Starlink. It’s the internet, from space!

Paladin

Ars Legatus Legionis
32,552
Subscriptor
There are a LOT of hotel networks, public Wi-Fi networks, office/corp networks, etc and large ISPs that don't yet have IPv6. It's nowhere nearly as ubiquitous as some people seem to think, not even close.
Definitely true but this was some piece of network gear or something... shoot. I can't remember now though. I should have made note of it at the time because it was really a surprise to me.
 

malor

Ars Legatus Legionis
16,093
You guys are arguing different things. Xelas is talking about inbound VPN into your house. Everyone else is talking about outbound VPN to an employer/etc (which mostly works fine, no different than any ISP with CGNAT)
If you use a VPN provider that will let you allocate an open port (Mullvad no longer allows this, for example), then you can assign yourself one, and then have your local VPN host listen on that interface and port. With systems that use WireGuard, both the local and remote IP will usually be static, so you can just hardcode your home connection to the external IP and port pairing you have. If you're on an OpenVPN provider, your local IP is usually not static, so you have to either listen to the interface on a port, or else determine the IP with a script and then modify your VPN config to listen on that local IP. (Usually interface listening is easier.)

If your external IP can change, like with using a pool of VPN servers instead of a specific one, then you can run dynamic DNS registration to update some provider with where you are. That would let you connect to, say, "yourtarget.dnsprovider.com:37281".

CGNAT is a real pain in the ass, and a real IPv4 address is a lot easier, but you can work around its lack and still initiate connections into your home network. But it will probably take an open source OS, some finesse to get it working, and careful selection of VPN provider.

If you're a Unix noob, that's gonna be a tall hill to climb, particularly if your intended VPN host is not your external firewall/router. That makes things a lot more complex. But even hosting a chained VPN like that on a single device can involve some trickery. For instance, you would probably not want to set your default route to go out the outbound VPN connection. And the two layers of VPN are gonna require a pretty small MTU.

Actually, now that I think about it, that's gonna be hard whether it's on the firewall or on a separate box. It'll take a pretty good understanding of static routing to make it work well in either case. Definitely doable, but will take substantial thought and troubleshooting.

tl;dr: CGNAT sucks, but you should be able to work around it with sufficient cleverness. IPv6, however, would probably be easier.
 

jacketpotato

Smack-Fu Master, in training
5
Yes, as I understand it, you are effectively double NATed, your router gets an IP from your ISP that is in the CGNAT address space, so hundreds of customers can share a single 'real' IPv4 address. It's now fairly common. So your router gets e.g. 100.64.1.1 which is the CGNAT address, and then the ISP will give a group of CGNAT addresses like e.g. 100.64.1.0/24 a single public IPv4 address. I hope that explains it fairly well.

Doing this obviously causes many issues, mainly caused by the fact you now have 100s or 1000s of users on a single public IP which makes IP bans impossible. Sadly, many ISPs in the UK such as TalkTalk and Virgin Media refuse to implement IPv6, but at least TT (my ISP) isn't doing CGNAT due to the large allocation of IPs they have due to their age.
 

Xelas

Ars Praefectus
5,444
Subscriptor++
Yes, as I understand it, you are effectively double NATed, your router gets an IP from your ISP that is in the CGNAT address space, so hundreds of customers can share a single 'real' IPv4 address. It's now fairly common. So your router gets e.g. 100.64.1.1 which is the CGNAT address, and then the ISP will give a group of CGNAT addresses like e.g. 100.64.1.0/24 a single public IPv4 address. I hope that explains it fairly well.

Doing this obviously causes many issues, mainly caused by the fact you now have 100s or 1000s of users on a single public IP which makes IP bans impossible. Sadly, many ISPs in the UK such as TalkTalk and Virgin Media refuse to implement IPv6, but at least TT (my ISP) isn't doing CGNAT due to the large allocation of IPs they have due to their age.
That's exactly right. If your router gets an address within 100.64.0.0/10, i.e. IP addresses from 100.64.0.0 to 100.127.255.255, then you can assume that you are behind a CGNAT and you do not have a way to get to your network from the internet or any way to do any port forwards. Dynamic DNS services won't work, etc. You have no control over the "real" public IP that your traffic NATs to, either. This means that, for example, if you want to set up an outbound VPN from your CGNAT network, you cannot put any rules on your VPN server that would limit VPN access to a specific range of IPs because, in theory, that IP may change at any time.
None of this usually matters unless you need to VPN into your LAN, in which case you would need to host a VM somewhere on a public IP that you can use as a bridge to tunnel into your network.
 

teleos

Wise, Aged Ars Veteran
333
That's exactly right. If your router gets an address within 100.64.0.0/10, i.e. IP addresses from 100.64.0.0 to 100.127.255.255, then you can assume that you are behind a CGNAT and you do not have a way to get to your network from the internet or any way to do any port forwards. Dynamic DNS services won't work, etc. You have no control over the "real" public IP that your traffic NATs to, either. This means that, for example, if you want to set up an outbound VPN from your CGNAT network, you cannot put any rules on your VPN server that would limit VPN access to a specific range of IPs because, in theory, that IP may change at any time.
None of this usually matters unless you need to VPN into your LAN, in which case you would need to host a VM somewhere on a public IP that you can use as a bridge to tunnel into your network.
Thank you both for the clear explanations!
 

sryan2k1

Ars Legatus Legionis
44,493
Subscriptor++
Also to clarify, CGNAT is a bit more involved than your router at home, specifically around things like mapping ranges of ports to customers, and most importantly logging for legal reasons.

CGNAT can be used in any IP space, but 100.64.0.0/10 is common. If a carrier wants to use some of their public space for it they're more than welcome to.


Site to site VPNs are possible, but one end will need a non-NAT public IP and your VPN solution will need to use some cleverness (UDP Hole punching), coordinated by some cloud endpoint. Meraki's AutoVPN is the most common but most SDWAN vendors can do this.
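
An added example, not part of any post in this thread: a Python check that combines the 100.64.0.0/10 test described by Xelas with sryan2k1's caveat that a carrier may run CGNAT in other address space. The status labels and the `observed_public_ip` parameter (the address an outside host sees your traffic come from, obtained however you prefer) are assumptions made for this sketch.

```python
import ipaddress

# RFC 6598 shared address space: the range named in the posts above.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here also means an upstream NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip, observed_public_ip=None):
    """Classify the IPv4 address the router received on its WAN interface.

    observed_public_ip is optional; without it, a WAN address outside the
    shared and private ranges cannot be judged, because CGNAT can be run
    in public space as well.
    """
    wan = ipaddress.ip_address(wan_ip)
    if wan.version != 4:
        raise ValueError("this check applies to IPv4 WAN addresses only")
    if wan in CGNAT_SHARED:
        return "cgnat-shared-space"
    if any(wan in net for net in RFC1918):
        return "private-upstream-nat"
    if observed_public_ip is None:
        return "unknown-need-external-view"
    if ipaddress.ip_address(observed_public_ip) != wan:
        # WAN address looks public, yet the outside world sees another one.
        return "nat-in-public-space"
    return "public-direct"


def inbound_possible(status):
    """Port forwards and dynamic DNS only help when the WAN IP is the real one."""
    return status == "public-direct"


if __name__ == "__main__":
    # Constructed sample inputs; 203.0.113.0/24 and 198.51.100.0/24 are
    # documentation ranges standing in for real public addresses.
    samples = [("100.64.1.1", None), ("192.168.0.2", None),
               ("198.51.100.9", "203.0.113.7"), ("203.0.113.7", "203.0.113.7")]
    for wan, seen in samples:
        status = classify_wan(wan, seen)
        print(f"{wan:15} seen as {seen}: {status}, inbound={inbound_possible(status)}")
```

Any result other than `public-direct` also means a source-IP allowlist on a remote VPN server cannot be pinned to your connection, which is the limitation Xelas describes.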
 

w00key

Ars Praefectus
5,907
Subscriptor
For anyone with Starlink is it worth it to spend the $2500 to go with the FLAT HIGH PERFORMANCE package vs. the standard?

Are the upload and download speeds that much better?
It might do something if your cell is overloaded, but at $2500 a month you would try everything else first including trying to get a fiber strung for $10k+ or a new pole/tower for fixed wireless.

They can't sell too much of them too or it just won't work, you can QoS if everyone has the premium package.
 

sryan2k1

Ars Legatus Legionis
44,493
Subscriptor++
The key item on the mobile priority is maritime use. The fixed plans will not work in motion (artificial software/firmware limitation), and the mobile standard will not work off the mainland.


The $5k/month plans are for Yachts that rent out for $250k a week.

I follow M/V Loon on YouTube and they've got a pair of them for redundancy dedicated solely to guest internet.
 
For anyone who has Starlink and works from home. Are you seeing issues with Zoom/Teams calls?

On the personal usage side: Any issues streaming from multiple devices at the same time ie: an iPad + Apple TV? Any issues downloading large games from Steam? Or a full OS reinstall for a Mac?

Right now I'm at 30-45 minutes for a 100GB download from Steam on FIOS.

Am I going to run into issues with anything that I described?

**Starlink is my backup if my local fiber company can't come through in 30 days. They have told me numerous times they would and they are about .5 miles away in terms of U/G work.
 

phoenix_rizzen

Ars Praefectus
4,236
Subscriptor
It all depends on how crowded your particular cell is (how many Starlink users around you), and how many users are online simultaneously. Like cable systems back in the late 90s, early 2000s, Starlink is a shared medium. The more users, the slower it gets for everyone.

Two years ago, when we moved to our little village 60 km away from the "big" city, we switched to Starlink. There's a DSL ISP that's horribly expensive for shit service, and a cable ISP that had issues at that time (single 1 Gbps gateway for the whole area, reliability wasn't great, etc). Back then, we consistently got 200+ Mbps downloads pretty much any time of day, with 20+ Mbps uploads. No issues working from home, using VPNs, Zoom, Teams, video streaming, gaming (Nintendo Switch), downloading via bittorrent, etc.

Last winter, after every other house sprouted a Dishy on the roof, downloads dropped to under 30 Mbps after 5 pm, and uploads dropped to single digits. During the day was better, so work from home wasn't affected. But, I had to schedule bittorrent to only run after 11 pm, and make sure we only ran 2 simultaneous video streams (taught the kids to download episodes in the morning to watch in the evenings to mitigate this).

We switched back to cable Internet in January, as the cable ISP upgraded to 2x 10 Gbps links for their gateway. We suffer through connectivity issues every few weeks requiring a reboot of the modem to resync, usually preceded by our throughput dropping under 30 Mbps. But we consistently get over 300/30 Mbps anytime of day. Cable infrastructure in the village is very neighbourhood dependent whether it works at all, works well, or requires daily reboots. We're in the works-most-of-the-time area.
 
It all depends on how crowded your particular cell is (how many Starlink users around you), and how many users are online simultaneously. Like cable systems back in the late 90s, early 2000s, Starlink is a shared medium. The more users, the slower it gets for everyone.

Two years ago, when we moved to our little village 60 km away from the "big" city, we switched to Starlink. There's a DSL ISP that's horribly expensive for shit service, and a cable ISP that had issues at that time (single 1 Gbps gateway for the whole area, reliability wasn't great, etc). Back then, we consistently got 200+ Mbps downloads pretty much any time of day, with 20+ Mbps uploads. No issues working from home, using VPNs, Zoom, Teams, video streaming, gaming (Nintendo Switch), downloading via bittorrent, etc.

Last winter, after every other house sprouted a Dishy on the roof, downloads dropped to under 30 Mbps after 5 pm, and uploads dropped to single digits. During the day was better, so work from home wasn't affected. But, I had to schedule bittorrent to only run after 11 pm, and make sure we only ran 2 simultaneous video streams (taught the kids to download episodes in the morning to watch in the evenings to mitigate this).

We switched back to cable Internet in January, as the cable ISP upgraded to 2x 10 Gbps links for their gateway. We suffer through connectivity issues every few weeks requiring a reboot of the modem to resync, usually preceded by our throughput dropping under 30 Mbps. But we consistently get over 300/30 Mbps anytime of day. Cable infrastructure in the village is very neighbourhood dependent whether it works at all, works well, or requires daily reboots. We're in the works-most-of-the-time area.
Thanks. That makes me feel better. There are a few Starlink dishes in the area but not a ton as far as I've seen. And I'm still hoping our Fiber company comes through before I move in a couple weeks.
 

ajpope85

Wise, Aged Ars Veteran
356
For anyone who has Starlink and works from home. Are you seeing issues with Zoom/Teams calls?

On the personal usage side: Any issues streaming from multiple devices at the same time ie: an iPad + Apple TV? Any issues downloading large games from Steam? Or a full OS reinstall for a Mac?

Right now I'm at 30-45 minutes for a 100GB download from Steam on FIOS.

Am I going to run into issues with anything that I described?

**Starlink is my backup if my local fiber company can't come through in 30 days. They have told me numerous times they would and they are about .5 miles away in terms of U/G work.
I haven't read too much into this stuff, but jitter can murder real time communication. I want to say Starlink has been suffering pretty badly from high jitter for various reasons which can cause VoIP, Teams, Zoom, etc to be absolutely horrible to use.
 
I haven't read too much into this stuff, but jitter can murder real time communication. I want to say Starlink has been suffering pretty badly from high jitter for various reasons which can cause VoIP, Teams, Zoom, etc to be absolutely horrible to use.

Yep, jitter is the key.
I am now in a very crowded area and Starlink connects to its network about 20 minutes!
And ping is not stable. So real-time video quality jumps from good to bad and sometimes freezes.
First hop ping is about 35 msec, but sometimes it can be 2000 msec.