How to Set Up a Captive Portal on Starlink: A Guide for Remote & Maritime Venues
This guide details how to bypass the native Starlink hardware and integrate a cloud-managed captive portal using enterprise routing equipment. You will learn how to overcome the CGNAT limitation, enforce VLAN segmentation, manage satellite bandwidth constraints, and ensure regulatory compliance.
Listen to this guide
View podcast transcript
- Executive Summary
- Technical Deep Dive
- The CGNAT Constraint
- Reverse Tunnel Architecture
- Bandwidth Constraints and Traffic Shaping
- Implementation Guide
- Step 1: Enable Bypass Mode
- Step 2: Configure VLAN Segmentation
- Step 3: Deploy the Cloud Captive Portal
- Step 4: Test the User Flow
- Best Practices
- Troubleshooting and Risk Mitigation
- ROI and Business Impact

Executive Summary
Starlink provides 220 Mbps connectivity in locations where fibre cannot reach, completely changing the networking landscape for remote and maritime venues. However, for public-facing environments, connectivity alone is not enough. When you deploy Starlink for guests, passengers or crew, you must implement authentication, access control, GDPR-compliant consent, and bandwidth management. The native Starlink router does not provide any of these capabilities.
This guide explains in detail how to bypass the native Starlink hardware and integrate a cloud-managed Captive Portal using enterprise routing equipment. You will learn how to overcome the limitations of Carrier Grade NAT (CGNAT), implement VLAN segmentation, manage satellite bandwidth constraints, and ensure regulatory compliance.
By implementing this architecture, venue operators transform an unmanaged internet pipe into a secure, segmented network that captures first-party data and protects core business infrastructure.
Technical Deep Dive
The CGNAT Constraint
The primary technical hurdle when deploying a Captive Portal on Starlink is Carrier Grade NAT (CGNAT). The standard Starlink dish connects to a proprietary router that handles DHCP and NAT. By default, the WAN IP address assigned to your equipment falls within the 100.64.0.0/10 range. Since this is not a public IP address, your router cannot receive inbound connections from the internet.
Standard Captive Portal architectures often assume that the cloud portal can reach back to your network to authenticate users or update access control lists. With CGNAT, inbound connections fail.
To resolve this, you must configure the Starlink dish in Bypass Mode (often referred to as bridge mode). In Bypass Mode, the Starlink router's functions are disabled, and the dish sends the CGNAT address directly to the WAN port of your enterprise router. Your enterprise router then takes full control of the routing layer.

Reverse Tunnel Architecture
Even with the enterprise router handling the traffic, the CGNAT inbound restriction remains. The solution is a reverse tunnel architecture. Your router establishes an outbound connection to the cloud portal and maintains it continuously. All authentication traffic flows through this established tunnel. The cloud infrastructure never needs to initiate an inbound connection.
Purple's cloud overlay architecture handles this natively. You do not need to configure manual VPN tunnels. If your deployment requires a static IP for legacy on-premises RADIUS servers or strict IP allowlisting, Starlink Business and Maritime plans provide a static IP as a paid add-on.
Bandwidth Constraints and Traffic Shaping
Satellite bandwidth is a shared, finite resource. A single user streaming 4K video can continuously consume 25 Mbps. On a vessel with 50 passengers sharing a 220 Mbps Starlink connection, one user could consume 11% of the total capacity.
You must address this at the Captive Portal and router level through aggressive traffic shaping:
- Per-device limits: Restrict individual guest devices to 5 Mbps download and 2 Mbps upload.
- Fair-use policies: Enforce daily data allowances (e.g., 2GB per 24 hours).
- Application control: Prioritise web browsing and messaging protocols over video streaming and peer-to-peer file sharing.
- Tiered access: Provide a free tier for basic connectivity and a paid premium tier for streaming, transforming the WiFi infrastructure from a cost centre into a revenue source.

Implementation Guide
Follow these steps to deploy a secure Captive Portal on Starlink using enterprise hardware.
Step 1: Enable Bypass Mode
- Install Starlink hardware and verify connectivity using the original router.
- Open the Starlink mobile application and navigate to Settings.
- Select and confirm Bypass Starlink WiFi router.
- Connect the Starlink Ethernet Adapter to the WAN port of your enterprise router (Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme, or Fortinet).
Note: If the Starlink dish undergoes a factory reset, Bypass Mode is automatically disabled. Document this in your site runbook and configure a monitoring alert on your router's WAN interface.
Step 2: Configure VLAN Segmentation
You must isolate guest traffic from your core business systems. Configure at least three VLANs on your core switch and access points:
- VLAN 10 (Staff): Carries POS systems, back-office applications, and management traffic.
- VLAN 20 (Guest): Internet-only segment that redirects to the Captive Portal.
- VLAN 30 (IoT): Isolated network for cameras, smart thermostats, and building management systems.
Configure firewall rules to block all inter-VLAN routing. A guest device on VLAN 20 must never be able to ping a POS terminal on VLAN 10. This segmentation is a strict requirement for PCI-DSS compliance.
Step 3: Deploy the Cloud Captive Portal
- Configure your access points to broadcast the Guest SSID on VLAN 20.
- Set the authentication method to external RADIUS or use the vendor's API integration.
- Point the authentication server to Purple's cloud infrastructure.
- Configure the walled garden (allowlist) to permit traffic to Purple's domains before authentication is complete.
- Design the splash page in the Purple portal, ensuring the branding aligns with your venue and the terms of service are clearly displayed.
Step 4: Test the User Flow
Test the authentication flow on both iOS and Android devices. Apple's Captive Network Assistant (CNA) and Android's network probe behave differently. Verify that the splash page loads within 10 seconds and that the device gains internet access immediately after authentication.
Best Practices
- HTTPS Intercept: Ensure your router handles HTTPS interception correctly. Modern devices use HTTPS by default. If the router cannot redirect HTTPS requests cleanly, guests will experience certificate errors before reaching the portal.
- Session Keepalive: Starlink's Low Earth Orbit (LEO) constellation provides latencies of 20 to 40 milliseconds, but brief spikes occur during satellite handoffs. Set your Captive Portal session keepalive interval to 60 seconds or less to prevent premature disconnection.
- Offline Caching: Configure your router to cache active sessions locally. If the Starlink connection drops temporarily, guests who are already authenticated will remain online when connectivity is restored, rather than being forced to log in again.
Troubleshooting and Risk Mitigation
| Failure Mode | Root Cause | Mitigation |
|---|---|---|
| Captive Portal fails to load | Incorrect walled garden configuration | Verify that all required Purple domains and CDN endpoints are added to the pre-authentication allowlist on the router. |
| Double NAT errors | Bypass Mode is disabled | Check the Starlink app to confirm Bypass Mode is active. Power fluctuations or manual resets may have reverted the dish to default settings. |
| Slow guest speeds | Unrestricted bandwidth | Apply per-device bandwidth limits (e.g., 5 Mbps) and block high-bandwidth applications like BitTorrent on the firewall. |
| Security audit failure | Inter-VLAN routing is enabled | Audit firewall rules to ensure traffic from the Guest VLAN cannot route to the Staff or Management VLAN. |
ROI and Business Impact
Deploying a managed Captive Portal on Starlink transforms a raw internet connection into a measurable business asset.
For a 120-cabin cruise ship running Starlink Maritime at 220 Mbps, raw access yields zero business return. By deploying Cisco Meraki access points and Purple's Captive Portal, the operator can enforce a 2GB daily allowance for standard passengers while upselling a 10GB premium tier. The resulting WiFi revenue covers the $250+ monthly Starlink subscription cost. Furthermore, the portal captures fully compliant first-party email data, expanding the operator's direct marketing list for future voyages.
In a remote hotel environment, deploying a portal with strict bandwidth policies reduces guest complaints regarding slow WiFi by up to 60%, as heavy users are prevented from monopolising the satellite link.
Key Definitions
Bypass Mode
A configuration setting that disables the native Starlink router's DHCP and NAT functions, passing the WAN IP directly to a third-party enterprise router.
Required when integrating enterprise networking equipment with a Starlink dish to avoid double NAT and routing conflicts.
CGNAT (Carrier Grade NAT)
A method used by ISPs to share a single public IP address among multiple customers. The customer's router receives a private IP address (typically 100.64.0.0/10).
Starlink uses CGNAT by default, which prevents inbound connections from the internet and requires reverse tunnel architectures for cloud management.
VLAN (Virtual Local Area Network)
A logical subnetwork that groups a collection of devices from different physical LANs.
Used to isolate guest WiFi traffic from staff and IoT networks, ensuring security and compliance.
Captive Portal
A web page that a user of a public access network is obliged to view and interact with before access is granted.
Used to enforce terms of service, collect marketing data, and authenticate users on guest WiFi networks.
Walled Garden
A limited environment that controls the user's access to web content and services before they have fully authenticated.
Required to allow guest devices to reach the cloud captive portal and authentication servers before they are granted full internet access.
RADIUS
A networking protocol that provides centralised Authentication, Authorisation, and Accounting management for users who connect and use a network service.
The underlying protocol used by enterprise access points to communicate with the cloud captive portal to verify user credentials.
Traffic Shaping
The manipulation and prioritisation of network traffic to reduce the impact of heavy users or latency-sensitive applications.
Essential on Starlink networks to prioritise web browsing over high-bandwidth activities like video streaming.
First-Party Data
Information a company collects directly from its customers and owns.
Captured via the captive portal login process (e.g., email addresses) and used for direct marketing and loyalty campaigns.
Worked Examples
A 120-cabin cruise vessel running Starlink Maritime at 220 Mbps needs to provide passenger WiFi without degrading ship operations. They require a mechanism to monetise the connection and collect marketing data.
The operator deploys Cisco Meraki access points throughout the vessel with three strict VLANs: crew, passenger, and ship systems. Purple's captive portal handles passenger authentication via email or a cabin number lookup integrated with the PMS. Each passenger receives a 2GB daily allowance. Premium tier passengers can purchase a 10GB allocation. The portal collects first-party email data for post-voyage marketing.
A remote Highland hotel with no fibre infrastructure runs Starlink Business at 150 Mbps. Guests frequently complain about slow speeds during the evening, and the hotel has no visibility into who is using the network.
The hotel deploys HPE Aruba access points across the main building and outbuildings. They configure the Starlink dish in Bypass Mode and connect it to an Aruba gateway. Guests authenticate via email on Purple's portal. The hotel enforces a strict 5 Mbps per-device bandwidth cap and uses Purple's analytics to monitor peak usage times.
Practice Questions
Q1. A remote mining camp has deployed Starlink Business. They have connected a Cisco Meraki MX firewall to the Starlink router. Guests can connect to the WiFi, but the captive portal page times out and fails to load. What is the most likely cause?
Hint: Consider how the Starlink hardware handles routing by default and what the Meraki firewall requires to manage traffic effectively.
View model answer
The Starlink dish has not been placed in Bypass Mode. As a result, the network is suffering from double NAT (the Starlink router and the Meraki firewall are both attempting to perform Network Address Translation). The administrator must use the Starlink app to enable Bypass Mode, allowing the Meraki firewall to receive the CGNAT IP directly and manage the routing and captive portal interception.
Q2. You are deploying a captive portal for a hotel using Starlink. You have configured Bypass Mode and VLAN segmentation. During testing, you notice that Apple devices prompt the user to log in immediately, but some Android devices show a certificate error when the user tries to browse to a secure website before authenticating. How do you resolve this?
Hint: Think about how modern browsers handle initial connection requests and what the router must do to intercept them cleanly.
View model answer
The enterprise router is not configured to handle HTTPS interception correctly for the captive portal redirect. Modern browsers default to HTTPS. When the user attempts to visit an HTTPS site before authenticating, the router intercepts the traffic and presents its own certificate, which the browser rejects as invalid. You must ensure the router's captive portal settings are configured to use a valid SSL certificate for the redirect, or rely on the OS-level network probes (like Apple's CNA) which use HTTP endpoints to trigger the portal automatically.
Q3. A maritime operator complains that their Starlink Maritime connection (220 Mbps) becomes unusable every evening. They currently provide an open, password-free guest network. What three specific configurations should you implement on the enterprise router and captive portal to resolve this?
Hint: Focus on controlling how much data individual users can consume and prioritising critical traffic types.
View model answer
- Implement a captive portal requiring authentication to track and manage individual users. 2. Enforce per-device bandwidth caps (e.g., 5 Mbps down / 2 Mbps up) to prevent a single user from monopolising the connection. 3. Apply traffic shaping rules at the firewall to prioritise web browsing and messaging protocols while throttling or blocking high-bandwidth applications like video streaming and P2P file sharing.
Continue reading in this series
Captive portal for Ruijie: set it up with Purple guest WiFi
How Purple's cloud guest WiFi sits on top of Ruijie RG Series access points using web authentication and RADIUS, configured from the command line, and where to find the exact setup steps.
Captive portal for Ruijie: set it up with Purple guest WiFi
How Purple's cloud guest WiFi sits on top of Ruijie RG Series access points using web authentication and RADIUS, configured from the command line, and where to find the exact setup steps.
Designing B2B Captive Portals: Collecting Registered Name and Company Data
This guide provides IT managers and venue operators with a vendor-neutral technical framework for designing B2B captive portals. It details how to structure registration fields to capture registered name and company data, ensuring high completion rates while maintaining GDPR compliance and building account-level intelligence.