WAN - Starlink Management IP - downstream router access not working

Device: Peplink MAX BR1 Pro 5G
Firmware: 8.5.3 build 6030

Connectivity:
Peplink WAN - Starlink
Peplink LAN - Unifi Router WAN

Configuration:
Peplink
IP = 192.168.50.1
Network>WAN>Starlink>WAN Connection = WAN
Advanced>Outbound Policy>Enforced, Source=Any, Destination=192.168.100.1, Protocol/Port=Any
Unifi
Static Route to pass all 192.168.100.1 traffic out WAN where peplink is connected.

When a WAN is defined as Starlink, Peplink automatically enables local access to the Starlink management IP (192.168.100.1) from Peplink LAN interfaces when I enabled WAN for Starlink. When I connect via Peplink Access Point, I’m able to access 192.168.100.1 of the starlink without any issues when my client has a 192.168.50.xxx address.

However, traffic originating from a downstream router [unifi] (routed via Peplink LAN and obtaining a 192.168.50.xxx address at the WAN port) is not forwarded; even with explicit static routes and firewall allows.

Is the Starlink management IP intentionally restricted to directly connected Peplink LAN clients, and if so:

  • At what stage is the traffic dropped (pre-routing vs forwarding)?
  • Is this enforced by a security policy or architectural limitation?
  • Is there a supported method to allow transit access without full L2 bridging?

I need to be able to access the 192.168.100.1 from my unifi home network when the peplink is connected to the WAN.

I’m able to confirm my static route is working as expected as I see the traffic pass to the peplink on a traceroute.

Any suggestions would be appreciated as I need to be able to manage the Starlink without relying on incontrol2 or specifically connecting a client to the Peplink. I’m looking to ensure my automations, APIs, and reporting all staged within the Unifi network is able to access the Starlink mgmt.

Hey there!

Have you tried enabling the proxy feature?

See here: Port forward and source nat for Starlink dishy - #2 by sitloongs

Cheers

Thank you for sharing. Very interesting but I do not believe this would work for my initial use case. Mainly I want clients to be able to launch the starlink web url (192.168.100.1) or be able to use starlink app to connect to the dish as presented on the local network. This seems to define specific ports based on peplink WAN connected to.

OK - Well, if Starlink is your primary WAN source, and configured correctly (MTU1500, Starlink configured on WAN Port) then the clients should be able to reach the Starlink via the gRPC protocol and Starlink App - and use the Starlink website too.


Correct whether I turn it on or not. I only have one Starlink, and when connected directly to the WiFi of the Peplink or via LAN port, the app finds the dish right away and 192.168.100.1 is accessible. It looks like the gRPC proxy is to solve the issue of having multiple Starlinks and needing to expose each one.

My issue still persists where my clients on my UNIFI Lan connected via Unifi WAN to the peplink LAN are unable to hit the url or leverage the app, even though I see the traffic leave my network based on my static route and confirmation with traceroute.

What is the source address of the packets to 192.168.100.1 from within your Unifi network after it leaves the Unifi? If I were Peplink, I wouldn’t allow any packets sourced outside of subnets that I know are on my local interfaces to access protected routes, such as that to the Starlink.

If you disable the Starlink setting on that WAN, will it work then (with the Peplink thinking it’s a standard WAN interface)?

Client is 10.0.10.10 w/ 10.0.10.1 gateway. Unifi WAN is 192.168.50.206 on the peplink LAN. Similar occurrence with Starlink setting disabled.

PAT only works for TCP & UDP. Do you know the protocol above IP Starlink uses? It might even use mDNS for discovery. Try turning off NAT/PAT on Unifi and just do it at the Peplink only to test.

The fact I can’t ping it means I’m not even to a point where protocols like mDNS being dropped is an issue. I see traffic leave unifi network but never complete in peplink side. Where a ping works with zero issues.

Can you try pinging it from both Unifi and a client behind the Unifi? Does Unifi have any bogon or private IP filtering turned on?

Double NAT should work. But Starlink is like a cable modem where it is kinda performing a man in the middle transparent proxy for that address.

None of this is pertinent. Clients on Unifi are able to leverage internet as provided by the Starlink via Peplink when on the Unifi network. This purely has to do with how likely Peplink handles routing of RFC1918 addresses routed from another network and needing to exit the WAN on the Peplink that Starlink is on so that mgmt can occur. I was hoping there was a setting or rule that can be defined on the Peplink side to permit secondary hop access to a WAN mgmt, seeing they already have an accommodation to do so when on the Peplink LAN.

Placing here for others in case needed. My solution was the following:

I created a Transit VLAN between the Unifi Network and Peplink LANs and created a static route pointing to the Peplink gateway within the Transit VLAN. This allowed all Starlink mgmt traffic to route correctly from clients on the Unifi network > Peplink LAN > Peplink WAN > Starlink.

Attempting to route it out the Unifi WAN to the Peplink LAN was unsuccessful.
