no problem running ZeroTier and Tailscale in parallel if you prefer during testing.
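To make the routing conflict concrete, here is an added example (not code from either poster, nor a MikroTik tool) that models how RouterOS selects a route: longest matching prefix first, then lowest distance (a connected route created by the DHCP lease has distance 0, a static route defaults to 1). It shows why a static 100.64.0.0/10 route for the subnet router loses to the Starlink connected route, and why the "own address pool" suggestion works: a narrower pool route wins on prefix length alone. The LAN address of the subnet router (192.168.88.10) and the pool 100.100.0.0/24 are assumed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    gateway: str    # next-hop address or outgoing interface
    distance: int   # RouterOS: connected = 0, static default = 1
    kind: str       # "connected" (from DHCP lease) or "static"


def lookup(routes, dst_ip):
    """Pick the route RouterOS would use: longest prefix, then lowest distance."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if ip in r.dst]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.dst.prefixlen, r.distance))


# Constructed: a Starlink lease of 100.88.x.x/10 on ether1 yields this connected route.
STARLINK_WAN = Route(ipaddress.ip_network("100.64.0.0/10"), "ether1", 0, "connected")

# Assumed LAN address of the Tailscale subnet router on the trailer.
TAILSCALE_GW = "192.168.88.10"


def route_with_full_cgnat_static(dst_ip):
    """Naive site-to-site: static route for the whole CGNAT block (the OP's setup)."""
    routes = [
        STARLINK_WAN,
        Route(ipaddress.ip_network("100.64.0.0/10"), TAILSCALE_GW, 1, "static"),
    ]
    # Equal prefix length, so the connected route (distance 0) wins and
    # Tailscale-bound traffic is sent out the WAN interface.
    return lookup(routes, dst_ip).gateway


def route_with_custom_pool(dst_ip, pool="100.100.0.0/24"):
    """Tailscale restricted to its own pool: a more specific static route."""
    routes = [
        STARLINK_WAN,
        Route(ipaddress.ip_network(pool), TAILSCALE_GW, 1, "static"),
    ]
    # /24 beats /10 on prefix length regardless of distance; anything else in
    # 100.64.0.0/10 (e.g. the Starlink gateway itself) still goes via ether1.
    return lookup(routes, dst_ip).gateway


if __name__ == "__main__":
    print("full /10 static:", route_with_full_cgnat_static("100.100.0.5"))   # ether1
    print("custom /24 pool:", route_with_custom_pool("100.100.0.5"))         # 192.168.88.10
    print("Starlink side:  ", route_with_custom_pool("100.88.1.1"))          # ether1
```

The check a defender wants here is the middle line: once the pool is narrowed, a packet for a Tailscale peer no longer leaks out the Starlink WAN port, while the Starlink gateway's own CGNAT address is still reached through ether1.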
