Anyone tested site-to-site VPN on Starlink

SOLVED
Mkozicki
Getting noticed


Hello all,

 

I am wondering if anyone has set up a site-to-site VPN between 2 MX devices where one end only has a Starlink internet connection.

 

I don't have Starlink yet but I can see where this may be a good option for some work from home people with Z3 or small MX devices.  But with Starlink using CGNAT I am unsure if this will work or not.


So just wanted to know if anyone has tested this or has this in production. 

 

I am tempted to buy a Starlink kit to try it out myself but they are mid to late 2021 so I thought this may be a faster way to find out if it will work.


Thanks

Michael Kozicki
CCIE #5367
MJK Net Inc.
1 ACCEPTED SOLUTION
Crocker
Building a reputation

I was lucky enough to get my Starlink beta kit a month or so ago.

 

So, I've got an MX67 at home connected up to my Starlink connection as of about 15 minutes ago. Surprisingly (or maybe not so much?) the MX came right to life with a DHCP configuration on the uplink. 

 

The S2S VPN came up without any issues as well. Will keep an eye on it and do some testing, but initially it seems to just work.

 

Edit: I've monitored this connection from Friday night - Monday morning. Given the stats I'm seeing, I'm not sure if I'd recommend using Starlink as a primary communications option right now. Latency averages ~70ms, with 55ms on the low end and ~100ms on the high end. This fluctuates constantly. There was also a pretty consistent 1-5% packet loss for the duration of this test. This is with a well-positioned dish with no obstructions, located in central Missouri.


31 REPLIES 31
drgnslyr
Getting noticed

Also curious about this.  We have some rural offices that we could use a viable alternative to fixed wireless or cellular.

PhilipDAth
Kind of a big deal

I really want to know this as well!

 

I have four customers signed up for the trial (awaiting their units) to test exactly this.

PhilipDAth
Kind of a big deal

I am also particularly interested when Starlink starts using laser-based communications between the satellites in space for some of my customers with branches in multiple countries.  Some countries have poor infrastructure, and this is likely to provide a faster, better solution than using traditional in-country Internet solutions.

So your post brings up another testing option.

 

1). One MX on Starlink and one with a public IP

2). Both MX on Starlink with private addresses

I hope number 1 will work, and I am guessing number 2 will not work unless Meraki works with Starlink to make a special option to make it work with both on Starlink.

 

Mike

Michael Kozicki
CCIE #5367
MJK Net Inc.
PhilipDAth
Kind of a big deal

Case 2 should work as they will just communicate using their public IP addresses.

PhilipDAth
Kind of a big deal

When you say S2S, you mean AutoVPN?

Crocker
Building a reputation

Yep!

PhilipDAth
Kind of a big deal

You legend.  Thanks for the feedback.

This is great news!  I may sign up for a beta kit so I can set this up as a demo for some customers.

 

Thanks for testing this.

 

Mike

Michael Kozicki
CCIE #5367
MJK Net Inc.

Thanks for updating with statistics over the weekend.  Hoping they can continue to improve this service so it becomes truly viable for remote business functions.

Since the Meraki AutoVPN works perfectly with your Starlink Internet, could you please help me understand how you set up the Meraki MX appliance with the Starlink internet?

 

We do have a Starlink Internet and a couple of Meraki MX64 security appliances for POC since I can see where this may be a good option for some of my company’s clients.

 

We have everything connected and did notice the MX64 connected to public Internet established VPN connectivity right away but the second MX64 connected to Starlink Dish could not!


So just want to know what I am missing out here since you were able to establish S2S connectivity with the Starlink internet at your end. 

 

I have read a lot of notes on different links and tried all sorts of stuff but no way.

 

Could you help me understand how to make the second Meraki work with the Starlink internet?

 

Thanks

We use the Meraki MX with Starlink as the Internet connection. To not double NAT we removed the Starlink Router. So we have the Starlink Dish connected to the power injector and the internet port on the power injector connected straight to the WAN on the MX. Then use the MX as the router.

JGill
Building a reputation

That is better than a lot of areas where monopoly telcos only have DSL services.   (*Cough California!).  Retailers will love this if they can get consistent service / prices and an accurate bill each month!  The competition will drive the telcos to either update their 1950's copper infrastructure, or go out of business.  I see that as a win-win, plus no more Universal Service fee taxes should be needed on your phone bills. 😉

ZachE768
Here to help

We set up Starlink in 2 different locations as a secondary on our MX67s. 1 site has been working fine for VPN, but the other is getting CGNAT, so its external IP is different than the ones dynamically assigned to my Meraki WAN2 port; on this location it will not establish a VPN.

I was able to figure out our issues at the site that had problems. Our Firewall in front of the concentrator was blocking the external IP from getting to the concentrator. Created a firewall rule and it is working now but the IP not being static we have had to adjust the rule a couple times because of changing IPs.

Thank you for the promptness. Just for clarification, you mean you have a firewall in between the Meraki appliance and the Starlink dish in your setup? Could you please help me understand?

 

Best Regards

We have 2 remote sites using Meraki SD-WAN with Starlink as the internet. These two sites connect back to a Main site that has an edge firewall and the MX Concentrator behind that firewall. The trouble was that the remote site was not able to build the VPN tunnel from the remote site with Starlink back to the Concentrator.

Thank you ZachE768. I am facing exactly the same thing. The only difference in my own case is that neither Meraki MX is behind a firewall since this is just a POC to see if it will work or not. Could you please help me understand if you are using the Starlink router with the Meraki MX or you just connected the MX directly to the Starlink dish? Also, did you choose "Routed" mode or "Passthrough or VPN Concentrator" mode in both Meraki MX deployment setups?

 

Best Regards

I removed the Starlink Router so Dish straight to MX. We are in Routed Mode on the Starlink sites.

Ok thanks for the promptness. That is what I have here as well. Also, could you please help me understand if I have to add any firewall rules on the Meraki MX for this to work with the Starlink or not? The other MX connected to the public internet established the VPN tunnel right away without any rules added while the one via the Starlink is just struggling to connect. Any advice will be highly appreciated.

 

 

Best Regards

We did not add any rules to the remote site MXs to get it to work. Maybe check in the VPN Status page see if you have an alert there telling you what might be the problem. 

Agba68_0-1651246675445.png

 

Agba68_2-1651246861359.png

 

and the peer details are as shown below

Agba68_1-1651246768848.png

 

 

 

Maybe try disabling the VPN on the site with issues and re enabling, or even reboot the MX. That is odd it shows not connected to the cloud. Might have to put in a support ticket.

Since this is POC, we have not gotten the License yet since there is a 30 days grace period or do you think this is a License issue? Meanwhile, I will try to disable and re-enable the VPN as advised and also reboot the MX again. I had rebooted the MX many times though. I will keep you posted. 

 

Thanks a lot for your time.

Maybe reach out to your Sales Rep and get an Eval license that will at least remove that variable.

Will do with thanks, ZachE768. Appreciated.

 

 

Best Regards

Hi ZachE768, 

Just a quick update to let you know that my issue is now resolved. It happened to be a firmware issue. I contacted support and the firmware of the MX64 at the CHA site was updated and the VPN came up right away. Glad you were able to guide me in the right direction.

 

Have a great day.

 

Best Regards

Fabian1
Getting noticed

Starlink works great even with VoIP. We do not have any issues so far. The VPN tunnel is very stable and is much better than cellular connection.

A commercial use of the Starlink network is not allowed at this moment.

 

Residential Use Only; No Resale. Starlink consumer Services are for exclusive use for personal, family, household or residential use. Use of Starlink consumer Services by commercial, enterprise, governmental or institutional users is prohibited, unless approved by Starlink. You may not resell access to the Services to others as a stand-alone or value-added service.

 

There is Starlink for Business. 

CharlieCrackle
Building a reputation

Customers using Starlink can run into issues using Meraki SDWAN  if they use 192.168.1.0/24

The Starlink router uses 192.168.1.0/24 for the local LAN subnet.

If your office uses 192.168.1.0/24  as well then this will cause issues for SDWAN and VPN Traffic 

 

Prior to version 15.44, you could have the WAN subnet the same as a subnet on the SDWAN; the route on the SDWAN took preference.

After 15.44 the traffic would go out of the WAN port and get lost.

This issue was fixed again in 18.0.2 but requires Meraki support to do a back-end fix.

The best solution would be to change the WAN subnet to a different range but this has been impossible.

I recently had a Starlink at my office and with the help of support, there is a solution now.

Starlink allows you to bypass the modem but you must have the ethernet adaptor

 

======================================================

To bypass the router, go to the App home page > Settings > Advanced

Starlink App version must be at least 2.0.19 to work

The toggle button on to bypass the Starlink router

This allows you to completely disable the Starlink Wifi Router.

You would need to utilize a Starlink ethernet adapter in order to plug in your own equipment.

While Bypass mode is enabled, router commands will not work.

If the toggle switch does not appear in the Settings tab, can factory reset the router and/or delete and re-download the app.

App Message in red text when Bypass is enabled: "Bypass Mode will completely disable the built-in Starlink Wifi router. this is an advanced feature that requires a Starlink Ethernet adapter and your own network equipment. A manual Factory reset will be required to reverse this."

==========================================================

 

As an interesting aside: my voice MOS scores changed from 4.4 to 4.2 when using Starlink, and packet loss was about 1%.

Starlink MOS score

 

Snap2.png
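
As an added example (not written by any poster in this thread, and not Meraki or Starlink code), here is a pre-deployment check for the two conditions reported above: an uplink address that sits behind CGNAT or a second router, and a WAN subnet that overlaps a subnet carried over the VPN. The subnet names and all addresses are constructed samples; 100.64.0.0/10 is the RFC 6598 shared address space used for carrier-grade NAT.

```python
import ipaddress

# RFC 6598 shared address space, used by carriers for CGNAT.
CGNAT_SPACE = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 ranges, listed explicitly because is_private also covers other reserved blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: subnets advertised into the site-to-site VPN (hypothetical names).
SAMPLE_VPN_SUBNETS = {
    "HQ-LAN": "192.168.1.0/24",
    "Branch-LAN": "10.20.0.0/16",
    "Voice": "192.168.0.0/23",   # a /23 that also covers 192.168.1.0/24
}

def classify_wan_address(addr):
    """Return 'cgnat', 'private' (MX sits behind another router) or 'public'."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT_SPACE:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"

def find_overlaps(wan_subnet, vpn_subnets):
    """Names of VPN subnets that overlap the WAN uplink subnet."""
    wan = ipaddress.ip_network(wan_subnet)
    return [name for name, cidr in vpn_subnets.items()
            if ipaddress.ip_network(cidr).overlaps(wan)]

def preflight(wan_interface, vpn_subnets):
    """Check an uplink given as 'address/prefix'; return a list of (finding, detail)."""
    iface = ipaddress.ip_interface(wan_interface)
    findings = []
    kind = classify_wan_address(str(iface.ip))
    if kind == "cgnat":
        # Peers see a different, changing public IP, so upstream allow rules cannot pin it.
        findings.append(("cgnat", str(iface.ip)))
    elif kind == "private":
        # Typical when the Starlink router has not been bypassed.
        findings.append(("double-nat", str(iface.ip)))
    for name in find_overlaps(str(iface.network), vpn_subnets):
        findings.append(("overlap", name))
    return findings

if __name__ == "__main__":
    for uplink in ("192.168.1.50/24", "100.72.15.9/10", "203.0.113.10/24"):
        print(uplink, preflight(uplink, SAMPLE_VPN_SUBNETS))
```
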
