I'm trying to set up a tunnel between sites that use Starlink and Fortinet firewalls. We have a hub-and-spoke setup already in place with other secondary sites connected to the hub firewall, but adding Starlink sites has proven challenging due to the CGNAT configuration. Business Starlink isn't an option for us. I've been considering the possibility of spinning up a VPS server to help facilitate the connection. I'm looking for any advice or ideas on making this work!
9 Answers
I looked into this a while back and ultimately decided it wasn't feasible. I kept Starlink as a secondary internet option only because CGNAT doesn't support IPsec tunnels, which is a major limitation.
Yes, it's definitely possible! You can request a static CGNAT IP from Starlink. I've managed to set this up successfully using a public address.
To make this work, the hub site ideally needs a static public IP on the firewall. Alternatively, you can use dynamic with DDNS, but be cautious. Each tunnel from the hub to the remote sites needs a unique definition, and configure the remote sites as 'dialup' for the IPsec tunnels.
From my experience, using a dynamic (dial-up) VPN works well, but site-to-site won't. We also have setups behind Starlink at some customer locations, and it runs similarly to Tailscale.
Have you considered using an edge router in front of your Fortinet? It might simplify things while still allowing you to run IPv4 over IPv6.
While I'm currently having some IPv6 issues with Fortinet, you might be able to set up a connection using native IPv6. I've had success with similar setups on OPNsense using WireGuard and IPsec to navigate around CGNAT endpoints, like with T-Mobile.
Have you thought about Tailscale? It's an interesting option that might suit your needs for a simpler setup with Starlink.
You could also look into using an Aggressive mode IPsec tunnel; it might help with the connectivity issues you're facing.

Right, and if you have multiple tunnels, don't forget to apply an identifier for each tunnel on both ends. It can get tricky!
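
The dial-up, aggressive-mode and per-tunnel identifier suggestions in the answers above, combined into one FortiOS sketch. This is an added example, not configuration posted by anyone in the thread. The tunnel names, `wan1`, the peer ID string and the angle-bracket placeholders are assumptions; routes and firewall policies are left out, and the `#` lines are annotations to strip before pasting.

```fortios
# --- Hub (static public IP): one dial-up phase 1 per Starlink spoke ---
config vpn ipsec phase1-interface
    edit "spoke-sl-01"
        # dynamic = dial-up: the hub only answers, the spoke behind CGNAT initiates
        set type dynamic
        set interface "wan1"
        set ike-version 1
        # aggressive mode sends the peer ID in the first message, so the hub
        # can pick the right dial-up definition among several on one interface
        set mode aggressive
        set peertype one
        set peerid "spoke-sl-01"
        set nattraversal enable
        set proposal aes256-sha256
        set dhgrp 14
        # aggressive mode exposes a PSK-derived hash to anyone who can see the
        # exchange: use a long random key, different for every spoke
        set psksecret <unique-random-psk-for-spoke-sl-01>
    next
end
config vpn ipsec phase2-interface
    edit "spoke-sl-01-p2"
        set phase1name "spoke-sl-01"
        set proposal aes256-sha256
    next
end

# --- Spoke (behind Starlink CGNAT): static peer pointing at the hub ---
config vpn ipsec phase1-interface
    edit "to-hub"
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set remote-gw <hub-public-ip>
        # must match the peerid configured on the hub for this spoke
        set localid "spoke-sl-01"
        set nattraversal enable
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <unique-random-psk-for-spoke-sl-01>
    next
end
config vpn ipsec phase2-interface
    edit "to-hub-p2"
        set phase1name "to-hub"
        set proposal aes256-sha256
    next
end
```

Each additional spoke repeats the hub-side pair with its own name, `peerid` and pre-shared key, so a key recovered from one site does not authenticate as any other.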