How to Port Forward Starlink Router and Bypass CGNAT

  • 6 January 2025
  • 20 mins read

Can’t open ports on your Starlink router? Some ISPs perform CGNAT on routers to assign the same IPs to most consumers, and this can make it difficult for you to port forward Starlink routers. This guide explains how you can port forward Starlink routers and bypass CGNAT without hassle. 

What is Port Forwarding?

Port forwarding is a networking solution that helps you open ports on a router and redirect incoming traffic to specific devices or services. You can open ports for various reasons that include hosting websites or gaming servers, using a remote desktop from a different location, or accessing your CCTV.

What is CGNAT?

CGNAT, a technique used by many ISPs to conserve IPv4 addresses, assigns multiple customers the same public IP address. This shared IP address makes it challenging to set up online services that rely on port forwarding, as the specific port you need may be in use by another customer.

Port forwarding is a challenge for Starlink users. The primary reason is Starlink's use of Carrier-Grade Network Address Translation (CGNAT).

CGNAT is efficient in conserving IP addresses, it makes traditional port forwarding difficult because with CGNAT, multiple Starlink users share the same public IP address. This means that when you try to forward a port to a specific device on your network, the traffic is directed to the shared IP address.

To establish a connection, the incoming traffic needs to traverse multiple layers of NAT, making it challenging to route the traffic to the correct device. Starlink often assigns dynamic IP addresses, which change periodically. This further complicates port forwarding, as the public IP address used for forwarding might change, making the previous configuration ineffective.

To determine if your Starlink connection is behind CGNAT (Carrier-Grade Network Address Translation), you can use the following methods:

Method 1: Check the Router's WAN IP Address

  1. Open a web browser and enter your router's IP address (usually 192.168.100.1) in the address bar.
  2. Log in with your router's username and password.
  3. Go to the "Status" or "Internet" section of your router's dashboard.
  4. Look for the "WAN IP Address" or a similar label. This is the IP address assigned to your router by your ISP (Starlink).

If the WAN IP address falls within the range of 100.64.0.1 to 100.127.255.254, your connection is likely behind CGNAT. This IP range is commonly used for CGNAT.

Method 2: Compare WAN IP and Public IP Address

If they are the same, you have a direct public IP address and are not behind CGNAT.

Follow steps 1 and 2 from Method 1 to find your WAN IP address.

Open a web browser and search for "What is my IP address."

The search results will display your public IP address.

If the WAN IP address and the public IP address are different, your connection is likely behind CGNAT.

Due to Starlink's use of CGNAT, direct port forwarding on the Starlink router itself is not possible. However, you can achieve this by using a third-party router.

Here's how:

Step 1: Connect Your Third-Party Router

Physically connect your Starlink router to your third-party router's WAN port and configure your third-party router to obtain an IP address from the Starlink router via DHCP.

Step 2: Access Your Third-Party Router's Settings

Open a web browser, enter your router's IP address in the address bar and use the credentials provided with your router or set during initial setup.

Step 3: Assign a Static IP to Your Device

  • Determine the device (e.g., gaming console, server) that requires a static IP.
  • In your router's settings, find the DHCP or LAN settings. Assign a static IP address to the device's MAC address.

Step 4: Configure Port Forwarding

  • Find the port forwarding or virtual server section of your router's settings.
  • Create a New Rule
  • Enter a name for the service or application, such as PS5 Gaming.
  • Specify the port number or range that needs to be forwarded.
  • Enter the static IP address assigned earlier to the device that will receive the traffic.
  • Select the appropriate protocol, whether it is TCP, UDP, or both.
  • Save to apply changes.

Step 5: Test Port Forwarding

Attempt to access your application or service from the internet to confirm successful port forwarding.

PureVPN provides a dedicated IP address and port forwarding VPN that allows you to change your IP address assigned by your ISP and open ports on Starlink. Here’s how to do it on your own:

  1. Access your PureVPN Members area.
  2. Click on the "Subscription" tab.
  3. Select the "Configure" option.
  4. Input your desired port settings.
  5. Click "Apply settings" to activate the new configuration.

Here's a table summarizing the ports blocked by Starlink, along with their common uses:

  • SMTP Port 25
  • POP3 Port 110
  • SMTP over SSL Port 465
  • SMTP submission Port 587
  • IMAP Port 143

Starlink offers a unique network configuration that includes both IPv4 and IPv6 addresses. By default, Starlink uses Carrier-Grade NAT (CGNAT), which assigns private IP addresses to your devices. This means that while your devices can access the internet, they are not directly visible from the outside world.

  • Default: Uses CGNAT with private IP addresses.
  • Public: Available for Priority and Mobile Priority plans, this option provides a public IP address that is accessible from anywhere on the internet.

While the public IP address is reserved even when the system is off, it may change due to moves or software updates. Standard and Mobile plans do not offer public IPv4.

  • Starlink routers support IPv6, assigning IPv6 addresses to compatible devices.
  • This offers a larger address space and can improve network performance in some cases.

Port Forwarding and Firewall Rules:

  • Starlink routers do not support port forwarding or firewall rules for either IPv4 or IPv6.
  • If you need to open ports for specific applications or services, you may need to use a third-party router.

Security Considerations:

  • Starlink blocks outbound traffic for TCP/25 and TCP/445 for security reasons.

Starlink offers two IPv4 policies:  

Default (CGNAT)

This is the default policy for most users. It uses Carrier-Grade Network Address Translation (CGNAT) to assign private IP addresses from the 100.64.0.0/10 prefix to Starlink clients. 

This means that your device will have a private IP address, and Starlink's network will translate it to a public IP address when communicating with the internet. This policy blocks inbound traffic, so you cannot host servers or other services that require inbound connections.  

Public IP

This is an optional policy available to Priority and Mobile Priority customers. It assigns a public IPv4 address to your Starlink device, allowing you to receive inbound traffic.  

In addition to IPv4, Starlink also supports IPv6. All Starlink routers and clients are assigned IPv6 addresses. IPv6 is a more flexible and future-proof protocol than IPv4.  

Note:

  • Starlink does not provide static IP addresses. The IP address assigned to your device may change from time to time.  
  • If you have a mobile Starlink, your IP address may change when you move to a new location.  
  • Starlink blocks outbound traffic to ports 25 (SMTP) and 445 (SMB) for all customers.  

If you need a public IP address or have other specific IP address requirements, you should consider upgrading to a Priority or Mobile Priority service plan.

What Else Can You Do With PureVPN?

  • Easily open ports and bypass firewalls with a few clicks.
  • Enjoy a dedicated IP address for remote work and access to client servers.
  • Experience fast downloads, multiplayer gaming, and seamless browsing across multiple devices.
  • Enjoy unrestricted internet usage without additional charges.
  • Prevent ISP-imposed speed limitations and maintain stable connections.
  • Bypass VPN blocks and access local game servers.

Frequently Asked Questions (FAQs)

There are primarily two methods to bypass CGNAT on Starlink. A reliable VPN with dedicated IP addresses along with port forwarding capabilities. Set up a DDNS service like No-IP or DynDNS to obtain a dynamic domain name.

No, traditional port forwarding is not directly possible on Starlink due to CGNAT. You can use a third party router or a PureVPN’s dedicated IP address with port forwarding features to port forward on your Starlink router.

Is it possible to port forward on CGNAT?

No, direct port forwarding is not possible on CGNAT. CGNAT shares a single public IP address among multiple users, making it challenging to route incoming traffic to a specific device.  

Yes, Starlink typically operates behind CGNAT. This means that multiple users share a single public IP address, which can limit certain network functionalities, such as port forwarding.

Yes, you can change the Starlink IP address but with limitations.

  • For certain plans (like Priority and Mobile Priority), you can request a public IP address, which is static and can be used for port forwarding.  
  • If you're on a standard plan, you'll have a CGNAT IP address, which is shared with other users. In this case, you cannot directly change the IP address.

What is Starlink's IP address?

The Starlink IP address is the address that your device uses to communicate with the internet. It can be either a public IP address or a CGNAT IP address, depending on your plan.

The primary issue with Starlink port forwarding is CGNAT. Other potential issues include:

  • Even dynamic IP addresses might change periodically.  
  • Starlink's network might have firewall rules that interfere with port forwarding.
  • Incorrect router configuration can prevent successful port forwarding.

Not directly! Starlink doesn't actively block port forwarding. However, CGNAT used by Starlink, makes it difficult to implement traditional port forwarding.

Yes, Starlink does use Carrier-Grade Network Address Translation (CGNAT) to manage its IP address pool efficiently. This means that multiple users share a single public IP address.

Unfortunately, there's no direct way to bypass CGNAT on Starlink. You can use a reliable VPN to change your IP address and bypass CGNAT.

Starlink primarily uses IPv4 addresses. However, it also supports IPv6, which can be beneficial for certain applications and network configurations.

What is the CGNAT range for Starlink? 

Starlink's CGNAT IP range is not publicly disclosed. It's a dynamic range that changes over time.

While you can't completely bypass CGNAT, here are some workarounds to improve your network experience:

  • A VPN can help you establish a secure connection to a remote server, allowing you to bypass some CGNAT restrictions.  
  • While port forwarding is not always reliable with CGNAT, you can try configuring port forwarding on your router to see if it works for specific applications.
  • Some Starlink plans offer reserved IP addresses, which can help with certain network configurations.
  • Reach out to Starlink support for specific advice and potential solutions tailored to your needs.

CGNAT can interfere with port forwarding, as it masks your device's public IP address. Even with a VPN, the traffic may still be routed through CGNAT, as your IP address might have been exposed. Try using a reliable VPN, so that your IP address is never exposed!

Summing Up 

Port forwarding on Starlink can be a challenge due to CGNAT. However, by using a compatible third-party router or PureVPN you can overcome these restrictions and enjoy the benefits of port forwarding. Reach out to our support reps if you need a helping hand in opening ports on your Starlink router.