44net Node Setup Behind Starlink CGNAT

W5AWW-7 • LinBPQ Packet Node on 44net

Overview

I have successfully configured a stable 44net connection for my wireless LinBPQ node using a MikroTik hAP ax³ router and a 44net.cloud WireGuard tunnel. This bypasses Starlink CGNAT and gives my node a real, routable 44net IP.

Current Status (April 2026)

Router: MikroTik hAP ax³ (RouterOS 7.19.3)
WAN: Starlink (CGNAT)
LinBPQ Server: Fedora 42 at 192.168.1.201
Tunnel IP: 44.27.128.18/32
Routed Subnet: 44.27.29.32/27
Node IP: 44.27.29.34/27 (resolves as node.w5aww.ampr.org)
AXIP Port: UDP 10093

I can now ping other 44net hosts from both the router and the Fedora server, and the WireGuard tunnel shows active handshakes with steady traffic.

1. MikroTik WireGuard Tunnel Configuration

Goal: Create a split-tunnel WireGuard connection so only 44net traffic uses the tunnel.

# 1. Create WireGuard interface
/interface wireguard add name=wireguardPOP private-key="YOUR_PRIVATE_KEY_HERE" \
    mtu=1380 listen-port=51820 comment="44net.cloud WireGuard Tunnel"

# 2. Add 44net.cloud peer (split tunnel)
 /interface wireguard peers add interface=wireguardPOP name=peer1 \
    public-key="wcGsrCrd4DiRELYDeccBbYwiTfe5uY8z24vHnpWnWkc=" \
    allowed-address=44.0.0.0/9,44.128.0.0/10 \
    endpoint-address=44.27.225.1 endpoint-port=44004 \
    persistent-keepalive=20s comment="44net.cloud POP"

# 3. Assign tunnel IP (critical step)
 /ip address add address=44.27.128.18/32 interface=wireguardPOP \
    comment="44net.cloud tunnel IP"

# 4. Add 44net routes
 /ip route add dst-address=44.0.0.0/9 gateway=wireguardPOP comment="44net via tunnel"
/ip route add dst-address=44.128.0.0/10 gateway=wireguardPOP comment="44net via tunnel"
/ip route add dst-address=44.27.29.32/27 gateway=192.168.1.201 comment="W5AWW-7 44Net subnet"

Firewall, NAT & MSS Clamping

# Allow WireGuard inbound
/ip firewall filter add action=accept chain=input comment="Allow Wireguard" \
    dst-port=51820 protocol=udp place-before=0

# Allow AXIP from 44net to LinBPQ server
/ip firewall filter add action=accept chain=forward comment="Allow inbound AXIP UDP 10093" \
    in-interface=wireguardPOP dst-address=192.168.1.201 protocol=udp dst-port=10093 place-before=0

# Masquerade outbound 44net traffic
/ip firewall nat add action=masquerade chain=srcnat comment="Masquerade for 44net" \
    out-interface=wireguardPOP

# MSS clamping
/ip firewall mangle add action=change-mss chain=forward out-interface=wireguardPOP \
    protocol=tcp tcp-flags=syn tcp-mss=1301-65535 new-mss=1380 \
    comment="MSS clamping for WireGuard"

Verification

/interface wireguard peers print detail where name=peer1
/ping count=5 44.4.50.2 interface=wireguardPOP
/ip route print where dst-address~"44."

2. Fedora 42 LinBPQ Server Configuration

Goal: Assign a 44net IP directly to the server so AXIP packets source from 44.27.29.34.

# Add 44net IP to eno1 using nmcli (Fedora 42)
sudo nmcli connection modify "Wired connection 1" +ipv4.addresses "44.27.29.34/27"

# Add routes back to the MikroTik
sudo nmcli connection modify "Wired connection 1" +ipv4.routes "44.0.0.0/9 192.168.1.1,44.128.0.0/10 192.168.1.1"

# Apply changes
sudo nmcli connection down "Wired connection 1" && sudo nmcli connection up "Wired connection 1"

Allow AXIP on the server

sudo firewall-cmd --permanent --add-port=10093/udp
sudo firewall-cmd --reload

Test Commands

ip addr show eno1 | grep 44.
ping -I 44.27.29.34 -c 5 44.4.50.2
curl -4 http://whatismyip.ampr.org   # Should return 44.27.29.34

3. LinBPQ AXIP Port (bpq32.cfg)

PORT
PORTNUM=5
ID=AXIP 44net
DRIVER=BPQAXIP
QUALITY=192
MINQUAL=145
MAXFRAME=4
FRACK=5000
RESPTIME=1000
RETRIES=5
PACLEN=256
CONFIG
UDP 10093
MHEARD
ENDPORT

Restart LinBPQ after changes

sudo systemctl restart linbpq

Looking for AXIP Link Partners

I am actively looking for hams to test AXIP (UDP 10093) links with W5AWW-7.

To add me to your BPQAXIP port:

MAP W5AWW-7 node.w5aww.ampr.org UDP 10093 B

If you are also behind CGNAT, we can use TCP-Slave / TCP-Master mode instead.

Interested in testing:

Basic AXIP connectivity and route exchange
BBS message forwarding
CONVerse / chat round tables
Long-term link stability
Future AREDN bridging experiments

73 de W5AWW

Node: ctxpn.w5aww.net

Overview​

1. MikroTik WireGuard Tunnel Configuration​

Firewall, NAT & MSS Clamping​

Verification​

2. Fedora 42 LinBPQ Server Configuration​

Allow AXIP on the server​

Test Commands​

3. LinBPQ AXIP Port (bpq32.cfg)​

Restart LinBPQ after changes​

Looking for AXIP Link Partners​

Interested in testing:​