Overlapping CGNAT problem

Tailscale version: 1.38.2
Linux (for the subnet routers/gateways)

Hi!

My Internet provider (Starlink) uses CGNAT in the same way as Tailscale does. I’m trying to connect two subnets, one being my local office LAN, and the other being an AWS VPC, via Tailscale. My office LAN is connected to the Internet via Starlink (using 100.64.0.0/10 for the assigned IP range). As you can imagine, setting my office LAN subnet router up means either adding a manual route (if it’s not the general gateway of the network), or it either routes all traffic supposed to go to Starlink via Tailscale, or no Tailscale traffic at all (as it routes everything to Starlink).

Any ideas how I could solve this issue? Starlink cannot provide a different IP range, and Tailscale doesn’t either.

I understand that technically I could add specific routes to the static IPs of my Tailscale devices, but there are two drawbacks:

  • how do I add such static routes on the Tailscale subnet router? Is it sufficient to do standard “ip route add” stuff, or do I need to do some “Tailscale magic” like writing into “table 52” that Tailscale uses?
  • how could I avoid an IP clash (even though it’s very unlikely that my Starlink-provided IP will be one of the Tailscale IPs I route manually)?

Thx,
Günther

Damn, when looking into “ip route show table 52” I already see that only the IP addresses that are actually used by Tailscale get routed.

Am I correct that as long as there is no IP clash between Starlink and Tailscale, there shouldn’t be any problems?

I connect various devices including two Starlink-connected systems via Tailscale, though I don’t use the Starlink routers (one has been deleted, the other is in bypass mode) so I just make sure the local NAT ranges don’t overlap with any of the other remotes or the Starlink dish range (192.1.100.0/24) and it all works.

I can still connect to the Starlink dishes using the app or 192.168.100.1 locally without any problem.

Tailscale will only route all traffic if you use an exit node, otherwise it routes only those IPs it knows about.

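To make the clash check from the thread concrete, here is an added example (not code from the thread or from Tailscale) that parses the kind of per-peer routes Tailscale installs in routing table 52 and reports whether a given WAN address or an advertised subnet collides with them. The route lines are a constructed sample, not captured from anyone's system; the 100.64.0.0/10 CGNAT block is the real shared-address range both Starlink and Tailscale draw from.

```python
import ipaddress

# Constructed sample of `ip route show table 52` output on a Tailscale host
# (assumed for illustration). Tailscale installs one /32 (or /128) per peer,
# plus any subnet routes it has accepted, rather than the whole CGNAT block.
SAMPLE_TABLE_52 = """\
100.101.102.103 dev tailscale0
100.64.0.5 dev tailscale0
10.20.0.0/16 dev tailscale0
fd7a:115c:a1e0::1 dev tailscale0
"""

# RFC 6598 shared address space used by CGNAT deployments (Starlink and Tailscale).
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def parse_routes(text):
    """Turn `ip route show table 52` style output into ip_network objects.

    A bare host address such as `100.64.0.5` becomes a /32 (or /128 for v6),
    which is exactly what the kernel treats it as.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "default":
            continue
        routes.append(ipaddress.ip_network(parts[0], strict=False))
    return routes


def clashing_routes(wan_ip, routes):
    """Return the table-52 routes that would capture traffic to wan_ip.

    An empty list means the Starlink-assigned address is not shadowed by any
    Tailscale peer route, so traffic to it still follows the main table.
    """
    ip = ipaddress.ip_address(wan_ip)
    return [r for r in routes if ip in r]


def cgnat_routes(routes):
    """List the IPv4 routes that fall inside 100.64.0.0/10.

    These are the only entries that can ever collide with a CGNAT-assigned
    WAN address; everything else (LAN subnets, IPv6) is unaffected.
    """
    return [r for r in routes if r.version == 4 and r.overlaps(CGNAT)]


def subnet_advertisement_safe(subnet):
    """Check whether a subnet a router plans to advertise overlaps CGNAT space.

    Advertising a range inside 100.64.0.0/10 would put CGNAT-addressed WAN
    traffic at risk of being pulled into the tunnel; LAN ranges like 10/8 or
    192.168/16 are fine.
    """
    net = ipaddress.ip_network(subnet, strict=False)
    return not (net.version == 4 and net.overlaps(CGNAT))


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_TABLE_52)
    print("Tailscale routes inside CGNAT space:", cgnat_routes(routes))
    # Hypothetical Starlink WAN address, chosen to not match any peer route.
    print("Clashes for 100.80.1.1:", clashing_routes("100.80.1.1", routes))
    # Hypothetical WAN address that happens to equal a peer's Tailscale IP.
    print("Clashes for 100.64.0.5:", clashing_routes("100.64.0.5", routes))
    print("Safe to advertise 192.168.10.0/24?", subnet_advertisement_safe("192.168.10.0/24"))
```

Running this against the real output of `ip route show table 52` and the address Starlink currently hands out tells you immediately whether the narrow per-peer routes in table 52 will ever shadow the WAN path; as the thread concludes, with no overlap the two CGNAT users coexist without extra static routes.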