Meraki

Community

Starlink & client VPN

AnthonyMaddick
Here to help
‎Sep 5 2022 3:27 AM
‎Sep 5 2022 3:27 AM

Starlink & client VPN

Hi all, 

I have a client running 2 x WAN an Optus FTTN connection and then a Starlink as WAN2, 

The client VPN is working with Optus but the connection is experiencing a lot of packet loss issues and we want to use Starlink (wan2) as the primary connection. I made the changes but then we lost access to the client VPN. I have the Starlink router in "Bypass" mode which I'm assuming is bridge mode. I get a WAN IP on the appliance status page and all looks good. 

I have tried to configure the client VPN as the hostname and the Starlink IP 

 

Has anyone actually had it working in the field??

Regards

Anthony

0 Kudos
5 Replies 5
alemabrahao
Kind of a big deal
‎Sep 5 2022 3:54 AM
‎Sep 5 2022 3:54 AM

Hi,

 

The Client VPN should be work on both links, Are you using L2TP connection or AnyConnect? Have you checked the logs on Event Viewer from Windows?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Brash
Kind of a big deal
Kind of a big deal
‎Sep 5 2022 4:04 AM
‎Sep 5 2022 4:04 AM

No experience with starlink myself but I've heard that for some customers, it uses CG-NAT (Carrier Grade NAT). Are you receiving a true public IP address or a CG-NAT IP Address?

0 Kudos
AnthonyMaddick
Here to help
‎Sep 5 2022 4:17 AM
‎Sep 5 2022 4:17 AM

after doing some research it appears i am receiving a CG-Nat ip address. i might be wrong but i think the earlier hardware from Starlink did not use CG-NAT but this new modern hardware does. Im hoping that it will at least work with Site-to-site. Do you know if there is a way around CG-NAT

jbright
A model citizen
‎Sep 5 2022 10:13 AM
‎Sep 5 2022 10:13 AM

I have the Starlink residential service connected to WAN2 on my MX85. Starlink has gone back and forth between using CGNAT IP addresses and Public IP addresses for the residential service. They are currently back to using the CGNAT IP Address range. They are supposedly using Public IP addresses for the Starlink business service. As long they are using CGNAT on the residential side, Client VPN will not work across that link. Site-to-site VPN will continue to work. Starlink has also experimented with handing out IPV6 addresses too, but they are not currently doing that on the residential service either. Your best bet is get your Optus service repaired, if possible, and use it for Client VPN. Your second choice, if you are located in the US, is to switch to the Starlink business service, which is also more expensive. The residential Starlink service also has a low (< 2%) continuous packet loss. I have attached a couple of graphs depicting this. 

 

Insight WAN HealthInsight WAN HealthUplink Latency and LossUplink Latency and Loss

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 5 2022 12:41 PM
‎Sep 5 2022 12:41 PM

If you have a small number of users, consider getting Z3s and using AutoVPN.  They work ok over Starlink.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2025 Cisco Systems, Inc.