Hello everyone! I'm excited to be back to the discourse after an extended hiatus in which I moved 500 miles from Los Angeles, where I was using commercial fiber for internet access, to a northern California rural property for which StarLink was my only possible Internet option with any performance capability. Not only am I now 100% relying on StarLink for data, but I have barely a 2G wireless data connection at best here, so StarLink is carrying the load for voice calls, data, everything.
A couple of context points and the list of what I'm trying to understand:
I read the existing threads completely for other topics related to StarLink and the user who was using some unnamed satellite provider with all the timeout issues, so before posting this I did my best to do homework first.
Regarding latency and performance, even in the latest atmospheric river storms and with less than perfect obstruction of my antenna, I get a minimum of 160mbps download and 10mbps upload, and during better weather I average 800mbps download and about 80mbps upload. Ping latency is about 30-36ms in all conditions. While this is not as perfect as my fiber connection was, it's incredibly good in a relative sense and shouldn't present a problem (right?).
The new issue for me to overcome (vs a commercial ISP account with a dedicated IP4 IP address) is that StarLink does some sort of internally opaque thing with IP address assignments, and even a dyndns setup makes no difference (I have a script running that updates my public DNS to my detected StarLink IP address successfully). Your StarLink IP address is not accessible from inbound connections at all. All inbound traffic must essentially be initiated from the StarLink side as far as I've been able to discern.
I currently have a running ziti controller on its own hardware on a pfsense firewall DMZ segment all on its own from my previous configuration. I have yet to modify it in any way since the move. I need to figure out the steps to configure that controller for this use case, which is enabling authorized devices to access my homelab servers.
While I have experimented with the hosted aspects of CloudZiti, I don't currently have a presence there and I'd like to know if it's possible to do this in a 100% self-hosted way. If not, I'll go the CloudZiti route again.
I did have a separately running ziti edge router on my server lan, but that's no longer in place. Will I need to set one up there as well, or can I do everything on my dedicated ziti controller device / OS?
I'll leave it there for comment at this stage. I'll add a diagram in the next day or 2 if that helps. The simple use case goal is to allow users or devices with the ziti client to access my network services. If we can get that running again, I'd then like to get back into my BrowZer experimentation!
P.S. I have found that even WireGuard, which previously worked flawlessly for me, does not work in this new environment. I know that has nothing to do with ziti, but it does possibly illuminate the lack of 2 way access I face now. I really don't want to start paying for cloud hosted things that I've invested years into building on my self-hosted network, no matter how easy that may be by comparison. I'm stubborn and philosophically lean toward self-hosting as a way of life.
Shouldn't! Almost sounds too good to be true tbh!!!
Either way. You need one for sure, and if you want remote access from 'anywhere' it'll need to be somewhere public -- same for the controller.
Did you find this big thread? Create private router on linux machine It had a user on satellite access. I recommended they use a router at home but their latency was way higher than what you're describing.
You might need to have a VPS somewhere if starlink truely only allows traffic from "intra" starlink but that seems somewhat hard to believe, but also not hard to believe...
We'll wait for further updates from you. I don't blame you for not wanting to have a cloud hosted thingy, but if starlink blocks incoming traffic, you'll be out of luck. A quick google makes me think that all starlink nodes are CGNAT. If that's the case, yeah you'll be out of luck and you'll need a VPS of some kind...
Thanks for the info. I was hoping there was some outbound magic that might make things work but I guess I'll need to bite the bullet and evaluate my options for a hosted / external presence. Maybe I'll ask a friend to plug a pre-built server into their network for me...
Yes- that's one of the threads I read before I posted, but I guess I still didn't know for sure that there wasn't some workaround to having an externally "reachable" edge router and controller. Now I get it.
Hey again @jfj ! Welcome back and good to see you. A few NFians use starlink so there’s no shortage of experience there. As for the opaque ip, yep, you nailed it. Starlink is preserving address space and basically LB NATs everything out making inbound pinning using dynamic or static IP a nightmare at best.
The minimum viable setup with Ziti would be at least a controller and ER in the “public space” (aka static and consistently reachable). The rest can be in the dark and behind a mess of infrastructure without issue.
There are solutions out there that use stun/ice but they won’t work reliably in this situation. Why is because of the speed and variability in which the egress occurs. This would also require full cone nat and well, why would Elon (I mean starlink) want to make their lives harder to make yours easier?
The future of connectivity is converging on this in other providers soon too. Already the case for many cell networks data access.
Yes, understood. Since this is all primarily for hobby level experimentation, I can't justify the VPS costs so I'm trying to get creative. I do understand why a provider would do this- it has multiple positive outcomes for them. I can get a public IP with StarLink, but it would move my service costs from $120/mo to $250/mo. Currently seeking workarounds to that or paying for hosted data, especially on a bit by bit cost model!
Almost sounds too good to be true tbh!!!