Starlink Port Forwarding

Starlink is a great enabler. Remote sites suddenly have access to good bandwidth and good latency. Formerly the domain of geosynchronous satellites with high-cost and long latency, or long-loop DSL with poor bandwidth, these remote areas now have a new lease on life, no longer digital have-nots, except for one key limitation: lack of consistent public IP means no inbound traffic, no Starlink port forwarding, no ability to remote desktop, reach a security camera, etc. Until now. Introducing Agilicus AnyX, remote access for the ‘good enough’ Starlink. Seamless port forwarding, from anywhere, without the need for a public, static IP address.

Do you have a small office, Starlink-driven, that is remote from your headquarters, and you need to allow staff to remote desktop in? Or perhaps there is a router that needs SSH maintenance. Maybe a building management system (BMS) to be monitored.

Have you tinkered with roll-your-own VPN solutions involving cloud-run virtual-machines to provide rendezvous points? Closed your eyes and hoped for network security? A small sea of OpenWRT and OpenVPN and Digital Ocean Droplet’s strewn around in frustration? Been trying to sync your ssh-keys on both ends? Trying to decipher what CGNAT means? Losing patience sketching this out?

Starlink possible CGNAT path

Typical Home And Small Office Port Forwarding

In a typicall home and small office environment, we run Network Address Translation (NAT). This allows multiple devices to share the one public, routeable IP you are allocated by your ISP. Typically these IP (called RFC 1918) look like 192.16.X.X, or 10.X.X.X, or 172.16.X.X.

On the outbound path, your ‘source IP’ and ‘source port’ are overwritten by your router (thus translating the network address from one network to another, or NAT). If you were to capture the traffic at point (1) and point (2) below (on the left and right-hand side of your router), you will see two unlike network addresses due to this translation.

Now, assume the server you are reaching is also in a home or small office environment. In this case, the administrator of the router configures a ‘port forward’, a type of inbound rule that says “traffic to me, on a certain port, rewrite it to an internal IP and port”. This port-forwarding is similar to NAT, but occurs on the inbound direction.

This type of inbound access only functions if the work router has a publicly addressable IP. And, in the Starlink case, this is not true, rendering the technique unusable.

So in the example below, a user at home wishing to reach a server in their small office, has 3 different TCP flows involved. The first has source-IP/port from their PC, and destination IP/port of the work router. The second TCP flow has source IP/port of the home router, destination IP/port of the work router. The third has the source IP/port of the home router, and the destination IP/port of the work server.

Typical Home & Small Office Port Forwarding

Carrier Grade NAT (CGNAT) And Starlink Port Forwarding

Starlink CGNAT

In a Starlink-environment (and some other networks, common for example in mobile networks), there is a second Network Address Translation point. This is often called a Carrier-Grade NAT (CGNAT). As a consequence of this, two or more customers share the same public IP address. In this environment it is impossible to do inbound port-forwarding (since your router does not have a publicly addressable IP).

The limitation present here is all network connections (whether from the network on the left, or the network on the right) must be outbound: initiated from inside. And this creates a challenge for running a server or service.

Agilicus Solves Starlink Port Forwarding

SSH Animated Data Flow
Agilicus Outbound Path - Starlink CGNAT

Would you like to learn more? Smash that ‘chat’ icon to talk to our team. Email us (, or just try it out yourself without risk.

The Agilicus AnyX platform provides a seamless, zero-maintenance means of achieving remote-access to any resource inside that remote Starlink location. The effect of port-forwarding or a VPN, without the need of a static IP address. Remote desktop to that internal PC. SSH to that router. Read and Write files on that Share. Monitor the BMS and Alarm system. The Agilicus Connector uses an outbound-only connection to our cloud where your users will meet it and be tunneled back in. Without complex configuration or client-software to install. With a seamless single-sign-on experience (and optional multi-factor authentication).