# Policy routing: send blocked sites via Starlink (WiFi)

Your main connection blocks some sites (e.g. polymarket.com). Starlink is available over WiFi. This routes only selected traffic via Starlink; the rest stays on the main link.

## Where to implement

| Place | When to use |
|-------|-------------|
| **OpenWrt router** | Starlink is a second WAN on the same router. One config, all LAN devices benefit. |
| **Linux host (Mint)** | Starlink is only reachable from this machine (e.g. WiFi to Starlink, Ethernet to main LAN). |
| **Docker** | No separate step. Containers use the host’s routing; fix it on the host (or router). |

So: **router** if Starlink is second WAN on OpenWrt; otherwise **Linux host**. Docker follows the host.

---

## Router as WiFi client to Starlink

Using the router to connect to Starlink’s WiFi as a client gives you one device with two WANs (main + Starlink over WiFi). Then policy routing can send only blocked sites via Starlink.

**Stock TP-Link (e.g. Archer C6):** Most stock firmwares do **not** support “connect to another WiFi as client and use it as a **second** WAN”. They may have “WISP” / “Wireless ISP” mode, which uses WiFi-as-WAN but typically **replaces** the main WAN, not adds a second one. So dual-WAN with one being WiFi client is usually **not** available on stock.

**OpenWrt:** Supports this. You use one wireless interface in **Client** mode, connected to Starlink’s SSID (and password). That interface gets an IP via DHCP from Starlink and acts as a second WAN. Your existing Ethernet WAN stays the first.

Requirements:

- Router has OpenWrt installed (Archer C6 is supported; check [OpenWrt Table of Hardware](https://openwrt.org/toh/start)).
- Two wireless “sides”: one stays in AP mode for your LAN WiFi, the other is in **Client** mode to Starlink. On dual-band routers (e.g. 2.4 GHz + 5 GHz) you use one band for AP and the other for client, so both can run at once.
- Then configure mwan3 with two WANs and policy routing as in Option A.

**Step-by-step LuCI guide:** see `openwrt-starlink-luci-setup.md`.

So: **yes, you can configure the router to connect to Starlink as a client**, but you need **OpenWrt** (or similar) to both join Starlink WiFi and use it as a second WAN next to your main connection.

---

## Option A: OpenWrt (router level)

Requirements:

- OpenWrt with two WANs: main (blocking) + Starlink.
- Starlink connected to OpenWrt: **Ethernet** to Starlink router, or **WiFi client** (router joins Starlink’s WiFi as above).

Steps (short):

1. **Multi-WAN**: Install `mwan3`, configure two interfaces (e.g. `wan`, `wan2`), each with its gateway and metric.
2. **Policy**: In mwan3, add a policy that uses only the Starlink member for a specific rule.
3. **Matching traffic**:
   - Either assign **source IP** of the Linux host (and optionally other devices) to use that policy, or
   - Use **destination IP** (see “Domain → IP” below) in firewall/routing so only those IPs go via Starlink.

Domain → IP on OpenWrt: resolve the domain (e.g. via `nslookup polymarket.com` or a script), then add those IPs to a firewall fwmark or an mwan3 rule. Some use `dnsmasq` with `ipset` + firewall to mark by domain and then mwan3 routes by mark.

---

## Option B: Linux host (Mint) – two interfaces

Your machine has:

- Main: e.g. Ethernet (default route, blocking).
- Starlink: WiFi to Starlink.

Idea: keep default route on main; add a second routing table whose default is via Starlink; use `ip rule` so that traffic to specific IPs (resolved from polymarket.com etc.) uses that table.

Steps:

1. **Identify interfaces and gateways**
   - Main: `ip route show default` (e.g. `eth0`, gateway `192.168.0.1`).
   - Starlink: connect WiFi, then `ip route` and note gateway on `wlan0` (e.g. `192.168.1.1`).
2. **Starlink routing table**
   - Pick a table id, e.g. `200`.
   - Add default via Starlink gateway in table 200 (see script).
3. **Which IPs to send via Starlink**
   - Resolve domains (e.g.
     `polymarket.com`, `www.polymarket.com`, `gamma-api.polymarket.com` if needed). IPs can change (CDN), so either:
     - Run a small script periodically (cron) that resolves domains and updates `ip rule`/routing, or
     - Add a known set of IPs and update when blocking starts again.
4. **Rules**
   - `ip rule add to <IP> table 200` for each IP (or use `ipset` + one rule `ip rule add to match set table 200`).

Use the script `policy-route-starlink.sh`: it wraps the above and can be run at boot and on a timer.

**Script usage (host):**

```bash
# One-time: set gateway if auto-detect fails
export STARLINK_IF=wlan0
export STARLINK_GW=192.168.1.1   # optional, else from default route on wlan0
export DOMAINS="polymarket.com www.polymarket.com"   # optional

# -E keeps the exported variables; sudo's default env_reset would drop them
sudo -E ./policy-route-starlink.sh setup

# To remove:
sudo -E ./policy-route-starlink.sh remove
```

Because CDN IPs can change, run `setup` after boot (e.g. systemd service or @reboot cron) and optionally every 10–15 min via cron so new IPs get added.

---

## Option C: Docker

No extra layer. Containers use the host’s routing and DNS. Once policy routing works on the host (or router), traffic from Docker to polymarket.com will go via Starlink if the rule matches that traffic (same destination IPs).

---

## Summary

- **Router (OpenWrt):** Yes, if Starlink is second WAN; use mwan3 + policy + (optionally) domain→ipset.
- **Host (Linux Mint):** Yes; two interfaces, second routing table, `ip rule` for destination IPs of blocked domains; script can maintain IP list.
- **Docker:** No separate config; host (or router) handles it.

If only the Linux Mint box has Starlink WiFi, implement on the host with the script. If Starlink is a second WAN on OpenWrt, implement on the router.

---

## Pi-hole DNS on the Linux host

**Does Pi-hole help route blocked sites through Starlink?**

No. Pi-hole only does DNS (answers and forwarding). It does not decide which WAN is used for the actual traffic. Routing is done by the kernel (policy routing / mwan3).

- **If the block is DNS-only** (ISP DNS returns NXDOMAIN or a block page): Using a different DNS (e.g. Pi-hole with upstream 1.1.1.1 / 8.8.8.8) can give clients the real IP. Traffic still goes out the main WAN; if the ISP also blocks by IP or SNI, you still need policy routing.
- **If the block is IP/SNI/DPI**: You need policy routing so traffic to polymarket’s IPs goes via Starlink. Pi-hole does not do that.

Pi-hole is useful for ad blocking and DNS control; use it together with policy routing (OpenWrt or host script), not as a substitute for it.
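
Steps 3 and 4 of Option B (keeping the per-IP rules in step with changing CDN addresses), as an added example that is not the page's `policy-route-starlink.sh`: it compares the rules already pointing at table 200 with the freshly resolved IPs and prints the `ip` commands that would add new addresses and drop stale ones, without applying anything. The function names are hypothetical, the gateway `192.168.1.1` and interface `wlan0` are the page's example values, and the sample rules and addresses are constructed.

```sh
# Added example, not the page's policy-route-starlink.sh: prints ip commands only.
# IPv6 answers are skipped here; they would need their own `ip -6 rule` entries.
TABLE=200

# Keep only valid dotted-quad IPv4 addresses from stdin, sorted and deduplicated.
valid_ipv4() {
    awk -F. 'NF == 4 {
        ok = 1
        for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) ok = 0
        if (ok) print
    }' | sort -u
}

# Destinations that `ip rule show` output (stdin) already sends to $TABLE.
current_targets() {
    awk -v t="$TABLE" 'NF >= 2 && $(NF-1) == "lookup" && $NF == t {
        for (i = 1; i < NF; i++)
            if ($i == "to") { ip = $(i+1); sub(/\/32$/, "", ip); print ip }
    }' | sort -u
}

# Print the lines of list $1 that are absent from list $2.
diff_set() {
    printf '%s\n--\n%s\n' "$2" "$1" | awk '
        $0 == "--" { second = 1; next }
        $0 == ""   { next }
        !second    { seen[$0] = 1; next }
        !($0 in seen)'
}

# plan_rules GATEWAY IFACE RULES_TEXT RESOLVED_TEXT
plan_rules() {
    [ -n "$(printf '%s\n' "$1" | valid_ipv4)" ] || { echo "bad gateway" >&2; return 1; }
    case $2 in ''|*[!A-Za-z0-9._-]*) echo "bad interface" >&2; return 1 ;; esac
    have=$(printf '%s\n' "$3" | current_targets)
    want=$(printf '%s\n' "$4" | valid_ipv4)
    # A failed lookup must not be read as "every IP went stale".
    [ -n "$want" ] || { echo "nothing resolved; rules kept" >&2; return 1; }
    echo "ip route replace default via $1 dev $2 table $TABLE"
    diff_set "$want" "$have" | while read -r ip; do echo "ip rule add to $ip/32 table $TABLE"; done
    diff_set "$have" "$want" | while read -r ip; do echo "ip rule del to $ip/32 table $TABLE"; done
}

# Constructed sample input (documentation-range addresses, not real lookups).
SAMPLE_RULES='32764: from all to 203.0.113.10 lookup 200
32765: from all to 203.0.113.99 lookup 200
32766: from all lookup main'
SAMPLE_RESOLVED=$(printf '%s\n' 203.0.113.10 198.51.100.7 2001:db8::1)
plan_rules 192.168.1.1 wlan0 "$SAMPLE_RULES" "$SAMPLE_RESOLVED"
```

With real data, pass the output of `ip rule show` and the resolver's answers, review the printed commands, then run them as root.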