From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wm1-x32b.google.com (mail-wm1-x32b.google.com [IPv6:2a00:1450:4864:20::32b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.bufferbloat.net (Postfix) with ESMTPS id 4B6DF3B29E for ; Fri, 17 Feb 2023 11:45:32 -0500 (EST) Received: by mail-wm1-x32b.google.com with SMTP id ja15-20020a05600c556f00b003dc52fed235so1280905wmb.1 for ; Fri, 17 Feb 2023 08:45:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=JOpYtf/c9KcF1Ekcb8xLrSqyONuK/9npNvBlkyVMNNQ=; b=NiLq73jZiCzDWC1MQDTDecA/BLoLo/IlkmHh8/ZOOzMusibghJdmiLwxqC3ZDNR2DG mXdGBcLsAog+hvPh1oOGmkLJ57Q2HZ65dIS1yapuoLN5rsOWr2TEZF8jHti7s2rjX61A 1uhh05tLV4+df49FgkAASy7H0sV8M/I8nHf2XVtw+/9ri7U99/7iy+n7yWTC2AC6gdBv NXQ4TTRgPhQiHf/9I3FbpyHHPIzsdQhhrBx6BvwPMY8xIomoeiFn3WXLHlljp4K57p5P RHPRvaGEKp+HUs1F6PdA9xpUpMv7Tx6H3Pc7xk1VKEQcu0jVlBWcBFKNbnPi4/tGakJJ MUxw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=JOpYtf/c9KcF1Ekcb8xLrSqyONuK/9npNvBlkyVMNNQ=; b=j5n6Sri4/Nt0h90xOFLaDgpxPxGhj7sV6popfa+OzPR0r/yLGGLdHyeyDifEm97xFV YbtMfCtgDOa0JwDQKVmsVz0ccajn6fJLwfXGJZItfHZh6XA5F2NIZAmSFdtBPeKeAub8 C/adAOaxVv+akwxy4sXWclcy8QXID/wdnny4OhkLyhOO5IT8ylIx7qh2pWUxsMg12u8H wCzpxnuFEHuFcDDL+RzHeB0qcvSyN8w06Btg7WbOtw8JJHcUvAKbxdVLr5nP5/nfo/Fr UlEM3ZyDNbdQolqH9EbxAmRezi2lv2ad2e4LuZvq3nZOMpfdJB53jgeWdUh/6izEQeUZ IJdQ== X-Gm-Message-State: AO0yUKUvXe/WqKGweVnD3CHpu7cD6sEAqJ1qIGiDy7pBQDNMOvcRgE9Q 0ULIU5cbeWU7fXlldpD4pBZrDYVEaqWFNHH5eqxOqUJOVoA= X-Google-Smtp-Source: AK7set/LV99Yxn/FAvXf3/RQGLhQM/Lwvsxks3RBVhmpOTvvyAD1O+A/22d6hncse+3LvOA4VwaZWVzxvUB30dXazj8= X-Received: by 2002:a05:600c:3b8d:b0:3e2:1c73:a1aa with SMTP id n13-20020a05600c3b8d00b003e21c73a1aamr206099wms.206.1676652330943; Fri, 17 Feb 2023 08:45:30 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Dave Taht Date: Fri, 17 Feb 2023 08:45:19 -0800 Message-ID: To: Adam Thompson Cc: "Daniel C. Eckert" , "starlink@lists.bufferbloat.net" Content-Type: multipart/alternative; boundary="00000000000099087705f4e80a71" Subject: Re: [Starlink] VPN woes, recommendations? X-BeenThere: starlink@lists.bufferbloat.net X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Starlink has bufferbloat. Bad." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Feb 2023 16:45:32 -0000 --00000000000099087705f4e80a71 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Fri, Feb 17, 2023 at 8:39 AM Adam Thompson via Starlink < starlink@lists.bufferbloat.net> wrote: > Sorry, forgot to answer the first part: yes, absent the tunnel, we get > ~200/8 consistently, occasionally bursting higher. > you really should test more deeply, and for longer periods than 15 seconds. I keep hoping someone with business class service will repeat these 2 year old benchmarks. https://docs.google.com/document/d/1puRjUVxJ6cCv-rgQ_zn-jWZU9ae0jZbFATLf4PQ= KblM/edit#heading=3Dh.fwv7fw3aeaz > -Adam > > > Get Outlook for Android > ------------------------------ > *From:* Daniel C. Eckert > *Sent:* Friday, February 17, 2023 10:36:24 AM > *To:* Adam Thompson > *Cc:* starlink@lists.bufferbloat.net > *Subject:* Re: [Starlink] VPN woes, recommendations? > > Interesting scenario. This reply only addresses a small part of your > message: While I see you've done the math and checked the specs for the > Aruba devices -- have you already conducted a few non-VPN tests between > direct-wire-connected laptops/devices at those two locations to know what > "baseline" bandwidth you're starting from when considering the max > potential bandwidth for the encrypted traffic? For example, since you're > on a business plan, you should have a direct public IP to target with ipe= rf > traffic from either end, even if not encrypted. > > Dan > > On Fri, Feb 17, 2023 at 11:30 AM Adam Thompson via Starlink < > starlink@lists.bufferbloat.net> wrote: > > Hi, all. > We've been trying to develop a plug-and-play L2 VPN over Starlink, using > Aruba Hospitality-series Remote APs like their RAP-505H. > It's not going great, and I'm wondering about several Starlink-specific > issues. > > First, having multiple devices in serial is generally not a great idea fo= r > reliability. Can we realistically plug our remote AP directly into the > dish, still? (This is using Starlink Business, FWIW.). I know we lose > access to the Starlink app, but we also lose a NATing router and an > unwanted wifi AP, so that's probably a net zero. I just don't know what > other dangers/problems that topology might cause. > > Secondly, we're only able to push about 30Mbps through the (magical > Aruba-proprietary GRE+IPsec) tunnel. The bandwidth-delay equations sugge= st > we should be seeing around 100Mbps, not 30. (The Aruba devices are rated > for ~2Gbps encrypted at the site end, and ~7Gbps at the head end, so > presumably that's not the bottleneck.) > > So: > * does anyone have corroborating *or* contradicting evidence of VPN > performance over Starlink's particular flavor of Long Fat Pipe, and > * does anyone have any positive (or negative, I guess!) recommendations > for cloud-managed VPN devices that can do at least 100M and magically wor= k > from behind double-NAT/CGNAT like we see with Starlink? Bonus points if = it > does L2 tunnels or can run a dynamic routing protocol. > * Other comments or suggestions welcome, too. > > Thanks, > -Adam > > Get Outlook for Android > > _______________________________________________ > Starlink mailing list > Starlink@lists.bufferbloat.net > https://lists.bufferbloat.net/listinfo/starlink > > =E1=90=A7 > =E1=90=A7 > _______________________________________________ > Starlink mailing list > Starlink@lists.bufferbloat.net > https://lists.bufferbloat.net/listinfo/starlink > --=20 Surveillance Capitalism? Or DIY? Choose: https://blog.cerowrt.org/post/an_upgrade_in_place/ Dave T=C3=A4ht CEO, TekLibre, LLC --00000000000099087705f4e80a71 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable


=
On Fri, Feb 17, 2023 at 8:39 AM Adam = Thompson via Starlink <starlink@lists.bufferbloat.net> wrote:
Sorry, forgot to answer the first part: yes, absent the t= unnel, we get ~200/8 consistently, occasionally bursting higher.

you really should test more deeply, and f= or longer periods than 15 seconds.

I keep hoping s= omeone with business class service will repeat these 2 year old benchmarks.=

=C2=A0
-Adam


Get Outlook for Androi= d
From: = Daniel C. Eckert <eckertd@gmail.com>
Sent: Friday, February 17, 2023 10:36:24 AM
To: Adam Thompson <athompson@merlin.mb.ca>
Cc: starlink@lists.bufferbloat.net <starlink@lists.bufferbloat.net><= br> Subject: Re: [Starlink] VPN woes, recommendations?
=C2=A0
Interesting scenario.=C2=A0 This reply only addresses a small part of your = message:=C2=A0 While I see you've done the math and checked the specs f= or the Aruba devices -- have you already conducted a few non-VPN tests betw= een direct-wire-connected laptops/devices at those two locations to know what "baseline" bandwidth you're start= ing from when considering the max potential bandwidth for the encrypted tra= ffic?=C2=A0 For example, since you're on a business plan, you should ha= ve a direct public IP to target with iperf traffic from either end, even if not encrypted.

Dan

On Fri, Feb 17, 2023 at 11:30 AM Adam Thompson via Starlin= k <s= tarlink@lists.bufferbloat.net> wrote:
Hi, all.
We've been trying to develop a plug-and-play L2 VPN o= ver Starlink, using Aruba Hospitality-series Remote APs like their RAP-505H= .
It's not going great, and I'm wondering about sev= eral Starlink-specific issues.

First, having multiple devices in serial is generally not= a great idea for reliability.=C2=A0 Can we realistically plug our remote A= P directly into the dish, still?=C2=A0 (This is using Starlink Business, FW= IW.). I know we lose access to the Starlink app, but we also lose a NATing router and an unwanted wifi AP, so that'= ;s probably a net zero.=C2=A0 I just don't know what other dangers/prob= lems that topology might cause.

Secondly, we're only able to push about 30Mbps throug= h the (magical Aruba-proprietary GRE+IPsec) tunnel.=C2=A0 The bandwidth-del= ay equations suggest we should be seeing around 100Mbps, not 30.=C2=A0 (The= Aruba devices are rated for ~2Gbps encrypted at the site end, and ~7Gbps at the head end, so presumably that's not the= bottleneck.)

So:
* does anyone have corroborating *or* contradicting evide= nce of VPN performance over Starlink's particular flavor of Long Fat Pi= pe, and
* does anyone have any positive (or negative, I guess!) r= ecommendations for cloud-managed VPN devices that can do at least 100M and = magically work from behind double-NAT/CGNAT like we see with Starlink?=C2= =A0 Bonus points if it does L2 tunnels or can run a dynamic routing protocol.
* Other comments or suggestions welcome, too.

Thanks,
-Adam

Get Outlook for Android
_______________________________________________
Starlink mailing list
Starlin= k@lists.bufferbloat.net
https://lists.bufferbloat.net= /listinfo/starlink
3D""=E1=90=A7
3D""=E1=90=A7
_______________________________________________
Starlink mailing list
Starlin= k@lists.bufferbloat.net
https://lists.bufferbloat.net/listinfo/starlink


--
Surveillance Capitalism? O= r DIY? Choose: https://blog.cerowrt.org/post/an_upgrade_in_place/=
Dave T=C3=A4ht CEO, TekLibre, LLC
--00000000000099087705f4e80a71--