BMTEC
New Contributor II

Fortinet with Starlink. If not active Starlink application does not reach the disk

I integrate Starlink Maritime antennas on yachts.

At the time of delivery of the Yacht, the Starlink antenna is not activated.
The antenna is then activated months later.


I need to make a report that demonstrates the correct functioning of the antenna (I don't want advice on how to prove if it works, I want to do it with the Starlink app).


With the Peplink devices that we use, by implementing the following rule it is possible to reach the antenna via the Starlink App even if it is not activated:

- Outbound policy – IP Address 192.168.100.1 – Enforced WAN 1 (where Starlink is connected).


Installations on Yachts include an antenna, power supply and direct connection to the Fortinet WAN.
The Starlink router is not present.


I tried with a static route 192.168.100.1/255.255.255.255 but it doesn't work.

 

Is it possible to instruct a Fortinet so that when a user is connected via the App he can reach the antenna even if it is not active?


I hope I was clear.


I'm waiting for your suggestions

Hatibi
Staff

I believe you can achieve this by using Policy Routes in FortiGate.

https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/144044/policy-routes

 

You need to match the traffic patterns that the user is generating through the Starlink App and then create the policy route to steer that traffic toward the destination you want.

 

In the above documentation there is an example that shows how to configure a policy route to send all FTP traffic received at port1 out through port4 and to a next hop router at 172.20.120.23.

You need to do the same for the Traffic Generated by the Starlink App.

BMTEC
New Contributor II

Thanks for the tip Hatibi.

I tried to create this rule but it doesn't work.
With the app I can't reach the Starlink antenna.

 

Policy Rules.png

 

These are the directions from the Starlink website:

 

https://www.starlink.com/support/article/27802782-944e-10aa-bc29-23ccbc1fce73

 

Starlink_third_part.png

Hatibi

If you check with a packet sniffer in FortiGate, is the traffic flow going out of any other interface?

 

Examples for traffic sniffing are provided in this article: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-the-FortiOS-built-in-packet-sn...

BMTEC
New Contributor II

I have only WAN2 - Starlink connected.

If the antenna doesn't reach the satellite, it has 192.168.100.1, and with the application it is possible to reach the antenna.

When the antenna reaches the satellite, it starts to give a different IP address to the WAN and the application on the iPad stops working.

Hatibi

In the policy route you have the option to leave only the Outgoing interface. Remove the Gateway IP entry.

Does that still fail when the WAN IP changes? 

BMTEC
New Contributor II

No way,
The Starlink antenna has this IP because it finds the satellite:

 

Starlink0000.png

 

 

And this is the Policy route:
Policy_route000.png

The app does not work; from the iPad I can't reach the antenna.

Hatibi

When the antenna (dish) reaches the Starlink network, the WAN apparently gets an IP from 100.64.0.0/10.

https://www.starlink.com/support/article/1192f3ef-2a17-31d9-261a-a59d215629f4

You will need to also have a static route toward 100.64.0.0/10 through WAN2.

 

That policy route will not match anymore since you have put only 192.168.100.0/24 as the destination address. You need to also add 100.64.0.0/10 as a destination.

 

If only the outgoing interface is specified in the policy route, FortiGate will look up the routing table (FIB) to find the gateway for 100.64.0.0/10.

Since network 100.64.0.0/10 is not learned dynamically, you will need to add a static route in order to be able to reach the antenna once it connects to the Starlink network.

 

Also check in the traffic logs what traffic patterns the Starlink App generates. This way you can properly match that traffic in the policy route.
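
The configuration described in the reply above, written out as FortiOS CLI. This is an added example, not configuration posted in the thread: the interface names `internal` and `wan2` are placeholders, and it assumes `wan2` gets its address from the dish by DHCP.

```fortios
# Static route so the FIB has an entry for the range the WAN moves into
# once the dish is online (100.64.0.0/10 = 100.64.0.0 255.192.0.0).
config router static
    edit 0
        set dst 100.64.0.0 255.192.0.0
        set device "wan2"
        # Assumption: wan2 is a DHCP client, so the gateway is taken from
        # the lease. On a static WAN use "set gateway <next-hop>" instead.
        set dynamic-gateway enable
        set comment "Starlink dish, online state"
    next
end

# Policy route: both the offline dish network and the online range are
# listed as destinations; only the outgoing interface is set, no gateway.
config router policy
    edit 0
        set input-device "internal"
        set dst "192.168.100.0/255.255.255.0" "100.64.0.0/255.192.0.0"
        set output-device "wan2"
        set comment "Starlink App to dish"
    next
end

# Checks after applying:
#   get router info routing-table all       -> 100.64.0.0/10 via wan2 present
#   diagnose firewall proute list           -> policy route listed with both destinations
#   diagnose sniffer packet any 'host 192.168.100.1' 4
#                                           -> app traffic leaves on wan2
```

A policy route only selects the egress path, so a firewall policy from the LAN interface to `wan2` must still allow the traffic. 100.64.0.0/10 is the RFC 6598 shared address range used for carrier-grade NAT, so keep that firewall policy limited to the hosts that need to reach the dish.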

 

BMTEC
New Contributor II

THANK YOU MAN

 

POLICY ROUTE.png

 

YOU ARE MY HERO

Hatibi

:) Happy to have helped.
