Starlink and CGNAT Internet Providers

 Created Date: 10/6/2023 2:42:22 PM |  User Level: Regular User |  Views: 273

Many internet providers place their customers behind CGNAT gateways, which prevents port forwarding. Starlink is one of those providers, and with this setup it is adhering to computer security best practices. CGNAT is, in effect, a firewall designed to protect your computers connected to the Internet. The problem is that these security measures can block items like email, along with other sites and even ads.

More detail about CGNAT and what it is.

CGNAT (Carrier-Grade Network Address Translation) is used to prevent bandwidth issues and IP exhaustion on the Internet. Internet providers use CGNAT to easily assign a single IP (Internet Protocol) address to multiple users in a home or office. This does cause problems as you are unable to open ports on a router behind CGNAT.

Starlink Specific Information

Some of the information below is nerdy and comes directly from Starlink, but it is important to read at a minimum. It will give you a good understanding of the two IP policies that are available from Starlink: "default" and "public".

Each Starlink is allocated one IPv4 address and delegated a /56 IPv6 prefix for network clients. All Starlink network clients are assigned an IPv6 address if the router is IPv6 capable. IPv6 is not supported on the early generation router in the Circular Starlink Kit. As Starlink continues to expand and upgrade our global internet service infrastructure and roll out new capabilities, some users may see different IP address behavior (for example, publicly routable addresses, IPv6, non-CGNAT).

Default Policy

The default IP configuration is Carrier Grade Network Address Translation (CGNAT) using private address space assigned to Starlink clients with DHCP from the 100.64.0.0/10 network. Network Address Translation (NAT) translates between Starlink private and public IPs.

The default IP policy using CGNAT blocks all inbound ports. Customers requiring inbound ports should consider products with a public IP option. The following outbound ports are blocked for all customers per information security best practices: TCP/25 (SMTP) and TCP/445 (SMB).
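A practical way to tell which policy you are on is to look at the address your router reports on its WAN side: an address in 100.64.0.0/10 means CGNAT (no inbound ports), an RFC 1918 address means you are behind another local NAT, and only a public address can accept forwarded ports. The following Python script is an added example, not Starlink's code; the sample addresses in it are constructed, and it also counts how many /64 LANs fit in the /56 IPv6 delegation mentioned above.

```python
import ipaddress

# RFC 6598 shared address space: Starlink's default policy hands clients
# addresses from this range, so a WAN address here means "behind CGNAT".
CGNAT_SPACE = ipaddress.ip_network("100.64.0.0/10")

# RFC 1918 private ranges: a WAN address here means the router sits behind
# another NAT device (for example a second router), not the carrier's NAT.
RFC1918 = tuple(ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

# IPv6 unique local addresses (RFC 4193), the IPv6 counterpart of RFC 1918.
ULA = ipaddress.ip_network("fc00::/7")


def classify_wan_address(addr: str) -> dict:
    """Classify the address a router reports on its WAN/uplink side.

    'inbound_possible' is True only for a public address: there is no
    address translation in the way, so a forwarded port can in principle be
    reached (a firewall on the router may of course still drop it).
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        if ip in CGNAT_SPACE:
            kind = "cgnat"
        elif any(ip in net for net in RFC1918):
            kind = "private"
        elif ip.is_global:
            kind = "public"
        else:
            kind = "other"      # loopback, link-local, documentation, reserved
    else:
        if ip in ULA:
            kind = "private"
        elif ip.is_global:
            kind = "public"
        else:
            kind = "other"      # loopback, link-local, documentation prefix
    return {
        "address": str(ip),
        "version": ip.version,
        "kind": kind,
        "inbound_possible": kind == "public",
    }


def delegated_lan_count(prefix: str, lan_prefix_len: int = 64) -> int:
    """Count the /64 LAN subnets that fit in a delegated prefix such as a /56.

    Raises ValueError if the delegated prefix is smaller than a LAN prefix.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    return sum(1 for _ in net.subnets(new_prefix=lan_prefix_len))


if __name__ == "__main__":
    # Constructed sample WAN addresses, not real customer data.
    for sample in ("100.72.3.4", "192.168.1.2", "100.128.0.1", "2a01:abcd::1"):
        print(classify_wan_address(sample))
    # Constructed /56 in the IPv6 documentation range.
    print(delegated_lan_count("2001:db8:1234:5600::/56"), "LAN subnets")
```

Run it with the address shown on your router's status page in place of the samples. The CGNAT range is checked before anything else because Python's own `is_private`/`is_global` flags treat 100.64.0.0/10 specially, and relying on them alone would mislabel it.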

Public Policy

The Starlink public IP policy is an optional configuration available to Business and Maritime customers. A public IP is reachable from any device on the internet and is assigned to Starlink network clients using DHCP. Moving the Starlink to another location may cause the public IP to change. Starlink does not currently offer the ability for Residential or Roam customers to receive a public IP. The public IP option can be enabled from the account dashboard.

What Ports are Blocked by Starlink and Most CGNAT Providers?

Commonly, Starlink and CGNAT provider routers block sending and receiving on email ports to help prevent the flood of spam on the Internet. They also do this to protect you and the rest of the Internet from viruses, malware, and other security issues. Below are the ports that are routinely blocked and their suggested alternative ports:

Description | Port | Recommended Alternative | Notes
SMTP | 25 | 2525 (TLS) | Port 25 sends messages in plain text, although if the mail server supports it the connection can be encrypted with TLS. Because it represents a security risk, many Internet service providers block it.
POP3 | 110 | 995 (TLS) | POP3 uses two standard ports: 110 (the default) and 995 (the designated POP3 encryption port). SSL is being phased out, so the encryption used for messages is TLS.
SMTP | 465 | 2525 (TLS) | Port 465 works over an implicit SSL connection; if the server does not support it, the operation is aborted.
SMTP Submission | 587 | 2525 (TLS) | Port 587 is the port IANA registered as the secure SMTP port, and it requires an explicit TLS connection. However, if the email server does not support TLS, the message is sent in plain text.
IMAP | 143 | 993 (TLS) | Port 993 is the secure port for IMAP and works over TLS/SSL encryption.
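Before changing a mail client, it helps to confirm which of these ports the uplink actually lets through and which alternative to move to. The Python script below is an added example (not from Starlink or this site): it probes a TCP port, maps each commonly blocked mail port to the alternative from the table above, and reports the advice. The `PORT_POLICY` table, the TLS mode it records for port 2525 (assumed to be explicit STARTTLS, since the table only says "TLS"), and the `simulated_cgnat_connect` stand-in that mimics an uplink dropping TCP/25 and TCP/445 are all constructed for this example; pass the real `socket.create_connection` to probe a live server.

```python
import socket

# Commonly blocked mail ports, the alternative the table above recommends,
# and the TLS mode a client must use on that alternative.
# "implicit" = TLS from the first byte; "starttls" = plain connect, then upgrade.
# The "starttls" entry for 2525 is an assumption; the table only says "(TLS)".
PORT_POLICY = {
    ("smtp", 25):  {"alternative": 2525, "tls": "starttls"},
    ("smtp", 465): {"alternative": 2525, "tls": "starttls"},
    ("smtp", 587): {"alternative": 2525, "tls": "starttls"},
    ("pop3", 110): {"alternative": 995,  "tls": "implicit"},
    ("imap", 143): {"alternative": 993,  "tls": "implicit"},
}


def probe_port(host, port, timeout=3.0, connect=socket.create_connection):
    """Attempt a TCP connection to host:port.

    Returns "reachable" if the handshake completes, "refused" if the server
    actively rejects it (the path is open, nothing listens there), or
    "unreachable:<ErrorName>" when the connection times out or otherwise
    fails, which is what a filtering uplink looks like from the client side.
    """
    try:
        sock = connect((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:          # socket.timeout / TimeoutError are OSErrors
        return f"unreachable:{type(exc).__name__}"
    sock.close()
    return "reachable"


def check_mail_port(host, protocol, port, connect=socket.create_connection):
    """Probe a mail port and, if it is on the block list, its alternative."""
    result = {"host": host, "protocol": protocol, "port": port,
              "status": probe_port(host, port, connect=connect)}
    policy = PORT_POLICY.get((protocol.lower(), port))
    if policy is None:
        result["advice"] = "port is not on the commonly blocked list"
        return result
    alt = policy["alternative"]
    result["alternative"] = alt
    result["alternative_tls"] = policy["tls"]
    result["alternative_status"] = probe_port(host, alt, connect=connect)
    if result["status"] == "reachable":
        result["advice"] = (f"port {port} works here, but switch to {alt} "
                            f"({policy['tls']} TLS) to avoid CGNAT blocks elsewhere")
    else:
        result["advice"] = f"use port {alt} with {policy['tls']} TLS"
    return result


class _FakeSocket:
    """Minimal stand-in for a connected socket (constructed for offline use)."""
    def close(self):
        pass


def simulated_cgnat_connect(address, timeout=None):
    """Constructed stand-in for socket.create_connection.

    Mimics the uplink described above: TCP/25 and TCP/445 are silently
    dropped (the connection times out); every other port connects.
    """
    host, port = address
    if port in (25, 445):
        raise TimeoutError(f"timed out connecting to {host}:{port}")
    return _FakeSocket()


if __name__ == "__main__":
    # Constructed hostname; swap in your own mail server and the real connector.
    for proto, port in (("smtp", 25), ("smtp", 587), ("imap", 143)):
        print(check_mail_port("mail.example.com", proto, port,
                              connect=simulated_cgnat_connect))
```

A timeout and a refusal are deliberately kept apart in `probe_port`: a refusal proves the packets got through and simply found no listener, while a timeout is the usual symptom of a provider dropping the port. Note that the simulated connector models Starlink's stated policy (only TCP/25 and TCP/445 blocked), so 465, 587 and 143 come back reachable there; other CGNAT providers may block more of the table.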

How can I open ports that aren't available?

This is where we'll geek out a little, but not much. Get a VPN (Virtual Private Network). A VPN creates a tunnel to the internet through one port that is available; once inside that tunnel, the ports you need can become available, because you will, hopefully, have more control with the VPN software. We say "hopefully" because some VPNs continue to adhere to Internet best practices, so some ports will still be blocked, but not as many.

What is a good VPN service?

The VPN that we use that solves most, if not all, of our problems is NordVPN. The reason we like it is the number of devices, ease of use, reliability, great customer support, and it "just works" for us. The cost is also extremely affordable.

Conclusion

Whenever possible, use the alternate ports even if you are not currently on a CGNAT or other restricted network, as this helps avoid potential issues in the future. This not only gets around Starlink and other CGNAT hosts but also will not interfere with you when you are on other networks.

Cellular networks also often block these ports at some of their towers, conforming to the same best practices.