I integrate Starlink Maritime antennas on Yachts.
At the time of delivery of the Yacht, the Starlink antenna is not activated.
The antenna is then activated months later.
I need to make a report that demonstrates the correct functioning of the antenna (I don't want advice on how to prove if it works, I want to do it with the Starlink app).
With the Peplink devices that we use, by implementing the following rule it is possible to reach the antenna via the Starlink App even if it is not activated:
- Outbound policy – IP Address 192.168.100.1 – Enforced WAN 1 (where Starlink is connected).
Installations on Yachts include an antenna, power supply and direct connection to the Fortinet WAN.
The Starlink router is not present.
I tried with a static route 192.168.100.1/255.255.255.255 but it doesn't work.
Is it possible to instruct a Fortinet so that when a user is connected via the App he can reach the antenna even if it is not active?
I hope I was clear.
I'm waiting for your suggestions.
I believe you can achieve this by using Policy Routes in FortiGate.
https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/144044/policy-routes
You need to match the traffic patterns that the user through Starlink App is generating and then create the policy route to steer that traffic toward the destination you want.
In the above documentation there is an example that shows how to configure a policy route to send all FTP traffic received at port1 out through port4 and to a next hop router at 172.20.120.23.
You need to do the same for the Traffic Generated by the Starlink App.
Thanks for the tip Hatibi.
I tried to create this rule but it doesn't work.
With the app I can't reach the Starlink antenna.
These are the directions from the Starlink website:
https://www.starlink.com/support/article/27802782-944e-10aa-bc29-23ccbc1fce73
If you check with a packet sniffer in FortiGate, is the traffic flow going out of any other interface?
Examples for traffic sniffing are provided in this article: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-the-FortiOS-built-in-packet-sn...
I have only WAN2 - Starlink connected.
If the antenna doesn't reach the satellite, it has 192.168.100.1 and with the application it is possible to reach the antenna.
When the antenna reaches the satellite, it starts to give a different IP address to the WAN and the application on the iPad stops working.
In the policy route you have the option to leave only the Outgoing interface. Remove the Gateway IP entry.
Does that still fail when the WAN IP changes?
No way,
The Starlink antenna has this IP because it found the satellite:
And this is the Policy route:
The app does not work; from the iPad I can't reach the antenna.
When the antenna (dish) reaches the Starlink network, the WAN apparently gets an IP from 100.64.0.0/10
https://www.starlink.com/support/article/1192f3ef-2a17-31d9-261a-a59d215629f4
You will need to also have a static route toward 100.64.0.0/10 through WAN2.
That policy route will not match anymore since you have put as destination address only the 192.168.100.0/24. You need to also add 100.64.0.0/10 as destination.
If only the outgoing interface is specified in the Policy route, FortiGate will look up the routing table (FIB) to find the gateway for 100.64.0.0/10.
Since network 100.64.0.0/10 is not learned dynamically, you will need to add a static route in order to be able to reach the antenna once it connects to the Starlink network.
Also check in the traffic logs what traffic patterns the Starlink App generates. This way you can properly match that traffic in the policy route.
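The log check suggested in the reply above can be scripted. This is an added example, not part of the original thread or Fortinet's own tooling: it summarizes what one client sends and flags destinations that fall outside the policy route's destination list. The log lines, client address, ports and interface names are constructed for illustration.

```python
import ipaddress
import shlex
from collections import Counter

# Destinations named in the thread: the dish's local range and the range
# the WAN address comes from once the dish is online.
POLICY_DSTS = ["192.168.100.0/24", "100.64.0.0/10"]

# Constructed sample in FortiGate key=value traffic-log style (values are made up).
SAMPLE_LOG = '''\
date=2024-05-01 time=10:00:01 type="traffic" srcip=10.10.1.50 srcintf="lan" dstip=192.168.100.1 dstport=9999 proto=6 dstintf="wan2" action="accept"
date=2024-05-01 time=10:00:02 type="traffic" srcip=10.10.1.50 srcintf="lan" dstip=192.168.100.1 dstport=9999 proto=6 dstintf="wan2" action="accept"
date=2024-05-01 time=10:05:10 type="traffic" srcip=10.10.1.50 srcintf="lan" dstip=100.72.0.1 dstport=9999 proto=6 dstintf="wan2" action="accept"
date=2024-05-01 time=10:05:11 type="traffic" srcip=10.10.1.50 srcintf="lan" dstip=8.8.8.8 dstport=53 proto=17 dstintf="wan2" action="accept"
date=2024-05-01 time=10:05:12 type="traffic" srcip=10.10.1.77 srcintf="lan" dstip=192.168.100.1 dstport=9999 proto=6 dstintf="wan2" action="accept"
'''


def parse_line(line):
    """Split one key=value log line into a dict; shlex strips the quotes."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def summarize(log_text, client_ip, policy_dsts=POLICY_DSTS):
    """Count flows from client_ip, keyed by
    (dstip, proto, dstport, egress interface, covered by policy destinations)."""
    nets = [ipaddress.ip_network(d) for d in policy_dsts]
    flows = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("srcip") != client_ip:
            continue
        dst = ipaddress.ip_address(rec["dstip"])
        covered = any(dst in net for net in nets)
        key = (rec["dstip"], int(rec["proto"]), int(rec["dstport"]),
               rec.get("dstintf", ""), covered)
        flows[key] += 1
    return flows


if __name__ == "__main__":
    for flow, count in sorted(summarize(SAMPLE_LOG, "10.10.1.50").items()):
        print(count, flow)
```

Calling `summarize` with only `["192.168.100.0/24"]` as the destination list marks the 100.64.0.0/10 flow as not covered, which is the gap the reply points out.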
THANK YOU MAN
YOU ARE MY HERO
:) Happy to have helped.