Date: 16 Oct 2023

Author: Byron Paul


Starlink has been a godsend for the rural community in New Zealand that have for many years haven’t had many options if there wasn’t a local WISP available. Slow connection speeds, high latency and prohibitive data caps are now a thing of the past with the Spacex Low Earth Orbit (LEO) satellite service.

This introduction won't cover physical installation of the dish, or cabling but rather the network considerations when adding to or replacing network equipment in conjunction with a Starlink installation. 


Common Hardware

As of writing there are currently two generations of Spacex Starlink kits in circulation in New Zealand with a third on the way. The circular Gen1 and the rectangular Gen2 with the major differences between them being obviously shape of the dish itself, 4 rather than 3 legs for securing the dish but also lower power usage. The major thing from a networking perspective is that by default the bundled router with Gen 2 kits is WiFi only and lacks an Ethernet port which is a separate purchase. 

Gen1 Equipment

Gen2 Equipment

Aftermarket router advantages

By adding an aftermarket router you have access to more advanced networking features compared to the minimal customization available on the bundled Starlink router. Advantages of bypassing the Starlink router include: 

Higher performance, Better mesh speeds 

Today’s best Wifi routers come with Wifi 6 technology and other features that the standard Starlink router doesn’t have. These features can enable faster speeds, greater range, and more reliability.

Starlink sells their own mesh system to expand Wifi coverage, but it is only dual-band, there's a WiFi6 variant in the works but is yet to available in New Zealand. compared to the latest tri or quad band technology. An aftermarket router can provide faster mesh speeds and seamless coverage.

More security features 

Most aftermarket routers come with a comprehensive administration portal that allows you to set up advanced security features, VPN, SD-WAN, Deep Packet Inspection, Traffic Logging, etc..

Load balancing with traffic steering

A part of the nature of the Starlink system is that there will be micro outages at regular intervals, these can vary from hardly noticeable <1 second outages which happen often, and up to 5 seconds or more which would show as video streaming buffering or lowered video quality. Not too much of an issue for every day computing but service outages over 1 second will be very noticeable with VoIP/Video conferencing. Load balancing with traffic steering means that you have certain services like VoIP steered over VDSL or cellular. The secondary circuit can then also act as a backup for the primary Starlink as well


Failover / backup circuit

Longer outages can be due to equipment failure, service provider interruption or obstructions between the dish and the satellite clusters. Failover means to have a spare backup path to the Internet ready for use when your customers need it. A common solution for this is cellular 4G/5G services or fixed DSL services.

As noted earlier, only the Gen1 equipment comes with a native wired/copper Ethernet port. Gen2 and beyond as far as we're aware don't or won't have native copper Ethernet ports and it's is a separate accessory/purchase. If your customer has ordered their own equipment and forgotten to order one it is possible to use WiFi as WAN on some routers to get a temporary solution in place but it's not ideal as a long term solution.

Bypass mode

First things first, you will want to remove some of the complexity of having multiple routers which introduces a triple NAT traversal path for traffic - AfterMarketRouter==>StarlinkRouter==>CGNAT (see notes below for explanation of CGNAT). 

For Gen1 equipment (round dish) you physically remove the Starlink router completely and cable you router into the power injector.

For Gen2 equipment you will want to connect the optional Ethernet adapter and then enable ‘bypass’ mode using your Starlink app.

To turn on bypass mode, open the Starlink app. Tap on Settings. With Router highlighted, scroll down and tap Bypass Mode.  

Slide the toggle to the right. Tap OK to confirm the change to bypass mode.

That’s it! You’ll still have access to the Starlink statistics and settings through the Starlink app. The stats are generated from the dish itself, so you don’t need to be using the Starlink router to do things like stow, pre-heat, etc.

If you want or need to turn off bypass mode you will have to perform a factory reset on the Starlink router. This is done on Gen2 equipment by power cycling the Starlink router (unplug the router from power and then plug back in) 3 times in a row. The router will take a few minutes to reboot, and will interrupt your service until you set up again. You can expect the light on the bottom of the router to be illuminated when complete. There are no lights on the front of the router.

NOTE: Gen1 you can simply re-cable in the Starlink router

Concepts and glossary

CG-NAT Carrier Grade Network Address Translation

Public IP addresses are not included with standard Starlink packages. To get a usable public address you would have to change your plan to a business grade 'Priority’ plan at higher cost. CGNAT addresses are used by carriers to preserve IPv4 resources and are what you typically get assigned when connecting to cellular networks. The easy way to spot them is they start with 100.X.X.X (but to be accurate they range from to If you use a public IP service  reporting tool like it will show a different public IP, this is the public IP address of the carrier not what is allocated to your router.

These addresses are private in the same way that and are, they're not routed on the public internet and so Network Address Translation is applied at the carrier level. As such there's no ability to 'port forward' or run a traditional dial-in VPN which means you need to be a little more creative with workarounds required if your customer has either of these as a requirement.

More information:

Load balancing

Using multiple paths to the Internet at the same time and ‘balancing’ traffic between these two paths. 

Certain traffic can be steered to a particular WAN connection by source/destination addresses, port number, or application aware (DPI) classifiers

Failover / Failback

Automatically selecting a backup internet path in the event of an outage and restoring traffic back to the primary internet path when service restores. 

  • ‘Failover’ sends traffic to a secondary circuit
  • ‘Failback’ sends traffic back via the main/primary path when it is working again


Tunnelled access to private network resources from the outside world (e.g. dial-in) or between offices (site-to-site)

Automated connectivity between sites using a centralised software controller.

As there is a lack of a usable public IP address with Starlink you can only initiate outbound VPN requests or utilise an SD-WAN controller to direct VPN traffic to a CGNAT site. 

Port Forwarding

For the same reason the VPNs are more challenging (no public IP) port forwarding is also problematic. If the only solution is port forwarding and SD-WAN isn't appropriate you can either:

  • host a private VPN server for example in AWS, Azure or DigitalOcean etc to forward traffic over a VPN initiated from the Starlink site to the VPN server
  • There are some VPN hosting providers that now offer port forwarding services as well