Mikrotik and Starlink
Wondering if anyone has any tips here. A client has acquired a company whose office has a Starlink connection. This client also has an existing office with an NBN connection. The latter is connected to a Mikrotik that does plain old DHCP to get its WAN address from the NBN.

Now the client wants to use the acquired company's office instead. They want to move the Mikrotik there and keep more or less the same network behind it that they have now.

They've done the obvious thing and just plugged the WAN interface on the Mikrotik into an Ethernet port on the Starlink router, but no go. "No go" in this case means that PCs on the inside network don't have Internet access, and that's as far as they know how to go.

I have never seen the new office or the Starlink router (or any Starlink routers). I have no idea if they connected the right Mikrotik interface to it. In fact I don't even know if the port on the Starlink router is in fact an Ethernet port. My searching on the subject finds numerous articles saying that Starlink routers have no Ethernet ports, that additional hardware must be purchased from Starlink and talking about "Bypass Mode", none of which is inspiring...

Anyway, if anybody who has run a small network behind Mikrotik using a Starlink router as the WAN connection can share any info, that'd be great.

Many thanks in advance, K.

-- 
Karl Auer (kauer@nullarbor.com.au) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160
My father-in-law has one, but I haven't seen it in person yet. If it's the standard Starlink, it has a built-in WiFi router and no Ethernet. You need to purchase the Ethernet adapter and enable bypass mode using the mobile app, and then it's straightforward - plug it into the router and use the DHCP client. Shouldn't be difficult, but as I say, I haven't done it yet - I'll set it up next time I'm in Albany, probably Christmas time.

-----Original Message-----
From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Karl Auer
Sent: Monday, October 9, 2023 4:10 PM
To: MikroTik Public <public@talk.mikrotik.com.au>
Subject: [MT-AU Public] Mikrotik and Starlink
_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
There is the option of using StarPower or a similar product/solution to remove the Starlink/SpaceX router from the equation: https://spacetek.com.au/products/starpower-12v-stralink-dc-power-supply

Cheers, Luke
You can cut the USB-C style plug off the dish, wire him into an RJ-45 plug as per T568B, get yourself a PoE for the dish, then plug your router in. I've done this in my caravan and it's a great solution to be able to use your own router (and in my case, not have to use an inverter).

Dave Browning | dlbNetworks
0413 579 391 | 1800 DLB NET
Hi,

Adding to what others have said..... Done plenty of these. Is it the older round dish or the newer square one?

- Old round dish one: Discard the Starlink router entirely, just use the PoE injector. Plug into Mikrotik WAN and with DHCP client and appropriate NAT rule on this port and away you go.

- New square dish one: Obviously need the additional Ethernet adapter. Set Starlink router in Bypass mode. Plug into Mikrotik WAN and with DHCP client and appropriate NAT rule on this port and away you go.

Andrew
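The "DHCP client and appropriate NAT rule" setup described above, as an added RouterOS v7 example that is not from this thread or any poster. It assumes ether1 is the port plugged into the Starlink Ethernet adapter, and ends with a check that reads the lease to tell whether the Mikrotik has landed on Starlink's CGNAT (bypass mode) or behind the Starlink router's own NAT (double NAT).

```routeros
# Added example for this thread, not from any poster: RouterOS v7 config for a
# Mikrotik whose WAN port (assumed: ether1) plugs into the Starlink Ethernet
# adapter. Names and addresses below are assumptions; adjust to the real router.

# 1. Track the Starlink side by interface list, so no rule hard-codes an
#    address that changes with every DHCP lease. (Skip the first line if the
#    default "WAN" list already exists on this router.)
/interface list add name=WAN comment="Starlink side"
/interface list member add list=WAN interface=ether1

# 2. Plain DHCP client, as on the old NBN service. use-peer-dns=no stops the
#    Starlink router's resolver from replacing the LAN's own DNS settings.
/ip dhcp-client add interface=ether1 disabled=no add-default-route=yes use-peer-dns=no

# 3. The "appropriate NAT rule": masquerade only traffic leaving via the WAN list.
/ip firewall nat add chain=srcnat out-interface-list=WAN action=masquerade comment="Starlink NAT"

# 4. Minimal input protection for the new WAN: replies in, nothing else.
/ip firewall filter add chain=input connection-state=established,related action=accept comment="allow replies"
/ip firewall filter add chain=input in-interface-list=WAN action=drop comment="drop unsolicited from Starlink"

# 5. Which NAT layer did we land on? Run once the lease is bound.
#    100.64.0.0/10 = Starlink's CGNAT (bypass mode: single NAT, no inbound reachability)
#    RFC 1918      = the Starlink router's own LAN (double NAT; bypass mode removes one layer)
#    anything else = a public address
:local lease [/ip dhcp-client get [find interface="ether1"] address]
:if ([:len $lease] = 0) do={ :error "no DHCP lease on ether1 yet" }
:local wanip [:toip [:pick $lease 0 [:find $lease "/"]]]
:if ($wanip in 100.64.0.0/10) do={
    :log info "Starlink WAN $wanip is CGNAT: single NAT, inbound connections impossible"
} else={
    :if (($wanip in 10.0.0.0/8) || ($wanip in 172.16.0.0/12) || ($wanip in 192.168.0.0/16)) do={
        :log warning "Starlink WAN $wanip is private: double NAT, enable bypass mode to drop one layer"
    } else={
        :log info "Starlink WAN $wanip is public"
    }
}
```

The input drop in step 4 does not break the DHCP client itself, but any service that must later be reachable from the Starlink side (a VPN listener, for instance) needs its own accept rule placed above it.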
On Mon, 2023-10-09 at 09:04 +0000, Andrew Oakeley wrote:
Done plenty of these. Is it the older round dish or the newer square one?
Thank you and others for the wealth of info provided. As noted, I have never visited the site and have no idea. I have also never seen a Starlink setup of ANY description except in very recent searching relating to this issue. I am starting to wonder what the "Ethernet port" is that they say is on the Starlink router.

Clearly my first step should have been to actually get eyeballs onto the situation :-) I will do so probably tomorrow. If in the light of your collective contributions all becomes clear, I'll be a happy chappy, and if not I will return armed with concrete information.

Many thanks, K.
Hi Karl,

I have run a 5009 behind Starlink and it works great. You just need a DHCP client, and whether or not you need CGNAT V4 + V6 or CGNAT + Starlink Router NAT determines whether or not you need the device in bypass mode. You do need the Ethernet adaptor to make it work though. It's $60.
TL;DR It's the DNS.

Slightly longer version: It's the DNS because of the VPN.

I got eyeballs on the devices today; I've never seen Starlink kit before. It has a very Buck Rogers look. Anyway, good news is they already have the Starlink ethernet adapter, and that was what they'd connected their existing router to.

Except for the DNS, everything was actually working - local LAN pingable, outside world pingable etc. The DNS was not working because the local LAN uses nameservers back at HQ on the other side of a VPN, and the IPSec VPN was not up because it is now behind another layer of NAT and the local outside address has changed.

Using a globally reachable nameserver like 8.8.8.8, DNS queries to the outside world work fine. DNS queries using the Starlink router's LAN address also work fine. Neither of those can answer for the internal resources at HQ, though, and in any case they are not reachable on the public Internet.

Also interesting - IPv6 all present and correct :-)

As far as I can tell from my reading, I could take out one layer of NAT by logging into the Starlink router and turning on "bypass mode". By "Starlink router" I mean a tall, slim, white angular box with three orbits printed on the front and "Starlink Router Model No. UTR-211" printed on the bottom. It's not the model with multiple ethernet ports and rabbit ears. It would seem that a DHCP request from my router would then retrieve an address via the Starlink router (rather than *from* the Starlink router) and all should be well.

Starlink doesn't do static IP addresses. Opinion online seems to be divided as to whether the extremely expensive business option includes a static IP or merely a public (not CGNATted) IP address. Either way the existing bidirectional IPSec VPN is going to be a non-starter.

That being so, it's probably simplest to forget bypass mode, live with the double NATting and find a different bidirectional VPN solution. Ideas welcome :-)

Regards, K.
VPN: Wireguard. Built into latest Mikrotik versions, it's very good, easy to set up and quite brisk.

Client peer(s) can be behind CGNAT. Server peer needs a UDP port (either port forwarded or directly on WAN). Can use IPv6.

Regards, Roger
On Tue, 2023-10-10 at 18:17 +1100, Roger Plant wrote:
Wireguard, Built into latest Mikrotik versions, it's very good, easy to setup and quite brisk.
Client Peer(s) can be behind CGNat. Server Peer needs a udp port (either port forwarded or directly on wan)
Interesting, thanks! Is it bidirectional once established, i.e., can connections be initiated over the VPN from either end?

Will look into it.

Regards, K.
Wireguard can work behind NAT but one end has to be reachable at all times. I got caught out the other week with 2 Mikrotik routers that had a Wireguard connection not work as one ended up behind 4G CGNAT and the other switched to AussieBB CGNAT. Once the 4G end was restored to a normal publicly reachable IP it worked again.
From what I understand one end can change IPs, say from a reachable to a non-reachable address like you would switching from WiFi to 4G, and the VPN remains uninterrupted. As mentioned above the far end has to be on a reachable IP. So this setup works well for a Wireguard router that is on a rigidly static IP and the other end is a roaming VPN user. It reminds me a bit of the "persistent" mode of OpenVPN.
Each end is also equal as such, so there is no server/peer relationship at the interface level like other VPNs. https://www.wireguard.com/ explains it simply enough.

Regards, Jason Hecker <https://www.upandrunningtech.com.au>
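The WireGuard arrangement Roger and Jason describe (one end reachable, the Starlink end behind CGNAT, and Karl's question of whether it is bidirectional once up), as an added RouterOS v7 example that is not from this thread or any poster. The LAN prefixes, tunnel addresses, port, hostname hq.example.com and the <..._PUBLIC_KEY> placeholders are all assumptions.

```routeros
# Added example for this thread, not from any poster: RouterOS v7 WireGuard
# between HQ (reachable public address) and the Starlink office (behind CGNAT,
# nothing inbound). Assumed names and addresses: HQ LAN 192.168.10.0/24 holding
# the nameservers the branch already uses, branch LAN 192.168.20.0/24, tunnel
# 10.99.0.0/30, HQ endpoint hq.example.com, UDP 13231.

# ---- HQ router: the one end that must stay reachable ----
/interface wireguard add name=wg-branch listen-port=13231 comment="to Starlink office"
# RouterOS generates the key pair on add; read the public key to paste into the branch.
/interface wireguard print detail where name=wg-branch
/ip address add address=10.99.0.1/30 interface=wg-branch
# No endpoint for the branch peer: HQ learns it from the branch's first packet and
# re-learns it whenever Starlink's CGNAT mapping changes.
/interface wireguard peers add interface=wg-branch public-key="<BRANCH_PUBLIC_KEY>" \
    allowed-address=10.99.0.2/32,192.168.20.0/24 comment="Starlink office"
/ip route add dst-address=192.168.20.0/24 gateway=wg-branch
# Open only the WireGuard port; move this rule above any drop in the input chain.
/ip firewall filter add chain=input protocol=udp dst-port=13231 action=accept comment="WireGuard in"

# ---- Starlink office router: behind CGNAT, initiates the tunnel ----
/interface wireguard add name=wg-hq listen-port=13231 comment="to HQ"
/ip address add address=10.99.0.2/30 interface=wg-hq
# persistent-keepalive keeps the CGNAT mapping alive, so HQ can also open
# connections towards the branch: the tunnel is bidirectional once up.
/interface wireguard peers add interface=wg-hq public-key="<HQ_PUBLIC_KEY>" \
    endpoint-address=hq.example.com endpoint-port=13231 \
    allowed-address=10.99.0.1/32,192.168.10.0/24 persistent-keepalive=25s comment="HQ"
/ip route add dst-address=192.168.10.0/24 gateway=wg-hq
# 192.168.10.0/24 is now reached through the tunnel, so the LAN's existing DNS
# setting (nameservers at HQ) works again with no change to the Starlink router.

# ---- Check on either end: last-handshake should be seconds old, rx/tx climbing ----
/interface wireguard peers print detail
```

allowed-address on each side is both the access list and the routing selector (cryptokey routing): a prefix missing from it is dropped silently, which is the first thing to check when one LAN can reach the other but not vice versa.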
I will second Wireguard.

You also have public IPv6 so the possibilities there are fascinating. I did manage to do an EoIPv6 tunnel over Starlink to solve a short term problem...
Zerotier is a great option if both ends could be behind NAT, or the IP might change for whatever reason.
Hi,

Another great option is to use a $4/month VM in Binary Lane as a peering point, if you don't have a site with a Public IP. Load the Mikrotik CHR RAW Disk Image.

Andy
Wireguard can work behind NAT but one end has to be reachable at all times.
I got caught out the other week with 2 Mikrotik routers that had a Wireguard connection not work as one ended up behind 4G CGNAT and the other switched to AussieBB CGNAT. Once the 4G end was restored to a normal publicly reachable IP it worked again.
From what I understand one end can change IP's say from a reachable to non-reachable address like you would switching from Wifi to 4G and the VPN remains uninterrupted. As mentioned above the far end has to be on a reachable IP. So this setup works well for a Wireguard router that is on a rigidly static IP and the other end is a roaming VPN user. It reminds me a bit of the "persistent" mode of OpenVPN.
Each end is also equal as such, so there is no server/peer relationship at the interface level like other VPNs.
https://www.wireguard.com/ explains it simply enough.
Regards, Jason Hecker <https://www.upandrunningtech.com.au>
On Tue, 10 Oct 2023, at 18:32, Karl Auer wrote:
On Tue, 2023-10-10 at 18:17 +1100, Roger Plant wrote:
Wireguard, Built into latest Mikrotik versions, it's very good, easy to setup and quite brisk.
Client Peer(s) can be behind CGNat. Server Peer needs a udp port (either port forwarded or directly on wan)
Interesting, thanks! Is it bidirectional once established, i.e., can connections be initiated over the VPN from either end?
Will look into it.
Regards, K.
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@nullarbor.com.au) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.co m.au
Binary Lane sounds good. I have a few CHRs on the lowest tier VM (USD$5/m) with Vultr working well for years doing various tasks including relaying between 4G points.
If I had to do it again I'd probably go with Zerotier - I haven't tried it yet but it lets you link networks and devices that are all behind NAT if need be and it can even figure out fastest paths as links change and it'll hole punch for NATed systems. It's free for low counts of devices too.
Regards, Jason Hecker <https://www.upandrunningtech.com.au>
On Wed, 11 Oct 2023, at 10:34, Andrew Oakeley wrote:
Another great option is to use a $4/month VM in Binary Lane as a peering point, if you don’t have a site with a Public IP. Load the Mikrotik CHR RAW Disk Image.
On Tue, 2023-10-10 at 23:34 +0000, Andrew Oakeley wrote:
Another great option is to use a $4/month VM in Binary Lane as a peering point, if you don’t have a site with a Public IP.
Mikrotik have a CHR 6.44.3 AMI on the Amazon Marketplace. Too old to be useful I suppose, but I was reading the comments and am AMAZED at how versatile CHR is: "I used the Router to re-route porposes at the company." Do you think he means... porpoises?!?
Regards, K.
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@nullarbor.com.au) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160
On Tue, 2023-10-10 at 23:31 +1100, Andrew Gilbett wrote:
You also have public IPv6 so the possibilities there are fascinating.
Frustratingly, the other end does not appear to have IPv6. If it did, according to the wireguard docs running IPv4 over an IPv6 tunnel would be easy, and would do an end run around the IPv4 NAT situation. It might be worth revisiting the question of the provider at the other end...
Regards, K.
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@nullarbor.com.au) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160
On Tue, 2023-10-10 at 18:17 +1100, Roger Plant wrote:
Wireguard, Built into latest Mikrotik versions, it's very good, easy to setup and quite brisk.
After a bit of faffing around I have a Wireguard VPN between two test sites. Many thanks to Roger and others who suggested and seconded Wireguard.
Took my first look at the Starlink end a couple of days ago. The dish is a dozen meters or so from the site office, sat atop a concrete wall. Not bolted down. The 80m cable coils and loops its way over sharp midsize gravel, then up through a window, then across an office floor to the router. Cars, utes and the occasional small truck park right by the cable. People walk over the cable on the gravel, and over the cable on the office floor. Each evening someone grabs the dish and drags it and the cable into the office so they can close the window and lock up.
That last part was unknown to me as I sat in the other site office trying to set up the server end around 17:00. I spent entirely too long trying to work out why the handshakes stopped.
Regards, K.
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@nullarbor.com.au) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160
Well that was entertaining. Well done.
Regards
Roger
From: Karl Auer <kauer@nullarbor.com.au> To: MikroTik Australia Public List <public@talk.mikrotik.com.au> Date sent: Sat, 14 Oct 2023 11:47:42 +1100 Organization: Nullarbor Consulting pty Ltd Subject: Re: [MT-AU Public] Mikrotik and Starlink
On Sat, 2023-10-14 at 12:11 +1100, Roger Plant wrote:
Well that was entertaining.
One niggle left. I'm not sure if it's operationally relevant, but it's annoying that I can't figure it out. BTW this setup doesn't involve Starlink (it will eventually).
Basically I cannot ping one end of the Wireguard link from the other end. I can ping each LAN from the LAN at the other end of the Wireguard VPN. I can ping each router's LAN address from the router at the other end of the VPN. But I cannot ping one router's Wireguard address (the address on its Wireguard interface) from the other router. I get "host unreachable" when I try (or timeouts, see below).
Server (LAN is 192.168.102.0/24):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/ip address print
[...]
 1 192.168.102.1/24  192.168.102.0  e2-master
 3 192.168.16.1/24   192.168.16.0   wg0
/ip route print
 0 As  192.168.1.0/24   192.168.16.3  1
   DAc 192.168.16.0/24  wg0           0
wg0 allowed-address=192.168.1.0/24
Client (LAN is 192.168.1.0/24):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/ip address print
[...]
 1 192.168.1.1/24   192.168.1.0   bridge
 5 192.168.16.3/24  192.168.16.0  wg0
/ip route print
   DAc 192.168.16.0/24   wg0           0
 0 As  192.168.102.0/24  192.168.16.1  1
wg0 allowed-address=192.168.102.0/24
Hope I haven't elided too much.
The error message attempting to ping the client end (192.168.16.3) from the server end is:
 0 161 (No error information)
 0 192.168.16.1  84  64  2ms93us  host unreachable
The error message attempting to ping the server end (192.168.16.1) from the client end is:
 0 126 (No error information)
 0 192.168.16.3  84  64  494us  host unreachable
There's an added wrinkle. Both client and server have an additional peer configured. These have been disabled and the system configured to be that peer is not running (or at least is physically unreachable). If I enable that other peer on the server, the error when I try to ping the client from the server changes to a straight timeout. That feels like it should be a clue, but to what I am not sure. If I enable the one on the client, the error when I try to ping the server does not change.
If I add ",192.168.16.0/24" to the allowed-address on each end, I get a timeout in both directions (i.e., only the behaviour on the client end changes, from the error 126 to a timeout).
Regards, K.
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@nullarbor.com.au) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160
Hi,
On the Server, you need to add 192.168.16.3 to the allowed addresses in the Client peer entry.
On the Client, you need to add 192.168.16.1 (or maybe .16.0/24 if there will be other peers attached to server in future) to the allowed addresses in the Server peer entry.
Hope this makes sense.
Regards
Roger
From: Karl Auer <kauer@nullarbor.com.au> To: MikroTik Australia Public List <public@talk.mikrotik.com.au> Date sent: Sun, 15 Oct 2023 17:20:44 +1100 Organization: Nullarbor Consulting pty Ltd Subject: Re: [MT-AU Public] Mikrotik and Starlink
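The "host unreachable" Karl saw and the fix Roger gives both follow from WireGuard's cryptokey routing: a peer's allowed-address is at once the outbound route selector (which peer a packet is encrypted to) and the inbound source filter (a decrypted packet whose source is outside the list is dropped). The Python model below is an added example, not code from the thread or from MikroTik; router and peer names are my own, firewall filter rules are assumed absent, and it uses the addresses from Karl's post to reproduce the unreachable result, show why fixing only one side turns it into a timeout, and confirm that Roger's two-sided fix makes the ping complete.

```python
import ipaddress

# Constructed model of WireGuard cryptokey routing, not RouterOS code. A peer's
# allowed-address list decides which peer an outbound packet is encrypted to AND
# whether a decrypted inbound packet's source is accepted. Names are mine.

def select_peer(peers, dst):
    """Outbound: the peer whose allowed-address most specifically covers dst.
    None means no peer owns dst, which RouterOS reported as 'host unreachable'."""
    dst, best = ipaddress.ip_address(dst), None
    for name, allowed in peers.items():
        for cidr in allowed:
            net = ipaddress.ip_network(cidr)
            if dst in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None

def accept_inbound(peers, from_peer, src):
    """Inbound: keep the packet only if src lies in the allowed-address of the
    peer it was decrypted from; anything else WireGuard drops silently."""
    src = ipaddress.ip_address(src)
    return any(src in ipaddress.ip_network(c) for c in peers[from_peer])

def ping(src_router, dst_router, src_host, dst_host, routers):
    """Echo request then reply across the tunnel. routers maps a router name to
    its peer table {remote router: [allowed-address, ...]}. Firewall filter
    rules are assumed absent; only cryptokey routing is modelled."""
    def one_way(a, b, s, d):
        p = select_peer(routers[a], d)
        if p is None:
            return "host unreachable"  # nothing to encrypt the packet to
        if p != b or not accept_inbound(routers[b], a, s):
            return "timeout"           # sent to another peer, or dropped on arrival
        return "ok"
    out = one_way(src_router, dst_router, src_host, dst_host)
    if out != "ok":
        return out
    back = one_way(dst_router, src_router, dst_host, src_host)
    return "reply" if back == "ok" else "timeout"

# Karl's configuration: each side allows only the far LAN (addresses from his post).
ORIGINAL = {"server": {"client": ["192.168.1.0/24"]},
            "client": {"server": ["192.168.102.0/24"]}}
# Roger's fix: also allow the far end's wg0 address on each side.
FIXED = {"server": {"client": ["192.168.1.0/24", "192.168.16.3"]},
         "client": {"server": ["192.168.102.0/24", "192.168.16.1"]}}
# Fix applied on the server only: the request now reaches the client, but its
# source 192.168.16.1 is not in the client's allowed-address, so it is dropped.
HALF = {"server": FIXED["server"], "client": ORIGINAL["client"]}

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("half", HALF), ("fixed", FIXED)):
        print(label, ping("server", "client", "192.168.16.1", "192.168.16.3", cfg))
```

The same model shows why LAN-to-LAN pings worked all along: 192.168.102.1 and 192.168.1.1 are inside the LAN prefixes each side already allowed.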
participants (8)
- Andrew Gilbett
- Andrew Oakeley
- Dave Browning
- Jason Hecker
- Karl Auer
- Luke Thompson
- Roger Plant
- Russell Hurren