A few weeks ago I wrote about my first experiences with Starlink, now here are the concrete instructions on how to configure OPNsense or pfSense instead of the router supplied with Starlink. Finally, you connect the satellite dish together with the PoE injector directly to the WAN port of OPNsense. The Starlink router can then be stowed away. You can read why I prefer this setup in this article.
If you have read this article, you will know how to configure OPNsense or pfSense so that you can do without the Starlink router that comes with it. I also explain what is needed to keep the Starlink status page at http://192.168.100.1 working, as well as the Starlink app. I explain the procedure using OPNsense, with pfSense it is mainly the menu structure that is different, but with small deviations you can also follow these instructions for pfSense.
Before we can start, Starlink must be set up together with the Starlink App and the Starlink Router. Only when this has been ensured can we unplug the Starlink router and plug the WAN port of OPNsense into the PoE injector. The PoE injector will no longer light up, but that is normal.
Here we go
We start in the menu item System -> Settings -> General. Here we make sure that the checkbox "Do not use the local DNS service as a nameserver for this system" is set and save the page.
Now we switch to Interfaces -> [WAN]. First, we make sure that the setting "Block private networks" is not set, and second, we set "IPv4 Configuration Type" to DHCP. In the section "DHCP client configuration" we set the configuration mode to "Advanced" and then enter the IP 192.168.100.1 for "Reject Leases From". The reason for this is that the dish assumes the IP 192.168.100.1 while it is not connected to the SpaceX satellite network and also assigns DHCP leases in this network range. However, this is only a temporary lease that expires as soon as the dish receives a connection. This leads to problems in practice, so we directly prevent OPNsense from accepting such a temporary lease.
Now we have to take care of the status page under the IP 192.168.100.1. This IP should also route to the dish. To solve this, we go to the menu "Interfaces -> Virtual IPs -> Settings" and add a virtual IP:
Mode: IP Alias
Type: Single Address
Address: 192.168.100.2 / 24
Description: Starlink Subnet
This IP address is only a placeholder. We do not need the address itself, but we need it to access the subnet in which the IP 192.168.100.1 can be reached.
To reach the subnet, we need another rule, which we create here: Firewall -> NAT -> Outbound. First we check that the mode is either Hybrid or Manual. If this is not yet the case, we select e.g. "Hybrid" and save the change.
Now we add a rule:
TCP/IP Version: IPv4
Source Address: Single host or network -> The network in which OPNsense is located. If OPNsense has the IP 192.168.15.1, we enter 192.168.15.0 / 24 here
Source port: any
Destination Address: Single host or network -> 192.168.100.0 / 24
Destination port: any
Translation / target: 192.168.100.2 (from the dropdown)
For OPNsense we are done here. For pfSense, we now have to move the newly created rule up over the automatically created rule.
Then restart OPNsense / pfSense and from then on you can surf via Starlink in interaction with OPNsense / pfSense.