From: "Daniel C. Eckert"
Date: Fri, 17 Feb 2023 11:36:24 -0500
To: Adam Thompson
Cc: "starlink@lists.bufferbloat.net"
Subject: Re: [Starlink] VPN woes, recommendations?

Interesting scenario. This reply only addresses a small part of your message: While I see you've done the math and checked the specs for the Aruba devices -- have you already conducted a few non-VPN tests between direct-wire-connected laptops/devices at those two locations to know what "baseline" bandwidth you're starting from when considering the max potential bandwidth for the encrypted traffic? For example, since you're on a business plan, you should have a direct public IP to target with iperf traffic from either end, even if not encrypted.

Dan

On Fri, Feb 17, 2023 at 11:30 AM Adam Thompson via Starlink <starlink@lists.bufferbloat.net> wrote:

> Hi, all.
> We've been trying to develop a plug-and-play L2 VPN over Starlink, using
> Aruba Hospitality-series Remote APs like their RAP-505H.
> It's not going great, and I'm wondering about several Starlink-specific
> issues.
>
> First, having multiple devices in serial is generally not a great idea for
> reliability. Can we realistically plug our remote AP directly into the
> dish, still? (This is using Starlink Business, FWIW.). I know we lose
> access to the Starlink app, but we also lose a NATing router and an
> unwanted wifi AP, so that's probably a net zero. I just don't know what
> other dangers/problems that topology might cause.
>
> Secondly, we're only able to push about 30Mbps through the (magical
> Aruba-proprietary GRE+IPsec) tunnel. The bandwidth-delay equations suggest
> we should be seeing around 100Mbps, not 30. (The Aruba devices are rated
> for ~2Gbps encrypted at the site end, and ~7Gbps at the head end, so
> presumably that's not the bottleneck.)
>
> So:
> * does anyone have corroborating *or* contradicting evidence of VPN
>   performance over Starlink's particular flavor of Long Fat Pipe, and
> * does anyone have any positive (or negative, I guess!) recommendations
>   for cloud-managed VPN devices that can do at least 100M and magically work
>   from behind double-NAT/CGNAT like we see with Starlink? Bonus points if it
>   does L2 tunnels or can run a dynamic routing protocol.
> * Other comments or suggestions welcome, too.
>
> Thanks,
> -Adam
>
> Get Outlook for Android
>
> _______________________________________________
> Starlink mailing list
> Starlink@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/starlink