MikroTik and Starlink Configuration: Complete Setup Guide for Network Engineers

3. Hardware Requirements

3.1 Recommended MikroTik Models

Use Case            Model                    Max Throughput
Home/Small Office   hAP ax³                  1 Gbps
Medium Business     RB5009UG+S+IN            2.5 Gbps
Enterprise Edge     CCR2004-1G-12S+2XS       10 Gbps
WISP/Data Center    CCR2216-1G-12XS-2XQ      100 Gbps

3.2 Additional Hardware

  • Starlink Ethernet Adapter: Required for Gen 2/3 dishes ($25 from Starlink)
  • UPS: Minimum 200W capacity for dish + router
  • Cabling: Cat6a shielded recommended for outdoor runs
  • Surge Protection: Essential for exposed installations

4. Basic MikroTik Configuration for Starlink

4.1 Initial Security Hardening

Reset your router and apply baseline security before connecting to Starlink:

# Create admin user and remove default (log in as the new user before removing admin)
/user add name=netadmin password=YourSecurePassword group=full
/user remove admin

# Disable unnecessary services
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set www disabled=yes
set www-ssl address=192.168.88.0/24

# Enforce stronger SSH ciphers (optional; this does not disable password logins,
# so keep the LAN-only service bindings and firewall input rules in place)
/ip ssh set strong-crypto=yes

4.2 WAN Interface Configuration

Configure the Starlink-facing interface with DHCP client:

# Rename interface for clarity
/interface ethernet set ether1 name=WAN-Starlink

# Configure DHCP client
/ip dhcp-client add \
    interface=WAN-Starlink \
    disabled=no \
    add-default-route=yes \
    use-peer-dns=yes \
    use-peer-ntp=no \
    comment="Starlink DHCP"

4.3 Basic Firewall and NAT

Apply a minimal firewall ruleset:

# Input chain - protect the router
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=WAN-Starlink action=drop comment="Drop WAN input"

# Forward chain - protect LAN
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward connection-nat-state=dstnat action=accept
add chain=forward in-interface=WAN-Starlink action=drop comment="Drop WAN forward"

# NAT masquerade
/ip firewall nat add chain=srcnat out-interface=WAN-Starlink action=masquerade

4.4 LAN Configuration

# Create bridge for LAN ports
/interface bridge add name=bridge-LAN

# Add ports to bridge
/interface bridge port
add bridge=bridge-LAN interface=ether2
add bridge=bridge-LAN interface=ether3
add bridge=bridge-LAN interface=ether4
add bridge=bridge-LAN interface=ether5

# Assign IP to bridge
/ip address add address=192.168.88.1/24 interface=bridge-LAN

# Configure DHCP server
/ip pool add name=dhcp-pool ranges=192.168.88.100-192.168.88.254
/ip dhcp-server add name=dhcp-lan interface=bridge-LAN address-pool=dhcp-pool
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1

4.5 DNS Configuration

# Enable DNS caching. allow-remote-requests=yes answers queries on every interface,
# so the WAN input drop rule from 4.3 is what keeps this from becoming an open resolver
/ip dns set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1 cache-size=4096KiB

5. Advanced Configuration Techniques

5.1 IPv6 Configuration with Prefix Delegation

Starlink provides IPv6 via prefix delegation. Configure MikroTik to request and distribute IPv6 addresses:

# Request prefix delegation from Starlink
/ipv6 dhcp-client add \
    interface=WAN-Starlink \
    request=prefix \
    pool-name=starlink-v6-pool \
    add-default-route=yes \
    use-peer-dns=yes

# Assign a /64 from the delegated prefix to the LAN and advertise it for SLAAC
/ipv6 address add \
    interface=bridge-LAN \
    from-pool=starlink-v6-pool \
    address=::1/64 \
    advertise=yes

# Router advertisements on the LAN. A per-interface ND entry has to be added; the
# default entry applies to "all" and is not found by interface name. No DHCPv6
# server is configured here, so only the "other configuration" flag is set
/ipv6 nd add interface=bridge-LAN advertise-dns=yes other-configuration=yes

# IPv6 firewall rules (ICMPv6 stays open on the WAN: RA/ND and path MTU discovery depend on it)
/ipv6 firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=WAN-Starlink protocol=icmpv6 action=accept
add chain=input in-interface=WAN-Starlink action=drop
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=WAN-Starlink action=drop

5.2 Queue Management for Satellite Latency

Starlink latency ranges from 20-60ms under normal conditions. Implement queue management to reduce bufferbloat:

# Queue tree with fq_codel (set rates just below what your plan actually delivers)
/queue type add name=fq-codel-down kind=fq-codel
/queue type add name=fq-codel-up kind=fq-codel

# Download shaping on the LAN-facing interface
/queue tree add \
    name=download \
    parent=bridge-LAN \
    queue=fq-codel-down \
    max-limit=200M

# Upload shaping on the WAN-facing interface
/queue tree add \
    name=upload \
    parent=WAN-Starlink \
    queue=fq-codel-up \
    max-limit=20M

# FastTracked connections bypass queues entirely; disable FastTrack (see 9.2) or these limits never apply

5.3 MTU and MSS Optimization

Starlink uses standard 1500 MTU. Clamp MSS for VPN traffic:

# MSS clamping for PPPoE/VPN compatibility
/ip firewall mangle add \
    chain=forward \
    protocol=tcp \
    tcp-flags=syn \
    action=change-mss \
    new-mss=clamp-to-pmtu \
    passthrough=yes

6. Failover Configuration with Starlink

6.1 Dual WAN Setup: Starlink Primary, LTE Backup

Configure automatic failover between Starlink and a backup LTE connection:

# Rename interfaces (ether2 was added to bridge-LAN in 4.4; take it out of the bridge first)
/interface bridge port remove [find interface=ether2]
/interface ethernet set ether1 name=WAN-Starlink
/interface ethernet set ether2 name=WAN-LTE

# DHCP clients for both WANs (default routes are added statically below)
/ip dhcp-client
add interface=WAN-Starlink disabled=no add-default-route=no use-peer-dns=no comment="Starlink"
add interface=WAN-LTE disabled=no add-default-route=no use-peer-dns=no comment="LTE Backup"

# Route monitoring targets: one host pinned through each WAN. Replace the
# placeholders with the gateway shown by /ip dhcp-client print detail; an
# Ethernet interface name as gateway only works when the upstream answers ARP
# for arbitrary destinations, and check-gateway=ping has no address to probe
/ip route
add dst-address=8.8.8.8/32 gateway=STARLINK-GATEWAY-IP scope=10 comment="Starlink-Check"
add dst-address=8.8.4.4/32 gateway=LTE-GATEWAY-IP scope=10 comment="LTE-Check"

# Recursive default routes (lower distance = preferred): each resolves through its
# monitoring host, so check-gateway=ping tests the full path through that WAN
add dst-address=0.0.0.0/0 gateway=8.8.8.8 distance=1 check-gateway=ping target-scope=10 comment="Primary-Starlink"
add dst-address=0.0.0.0/0 gateway=8.8.4.4 distance=2 check-gateway=ping target-scope=10 comment="Backup-LTE"
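The monitoring host routes above only work while they point at the gateway each WAN's DHCP lease currently hands out. The following DHCP client scripts keep the "Starlink-Check" and "LTE-Check" routes in sync automatically; this is an added example, not configuration from the original guide, and it assumes the WAN-Starlink / WAN-LTE interface names and route comments used in 6.1. `$bound` and `$"gateway-address"` are the variables RouterOS passes to a DHCP client script on every lease event.

```routeros
# Added example (not from the original guide): re-create the pinned monitoring
# route for each WAN whenever its DHCP lease is bound, and remove it when the
# lease is lost so the recursive default route becomes inactive at once.
/ip dhcp-client
set [find interface=WAN-Starlink] script={
    :if ($bound = 1) do={
        /ip route remove [find comment="Starlink-Check"]
        /ip route add dst-address=8.8.8.8/32 gateway=$"gateway-address" scope=10 comment="Starlink-Check"
        :log info ("Starlink-Check route now via " . $"gateway-address")
    } else={
        /ip route remove [find comment="Starlink-Check"]
        :log warning "Starlink lease lost; Starlink-Check route removed"
    }
}
set [find interface=WAN-LTE] script={
    :if ($bound = 1) do={
        /ip route remove [find comment="LTE-Check"]
        /ip route add dst-address=8.8.4.4/32 gateway=$"gateway-address" scope=10 comment="LTE-Check"
        :log info ("LTE-Check route now via " . $"gateway-address")
    } else={
        /ip route remove [find comment="LTE-Check"]
        :log warning "LTE lease lost; LTE-Check route removed"
    }
}
```

Run `/ip dhcp-client release [find]` followed by `/ip dhcp-client renew [find]` once after adding the scripts so the routes are created from the current leases.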

6.2 Advanced Failover with Netwatch

Use Netwatch for reliable failover detection:

# Monitor the host that 6.1 pins through Starlink (8.8.8.8). Pinging a host that can
# be reached via LTE after failover would report UP again and flap the route
/tool netwatch add \
    host=8.8.8.8 \
    interval=30s \
    timeout=3s \
    up-script=":log info \"Starlink UP\"; /ip route set [find comment=\"Primary-Starlink\"] disabled=no" \
    down-script=":log warning \"Starlink DOWN\"; /ip route set [find comment=\"Primary-Starlink\"] disabled=yes"

# Email notification on failover (optional; configure /tool e-mail set server=... from=... first)
/tool netwatch add \
    host=8.8.8.8 \
    interval=30s \
    timeout=3s \
    down-script="/tool e-mail send to=\"admin@example.com\" subject=\"Starlink Failover\" body=\"Primary WAN failed. Switched to backup.\""

6.3 NAT for Multiple WANs

# Masquerade for each WAN interface
/ip firewall nat
add chain=srcnat out-interface=WAN-Starlink action=masquerade
add chain=srcnat out-interface=WAN-LTE action=masquerade

7. VPN Configuration Over Starlink

7.1 CGNAT VPN Challenges

Starlink CGNAT blocks inbound connections. VPN solutions must:

  • Initiate connections outbound from the Starlink site
  • Use NAT traversal mechanisms
  • Maintain persistent keepalives

7.2 WireGuard Client Configuration

WireGuard performs well over satellite links due to its lightweight protocol:

# Create the interface (RouterOS generates the private key when none is given)
/interface wireguard add name=wg-tunnel listen-port=51820

# View public key for remote peer
/interface wireguard print

# Add remote peer (your VPN server)
/interface wireguard peers add \
    interface=wg-tunnel \
    public-key="ServerPublicKeyHere=" \
    endpoint-address=vpn.example.com \
    endpoint-port=51820 \
    allowed-address=0.0.0.0/0 \
    persistent-keepalive=25s

# Assign tunnel IP (this also creates the connected route for 10.0.0.0/24)
/ip address add address=10.0.0.2/24 interface=wg-tunnel

# Route the remote LAN through the tunnel (192.168.1.0/24 is the headquarters network used in 7.3)
/ip route add dst-address=192.168.1.0/24 gateway=wg-tunnel

# Firewall rule for WireGuard. Behind CGNAT nothing can reach this port from the WAN;
# this side initiates and the server's replies already match established,related,
# so the rule only matters for peers that connect to this router from the LAN side
/ip firewall filter add chain=input protocol=udp dst-port=51820 action=accept place-before=0

7.3 IPsec IKEv2 Site-to-Site Tunnel

Configure IPsec as initiator (responder must have public IP):

# Phase 1 profile (DPD values match 7.4: 30s interval, 3 failures)
/ip ipsec profile add \
    name=starlink-ike2 \
    hash-algorithm=sha256 \
    enc-algorithm=aes-256 \
    dh-group=modp2048 \
    nat-traversal=yes \
    dpd-interval=30s \
    dpd-maximum-failures=3

# Phase 2 proposal
/ip ipsec proposal add \
    name=starlink-esp \
    auth-algorithms=sha256 \
    enc-algorithms=aes-256-cbc \
    pfs-group=modp2048

# Peer configuration
/ip ipsec peer add \
    name=headquarters \
    address=203.0.113.1/32 \
    profile=starlink-ike2 \
    exchange-mode=ike2

# Identity. Behind CGNAT the local address is a private 100.64.0.0/10 one, so send an
# explicit ID the responder can match instead of the default address-based identity
/ip ipsec identity add \
    peer=headquarters \
    auth-method=pre-shared-key \
    secret="YourStrongPSK" \
    my-id=fqdn:starlink-site.example.com

# Policy
/ip ipsec policy add \
    peer=headquarters \
    src-address=192.168.88.0/24 \
    dst-address=192.168.1.0/24 \
    tunnel=yes \
    action=encrypt \
    proposal=starlink-esp

7.4 Persistent Keepalive Importance

CGNAT drops idle NAT mappings after 60-120 seconds. Configure keepalives:

  • WireGuard: persistent-keepalive=25s
  • IPsec: DPD interval 30s, maximum failures 3
  • OpenVPN: keepalive 10 60

8. Monitoring Starlink Performance

8.1 MikroTik Built-in Tools

# Enable interface graphing
/tool graphing interface add interface=WAN-Starlink

# View real-time traffic
/tool torch interface=WAN-Starlink

# Check connection state
/ip dhcp-client print detail
/ping 8.8.8.8 count=10

8.2 SNMP Configuration for External NMS

# Enable SNMP. Rename the default "public" community and restrict it to the LAN;
# use v3 for production
/snmp set enabled=yes contact="admin@example.com" location="Remote Site A"
/snmp community set [find name=public] name=nms-ro read-access=yes write-access=no addresses=192.168.88.0/24

# SNMPv3 community with authentication and encryption (replace the placeholder passwords)
/snmp community add name=nms-v3 security=private \
    authentication-protocol=SHA1 authentication-password=YourAuthPassword \
    encryption-protocol=AES encryption-password=YourPrivPassword \
    read-access=yes write-access=no addresses=192.168.88.0/24

8.3 Starlink Statistics Access

Access Starlink debug data even in bypass mode:

  • Dish IP: 192.168.100.1
  • Statistics URL: http://192.168.100.1/statistics
  • gRPC API: Available for advanced monitoring

# Add route to reach the Starlink dish, which is on-link behind the WAN port. The
# masquerade rule from 4.3 rewrites LAN sources to the WAN address so the dish can
# reply; alternatively put the router on the dish subnet directly with
# /ip address add address=192.168.100.2/24 interface=WAN-Starlink
/ip route add dst-address=192.168.100.0/24 gateway=WAN-Starlink

# Firewall rule to allow access
/ip firewall filter add chain=forward src-address=192.168.88.0/24 dst-address=192.168.100.0/24 action=accept place-before=0

8.4 Latency Monitoring Script

# Scheduled script to log latency and loss. as-value returns one entry per probe;
# the running avg-rtt and packet-loss figures are in the last entry
/system script add name=latency-monitor source={
    :local result [/ping 8.8.8.8 count=5 as-value]
    :local last ($result->([:len $result] - 1))
    :local avg ($last->"avg-rtt")
    :local loss ($last->"packet-loss")
    :log info ("Starlink latency: " . $avg . " loss: " . $loss . "%")
}

/system scheduler add name=latency-check interval=5m on-event=latency-monitor

9. Troubleshooting Common Issues

9.1 No IP Address from Starlink

Symptoms: DHCP client shows “searching” status

Solutions:

  1. Verify Ethernet adapter is properly connected
  2. Check bypass mode is enabled in Starlink app
  3. Release and renew DHCP lease: /ip dhcp-client release [find]; /ip dhcp-client renew [find]
  4. Verify dish has clear view of sky (check obstructions in app)
  5. Power cycle dish (unplug for 30 seconds)

9.2 Slow Speeds

Diagnostic steps:

  1. Test speed directly connected to dish (bypass MikroTik temporarily)
  2. Check CPU usage: /system resource print
  3. Disable FastTrack if using queues: /ip firewall filter disable [find action=fasttrack-connection]
  4. Verify MTU settings are not causing fragmentation

9.3 Intermittent Disconnections

Common causes:

  • Obstructions: Check Starlink app for obstruction map
  • Firmware updates: Dish reboots during updates (typically 2-5 minutes)
  • Satellite handoffs: Brief drops during network transitions
  • Weather: Heavy rain or snow degrades signal

9.4 VPN Connection Failures

Symptom                  Cause                    Solution
Connection timeout       NAT traversal disabled   Enable NAT-T in IPsec profile
Tunnel drops after idle  CGNAT mapping expires    Enable persistent keepalive
Fragmented packets       MTU too high             Reduce tunnel MTU to 1400

10. Enterprise Deployment Scenarios

10.1 Remote Office with Starlink Primary

Architecture:

  • Starlink dish → MikroTik RB5009 → Office LAN
  • LTE backup via USB modem
  • WireGuard VPN to headquarters
  • Local DNS caching and content filtering

10.2 WISP Backhaul Application

Considerations:

  • Starlink ToS restricts resale (use Starlink Business)
  • Aggregate multiple Starlink connections for redundancy
  • Implement strict bandwidth management per customer
  • Monitor latency SLAs carefully

10.3 Temporary Event Connectivity

# Quick deployment template. The router reboots as part of the reset, so a separate
# import would never run; hand the template to the reset command instead
/system reset-configuration no-defaults=yes skip-backup=yes run-after-reset=starlink-event-template.rsc

Rapid deployment checklist:

  • Pre-configured MikroTik with template
  • Starlink dish with portable mount
  • Generator or battery backup
  • Weatherproof enclosure for router

11. Best Practices Checklist

11.1 Security

  • ☐ Default admin account disabled
  • ☐ Strong passwords on all accounts
  • ☐ Firewall rules block WAN input
  • ☐ Management access via VPN only
  • ☐ RouterOS updated to latest stable
  • ☐ Unused services disabled
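The "management access via VPN only" item is easy to tick without actually enforcing it. The following configuration restricts the management plane to the office LAN and the WireGuard tunnel; it is an added example, not configuration from the original guide, and it assumes the 192.168.88.0/24 LAN from 4.4, the 10.0.0.0/24 tunnel range from 7.2 and the input rules from 4.3.

```routeros
# Added example (not from the original guide): management-plane allow list.

# Sources that may manage the router
/ip firewall address-list
add list=mgmt-allowed address=192.168.88.0/24 comment="Office LAN"
add list=mgmt-allowed address=10.0.0.0/24 comment="WireGuard tunnel"

# Bind the services themselves to the same sources
/ip service
set ssh address=192.168.88.0/24,10.0.0.0/24
set winbox address=192.168.88.0/24,10.0.0.0/24
set www-ssl address=192.168.88.0/24,10.0.0.0/24

# Input chain: accept management from the list, log and drop it from anywhere else.
# Both rules go ahead of the "invalid" rule from 4.3, so the established/related
# accept stays first and the generic WAN drop stays last. The log prefix gives a
# single string to alert on from syslog.
/ip firewall filter
add chain=input protocol=tcp dst-port=22,443,8291 src-address-list=mgmt-allowed action=accept comment="Mgmt from LAN/VPN" place-before=[find chain=input connection-state=invalid]
add chain=input protocol=tcp dst-port=22,443,8291 action=drop log=yes log-prefix="mgmt-denied" comment="Drop mgmt from elsewhere" place-before=[find chain=input connection-state=invalid]
```

Verify from a LAN host and from a WireGuard peer that SSH and WinBox still connect, then confirm a "mgmt-denied" entry appears in `/log print` for a connection attempt from any other source.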

11.2 Performance

  • ☐ Queue management configured for bufferbloat
  • ☐ DNS caching enabled
  • ☐ MSS clamping applied
  • ☐ FastTrack disabled if using queues
  • ☐ Connection tracking timeouts optimized

11.3 Reliability

  • ☐ Failover tested and verified
  • ☐ Monitoring and alerts configured
  • ☐ UPS protecting all equipment
  • ☐ Configuration backup scheduled
  • ☐ Recovery procedure documented

11.4 Backup Configuration

# Automated daily backup. The binary backup contains every password and key, so
# encrypt it and copy both files off the router rather than leaving them on flash
# (/export omits secrets unless show-sensitive is given)
/system scheduler add name=daily-backup interval=1d on-event={
    /system backup save name=("backup-" . [:pick [/system clock get date] 0 10]) password=YourBackupPassword encryption=aes-sha256
    /export file=("config-" . [:pick [/system clock get date] 0 10])
}

12. Conclusion

MikroTik routers transform Starlink from a consumer product into an enterprise-capable solution. The combination provides:

  • Full network control and visibility
  • Reliable failover to backup connections
  • Secure VPN connectivity despite CGNAT limitations
  • Professional monitoring and management capabilities

Key configuration priorities:

  1. Enable bypass mode for direct MikroTik connectivity
  2. Implement proper firewall rules from day one
  3. Configure failover before you need it
  4. Use WireGuard for optimal VPN performance over satellite
  5. Monitor both MikroTik and Starlink statistics

Starlink continues to evolve with improved latency and throughput. MikroTik RouterOS 7 adds features that enhance satellite deployments. Together, they deliver reliable connectivity to previously unreachable locations.
