popov/scripts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

openwrt routing

Browse Source
This commit is contained in:
Dobromir Popov
2026-02-16 14:13:35 +02:00
parent b92a02a770
commit a2c33734fb
3 changed files with 351 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

148
linux/openwrt/openwrt-starlink-luci-setup.md Normal file
View File

@@ -0,0 +1,148 @@
# OpenWrt: Connect to Starlink WiFi (client) and route blocked sites via it (LuCI)
Step-by-step using the LuCI web UI where possible. Router: Archer C6, OpenWrt/LuCI. Goal: main WAN stays default; traffic to polymarket (and similar) goes via Starlink WiFi.
---
## Part 1: Connect router to Starlink WiFi (client mode)
You need one radio as **AP** (your LAN WiFi) and one as **Client** (Starlink). Archer C6 has 2.4 GHz and 5 GHz; use one for Starlink client.
### 1.1 Install WiFi client (if needed)
SSH into the router, then:
```bash
opkg update
opkg install wpad-mesh-openssl
```
(Some images already include this. If "Scan" works in LuCI, skip.)
### 1.2 Create the Starlink client interface in LuCI
1. Log in to LuCI (e.g. `http://192.168.0.1`).
2. Go to **Network****Wireless**.
3. You should see two radios (e.g. "Radio0 (2.4 GHz)", "Radio1 (5 GHz)").
4. On the radio you will use for Starlink (e.g. **Radio1 (5 GHz)**):
- Click **Scan**.
- Wait for the list; find your **Starlink WiFi SSID**.
- Click **Join network** next to it.
5. In the dialog:
- **Network**: leave as new (e.g. `wwan`) or set a name like `starlink`.
- **Wireless Security**: choose the encryption (usually **WPA2-PSK**) and enter the **Starlink WiFi password**.
- Leave other options default. Submit.
6. The new interface (e.g. `wwan` or `starlink`) appears under **Network****Wireless** as a **Client** network. Ensure it is **Enabled** and not disabled.
### 1.3 Create a WAN interface for Starlink and assign firewall
The client connection gets an IP via DHCP from Starlink. You must create a protocol interface for it and put it in the **wan** firewall zone so it is used as a WAN.
1. Go to **Network****Interfaces**.
2. Click **Add new interface**:
- **Name**: `wan2` (or `starlink`).
- **Protocol**: **DHCP client**.
- **Device**: select the device that corresponds to the Starlink client (e.g. `wwan` or the wireless device name shown for that client network). If unsure, check **Network****Wireless** and see which device the client is on (e.g. `wlan1`).
- Submit.
3. On the new interfaces page:
- **General Setup**: ensure "Bring up on boot" or similar is checked.
- **Firewall Settings**: assign to **wan** (same zone as your main WAN). This is required for NAT and mwan3.
- **Save & Apply**.
### 1.4 Verify Starlink connectivity
- In **Network****Interfaces**, `wan2` should show an IP (from Starlinks DHCP).
- From a device on your LAN, you can ping 8.8.8.8 (main WAN is still default). To test Starlink alone youll confirm after Part 2 with a policy.
---
## Part 2: Install and configure mwan3 (Load Balancing)
mwan3 will use both WANs: default traffic via main WAN, and specific destination IPs (polymarket) via Starlink.
### 2.1 Install mwan3 (SSH)
LuCI app for mwan3 is not always preinstalled. On the router via SSH:
```bash
opkg update
opkg install mwan3 luci-app-mwan3
```
Then in LuCI you should see **Network****Load Balancing** (or **Multi-WAN**).
### 2.2 Configure interfaces (LuCI)
1. Go to **Network****Load Balancing****Configuration** (or **Interfaces** tab).
2. **Interfaces**:
- You should see **wan** (main) and **wan2** (Starlink). If not, add **wan2**:
- **Interface**: `wan2`
- **Enable**: checked
- **Track IP**: e.g. `8.8.8.8` or `1.1.1.1` (used for health check).
- **Metric**: `20` (higher than wan so default route prefers main WAN).
- **Reliability**: e.g. `1`.
- Save.
- For **wan** (main WAN):
- **Metric**: `10` (lower = preferred for default).
- **Track IP**: e.g. `8.8.8.8`.
- Save.
3. **Members** tab:
- **wan** → member e.g. `wan_m1`, metric `1`.
- **wan2** → member e.g. `wan2_m1`, metric `1`.
4. **Policies** tab:
- **default_policy**: last resort; assign only **wan_m1** (main WAN only). So all traffic that doesnt match a rule uses main WAN.
- Add policy **starlink_only**: assign only **wan2_m1**. This will be used for polymarket IPs.
5. **Rules** tab (order matters; more specific first):
- Add a rule for polymarket:
- **Name**: e.g. `polymarket_via_starlink`
- **Destination address**: see below (polymarket IPs). You can add one rule with multiple IPs/CIDRs or several rules.
- **Policy**: **starlink_only**
- **Sticky**: optional (e.g. 1 minute) so the same connection stays on Starlink.
- Ensure there is a **default** rule:
- **Destination address**: `0.0.0.0/0`
- **Policy**: **default_policy**
- Default rule must be **last** (lowest priority). Polymarket rule must be **above** it.
### 2.3 Polymarket destination IPs
mwan3 matches by **destination IP**, not domain. You need to add the IPs (or CIDRs) for polymarket.com and any related hostnames.
- Resolve from a PC (that can reach polymarket, or use any DNS):
- `nslookup polymarket.com`
- `nslookup www.polymarket.com`
- Add any other subdomains you use (e.g. `gamma-api.polymarket.com`).
- In LuCI **Load Balancing****Rules**, in the polymarket rule set **Destination address** to one of:
- Single IP: `a.b.c.d/32`
- Several IPs: add multiple rules with the same policy, or use a space-separated list if LuCI allows (e.g. `1.2.3.4/32 5.6.7.8/32`).
- CDN IPs can change. If the site stops working via Starlink, resolve the domains again and add/update the IPs in the rule. You can later automate this with a script that updates the mwan3 config or uses ipset.
**Example** (replace with real IPs you resolved):
- Destination address: `104.18.2.2/32 172.67.1.1/32` (example only; get real IPs for polymarket.com).
### 2.4 Save and apply
- **Save & Apply** in **Load Balancing** and in **Network****Interfaces** if you changed anything.
- Test: from a LAN device, open polymarket.com; it should go via Starlink. Other sites still via main WAN.
---
## Part 3: Quick reference (LuCI locations)
| Step | LuCI path |
|-------------------------|-------------------------------------|
| Create Starlink client | Network → Wireless → Scan → Join |
| WAN interface for WiFi | Network → Interaces → Add (DHCP, wan zone) |
| Load Balancing config | Network → Load Balancing |
| Interfaces (wan, wan2) | Load Balancing → Interfaces |
| Policies | Load Balancing → Policies |
| Rules (polymarket, default) | Load Balancing → Rules |
---
## Troubleshooting
- **Starlink client not getting IP**: Check WiFi password; ensure Starlink router is in range; check **Network****Wireless** that the client network is enabled and associated.
- **All traffic still via main WAN**: Ensure the polymarket rule is **above** the default rule; check **Destination address** uses the correct IPs/CIDRs; ensure **starlink_only** policy uses only **wan2_m1**.
- **Polymarket works then stops**: CDN IPs changed; re-resolve the domain(s) and update the rules destination IPs.
- **LuCI "Load Balancing" missing**: Install `luci-app-mwan3` via SSH and refresh the page.

83
linux/openwrt/policy-route-starlink.sh Normal file
View File

@@ -0,0 +1,83 @@
#!/usr/bin/env bash
# Policy routing: send traffic to specified domains via Starlink interface.
# Run on Linux host (e.g. Linux Mint) that has both main connection and WiFi to Starlink.
# Usage: sudo ./policy-route-starlink.sh [setup|remove]
# Configure STARLINK_IF, STARLINK_GW, DOMAINS below or via env.
set -e
# Starlink WiFi interface (e.g. wlan0)
STARLINK_IF="${STARLINK_IF:-wlan0}"
# Starlink gateway IP (get from: ip route show dev "$STARLINK_IF" | head -1)
STARLINK_GW="${STARLINK_GW:-}"
# Domains to route via Starlink (space-separated)
DOMAINS="${DOMAINS:-polymarket.com www.polymarket.com}"
# Routing table id for Starlink
TABLE_ID=200
action="${1:-setup}"
resolve_domains() {
local list=""
for d in $DOMAINS; do
local ips
ips=$(getent ahosts "$d" 2>/dev/null | awk '$1 !~ /^:/ {print $1}' | sort -u) || true
for ip in $ips; do
[[ -n "$ip" ]] && list="$list $ip"
done
done
echo "$list"
}
get_starlink_gw() {
if [[ -n "$STARLINK_GW" ]]; then
echo "$STARLINK_GW"
return
fi
ip route show dev "$STARLINK_IF" 2>/dev/null | awk '/default via/ {print $3; exit}'
}
do_setup() {
if ! ip link show "$STARLINK_IF" &>/dev/null; then
echo "Interface $STARLINK_IF not found. Set STARLINK_IF (e.g. wlan0)."
exit 1
fi
local gw
gw=$(get_starlink_gw)
if [[ -z "$gw" ]]; then
echo "Could not determine Starlink gateway. Set STARLINK_GW or ensure $STARLINK_IF has a route."
exit 1
fi
# Ensure table 200 has default via Starlink (idempotent)
ip route replace default via "$gw" dev "$STARLINK_IF" table "$TABLE_ID" 2>/dev/null || true
local ips
ips=$(resolve_domains)
if [[ -z "$ips" ]]; then
echo "No IPs resolved for domains: $DOMAINS. Check DNS/connectivity."
exit 1
fi
for ip in $ips; do
ip rule add to "$ip" table "$TABLE_ID" 2>/dev/null || true
done
echo "Routing via Starlink ($STARLINK_IF): $ips"
}
do_remove() {
local ips
ips=$(resolve_domains)
for ip in $ips; do
ip rule del to "$ip" table "$TABLE_ID" 2>/dev/null || true
done
ip route flush table "$TABLE_ID" 2>/dev/null || true
echo "Removed policy rules for table $TABLE_ID."
}
case "$action" in
setup) do_setup ;;
remove) do_remove ;;
*)
echo "Usage: $0 [setup|remove]"
echo "Env: STARLINK_IF ($STARLINK_IF), STARLINK_GW, DOMAINS"
exit 1
;;
esac

120
linux/openwrt/policy-route-via-starlink.md Normal file
View File

@@ -0,0 +1,120 @@
# Policy routing: send blocked sites via Starlink (WiFi)
Your main connection blocks some sites (e.g. polymarket.com). Starlink is available over WiFi. This routes only selected traffic via Starlink; the rest stays on the main link.
## Where to implement
| Place | When to use |
|-------|-------------|
| **OpenWrt router** | Starlink is a second WAN on the same router. One config, all LAN devices benefit. |
| **Linux host (Mint)** | Starlink is only reachable from this machine (e.g. WiFi to Starlink, Ethernet to main LAN). |
| **Docker** | No separate step. Containers use the hosts routing; fix it on the host (or router). |
So: **router** if Starlink is second WAN on OpenWrt; otherwise **Linux host**. Docker follows the host.
---
## Router as WiFi client to Starlink
Using the router to connect to Starlinks WiFi as a client gives you one device with two WANs (main + Starlink over WiFi). Then policy routing can send only blocked sites via Starlink.
**Stock TP-Link (e.g. Archer C6):**
Most stock firmwares do **not** support “connect to another WiFi as client and use it as a **second** WAN”. They may have “WISP” / “Wireless ISP” mode, which uses WiFi-as-WAN but typically **replaces** the main WAN, not adds a second one. So dual-WAN with one being WiFi client is usually **not** available on stock.
**OpenWrt:**
Supports this. You use one wireless interface in **Client** mode, connected to Starlinks SSID (and password). That interface gets an IP via DHCP from Starlink and acts as a second WAN. Your existing Ethernet WAN stays the first. Requirements:
- Router has OpenWrt installed (Archer C6 is supported; check [OpenWrt Table of Hardware](https://openwrt.org/toh/start)).
- Two wireless “sides”: one stays in AP mode for your LAN WiFi, the other is in **Client** mode to Starlink. On dual-band routers (e.g. 2.4 GHz + 5 GHz) you use one band for AP and the other for client, so both can run at once.
- Then configure mwan3 with two WANs and policy routing as in Option A. **Step-by-step LuCI guide:** see `openwrt-starlink-luci-setup.md`.
So: **yes, you can configure the router to connect to Starlink as a client**, but you need **OpenWrt** (or similar) to both join Starlink WiFi and use it as a second WAN next to your main connection.
---
## Option A: OpenWrt (router level)
Requirements:
- OpenWrt with two WANs: main (blocking) + Starlink.
- Starlink connected to OpenWrt: **Ethernet** to Starlink router, or **WiFi client** (router joins Starlinks WiFi as above).
Steps (short):
1. **Multi-WAN**: Install `mwan3`, configure two interfaces (e.g. `wan`, `wan2`), each with its gateway and metric.
2. **Policy**: In mwan3, add a policy that uses only the Starlink member for a specific rule.
3. **Matching traffic**:
- Either assign **source IP** of the Linux host (and optionally other devices) to use that policy, or
- Use **destination IP** (see “Domain → IP” below) in firewall/routing so only those IPs go via Starlink.
Domain → IP on OpenWrt: resolve the domain (e.g. via `nslookup polymarket.com` or a script), then add those IPs to a firewall fwmark or an mwan3 rule. Some use `dnsmasq` with `ipset` + firewall to mark by domain and then mwan3 routes by mark.
---
## Option B: Linux host (Mint) two interfaces
Your machine has:
- Main: e.g. Ethernet (default route, blocking).
- Starlink: WiFi to Starlink.
Idea: keep default route on main; add a second routing table whose default is via Starlink; use `ip rule` so that traffic to specific IPs (resolved from polymarket.com etc.) uses that table.
Steps:
1. **Identify interfaces and gateways**
- Main: `ip route show default` (e.g. `eth0`, gateway `192.168.0.1`).
- Starlink: connect WiFi, then `ip route` and note gateway on `wlan0` (e.g. `192.168.1.1`).
2. **Starlink routing table**
- Pick a table id, e.g. `200`.
- Add default via Starlink gateway in table 200 (see script).
3. **Which IPs to send via Starlink**
- Resolve domains (e.g. `polymarket.com`, `www.polymarket.com`, `gamma-api.polymarket.com` if needed). IPs can change (CDN), so either:
- Run a small script periodically (cron) that resolves domains and updates `ip rule`/routing, or
- Add a known set of IPs and update when blocking starts again.
4. **Rules**
- `ip rule add to <IP> table 200` for each IP (or use `ipset` + one rule `ip rule add to match set <setname> table 200`).
Use the script `policy-route-starlink.sh`: it wraps the above and can be run at boot and on a timer.
**Script usage (host):**
```bash
# One-time: set gateway if auto-detect fails
export STARLINK_IF=wlan0
export STARLINK_GW=192.168.1.1 # optional, else from default route on wlan0
export DOMAINS="polymarket.com www.polymarket.com" # optional
sudo ./policy-route-starlink.sh setup
# To remove: sudo ./policy-route-starlink.sh remove
```
Because CDN IPs can change, run `setup` after boot (e.g. systemd service or @reboot cron) and optionally every 1015 min via cron so new IPs get added.
---
## Option C: Docker
No extra layer. Containers use the hosts routing and DNS. Once policy routing works on the host (or router), traffic from Docker to polymarket.com will go via Starlink if the rule matches that traffic (same destination IPs).
---
## Summary
- **Router (OpenWrt):** Yes, if Starlink is second WAN; use mwan3 + policy + (optionally) domain→ipset.
- **Host (Linux Mint):** Yes; two interfaces, second routing table, `ip rule` for destination IPs of blocked domains; script can maintain IP list.
- **Docker:** No separate config; host (or router) handles it.
If only the Linux Mint box has Starlink WiFi, implement on the host with the script. If Starlink is a second WAN on OpenWrt, implement on the router.
---
## Pi-hole DNS on the Linux host
**Does Pi-hole help route blocked sites through Starlink?**
No. Pi-hole only does DNS (answers and forwarding). It does not decide which WAN is used for the actual traffic. Routing is done by the kernel (policy routing / mwan3).
- **If the block is DNS-only** (ISP DNS returns NXDOMAIN or a block page): Using a different DNS (e.g. Pi-hole with upstream 1.1.1.1 / 8.8.8.8) can give clients the real IP. Traffic still goes out the main WAN; if the ISP also blocks by IP or SNI, you still need policy routing.
- **If the block is IP/SNI/DPI**: You need policy routing so traffic to polymarkets IPs goes via Starlink. Pi-hole does not do that.
Pi-hole is useful for ad blocking and DNS control; use it together with policy routing (OpenWrt or host script), not as a substitute for it.