I have recently installed a Starlink business dish at one of our sites utilizing a Meraki MX100. Everything seems to work fine when switching over to the Starlink uplink except the client VPN feature. When trying to connect, we get "Server could not be reached" within Secure Client. With Starlink leveraging a CGNAT, we believe this is where the failure is occurring but aren't too sure why or how to correct the problem. Tried port forwarding on the Meraki and Manual NAT-T with the same results.
Wanted to reach out here to see if anyone has experienced this issue and had any recommendations on how to correct?
Thanks!
As far as I know, Client VPN does not work with CGNAT.
Please see the following link to configure the MX-Z for Client VPN. If the MX-Z sits behind another NAT device or firewall, please make sure that the following UDP ports are forwarded/allowed to the MX-Z:
Note: Since the MX is the device communicating from UDP 500/4500, those ports need to be forwarded on any devices upstream of the MX, not on the MX itself.
https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN
alemabrahao is correct. CGNAT will stop any incoming connections. If you have an SD-WAN you could have the client VPN enter a different site (or even cloud site) and tunnel the client VPN subnet that way.
Well, that's unfortunate. Thank you both for the replies. Will definitely take a look into the SD WAN option.
To be clear here, manual NAT-T only works for the purposes of AutoVPN, and a port forward on the MX itself wouldn't resolve the issue either.
Realistically, if Starlink offers any way of doing a fixed inner IP or some other way of allowing for inbound traffic through the outermost layer of NAT, that might also be a solution for you.
On the Starlink web site for business, they state "Customers on Priority plans will also benefit from 24/7, prioritized support and a publicly routable IPv4 address". This should get you past the CGNAT problem, at an additional upfront and monthly cost.
Yes, that's the impression I was under when I purchased it, that a static IP will be provided but that's not what their support is saying.
Might have to ruffle some feathers to see if I can get any traction with getting a static. The tech I got didn't seem to really understand the problem so maybe with some push we can get some better answers. We can't be the first business to run into this problem.
Appreciate the assist.
Have you tried changing the IP setting in the Starlink webpage? Change it from default to "Private IP".
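
The diagnosis discussed in this thread, as an added example that is not part of any poster's reply or of Meraki's tooling: a Python check that classifies the WAN addresses between the MX and the internet and reports whether inbound UDP 500/4500 can reach the MX. The function names and the sample addresses (constructed, from documentation ranges) are assumptions made for illustration.

```python
import ipaddress

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VPN_UDP_PORTS = (500, 4500)  # the UDP ports named in the thread


def kind(addr):
    """Classify one address as 'cgnat', 'private' or 'public'."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"


def inbound_vpn_path(wan_chain, observed_public):
    """wan_chain: WAN addresses from the MX outward (MX first, then each
    upstream router the admin controls). observed_public: the address an
    outside host sees for this site. Returns (verdict, detail)."""
    kinds = [kind(a) for a in wan_chain]
    if "cgnat" in kinds:
        # The translation happens on carrier equipment, so no forward can be set.
        return ("blocked", "carrier NAT in path; no inbound forward possible")
    outer = ipaddress.ip_address(wan_chain[-1])
    if kinds[-1] != "public" or outer != ipaddress.ip_address(observed_public):
        return ("blocked", "outermost known WAN is not the public address; "
                           "an uncontrolled NAT sits upstream")
    if len(wan_chain) == 1:
        return ("direct", "MX holds the public address")
    ports = "/".join(str(p) for p in VPN_UDP_PORTS)
    return ("forward", f"forward UDP {ports} on {len(wan_chain) - 1} "
                       "upstream device(s) toward the MX")


if __name__ == "__main__":
    # Constructed sample sites, not values from the thread.
    samples = {
        "MX WAN in carrier NAT range": (["100.72.14.9"], "203.0.113.50"),
        "MX behind one controlled router": (["192.168.1.20", "203.0.113.50"],
                                            "203.0.113.50"),
        "MX on public address": (["203.0.113.50"], "203.0.113.50"),
    }
    for name, (chain, seen) in samples.items():
        print(name, "->", inbound_vpn_path(chain, seen))
```

The MX WAN address comes from the uplink status in the dashboard, and the observed public address from any outside host or "what is my IP" service queried from behind the uplink.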