Starlink with Unifi - Will CGNAT Cause Me Issues?

I'm coming to the end of my internet and TV contract with Virgin Media in the UK. As I've been on a limited time deal (for about 12 years!), the price is about to triple (really). For the first time, my negotiation skills are failing badly to get another deal and I'll need to call their bluff. This leaves me with issues. Despite being in a well established populous area of town:

  • There is no FTTP available. It may come at some point but no company has plans as yet
  • There is not even FTTC available
  • There is no 5G available
  • Current provider has the only 'good' service. I use quotes as it's delivered over coax and has had issues the last couple of days

So if I cannot get a decent internet only deal with Virgin Media, I'll have to go with Starlink. As there's no minimum term, I could run with it for 6 months before crawling back to Virgin Media as a new customer for a better deal. I'd have their router in bridge mode connected to my Unifi UDR. I keep reading about CGNAT and wonder what issues it might cause for me. Will it affect cloud connections for alarm (port forwarded), CCTV (P2P), WireGuard VPN access, and obviously control of Hubitat from dashboards, Apple Home etc?

Of these, I can comment on Apple Home, Hubitat Remote Access and WireGuard. Apple Home and Hubitat Remote Access work with CGNAT. WireGuard does not (1). I replaced WireGuard with Tailscale, which works with CGNAT.

(1) Admittedly, I didn't try many workarounds to get WireGuard (and OpenVPN) to work with CGNAT once I discovered that Tailscale worked without any workarounds.

2 Likes

OpenVPN will work if you have a server outside to keep a 24x7 connection up. Any service like cameras that opens connections from inside will work fine. No unsolicited outside connections will work unless you have Tailscale or OpenVPN running 24x7.

Strangely, while I was searching around the internet, I read that WireGuard VPNs were likely to be OK. I originally just used the Unifi Teleport connection to connect home but it was flaky as hell. Since I set up a WireGuard connection in Unifi, it's been bulletproof. I mainly use it to access the C8 Pro if I need to check anything that's not worked while I'm away on holiday.

That's good to know. Hikvision NVR establishes the connection to cloud service so should be good. My alarm could be problematic but would still be accessible if I use VPN.

So it was actually Starlink's own site that says WireGuard works.

"We can help ensure your Starlink connection is working as expected, but please note that we cannot troubleshoot VPN connection issues, as they fall outside the scope of our network support. Additionally, the Starlink app might not function properly when a VPN is in use. Below is an overview of expected compatibility status for various VPN protocols in CGNAT and Public IP environments:

Client to Site VPN Protocols that generally work well with CGNAT:

  • SSTP (SSL/TLS/DTLS)
  • OpenVPN
  • WireGuard"

What they are saying is that a WireGuard client on your home network would be able to reach out and connect to a WireGuard server somewhere else on the Internet.

WireGuard requires port forwarding AND a known WAN IP address for your home network. CGNAT does not assign an Internet-routable WAN IP address to your home network. Thus, you cannot successfully host any servers from your house that require port forwarding.

5 Likes

Ahh - bugger. I've misunderstood that, thinking of my phone as the client and the UDR as the site.

Something else that I read was that the Starlink IPv4 address was CGNAT but the connection had a routable IPv6 address. I've never done anything with IPv6 so I'm somewhat clueless, but would that allow any workaround?

Same here. I have also heard that IPv6 might be a solution for self hosting on a CGNAT ISP connection, but I have zero experience with it.

1 Like
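As an added example (not from any poster in this thread) tying together the two points above: a WireGuard server only works if the WAN address it listens on is one the Internet can reach, and where the IPv4 side is CGNAT the routable IPv6 address is the candidate to look at. The Python check below classifies what a router reports on its WAN interface; the sample addresses are constructed, and 100.64.0.0/10 is the RFC 6598 shared address space ISPs use for CGNAT.

```python
import ipaddress

# RFC 6598 shared address space: what an ISP hands out behind carrier-grade NAT
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")
ULA_RANGE = ipaddress.ip_network("fc00::/7")  # IPv6 unique local, not routable


def classify_wan(addr: str) -> str:
    """Classify the address a router shows on its WAN interface.

    Returns one of: 'cgnat', 'private', 'public', 'ipv6-link-local',
    'ipv6-ula', 'ipv6-global' or 'other'.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        if ip in CGNAT_RANGE:  # checked first: Python treats it as neither private nor global
            return "cgnat"
        if ip.is_private:      # RFC 1918 etc.: double NAT, not the ISP's CGNAT
            return "private"
        if ip.is_global:
            return "public"
        return "other"
    if ip.is_link_local:
        return "ipv6-link-local"
    if ip in ULA_RANGE:
        return "ipv6-ula"
    if ip.is_global:
        return "ipv6-global"
    return "other"


def inbound_reachable(addr: str) -> bool:
    """True if a server behind this WAN address (e.g. WireGuard on a forwarded
    UDP port) can accept unsolicited connections from the Internet at all.
    Only a public IPv4 or a global IPv6 address qualifies."""
    return classify_wan(addr) in ("public", "ipv6-global")


if __name__ == "__main__":
    # Constructed sample values, not real Starlink assignments
    for sample in ("100.72.13.5", "51.52.53.54", "2a02:1234:5678::1", "fe80::1"):
        print(f"{sample:>20}  {classify_wan(sample):16} reachable={inbound_reachable(sample)}")
```

A global IPv6 result only means the address is routable: the UDR still blocks inbound WAN traffic by default, so a firewall rule permitting WireGuard's UDP port to the hub's IPv6 address is needed, and a changing prefix calls for a dynamic DNS AAAA record.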

I can’t speak for any of the VPN questions but I do have Starlink as failover internet with my UniFi UDR7. Starlink router is in bypass mode. I have purposely shut off my main internet to make it switch to Starlink and ran it that way for a couple of days. I had zero issues with my Hubitat hubs being able to connect to the internet and zero issues with my Apple Home. I was able to remote admin into my hubs. If you put a VPN in between, I don’t know how it would react.

Not sure if that helps answer any of your questions or points you in the right direction.

1 Like

Not that I've found. With my Starlink I have 3 ways to connect remotely:

  1. Tailscale, which does keep a connection open to its remote servers.
  2. Full-time OpenVPN to a remote server. I have a connection up to one of my other sites.
  3. Custom code in my Asus router that implements a full-time reverse SSL socket through one of my remote Windows servers hosting OpenSSL.
1 Like

Quick heads up on my setup — I'm running Starlink (CGNAT) as primary and T-Mobile 5G Home (also CGNAT) as backup, with a full homelab behind a Unifi UDM Pro SE including remote access and IPv6. So I've been down this road.

When I lost port forwarding moving away from AT&T, my first step was to inventory exactly what needed to be reachable — public time servers, email, weather services, internal devices — and then find something that could punch out from inside the network and hold a stable tunnel. I tried VPN to a DigitalOcean VPS but multi-WAN failover was never reliable, and routing client devices back in through the VPS added way too much complexity.

The solution that actually worked: Tailscale with subnet routing.

Tailscale doesn't run natively on the UDM Pro, but it doesn't need to. Any always-on Linux, Windows, or macOS device in your network works as the subnet router — a NAS, a Raspberry Pi, whatever you have running 24/7. Once that's in place, any device you install Tailscale on (phone, laptop, etc.) gets seamless access to everything on your internal network.

A few things worth highlighting:

  • Free for home use and genuinely zero-trust by design
  • I added my Pi-holes to Tailscale's Split DNS configuration, so I get the same internal name resolution remotely that I have locally
  • For cross-VLAN routing, you just need firewall rules on the UDM Pro that allow the Tailscale host to forward traffic to your other VLANs — straightforward once you know where to look

Happy to walk you through any part of the setup if it would help.

5 Likes
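The subnet-router step described in the post above, as an added example rather than the poster's own setup: a POSIX shell script for the always-on Linux host that enables forwarding and advertises the home subnets to the tailnet. It assumes the `tailscale` CLI is installed and uses constructed subnet values; approving the routes in the Tailscale admin console and the UDM Pro cross-VLAN firewall rules are still done by hand.

```shell
#!/bin/sh
# Added example, not from the thread: make an always-on Linux host on the LAN a
# Tailscale subnet router so devices behind CGNAT are reachable from the tailnet.
# Assumes the tailscale CLI is installed; the subnets used are constructed values.

# valid_cidr A.B.C.D/N -> exit 0 if a well-formed IPv4 CIDR, else 1
valid_cidr() {
  ip=${1%/*}; prefix=${1#*/}
  [ "$ip" != "$1" ] || return 1                    # no "/" present
  case $prefix in ''|*[!0-9]*) return 1 ;; esac    # prefix must be digits
  [ "$prefix" -le 32 ] || return 1
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs      # split dotted quad
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# join_routes CIDR... -> comma-separated list in the form --advertise-routes expects
join_routes() ( IFS=,; printf '%s' "$*" )

# Persistently enable kernel forwarding so this host can route for the LAN.
enable_forwarding() {
  printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n' \
    | sudo tee /etc/sysctl.d/99-tailscale.conf >/dev/null
  sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
}

# Advertise the LAN subnets. The routes still have to be approved in the
# Tailscale admin console before other tailnet devices can use them;
# --accept-dns keeps the Split DNS settings pushed from the admin console.
advertise_routes() {
  for r in "$@"; do
    valid_cidr "$r" || { echo "rejecting malformed route: $r" >&2; return 1; }
  done
  sudo tailscale up --advertise-routes="$(join_routes "$@")" --accept-dns=true
}

# Usage: sh subnet-router.sh --apply 192.168.1.0/24 192.168.20.0/24
if [ "${1:-}" = "--apply" ]; then
  shift
  enable_forwarding
  advertise_routes "$@"
fi
```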

Well I failed again with my negotiations with Virgin Media today so I've placed my order with Starlink. I'm sure I'll have some more questions so I'll come back and ask once I'm up and running. In the meantime I'll take a look at Tailscale.

Thanks for everyone's input 👍

1 Like

Looks like we'll both be using Tailscale in the somewhat near future. T-Mobile Fiber is currently marking all of the existing communications and power wiring in our neighborhood with spray paint on the yards and streets. This will allow them to start installing underground optical fiber conduits and fiber. Finally, I will have a choice other than Spectrum cable internet. Unfortunately, T-Mobile Fiber uses CGNAT, so I will need to figure out Tailscale as well. 😉

I wish you the best of luck and look forward to hearing how everything turns out.

2 Likes

When I switched from WireGuard to Tailscale, my first reaction was to question why I hadn't switched earlier. Tailscale is so easy to set up and use. And it is just as secure as WireGuard.

3 Likes

Because it is WireGuard 😉

Agree, among all networking products I’ve tried, Tailscale is the closest thing to magic

1 Like

I've had one problem with Tailscale where it took over all traffic. It was only supposed to route to a certain subnet but suddenly started routing all traffic through the VPN.

Only when you select an exit node will Tailscale route all traffic through the Tailnet. Normally it's just split tunnel.

1 Like

And even in that case there is an option to split the LAN traffic out of the exit node path

Yes, the split stopped working suddenly for whatever reason.