Firewalla gold wireguard vpn server Starlink
I don't know if this is the right place for this.
I do know why it doesn't work: Starlink doesn't allow port forwarding because you aren't assigned a public IP.
But I have 2 WANs, CenturyLink and Starlink, in failover, Starlink being the default.
My question is:
Is there any way to specify that the VPN server runs on a specific WAN? If not, could this be a feature request?
-
Didn't think it would work but I tried it. Problem is port forwarding. Since Firewalla can't reach the IP it sees as public, it assumes it's behind a router and says I need manual setup. I looked at NAT settings and it appears you can't set the Firewalla as a target, and the Firewalla is my main router with the modems set to bridge mode.
I'm thinking that this just isn't possible with current settings. I even tried load balancing with a 60/40 in favor of CenturyLink and that didn't work.
I want Starlink to be the main connection because I'm getting 180d/30u vs 20d/2u on my CenturyLink, but Starlink isn't as reliable as CenturyLink, so it's nice to fail over. Which actually works very well. I only notice maybe 10 seconds of lag if I'm doing something. It's not even enough for Netflix to start buffering or change playback quality.
-
So I was able to get on my computer and do some additional testing. Connecting to the CL IP again did not work but also did not produce a flow in the log. Then I thought about routing. I SSH'd in to the Firewalla and ran some packet captures on both the CL interface and the SL interface, and sure enough the requests were coming in on the CL eth0 and going out the SL eth2. Obviously for a VPN that is not going to work.
I tried to create a route in the app to ipaddr,udp:port for all devices via CL, but that didn't seem to help either; it was still routing the WireGuard handshake out of the active interface.
Any ideas? I'm going to leave the route for now on the off chance that it just takes some time to apply, but I did give it about 10 mins. I'm sure there is a way to do this at the Linux level (ip route/iptables), but I have a feeling that might get reset after an update or after certain changes in the app?
-
This is because WireGuard and DDNS can only be active on the primary WAN interface (by default). You may send an email to help@firewalla.com so that we can help change the config to enable it on the backup WAN. Before that you will have to opt the box in to beta to enable this feature.
-
DDNS is not an issue any more if you use the IP directly.
WireGuard will use the system routing table for outgoing traffic; it will pick the SL interface, which will be discarded by your WireGuard client as illegal traffic. By design, WireGuard will not use the interface where the incoming packets come from. This is its limitation.
So in order to fix this, you need to configure WireGuard to specifically use the CL interface.
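One way to pin the reply path on a plain Linux router, as an added example that is not Firewalla's supported configuration or code: a source-address policy-routing rule that sends anything sourced from the CenturyLink address through a table whose default route is the CenturyLink gateway. The interface names eth0 and eth2 are the ones the thread reports; the addresses, gateway, table id and WireGuard port are placeholders assumed here. The kernel WireGuard implementation remembers which local address and interface a peer's packet arrived on and first tries to reply from that address; if that route lookup leaves through a different interface it falls back to the default route, which is the behaviour seen in the captures above. The rule makes the first lookup succeed on eth0, so the fallback never happens.

```shell
#!/bin/sh
# Added example, not Firewalla's own configuration: generic Linux policy routing
# that returns WireGuard replies through the WAN the peer reached us on (the
# CenturyLink side here) instead of the default route via Starlink.
#
# Assumed placeholder values, not taken from the thread; override via environment.
CL_IF="${CL_IF:-eth0}"               # CenturyLink WAN interface (thread says eth0)
SL_IF="${SL_IF:-eth2}"               # Starlink WAN interface (thread says eth2)
CL_ADDR="${CL_ADDR:-203.0.113.10}"   # public address configured on CL_IF (placeholder)
CL_GW="${CL_GW:-203.0.113.1}"        # upstream gateway on CL_IF (placeholder)
CL_TABLE="${CL_TABLE:-100}"          # dedicated routing table id
RULE_PRIO="${RULE_PRIO:-100}"        # lower number wins; the main table sits at 32766
WG_PORT="${WG_PORT:-51820}"          # WireGuard listen port (WireGuard's default)
DRY_RUN="${DRY_RUN:-1}"              # 1 = print commands only, 0 = execute them

# Commands that install the policy route. With the rule in place, a route lookup
# for a reply sourced from CL_ADDR resolves via CL_IF, so WireGuard keeps that
# source address instead of falling back to the default (Starlink) route.
policy_route_cmds() {
  printf '%s\n' \
    "ip route replace default via $CL_GW dev $CL_IF table $CL_TABLE" \
    "ip rule add from $CL_ADDR/32 table $CL_TABLE priority $RULE_PRIO" \
    "sysctl -w net.ipv4.conf.$CL_IF.rp_filter=2"
}
# The rp_filter line matters: strict reverse-path filtering (1) would discard
# packets arriving on CL_IF because the main table routes their source via SL_IF.
# Loose mode (2) accepts them as long as the source is reachable on any interface.

# Read-only checks that the rule took effect. 198.51.100.7 stands in for a
# remote peer; the route lookup should now report "dev $CL_IF via $CL_GW".
verify_cmds() {
  printf '%s\n' \
    "ip rule show" \
    "ip route show table $CL_TABLE" \
    "ip route get 198.51.100.7 from $CL_ADDR"
}

# Captures on both WANs, the same check the thread used to spot the asymmetric
# path: after the fix the handshake reply should appear on CL_IF, not SL_IF.
capture_cmds() {
  printf '%s\n' \
    "tcpdump -ni $CL_IF udp port $WG_PORT" \
    "tcpdump -ni $SL_IF udp port $WG_PORT"
}

# Run each command line read from stdin, or just print it when DRY_RUN=1.
run_cmds() {
  while IFS= read -r cmd; do
    if [ "$DRY_RUN" = "1" ]; then echo "+ $cmd"; else $cmd; fi
  done
}

case "${1:-show}" in
  show)    policy_route_cmds ;;
  apply)   policy_route_cmds | run_cmds ;;
  verify)  verify_cmds | run_cmds ;;
  capture) capture_cmds ;;
  *)       echo "usage: $0 {show|apply|verify|capture}" >&2 ;;
esac
```

Run it with `show` first to review the exact commands for your addresses, then `DRY_RUN=0 sh wg-cl-route.sh apply` followed by `verify`. The `ip rule` and `ip route` entries live only in the running kernel and are gone after a reboot; how the Firewalla app persists or overwrites such changes is the open question raised earlier in the thread and is not answered by this script.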
-
I wonder if this is the same for anyone with a CG-NAT based connection. I also have Starlink and I can get some things to work, but obviously very limited. I mean I can get to my VPNs set up on the FWG, both WireGuard and OpenVPN. I can also connect to Home Assistant through my Nabu Casa account. But I cannot do any port forwards for hosting a game server, let's say. I'm trying to find a good 3rd party VPN provider that does static IPs and full port forwarding, but I have yet to find one.
-
I had this same problem as well with Starlink. I too have CL DSL. What I ended up having to do, since Starlink will drop out, is bond the two connections using https://www.openmptcprouter.com/.
You will need a VPS somewhere to terminate the bonded connection, and that will be your public facing address. Since this is bonded it will create a pipe that punches through the CGNAT, so for all intents and purposes you can port forward internally as well. We use WireGuard and the Cisco VPN without issues.
The other good benefit is when Starlink does decide to hiccup my application sessions continue, downloads don't get interrupted, and MS Teams calls don't get dropped, as MS Teams seems to be the most sensitive to Starlink hiccups. My VPS is currently costing $13/mo.
9 comments