VPN: WireGuard.
Built into latest Mikrotik versions, it's very good, easy to set up and quite brisk.
Client Peer(s) can be behind CGNAT.
Server Peer needs a UDP port (either port forwarded or directly on WAN).
Can use IPv6.

Regards
Roger

From: Karl Auer <kauer@nullarbor.com.au>
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Date sent: Tue, 10 Oct 2023 16:05:29 +1100
Organization: Nullarbor Consulting pty Ltd
Subject: Re: [MT-AU Public] Mikrotik and Starlink
Send reply to: kauer@nullarbor.com.au, MikroTik Australia Public List <public@talk.mikrotik.com.au>

On Mon, 2023-10-09 at 19:38 +1100, Andrew Gilbett wrote:
> Hi Karl,
>
> I have run a 5009 behind starlink and it works great. You just need a DHCP client and depending on whether or not you need the CGNAT V4 + V6 or CGNAT + Starlink Router NAT defines whether or not you need the device in bypass mode or not. You do need the ethernet adaptor to make it work though. It's $60.

TL;DR It's the DNS.

Slightly longer version: It's the DNS because the VPN.

I got eyeballs on the devices today; I've never seen Starlink kit before. It has a very Buck Rogers look. Anyway, good news is they already have the Starlink ethernet adapter, and that was what they'd connected their existing router to.

Except for the DNS, everything was actually working - local LAN pingable, outside world pingable etc. The DNS was not working because the local LAN uses nameservers back at HQ on the other side of a VPN, and the IPSec VPN was not up because it is now behind another layer of NAT and the local outside address has changed.

Using a globally reachable nameserver like 8.8.8.8, DNS queries to the outside world work fine. DNS queries using the Starlink router's LAN address also work fine. Neither of those can answer for the internal resources at HQ, though, and in any case they are not reachable on the public Internet.

Also interesting - IPv6 all present and correct :-)

As far as I can tell from my reading, I could take out one layer of NAT by logging into the Starlink router and turning on "bypass mode". By "Starlink router" I mean a tall, slim, white angular box with three orbits printed on the front and "Starlink Router Model No. UTR-211" printed on the bottom. It's not the model with multiple ethernet ports and rabbit ears. It would seem that a DHCP request from my router would then retrieve an address via the Starlink router (rather than *from* the Starlink router) and all should be well.

Starlink doesn't do static IP addresses. Opinion online seems to be divided as to whether the extremely expensive business option includes a static IP or merely a public (not CGNATted) IP address. Either way the existing bidirectional IPSec VPN is going to be a non-starter.

That being so, it's probably simplest to forget bypass mode, live with the double NATting and find a different bidirectional VPN solution. Ideas welcome :-)

Regards, K.

--
Karl Auer (kauer@nullarbor.com.au)    work +61 2 64957435
http://www.nullarbor.com.au           mobile +61 428 957160

_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au

----------------------------
Roger Plant