What's my IP: 145.224.65.89
Ultra WAN IP: 100.112.22.183
CGNAT means Carrier-Grade NAT
My prompt was: I am happy being “hidden” behind CGNAT as I want only our own users connected and then using vpn without open ports
That makes excellent sense — and it’s a secure-by-default approach. Let’s affirm the key points of your CGNAT-based setup:
⸻
✅ Why CGNAT Works in Your Favour
- No exposed ports on your public-facing network = less attack surface
- Your ISP-provided IP (100.11x.xx.183) is non-routable, so nobody can scan or attack you directly
- Your real outbound IP (145.xx4.65.89) is shared with many users — this obscures your presence even further
⸻
🔐 Your Goal: Private Access Only + VPN = Perfect Match
You’ve said:
“I want only our own users connected and then using VPN without open ports”
That means:
- You do not want port forwarding
- You are happy if no inbound connections are allowed from the internet
- You want controlled VPN access for your users to reach internal resources
This is ideal for:
- Cloudflare Tunnel
- Tailscale (if not blocked by CGNAT NAT traversal limits)
- OpenVPN Cloud
- ZeroTier (though sometimes hampered by CGNAT, depends on your ISP)
Note: I am considering a self-hosted ZeroTier solution.
⸻
💡 Best Practices in Your Scenario
| Task | Recommendation |
|---|---|
| External access without open ports | ✅ Cloudflare Tunnel or OpenVPN Cloud |
| LAN-to-LAN or remote admin access | ✅ ZeroTier or Tailscale (test first) |
| VPN for trusted users | ✅ Run VPN server behind CGNAT using Cloud VPN with client pull |
| Restrict traffic | ✅ Use firewall to allow only VPN subnet |
| Remote logging / metrics | ✅ Use reverse tunnels (e.g. autossh, Cloudflare Tunnel) |
BUT Cloudflare does not do RDP
ZeroTier has crippled their free offering.
⸻
🚀 Starlink Bypass Mode: What It Really Means
When Starlink is in Bypass Mode, the Starlink router is disabled, and it passes the WAN IP directly to your own router (like your UniFi Ultra). This setup results in:
- ✅ Your router (e.g. UniFi) gets the Starlink-assigned IP address on its WAN interface
- ❌ No double NAT — the Starlink router is no longer performing NAT
Yes.
⸻
🧱 But: The Key Limitation Is Still Carrier-Grade NAT (CGNAT)
Even though there’s no double NAT on your own premises, Starlink itself does not give you a public IPv4 address directly. Instead:
- Your router gets a 100.64.x.x IP (CGNAT space)
- Outbound internet traffic is NATed by Starlink's core network to a shared public IP (like 145.224.65.89)
- Inbound unsolicited connections cannot reach you unless you use port forwarding alternatives like Cloudflare Tunnel
So your setup is:
[LAN devices] ──> [Your Router (e.g. UniFi, NAT)] ──> [Starlink CGNAT] ──> Internet
That’s a single visible NAT layer for you, but the CGNAT is still there in Starlink’s infrastructure.
Yes and I LIKE this.
⸻
✅ Summary: Your NAT Situation
| Layer | NAT? | Notes |
|---|---|---|
| Your Router (e.g. UniFi) | ✅ Yes | LAN to WAN NAT (typical home/office router setup) |
| Starlink Bypass Mode | ❌ No | Starlink router disabled — no extra NAT on your end |
| Starlink Network Core | ✅ Yes (CGNAT) | Hides you behind 100.x and shares public IP |
We bypassed (bridged) Starlink this morning. All seems well.
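A quick way to confirm the NAT picture in the summary table from two numbers you already have (the router's WAN address and the address the internet sees for you) is to check whether the WAN address falls in the RFC 6598 shared address space, 100.64.0.0/10, that carriers use for CGNAT. The script below is an added example, not part of the AI output or my notes; the WAN and public addresses it uses are the ones at the top of this page, and the 192.168.x and 203.0.113.x values for the other cases are constructed for illustration. It does not talk to the router or any "what's my IP" service; you paste in the two addresses yourself.

```python
import ipaddress

# RFC 6598 shared address space: what an ISP hands out when you sit behind CGNAT
CGNAT_SPACE = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here means another NAT box is in front of you
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip: str, public_ip: str) -> str:
    """Compare the router's WAN address with the address the internet sees.

    Returns one of: "public", "cgnat", "double-nat", "unknown".
    Membership in 100.64.0.0/10 is checked explicitly rather than via
    ipaddress.is_private, whose treatment of that range differs by Python version.
    """
    wan = ipaddress.ip_address(wan_ip)
    pub = ipaddress.ip_address(public_ip)
    if wan == pub:
        return "public"        # routable address on the WAN port; inbound works only if you open ports
    if wan in CGNAT_SPACE:
        return "cgnat"         # ISP NAT upstream; unsolicited inbound cannot reach you
    if any(wan in net for net in RFC1918):
        return "double-nat"    # an upstream on-premises device (e.g. ISP router not in bypass) is NATing
    return "unknown"


def nat_layers(wan_ip: str, public_ip: str) -> list[str]:
    """List the NAT layers between a LAN device and the internet, as the summary table does."""
    layers = ["your router (LAN -> WAN NAT)"]
    kind = classify_wan(wan_ip, public_ip)
    if kind == "cgnat":
        layers.append("ISP carrier-grade NAT")
    elif kind == "double-nat":
        layers.append("upstream on-premises NAT (ISP router)")
        # From these two addresses alone you cannot see whether CGNAT also sits beyond that box.
    return layers


def inbound_reachable(wan_ip: str, public_ip: str) -> bool:
    """True only when the WAN port holds the public address, i.e. port forwarding could work."""
    return classify_wan(wan_ip, public_ip) == "public"


if __name__ == "__main__":
    # Values from this page: Ultra WAN IP and the "what's my IP" result
    wan, pub = "100.112.22.183", "145.224.65.89"
    print(classify_wan(wan, pub))                     # cgnat
    print(" -> ".join(nat_layers(wan, pub)))
    print("inbound possible:", inbound_reachable(wan, pub))
    # Constructed comparison cases
    print(classify_wan("192.168.100.2", "203.0.113.7"))   # double-nat
    print(classify_wan("203.0.113.7", "203.0.113.7"))     # public
```

With the page's own addresses it reports "cgnat" and two NAT layers (your router, then the ISP), and `inbound_reachable` is False, which is exactly the state the post wants: nothing reaches the LAN unless a VPN or tunnel client inside it initiates the connection outward. If the router's WAN address ever came back as "public", that would be the moment to re-check the firewall, because port forwarding would then actually expose something.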
⸻
🔐 Takeaway
- You are only dealing with one NAT layer under your control
- The Starlink CGNAT is still active, but transparent — you just can’t receive inbound connections unless you use techniques like:
- Cloudflare Tunnel
- Tailscale + DERP relay
- ZeroTier + relay fallback
- OpenVPN Cloud
⸻
All of the above is AI-generated, with my comments added, and I concur.