Guide: Starlink Port Forwarding and Workarounds
This post may contain affiliate links. See our policy to learn more.
Port forwarding is a router setting that allows internet traffic to be sent directly to a device on your local network. For example, if you want to set up your own Minecraft server, you would need to open up port 25565, then forward traffic from that port to your Minecraft server IP address.
There are two main challenges to port forwarding with Starlink satellite internet. First, Starlink routers don’t support port forwarding configurations, so you will need to purchase a 3rd party router. Second, Starlink uses CGNAT to hand out IP addresses on most service plans, which aren’t publicly accessible and change often.
To access devices on your Starlink network you will need to use one of the workarounds in this guide.
How to Get a Public IPv4 from Starlink
Before I jump too into all the port forwarding workarounds, there is one way to get true IPv4 port forwarding using Starlink internet. You will need a 3rd party router (see my recommendations) because the Starlink provided router doesn’t have port forwarding settings. You will also need to change your service plan to the more expensive Priority plan.
Starlink’s Priority service plan is meant for business customers, but you can switch to it from Residential using your existing equipment. It starts at $140/month and includes 50GB of Priority data, then unlimited Residential data after that. Essentially you are paying an extra $20/month just to get one Priority feature, a public IPv4 address.
After switching to Priority, go into your Starlink business dashboard. You need to turn on the public IP setting to get assigned an IPv4 address. Once you have it, you can set up port forwarding on your 3rd party router.
One big downside to the public IPv4 address from Starlink Priority is that it isn’t truly static. It can change from time to time, which means you would have to reconfigure your port forwarding settings. Based on reports I see online, the Priority public IPv4 address doesn’t change that often, with some people using the same address for more than a year.
Tailscale Workaround
Tailscale is a free service that lets you create your own private network across different networks. It’s a mesh VPN using the open source WireGuard protocol. Tailscale is a bit different from a normal VPN because traffic is routed peer-to-peer instead of through a central VPN server.
You install Tailscale on all the devices you want to be included in your private network. Once Tailscale is up and running, it’s basically like all the authenticated devices are on the same home network, even if one of the devices is in another country using a different internet connection.
That means you can securely connect with all of your devices, even away from home through another internet connection. Tailscale is a great option for accessing security cameras, a Plex server, NAS, etc. Since everything is routed through Tailscale, you don’t need a 3rd party router or public IP address from Starlink.
There are other services out there similar to what Tailscale offers. For example, you can use a Cloudflare Tunnel to create a secure connection between two different networks.
IPv6 Workaround
Since Starlink uses CGNAT to assign you an IPv4 address, it is dynamic, and can change from time to time. This makes port forwarding a challenge. You can’t set up port forwarding when your IP address changes often.
Thankfully, Starlink also supports IPv6 addresses. Unlike IPv4, there are plenty of IPv6 addresses to go around. Starlink is able to assign each device on your network a public IPv6 address, completely eliminating the need for port forwarding. But IPv6 only solves one problem.
Even if you are assigned a public IPv6 address from Starlink, the default router blocks all outside traffic with a firewall. The Starlink router doesn’t allow for custom firewall rules to open up access to specific devices. Luckily, you can simply bypass the Starlink router and use a 3rd party router that has more firewall options.
Once you have a 3rd party router that supports IPv6 and custom firewall rules, all you need to do is create a rule for the device you want to allow outside access to. You will provide the global IPv6 address of your local device, and specify what kinds of connections to allow from the outside.
The downside to IPv6 is that some ISP’s and devices don’t support it yet, so not all outside devices will be able to connect to your local network using the IPv6 address.
VPN Workaround
Depending on what you are trying to accomplish by port forwarding, another workaround is to use a VPN service. The idea here is to install a VPN client on your devices, and then set up the forwarding in the VPN settings. Your VPN provider will issue you a static IP address that you can use for outside connections.
Using a VPN has some downsides. First, some additional latency is involved. Traffic has to be routed from the device to the VPN server, and then back to your local Starlink network. This isn’t ideal for all situations, such as hosting a game server. Second, some VPN providers limit bandwidth, limit open ports, or randomly assign ports.
The VPN service that I use is Private Internet Access (PIA), which supports forwarding one random port for all subscription tiers, on VPN servers around the world. With PIA you can forward traffic going to the VPN server IP address directly to your local network device using the assigned port number, even with the Starlink’s default router and CGNAT IP addresses.
I recommend reading through PIA’s port forwarding tutorial to learn more about this option.
Summary
Starlink uses CGNAT, which makes port forwarding difficult. The best option is to upgrade to the Priority service plan to gain access to a public IP address. Using a 3rd party router, you can then forward incoming traffic from that IP address to a local network device through an open port.
Depending on what you are trying to do, there are several workarounds to port forwarding with Starlink. Using a traditional VPN service or Tailscale allows you to build your own private network across different networks, which is suitable for remote access to various services.
Hy , I’m totally nerd in config routers and stuff and I’m looking for a simple procedure to access my alarm at home from outside. Before Starlink I could do simply with having an account on no-ip. Com and tracking my ip with that service setting the port forwarding to the router and specifying the ddns provider address to the router. Now, more I read and more I’m confused
Is this possible again only with a 3rd party router? Thank!!
The Starlink router doesn’t have a port forwarding feature, so you would need 3rd party if your security system requires it for access. Your Starlink’s IP is dynamic, so using a VPN or service like no-ip would be necessary for access.
When I used other ISP’s I could port forward my server IP address and add that to my DNS host to get my websites online to the internet. Besides my Starlink router I have a Netgear Nighthawk 7200 router.
How can I get my websites back online now that I am using Starlink?
Of all the things I could recommend in terms of getting your Starlink to do this, hosting your websites with a web hosting service is the cheapest and easiest by far.
I’ve heard that this option can be unsuccessful even with 3rd party routers that support upnp/port forwarding is it guaranteed that this option will work
I can’t guarantee anything because sometimes the software or hardware doesn’t play nice with the various methods here. I suggest trying things until you find something that works with your setup.
Hi, Noah! I JUst installed Starlink at my retirement home which is in a rural part of No. California. There have been some recent breakins in the immediate area and I need to implement some type of “near-real-time” video surveilance. Here is my idea; I have located a cloud based service that allows me to set up a web-folder with a feature that will send me an email os SMS message in near-real-time(probably within 60 seconds of a video file being uploaded successfully) I would set my security cameras to record on a motion trigger event. I would use Starlink to upload the video file through my NVR that would be connected to Starlink. The reason this is tolerable is that I have an alarm system that I self monitor(in my location the local Sheriff Dept. would not be able to respond on-site for 15 to 30 minutes no matter what. IF I can tolerate something like a 5 to 7 minute delay from file upload to cloud to my receipt of an email or SMS text do you see any other downsides related to Starlink or do you have any other possible suggestions?
I don’t see any issues if you aren’t trying to connect directly back to devices on your Starlink network.
You can set up “Tailscale” (www.tailscale.com) for free. Then your Starlink network will VPN into their servers and you can do the same from anywhere… Once both are connected to Tailscale then you can access the remote network like it is your own network… It is the easiest and most secure option that I know of…
One more workaround – Tor. You can easily keep onoin sites and/or remote login to your network. Tor communication uses reverse protocol like ngrok.
Hello,
Very interesting article.
I work at home and moved in remote area. Thus, no internet except via StarLink. My big problem is my server became not accessible from outdoor. I need daily to transfer data from or to my server and the ‘outdoor’ can initiate the transfer when required. I looked for a solution when I found your site about Starlink hardware.
I bought a Starlink Ethernet Adapter and use my old D-Link Dir 825 router with by-pass mode for StarLink device. I get an IPV6 address but port forwarding fails. Thus I have a couple of questions.
My router gets an IPV4 and IPV6 addresses. I can see it on the status page. My first question is my router must be strictly IPV6 to avoid conflict between both protocols ? Then, my second question is there are several options to enable IPV6 (Static IPV6, IPV6 to IPV4 tunnel, …). I selected the ‘auto-detection’ option. But I’m lost a few. Did I do the good config ? I’m fear having to buy a new router. But I’m not sure and I’d prefer to ask advice from you.
Thank you!
You can have both protocols running and be fine. Is there an option for dynamic or DHCP IPV6?
There is well an option “Autoconfiguration (SLAAC/DHCPv6)”. By selecting it my web server is accessible from outdoor now. And I can log by ssh from an other IPV6 capable machine of my network.
I suppose the client machine doesn’t need to be IPV6 capable to access at my web site. But I guess it’s not the case for ssh connection.
Could you please tell me how you managed to connect to your machine via ssh through IPV6? What configurations did you make on your router and on your computer to make this possible? My router is the Huawei Ax3 Pro 6 Plus Wifi. I have been trying for several weeks and I don’t understand how to configure IPv6 on the router.
Could you please tell me how you managed to connect to your machine via SSH using IPv6? What configurations did you make on your router and on your computer to enable this? My router is the Huawei Ax3 Pro 6 Plus WiFi. I’ve been trying for several weeks, and I don’t understand how to configure IPv6 on the router.