Firewalla to Firewalla VPN behind Starlink/Double NAT
Hi everyone,
I’m setting up a Firewalla-to-Firewalla VPN tunnel between a ship (connected via Starlink Maritime) and our office network in Norway.
Goal:
We want only specific devices onboard (e.g., a mobile phone) to route through the VPN to the office so that services like WiFi Calling (VoWiFi) see the traffic as coming from Norway. Everything else onboard should continue using Starlink normally.
Setup:
• Ship: Firewalla (VPN Client) behind Starlink (Public IP or in Bypass Mode)
• Office (Norway): Firewalla (VPN Server) behind another router (double NAT), with a fiber connection and a Norwegian public IP
Questions:
1. Will the routed device(s) onboard actually appear as if they’re in Norway (i.e., will traffic exit via the office network/IP)?
2. Since the office Firewalla is behind another router (double NAT), will that interfere with incoming VPN connections from the ship?
3. If either side’s IP changes, will Firewalla handle that automatically? Or do I need to configure Dynamic DNS, static IPs, or anything else to keep the VPN stable and reconnecting?
Would really appreciate insights from anyone who’s done something similar —
thanks in advance!
-
We want only specific devices onboard (e.g., a mobile phone) to route through the VPN to the office so that services like WiFi Calling (VoWiFi) see the traffic as coming from Norway. Everything else onboard should continue using Starlink normally.
No issue. Just select which devices you want to be routed through the VPN.
Will the routed device(s) onboard actually appear as if they’re in Norway (i.e., will traffic exit via the office network/IP)?
Yes, if the devices are routed through the office network via VPN.
Since the office Firewalla is behind another router (double NAT), will that interfere with incoming VPN connections from the ship?
For the office network you will need a public IP and to forward the VPN port from the edge router to Firewalla.
If either side’s IP changes, will Firewalla handle that automatically? Or do I need to configure Dynamic DNS, static IPs, or anything else to keep the VPN stable and reconnecting?
Firewalla has a built-in DDNS. The VPN client (ship) will use that to locate the office VPN and will always be in sync.
-
Hi.
I would just like to follow up on this.
I had very minimal issues with setting up the Firewalla -> Firewalla VPN.
Setting up the actual VPN was dead easy. I am impressed.
- I did have some outside issues, but it seems like disabling IPv6 on the Firewalla might have fixed it (might be coincidental).
- I did change from CGNAT to Public IP on our Starlinks (not sure if this helped).
- The ship Firewalla is double-NAT behind a Starlink router, but it seems this was not an issue for Firewalla. (I will remove the double-NAT issue in the future.)
-
It's okay that the Firewalla in the ship network is double-NAT. No worries.
One key is the office Firewalla, which needs to get a public IP that has the ability to receive requests from clients. If it's double NAT, you may need to set port forwarding for the VPN server. Here is a guide to help: Setting Up VPN Server Port Forwarding
-
To the Firewalla Team.
I might have found the error. (It works for now anyway)
And it's probably user error.
Previously I had set up routes with "preferred" routings.
https://help.firewalla.com/hc/en-us/community/posts/36229485409555-Two-WAN-s-One-Firewalla
and
https://help.firewalla.com/hc/en-us/community/posts/36306992118291-Dual-WAN-routes-and-load-balancing
Even though the VPN is active and has data (a lot, several hundred GB) flowing through it, could it be that I have confused the Firewalla by having preferred routes going to the Starlink ISP AND trying to route all traffic through the VPN at the same time?
Because the VPN worked when I initially set it up (showing our location in Norway), then the next day it was showing us in Germany (Starlink's location, not our VPN), even though the VPN was active.