Home Network

My Home Network

Since I "retired" my Dell r310, which was the smaller of the two Dell servers, I needed a new router.

The Dell r310 was running Untangle, which was a router/NGFW ("next-generation firewall"). It was capable of packet inspection on both incoming and outgoing connections to maintain an extra level of security.

Untangle was "free" software that can be installed on a hardware device. I put free in quotes because while it is free to download and install and offers a lot of features, all the best things about it are subscription based.

So now I am running the Ubiquiti Dream Machine Pro as my router. In some ways it is a downgrade from what Untangle can do (or pfSense, which was another router/firewall option I had considered), but I really like Ubiquiti and their Unifi access points that I use for wifi, so I wanted to tie everything together in a single neat little interface.

The Dream Machine Pro does have some of the same packet inspection and intrusion detection/prevention that Untangle/pfsense has without the subscription cost and I can manage my Unifi wifi access points with it.

The Ubiquiti Dream Machine Pro also has an added perk in that it supports dual WAN. I was able to take advantage of dual WAN for about a month while I was transitioning from Sierra Tel (DSL provider) to Starlink. I was able to connect both of them to my UDM Pro so that if one failed it would seamlessly switch over to the other. The first month of Starlink was pretty rocky as I was still moving the dish around trying to find the best place to avoid trees, but Becca Ramsey could keep streaming Grace and Frankie without losing internet due to my messing around with things. I am still pondering other cheap internet options to use as a backup because I really miss having that, but in a pinch I can use the hotspot on my cell phone with a USB-to-Ethernet adapter connected to my second WAN port.

The Dark Side of Starlink

While Starlink is much faster than DSL and has been pretty reliable, it does have one downside: it uses CGNAT (carrier-grade NAT). CGNAT is what cellular providers and many ISPs these days use to get around the fact that there are not enough public IPv4 addresses to go around.

IP addresses are like phone numbers for computers and devices; they are what let devices find and talk to each other. Every device has to have a unique IP address in order to access the internet... well, kinda.

An IPv4 address is 32 bits, so there are about 4.3 billion of them, which sounds like a lot but isn't. When IPv4 was specified in 1981 that may have seemed like plenty, and nobody expected we would run out. There just weren't that many computers back in the day. Huge blocks (a "/8" is about 16.8 million addresses) were handed out to big organizations of the time like IBM, Apple and AT&T. Regional registries kept handing out addresses to new networks until the central pool ran dry in 2011; since then anyone who needs more has to buy them from existing holders or stretch what they already have. By the time a company like Starlink comes around, there are fewer and smaller pools of IP addresses available, and they are expensive.

No one at the time could foresee that not only would there be a lot more computers and servers online, but that every cell phone and smart device would also be connecting to the internet. We are talking laptops, tablets, smart toasters and light bulbs all needing an internet connection. So we needed a band-aid to fix the problem of not having enough IP addresses.

So we have NAT (Network Address Translation, but you probably didn't want to know that). A few ranges of addresses (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, defined in RFC 1918) were designated as "private": anyone can use them inside their own network, but they are never routed on the public internet.

Your ISP would issue you ONE public IP address. All of the devices on your entire home network would have to share this single IP address.

The way this works is similar to the way a hospital or an office building might share a single phone number, while each room or cubicle inside would still have its own "private" extension. This extension would only work within the building, on its own phone system. If you wanted to call out you would have to go through their dispatch line, and the person you were calling would see the office phone number on their caller ID. So every room would have its own private extension, but when calling out they would all share the same "public" number, and any calls made to their room would have to come in on the public number and then be routed through to their private extension.

This is essentially the same way routers work when using NAT. Your ISP issues you one public IP number, and your router acts as the dispatch between your devices and the internet. Your router assumes the public IP assigned by your Internet provider, and then issues all your devices their own private IP. It doesn't matter that other devices outside your network might have that same private IP because it only needs to be unique on your own network.

So a hospital room can have extension 100, and the office building across the street might also have an extension 100, but they are in separate buildings and don't share the same phone system. If they try to call each other they have to go through their own dispatch services, in which case the call carries the proper phone number assigned to the building rather than the extension.

That is what routers do. They convert private IPs into public IPs (issued by your ISP) and then translate IPs from public to private as they pass traffic back and forth.

So what does that have to do with Starlink and CGNAT?

Smaller and/or older established Internet Providers may still have enough IP addresses to issue all their customers their own public IP, but Starlink has far too many customers and not enough IPs for everyone to have even just one, so they are basically issuing you a private IP on a much larger network. Your router's WAN address ends up in the 100.64.0.0/10 "shared address space" set aside for exactly this (RFC 6598), and the ISP runs a second NAT in front of you that translates that to a real public IP. Your traffic is NATed twice: once by your router and once by the ISP. For the most part this changes nothing. Your devices can still connect out and receive a reply the same way they did when you had your own public IP, but now you are sharing that public IP with many other people and their networks.

The problem is when others try to connect to you directly. When your tablet connects to Facebook it goes through your router. Your router replaces the tablet's private address with its own public IP, picks a port number for the connection, and writes that down in a translation table; think of that table entry as a session ID for the connection. When Facebook replies, it sends the data back to that public IP and port, and your router looks the port up in its table. This way your router knows the information was intended for your tablet and not for your toaster or some other device on your network.

If Facebook (or anyone else) sends a packet to your public IP that doesn't match a session ID in the table, your router has no idea which device it should go to and simply drops it. So no outside device can connect to a device on your network unless that device first initiated the connection and created the session ID. Generally this is fine, because you don't want random things on the internet trying to connect to your devices when you didn't connect to them first.

However, what if one of your devices is running a game server like Minecraft, and you want to let other players connect by giving them your IP address and telling them to log in and play? This normally wouldn't work, but there is a way to make it work, and that is where port forwarding comes into play.

With port forwarding you configure your router so that any connection request it receives on a particular port (Minecraft's default is 25565) is sent to your Minecraft server. That way you can tell your friend to connect to this IP address on this port. Your router sees the port number and knows you want that connection to go to the laptop where you have Minecraft running; no session ID is needed, so you don't have to connect to the other player first. Unfortunately, with Starlink the router that actually holds the public IP is the ISP's CGNAT box. It isn't part of your personal network, it is shared with other customers, and you have no access to configure port forwarding on it, so this type of connection is impossible to set up.

So this is where Cloudflare comes in.

Using a free Cloudflare account I was able to install a small app on my Synology NAS (running inside a Docker container) that maintains an open connection to Cloudflare. Since this connection is kept alive continuously, any incoming connections will have an established session ID, and as long as remote connections are routed through Cloudflare they can piggyback off of that established connection without the need to configure port forwarding. So what I did was set up a domain name, link that domain name to my Cloudflare account, and have traffic going to that domain name be redirected along that tunnel back through my Synology NAS, and from my NAS to any device on my network.
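To make the NAT, CGNAT and tunnel discussion above concrete, here is a small added simulation. It is an illustration written for this post, not the author's configuration and not Cloudflare's or Ubiquiti's code; every device, address and port in it is made up (the "public" addresses come from the RFC 5737 documentation ranges, the CGNAT address from RFC 6598). It models a NAT as a translation table, then plays out three situations: a home router with its own public IP (replies get back in, an unsolicited game connection is dropped, a port-forward rule fixes that), the same router behind an ISP's CGNAT box (the forward no longer helps, because the ISP's NAT drops the packet first), and a long-lived outbound connection from a NAS that gives inbound traffic a path back through both NATs.

```python
"""Toy model of NAT, CGNAT (double NAT) and an outbound tunnel.

Added illustration for this post, not the author's setup or any vendor's
code. Every address, port and device is made up; public addresses are from
the RFC 5737 documentation ranges, the CGNAT address from RFC 6598.
"""
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class Nat:
    """A NAT router: one address on the outside, a private network inside."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.table = {}      # outside port -> (inside ip, port), learned from outbound traffic
        self.forwards = {}   # outside port -> (inside ip, port), configured by the owner
        self._ports = itertools.count(first_port)

    def outbound(self, pkt):
        """Rewrite the source of an outgoing packet and remember the mapping."""
        inside = (pkt.src_ip, pkt.src_port)
        port = next((p for p, i in self.table.items() if i == inside), None)
        if port is None:                      # first packet from this inside socket
            port = next(self._ports)
            self.table[port] = inside
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        """Deliver a packet arriving from outside, or return None to drop it."""
        inside = self.table.get(pkt.dst_port) or self.forwards.get(pkt.dst_port)
        if inside is None:                    # nobody inside asked for this: drop
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1], pkt.payload)


def send_out(pkt, nats):
    """Carry a packet outward through a chain of NATs, innermost first."""
    for nat in nats:
        pkt = nat.outbound(pkt)
    return pkt


def send_in(pkt, nats):
    """Carry a packet inward through the same chain, outermost first."""
    for nat in reversed(nats):
        pkt = nat.inbound(pkt)
        if pkt is None:
            return None
    return pkt


def single_nat():
    """Own public IP: replies come back, unsolicited traffic needs a forward."""
    home = Nat("198.51.100.7")
    tablet, site = ("192.168.1.10", 51000), ("192.0.2.80", 443)
    req = send_out(Packet(*tablet, *site, "GET /"), [home])
    reply = send_in(Packet(*site, req.src_ip, req.src_port, "200 OK"), [home])
    knock = Packet("192.0.2.99", 60000, home.public_ip, 25565, "join game")
    dropped = send_in(knock, [home])                     # None: no table entry
    home.forwards[25565] = ("192.168.1.20", 25565)       # owner adds a rule
    forwarded = send_in(knock, [home])                   # now reaches the server
    return reply, dropped, forwarded


def cgnat():
    """Behind CGNAT a forward on the home router alone cannot help."""
    home = Nat("100.64.5.7")        # RFC 6598 shared address handed out by the ISP
    isp = Nat("203.0.113.1")        # the ISP's CGNAT box, shared by many homes
    home.forwards[25565] = ("192.168.1.20", 25565)   # the only router we control
    knock = Packet("192.0.2.99", 60000, isp.public_ip, 25565, "join game")
    return send_in(knock, [home, isp])                # None: dropped at the ISP


def tunnel():
    """A long-lived outbound connection gives inbound traffic a path through both NATs."""
    home, isp = Nat("100.64.5.7"), Nat("203.0.113.1")
    nas, edge = ("192.168.1.30", 41000), ("192.0.2.10", 7844)
    hello = send_out(Packet(*nas, *edge, "register"), [home, isp])
    # a visitor reaches the edge by hostname; the edge relays the request down
    # the connection the NAS opened, i.e. to the outside ip:port the NATs chose
    return send_in(Packet(*edge, hello.src_ip, hello.src_port, "GET /"), [home, isp])


if __name__ == "__main__":
    reply, dropped, forwarded = single_nat()
    print("reply reaches", reply.dst_ip, "| knock dropped:", dropped is None,
          "| with forward reaches", forwarded.dst_ip)
    print("behind CGNAT, forward still dropped:", cgnat() is None)
    relayed = tunnel()
    print("via tunnel, request reaches", relayed.dst_ip, relayed.dst_port)
```

The model leaves out one thing a real NAT does: it expires idle table entries after a timeout. That is exactly why the connector on the NAS has to keep its connection to the edge alive, not just open it once; if the entry aged out, inbound traffic would be dropped at the ISP's NAT just like the port-forward attempt.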

So this allows remote access to my media server, hosting my own websites, or a D&D virtual tabletop. That will be another long story for another time.