scripts/linux/openwrt/policy-route-via-starlink.md
Dobromir Popov a2c33734fb openwrt routing
2026-02-16 14:13:35 +02:00


Policy routing: send blocked sites via Starlink (WiFi)

Your main connection blocks some sites (e.g. polymarket.com). Starlink is available over WiFi. This routes only selected traffic via Starlink; the rest stays on the main link.

Where to implement

Place | When to use
OpenWrt router | Starlink is a second WAN on the same router. One config, all LAN devices benefit.
Linux host (Mint) | Starlink is only reachable from this machine (e.g. WiFi to Starlink, Ethernet to main LAN).
Docker | No separate step. Containers use the host's routing; fix it on the host (or router).

So: router if Starlink is second WAN on OpenWrt; otherwise Linux host. Docker follows the host.


Using the router to connect to Starlink's WiFi as a client gives you one device with two WANs (main + Starlink over WiFi). Then policy routing can send only blocked sites via Starlink.

Stock TP-Link (e.g. Archer C6):
Most stock firmwares do not support “connect to another WiFi as client and use it as a second WAN”. They may have a “WISP” / “Wireless ISP” mode, which uses WiFi as WAN but typically replaces the main WAN rather than adding a second one. So dual-WAN with one WAN being a WiFi client is usually not available on stock firmware.

OpenWrt:
Supports this. You use one wireless interface in Client mode, connected to Starlink's SSID (and password). That interface gets an IP via DHCP from Starlink and acts as a second WAN. Your existing Ethernet WAN stays the first. Requirements:

  • Router has OpenWrt installed (Archer C6 is supported; check OpenWrt Table of Hardware).
  • Two wireless “sides”: one stays in AP mode for your LAN WiFi, the other is in Client mode to Starlink. On dual-band routers (e.g. 2.4 GHz + 5 GHz) you use one band for AP and the other for client, so both can run at once.
  • Then configure mwan3 with two WANs and policy routing as in Option A. Step-by-step LuCI guide: see openwrt-starlink-luci-setup.md.

So: yes, you can configure the router to connect to Starlink as a client, but you need OpenWrt (or similar) to both join Starlink WiFi and use it as a second WAN next to your main connection.


Option A: OpenWrt (router level)

Requirements:

  • OpenWrt with two WANs: main (blocking) + Starlink.
  • Starlink connected to OpenWrt: Ethernet to Starlink router, or WiFi client (router joins Starlink's WiFi as above).

Steps (short):

  1. Multi-WAN: Install mwan3, configure two interfaces (e.g. wan, wan2), each with its gateway and metric.
  2. Policy: In mwan3, add a policy that uses only the Starlink member for a specific rule.
  3. Matching traffic:
    • Either assign source IP of the Linux host (and optionally other devices) to use that policy, or
    • Use destination IP (see “Domain → IP” below) in firewall/routing so only those IPs go via Starlink.

Domain → IP on OpenWrt: resolve the domain (e.g. via nslookup polymarket.com or a script), then add those IPs to a firewall fwmark or an mwan3 rule. Some use dnsmasq with ipset + firewall to mark by domain and then mwan3 routes by mark.


Option B: Linux host (Mint), two interfaces

Your machine has:

  • Main: e.g. Ethernet (default route, blocking).
  • Starlink: WiFi to Starlink.

Idea: keep default route on main; add a second routing table whose default is via Starlink; use ip rule so that traffic to specific IPs (resolved from polymarket.com etc.) uses that table.

Steps:

  1. Identify interfaces and gateways

    • Main: ip route show default (e.g. eth0, gateway 192.168.0.1).
    • Starlink: connect WiFi, then ip route and note gateway on wlan0 (e.g. 192.168.1.1).
  2. Starlink routing table

    • Pick a table id, e.g. 200.
    • Add default via Starlink gateway in table 200 (see script).
  3. Which IPs to send via Starlink

    • Resolve domains (e.g. polymarket.com, www.polymarket.com, gamma-api.polymarket.com if needed). IPs can change (CDN), so either:
      • Run a small script periodically (cron) that resolves domains and updates ip rule/routing, or
      • Add a known set of IPs and update when blocking starts again.
  4. Rules

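    • ip rule add to <IP> table 200 for each IP. ip rule has no ipset selector, so to use a set instead, put the IPs in an ipset, mark matching packets with an iptables mangle rule, and add one rule: ip rule add fwmark <mark> table 200.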

Use the script policy-route-starlink.sh: it wraps the above and can be run at boot and on a timer.

Script usage (host):

# One-time: set gateway if auto-detect fails
export STARLINK_IF=wlan0
export STARLINK_GW=192.168.1.1   # optional, else from default route on wlan0
export DOMAINS="polymarket.com www.polymarket.com"   # optional
sudo ./policy-route-starlink.sh setup
# To remove: sudo ./policy-route-starlink.sh remove

Because CDN IPs can change, run setup after boot (e.g. systemd service or @reboot cron) and optionally every 10-15 min via cron so new IPs get added.
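
The periodic refresh described above, as an added example (it is not the repository's policy-route-starlink.sh): a dry-run reconcile that compares the rules currently pointing at table 200 with freshly resolved IPs and prints the ip commands needed, including removal of stale entries. The function names, priority 1000 and the 203.0.113.x sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: dry-run reconcile of per-destination rules for table 200.
export LC_ALL=C   # comm(1) needs the same collation sort(1) used
TABLE=200         # table id from the steps above
PRIO=1000         # assumption: unused priority, evaluated before main (32766)

# Keep only well-formed IPv4 literals so nothing else reaches an ip command.
clean_ips() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# Resolve domains with the system resolver (needs network; unused in the dry run).
resolve() {
    for d in "$@"; do getent ahostsv4 "$d" | awk '{ print $1 }'; done | clean_ips
}

# Read `ip -4 rule show` text on stdin; print destinations that look up $TABLE.
current_ips() {
    awk -v t="$TABLE" '{
        dst = ""
        for (i = 1; i < NF; i++) {
            if ($i == "to") dst = $(i + 1)
            if ($i == "lookup" && $(i + 1) == t && dst != "") print dst
        }
    }' | sed 's|/32$||' | clean_ips
}

# plan CURRENT DESIRED: print the commands that turn CURRENT into DESIRED.
plan() {
    cur=$(mktemp) want=$(mktemp)
    printf '%s\n' "$1" | clean_ips > "$cur"
    printf '%s\n' "$2" | clean_ips > "$want"
    if [ -s "$want" ]; then
        comm -13 "$cur" "$want" | sed "s|.*|ip rule add to &/32 lookup $TABLE priority $PRIO|"
        comm -23 "$cur" "$want" | sed "s|.*|ip rule del to &/32 lookup $TABLE priority $PRIO|"
    else
        # A failed DNS lookup must not wipe working rules.
        echo "# resolver returned nothing; keeping existing rules"
    fi
    rm -f "$cur" "$want"
}

# Constructed sample in the shape of `ip -4 rule show` output.
SAMPLE_RULES='0: from all lookup local
1000: from all to 203.0.113.10 lookup 200
1000: from all to 203.0.113.11 lookup 200
32766: from all lookup main'

# Dry run: 203.0.113.11 left the DNS answer, 203.0.113.12 joined it.
plan "$(printf '%s\n' "$SAMPLE_RULES" | current_ips)" "203.0.113.10
203.0.113.12"
```

On a live host, feed plan with "$(ip -4 rule show | current_ips)" and "$(resolve $DOMAINS)", review the output, then pipe it to sh as root.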


Option C: Docker

No extra layer. Containers use the host's routing and DNS. Once policy routing works on the host (or router), traffic from Docker to polymarket.com will go via Starlink if the rule matches that traffic (same destination IPs).


Summary

  • Router (OpenWrt): Yes, if Starlink is second WAN; use mwan3 + policy + (optionally) domain→ipset.
  • Host (Linux Mint): Yes; two interfaces, second routing table, ip rule for destination IPs of blocked domains; script can maintain IP list.
  • Docker: No separate config; host (or router) handles it.

If only the Linux Mint box has Starlink WiFi, implement on the host with the script. If Starlink is a second WAN on OpenWrt, implement on the router.


Pi-hole DNS on the Linux host

Does Pi-hole help route blocked sites through Starlink?
No. Pi-hole only does DNS (answers and forwarding). It does not decide which WAN is used for the actual traffic. Routing is done by the kernel (policy routing / mwan3).

  • If the block is DNS-only (ISP DNS returns NXDOMAIN or a block page): Using a different DNS (e.g. Pi-hole with upstream 1.1.1.1 / 8.8.8.8) can give clients the real IP. Traffic still goes out the main WAN; if the ISP also blocks by IP or SNI, you still need policy routing.
  • If the block is IP/SNI/DPI: You need policy routing so traffic to polymarket's IPs goes via Starlink. Pi-hole does not do that.

Pi-hole is useful for ad blocking and DNS control; use it together with policy routing (OpenWrt or host script), not as a substitute for it.