Starlink IP Passthrough using WTI Dual Ethernet and Cellular Interface

Knowledge Base

Starlink IP Passthrough (public ip) Using WTI dual Ethernet and Cellular

Starlink IP Passthrough (public ip) Using WTI dual Ethernet and Cellular

Network Overview WTI Upstream device

Interface Purpose Example IP Notes
qmimux0 Cellular backup 166.130.74.223 For remote access
Eth0 Starlink (WAN) 98.97.123.99 set default gateway
Eth1 Downstream connection 192.168.1.1 DHCP server + IP Passthrough to downstream

Network Overview WTI Downstream device

Interface Purpose Example IP Note
Eth0 DHCP Client 192.168.1.3 (get DHCP lease from upstream Eth1)
In this scenario, the upstream device will maintain both the Starlink and cellular connections. The downstream device will use Starlink for internet access via the upstream device’s Eth0 interface. The cellular link will remain active and serve as a failover path if Starlink becomes unavailable. The user can access both the upstream and downstream devices either through the Starlink public IP or by reaching the upstream device over the cellular connection. If Starlink goes down, the user will still be able to access the upstream device using the cellular network.

Complete the following steps to setup IP passthrough. The following steps will pass the WTI’s unit’s public IP through a device connected to Eth1. Similarly, Eth0 can be used.

WTI Upstream Device configuration

1. Configure Eth1

At the WTI CLI, enter /N1, configure the IP. Any dedicated private IP will work (i.e. 192.168.1.1), as it will normally not be accessible and only exists between the WTI upstream device and the downstream device.

2. Configure DHCP server

  • At the WTI CLI, enter /N1
  • Select 4 for DHCP
  • Select 2 for DHCP Server
  • Enable DHCP Server
  • Set the gateway as the IP of eth1 (i.e. 192.168.1.1)
  • Enter a Primary/Secondary DNS server (i.e. 8.8.8.8/8.8.4.4 for google DNS)
  • Modify Domain Name, Default Lease, and Maximum Lease if desired
  • Modify Pool Start/End to define the IP range that will be served to LAN clients. Ensure that the pool range does not contain the IP of eth1 (i.e. Start = 10, End = 30)

3. Enable IP Passthrough

  • At the WTI CLI, enter /N
  • Select 35 for IP Passthrough
  • Select 1 to enable IP Passthrough (LTPs will automatically be configured when feature is enabled)
  • Select 2 set Upstream Interface as eth0
  • Select 3 set Downstream Interface as eth1
  • Select 4 to set the MAC address for the downstream device which you would like to pass the ip address to. If no MAC is selected, the last device to request a DHCP lease will be used.
Note: that when IP passthrough is enabled, Locally Terminated Ports are automatically configured to the original port number plus 5000 for HTTP, HTTP, and SSH. This is to prevent the unit from being put into an inaccessible state, and guarantees users have a way to access the unit for out of band management. Use options 5/6/7 to enable/disable the services, or change the locally terminated port numbers. When the feature is turned off, the ports are automatically returned to their original states.

4. Add Static Route

  • At the WTI CLI, enter /N
  • Select 6 for static route
  • To allow your network to access cellular ip remotely.
  • i.e. what is my ip: 74.125.147.123
  • i.e. cellular gateway ip: 166.130.74.125
route add 74.125.147.123 gw 166.130.74.125
• Make Starlink a primary route using a lower metric.
ip route add default via 98.97.123.1 dev eth0 metric 100
• Make Cellular (WAN) the backup route using a higher metric.
ip route add default via 166.130.74.125 dev qmimux0 metric 200
Notes: metric determines priority — lower = preferred.
When Eth0 fails, the kernel will automatically switch to the higher-metric route.

WTI Downstream Device configuration

1. Configure Eth0 as a DHCP (Client)

  • At the WTI CLI, enter /N
  • Select 4 DHCP
  • Select 1 DHCP Client
  • Select 1 enable DHCP
  • Select 2 Host Name (optional)
  • Select 3 Lease Time Off
  • Select 4 Obtain DNS address auto set to On
  • Select 5 DNS Server Update set to On
  • Select 6 Default Gateway set to On

Connect Downstream Device

Connect downstream device to the upstream device on eth1. Make sure the device is configured to acquire an IP address via DHCP. If downstream device is another WTI device, set options 4, 5, and 6 to ON. Your downstream device should acquire an IP address in the range set in upstream device step 2 DHCP Configuration Pool start/End range above. The downstream device should now behave as if directly connected to the internet at the upstream device starlink router public IP.

Test Internet Connectivity

Ping 8.8.8.8 or google.com from downstream device

Test Connecting to upstream device via cellular ip (where x.x.x.x is cellular ip)

http://x.x.x.x should connect to the web interface of the upstream device (connection not passed to downstream device)
http://x.x.x.x should securely connect to the web interface of the upstream device (connection not passed to downstream device)
ssh super@x.x.x.x should securely connect to the command line interface of the upstream device (connection not passed to downstream device)

Test Connecting to downstream device (where x.x.x.x is the starlink ip)

http://x.x.x.x should connect to downstream interface's web interface
https://x.x.x.x should securely connect to downstream interface's web interface
ssh super@x.x.x.x should securely connect to downstream interface's command line interface

Test Locally Terminated Ports (where x.x.x.x is the starlink ip)

http://x.x.x.x:5080 should connect to the web interface of the upstream device (connection not passed to downstream device)
https://x.x.x.x:5443 should securely connect to the web interface of the upstream device (connection not passed to downstream device)
ssh super@x.x.x.x -p 5022 should securely connect to the command line interface of the upstream device (connection not passed to downstream device)

Starlink IP Passthrough (private ip) Using WTI dual Ethernet and Cellular

Network Overview WTI Upstream device

Interface Purpose Example IP Notes
qmimux0 Cellular backup 166.130.74.223 For local and remote access
Eth0 Starlink (LAN) 172.10.10.10 set default gateway
Eth1 Downstream connection 192.168.1.1 DHCP server + IP Passthrough to downstream
VPN Tunnel (optional) Secured connection IPSec or Open VPN Remote User Access

Network Overview WTI Downstream device

Interface Purpose Example IP Note
Eth0 DHCP Client 192.168.1.3 (get DHCP lease from upstream Eth1)
VPN Tunnel (optional) Secured connection IPSec or Open VPN Remote User Access
In this scenario, the upstream device will maintain both the Starlink and cellular connections. The downstream device will use Starlink for internet access via the upstream device’s Eth0 interface. The cellular connection will remain active and act as a failover if Starlink fails. A local user can access both the upstream and downstream devices using the Starlink private IP or by reaching the upstream device over the cellular connection. A remote user can access the downstream device using a VPN virtual IP, and can reach the upstream device both over the cellular connection and via the VPN virtual IP. If Starlink goes down, the user will still be able to access the upstream device using the cellular network.

Complete the following steps to setup IP passthrough. The following steps will pass the WTI’s unit’s public IP through a device connected to Eth1. Similarly, Eth0 can be used.

WTI Upstream Device configuration

1. Configure Eth1

At the WTI CLI, enter /N1, configure the IP. Any dedicated private IP will work (i.e. 192.168.1.1), as it will normally not be accessible and only exists between the WTI upstream device and the downstream device.

2. Configure DHCP server

  • At the WTI CLI, enter /N1
  • Select 4 for DHCP
  • Select 2 for DHCP Server
  • Enable DHCP Server
  • Set the gateway as the IP of eth1 (i.e. 192.168.1.1)
  • Enter a Primary/Secondary DNS server (i.e. 8.8.8.8/8.8.4.4 for google DNS)
  • Modify Domain Name, Default Lease, and Maximum Lease if desired
  • Modify Pool Start/End to define the IP range that will be served to LAN clients. Ensure that the pool range does not contain the IP of eth1 (i.e. Start = 10, End = 30)

3. Enable IP Passthrough

  • At the WTI CLI, enter /N
  • Select 35 for IP Passthrough
  • Select 1 to enable IP Passthrough (LTPs will automatically be configured when feature is enabled)
  • Select 2 set Upstream Interface as eth0
  • Select 3 set Downstream Interface as eth1
  • Select 4 to set the MAC address for the downstream device which you would like to pass the ip address to. If no MAC is selected, the last device to request a DHCP lease will be used.
Note: that when IP passthrough is enabled, Locally Terminated Ports are automatically configured to the original port number plus 5000 for HTTP, HTTP, and SSH. This is to prevent the unit from being put into an inaccessible state, and guarantees users have a way to access the unit for out of band management. Use options 5/6/7 to enable/disable the services, or change the locally terminated port numbers. When the feature is turned off, the ports are automatically returned to their original states.

4. Add Static Route

  • At the WTI CLI, enter /N
  • Select 6 for static route
  • To allow your network to access cellular ip remotely.
  • i.e. what is my ip: 74.125.147.123
  • i.e. cellular gateway ip: 166.130.74.125
  • route add 74.125.147.123 gw 166.130.74.125
• Make Starlink a primary route using a lower metric.
ip route add default via 98.97.123.1 dev eth0 metric 100
• Make Cellular (WAN) the backup route using a higher metric.
ip route add default via 166.130.74.125 dev qmimux0 metric 200
Notes: metric determines priority — lower = preferred.
When Eth0 fails, the kernel will automatically switch to the higher-metric route.

5. Add IPTABLES

  • At the WTI CLI, enter /N
  • Select 5 for IPTABLES and add the below
#Enable NAT on both eth0 and cellular so traffic from LAN (eth1) gets masqueraded properly
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o qmimux0 -j MASQUERADE
#Allow forwarding eth0 and eth1
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

WTI Downstream Device configuration

1. Configure Eth0 as a DHCP (Client)

  • At the WTI CLI, enter /N
  • Select 4 DHCP
  • Select 1 DHCP Client
  • Select 1 enable DHCP
  • Select 2 Host Name (optional)
  • Select 3 Lease Time Off
  • Select 4 Obtain DNS address auto set to On
  • Select 5 DNS Server Update set to On
  • Select 6 Default Gateway set to On

Connect Downstream Device

Connect downstream device to the upstream device on eth1. Make sure the device is configured to acquire an IP address via DHCP. If downstream device is another WTI device, set options 4, 5, and 6 to ON. Your downstream device should acquire an IP address in the range set in upstream device step 2 DHCP Configuration Pool start/End range above. The downstream device should now behave as if directly connected to the internet at the upstream device starlink router public IP.

Test Internet Connectivity

Ping 8.8.8.8 or google.com from downstream device

Test Connecting to upstream device via cellular ip (where x.x.x.x is cellular ip)

http://x.x.x.x should connect to the web interface of the upstream device (connection not passed to downstream device)
http://x.x.x.x should securely connect to the web interface of the upstream device (connection not passed to downstream device)
ssh super@x.x.x.x should securely connect to the command line interface of the upstream device (connection not passed to downstream device)

Test Connecting to downstream device (where x.x.x.x is starklink ip)

http://x.x.x.x should connect to downstream interface's web interface
https://x.x.x.x should securely connect to downstream interface's web interface
ssh super@x.x.x.x should securely connect to downstream interface's command line interface

Test Locally Terminated Ports (where x.x.x.x is starklink ip)

http://x.x.x.x:5080 should connect to the web interface of the upstream device (connection not passed to downstream device)
https://x.x.x.x:5443 should securely connect to the web interface of the upstream device (connection not passed to downstream device)
ssh super@x.x.x.x -p 5022 should securely connect to the command line interface of the upstream device (connection not passed to downstream device)

Test Connection via VPN Tunnel for upstream device for remote access (where x.x.x.x is vpn virtual ip)

http://x.x.x.x:5080 should connect to the web interface of the upstream device (connection not passed to downstream device)
https://x.x.x.x:5443 should securely connect to the web interface of the upstream device (connection not passed to downstream device)
ssh super@x.x.x.x -p 5022 should securely connect to the command line interface of the upstream device (connection not passed to downstream device)

Test Connection via VPN Tunnel for downstream device for remote access (where x.x.x.x is vpn virtual ip)

http://x.x.x.x should connect to downstream interface's web interface
https://x.x.x.x should securely connect to downstream interface's web interface
ssh super@x.x.x.x should securely connect to downstream interface's command line interface