Starlink ISP / Site-to-Site VPN Troubles

Solved
DavisMurphy
Here to help

I'm having a really hard time getting a site-to-site VPN connection to work with the Starlink CGNAT. When I first connected my MX65 to the Starlink, I wasn't aware of the dynamic IP that Starlink provides, so I tried to set it up the same way I've set up MXs before. Now it seems like my Config page has that original IP locked in, despite being set to dynamic:

(screenshot: DavisMurphy_2-1709686827576.png)

I'm not even sure if this is related to my problem, just something weird I noticed.

My goal is try to get 2 Synology NAS devices to connect for replication. The source is at a site with traditional internet. The Partner (replication) is on the Starlink. Both ends are using Meraki MX. This setup has worked before (without needing NATs/Forwarding). It stopped working when I switched to Starlink ISP.


I've tried to use services like remote.it to get a "static" address for my source site to connect to, but that hasn't worked either. I've read that other people have tried to set up NATs or port forwarding to get around this, but they haven't included how they set this up. So I've tried to do this with the current "public IP" you see above, but I'm still unable to connect from the Partner site.

Here's the 1:1 NAT I've tried.

(screenshot: DavisMurphy_3-1709687945109.png)

I've tried to split the Starlink uplink, so one side goes to my MX, and the other goes to an Asus router with OpenVPN enabled. Then I plug the Synology into the Asus with its VPN static IP, but the connection is super unreliable. MX and Asus both are very unhappy.

I see that some people say they had no issues with this, which is frustrating because I have countless hours in this and can't figure it out. Hope someone here has an idea. Thanks!

1 Accepted Solution
jbright
A model citizen

Here's a screenshot from the MX75 that is connected directly to the Starlink dish on WAN1. WAN2 is connected to an MG41 as a backup in case the Starlink gets blocked by heavy rain or snow. Both WAN ports are set to dynamic addressing. There are only a couple of Layer 7 firewall rules to block a few countries' IP address blocks that really don't like America. Other than that, no NAT or other rules. It's too bad we can't get Starlink to use the Umbrella DNS servers instead of the Cloudflare and Google DNS servers.

(screenshot: mx.png)

8 Replies
kYutobi
Kind of a big deal

You said it stopped working when you switched ISPs. Was your connection before a "static" IP? If so, that might be that you're using dynamic IPs from Starlink and your VPN won't work that way.
DavisMurphy
Here to help

Yes it was working when both sides had ISPs with Static IPs. I'm aware that the dynamic IP from Starlink is what caused this to stop working. I've seen other people say they could get site-to-site VPN to work with CGNAT ISP, but I'm not sure how.

jbright
A model citizen

I have Starlink service too and they made a change in the past where only one device can obtain an IPv4 CGNAT DHCP address from the Starlink dish. It's first come, first served, so whichever device is first to request a DHCP address from the Starlink service is the winner. I have my dish connected directly to the WAN 2 port on my MX85. Another option is to move up to the business class Starlink service. You still have to rely on a DHCP address, but it will be a real public IP address. And then there is IPv6, where you will get a /56 block of addresses. This document from Starlink provides more information about your options: https://starlink-enterprise-guide.readme.io/docs/ip-addresses

DavisMurphy
Here to help

That "priority" plan with the fixed IP is crazy expensive. More than 2x the price, and they suggest different hardware now too.

jbright
A model citizen

(screenshot: VPN.png)

Here's a snapshot from a customer's dashboard. They only have Starlink at their house and they are using a site-to-site VPN connection back to their office. You can clearly see the 100.67.251.73 CGNAT IPv4 address that Starlink is providing. They have been using this for over a year. MX75 on one side and MX67 on the other side of the site-to-site VPN. No complaints from the customer on this, and they would tell me if they were having problems. The Starlink dish is directly connected to the WAN1 port on the MX.
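The two posts above turn on one distinction: the 100.67.251.73 address on that MX sits in the RFC 6598 shared address space (100.64.0.0/10) that carrier-grade NAT hands out, so the MX never holds the address the rest of the internet sees for the site, and a 1:1 NAT or port forward configured on it is unreachable from outside, however it is set. The following Python is an added diagnostic, not code from the thread or from Meraki; it classifies a WAN address and says whether an inbound forward on that uplink can work. The helper names and the sample addresses other than the quoted CGNAT one are constructed stand-ins.

```python
import ipaddress

# RFC 6598 shared address space used by carrier-grade NAT; the thread's
# 100.67.251.73 falls inside it. Starlink's business tier and the IPv6 /56
# mentioned above are the routable alternatives.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")


def classify_wan_ip(addr: str) -> str:
    """Classify a WAN-side address as 'cgnat', 'private', 'public' or 'other'."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and ip in CGNAT_NET:
        return "cgnat"
    if ip.is_private:        # RFC 1918, ULA, loopback, link-local, documentation
        return "private"
    if ip.is_global:
        return "public"
    return "other"


def inbound_forward_works(uplink_ip: str, internet_view_ip: str) -> bool:
    """A 1:1 NAT or port forward on the MX serves internet clients only when the
    address on the MX WAN is the same one the internet sees for the site.
    Behind CGNAT the carrier's box owns the public address, so the two differ."""
    return (classify_wan_ip(uplink_ip) == "public"
            and ipaddress.ip_address(uplink_ip) == ipaddress.ip_address(internet_view_ip))


def diagnose_site(name: str, uplink_ip: str, internet_view_ip: str) -> str:
    """One-line verdict for a site from its uplink IP and its externally seen IP."""
    kind = classify_wan_ip(uplink_ip)
    if inbound_forward_works(uplink_ip, internet_view_ip):
        return f"{name}: public {uplink_ip}; inbound NAT/port forwarding is reachable"
    if kind == "cgnat":
        return (f"{name}: CGNAT {uplink_ip} (internet sees {internet_view_ip}); "
                "inbound NAT/port forwarding cannot be reached from outside; "
                "start the VPN from this side or use IPv6/a routable address")
    return f"{name}: {kind} {uplink_ip}; not directly reachable from the internet"


# Constructed sample values; only the CGNAT address is taken from the thread.
SAMPLE_SITES = [
    ("office",   "8.8.8.8",       "8.8.8.8"),
    ("starlink", "100.67.251.73", "8.8.4.4"),
]

if __name__ == "__main__":
    for site in SAMPLE_SITES:
        print(diagnose_site(*site))
```

Feed it the uplink IP from the MX Uplink page and the address a "what is my IP" lookup returns from behind that uplink; when the first is in 100.64.0.0/10 the mismatch, not the Meraki config, is what blocks inbound connections.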

DavisMurphy
Here to help

That sounds exactly like my setup!! I wish I could figure out what I need to do to get mine to work. Other sites/articles I've read said this is pretty easy / should work almost OOB. But for some reason mine is not. Was there any port forwarding / NAT setup / extra config involved?


I had some issues at the beginning when I was setting up my Starlink. I'd be curious to see what this user's Uplink page looks like on their home MX. You can see in my original post that I have a picture of mine saying that it's a "dynamic" IP, but then displays an IP address in the Static IP field that does not match my current IP from Starlink...

Starlink IP at this moment, but Uplink IP is different:

(screenshot: DavisMurphy_1-1709694410806.png)

Confirmation that I'm set to Dynamic for the uplink:

(screenshot: DavisMurphy_2-1709694450117.png)

I'm wondering if this is causing my connectivity issues from outside.

DavisMurphy
Here to help

I see you have IPv6 enabled on WAN1 (Starlink). I do not have that. Maybe I'll give that a try tonight. Thanks for all the info!!
