* [Starlink] VPN woes, recommendations?
  From: Adam Thompson @ 2023-02-17 16:30 UTC
  To: starlink

Hi, all.

We've been trying to develop a plug-and-play L2 VPN over Starlink, using Aruba Hospitality-series Remote APs like their RAP-505H. It's not going great, and I'm wondering about several Starlink-specific issues.

First, having multiple devices in serial is generally not a great idea for reliability. Can we realistically plug our remote AP directly into the dish, still? (This is using Starlink Business, FWIW.) I know we lose access to the Starlink app, but we also lose a NATing router and an unwanted wifi AP, so that's probably a net zero. I just don't know what other dangers/problems that topology might cause.

Secondly, we're only able to push about 30Mbps through the (magical Aruba-proprietary GRE+IPsec) tunnel. The bandwidth-delay equations suggest we should be seeing around 100Mbps, not 30. (The Aruba devices are rated for ~2Gbps encrypted at the site end, and ~7Gbps at the head end, so presumably that's not the bottleneck.)

So:
* does anyone have corroborating *or* contradicting evidence of VPN performance over Starlink's particular flavor of Long Fat Pipe, and
* does anyone have any positive (or negative, I guess!) recommendations for cloud-managed VPN devices that can do at least 100M and magically work from behind double-NAT/CGNAT like we see with Starlink? Bonus points if it does L2 tunnels or can run a dynamic routing protocol.
* Other comments or suggestions welcome, too.

Thanks,
-Adam

* Re: [Starlink] VPN woes, recommendations?
  From: Dave Taht @ 2023-02-17 16:34 UTC
  To: Adam Thompson; +Cc: starlink

The big winners over Starlink have been WireGuard and ZeroTier.

+ https://github.com/lynxthecat/cake-autorate#cake-with-adaptive-bandwidth---autorate finally hit the big 2.0 mark a few days ago.

--
Surveillance Capitalism? Or DIY? Choose:
https://blog.cerowrt.org/post/an_upgrade_in_place/
Dave Täht CEO, TekLibre, LLC

* Re: [Starlink] VPN woes, recommendations?
  From: Daniel C. Eckert @ 2023-02-17 16:36 UTC
  To: Adam Thompson; +Cc: starlink

Interesting scenario. This reply only addresses a small part of your message: While I see you've done the math and checked the specs for the Aruba devices -- have you already conducted a few non-VPN tests between direct-wire-connected laptops/devices at those two locations to know what "baseline" bandwidth you're starting from when considering the max potential bandwidth for the encrypted traffic? For example, since you're on a business plan, you should have a direct public IP to target with iperf traffic from either end, even if not encrypted.

Dan

* Re: [Starlink] VPN woes, recommendations?
  From: Adam Thompson @ 2023-02-17 16:38 UTC
  To: Daniel C. Eckert; +Cc: starlink

Business plans include static IPs?!?!?!? Ok, yeah, that radically changes the situation. Also, we're not getting static or predictable IPs. I can follow that up, anyway, thanks!

-Adam

* Re: [Starlink] VPN woes, recommendations?
  From: Adam Thompson @ 2023-02-17 16:39 UTC
  To: Daniel C. Eckert; +Cc: starlink

Sorry, forgot to answer the first part: yes, absent the tunnel, we get ~200/8 consistently, occasionally bursting higher.

-Adam

* Re: [Starlink] VPN woes, recommendations?
  From: Dave Taht @ 2023-02-17 16:45 UTC
  To: Adam Thompson; +Cc: Daniel C. Eckert, starlink

On Fri, Feb 17, 2023 at 8:39 AM Adam Thompson via Starlink <starlink@lists.bufferbloat.net> wrote:

> Sorry, forgot to answer the first part: yes, absent the tunnel, we get
> ~200/8 consistently, occasionally bursting higher.

You really should test more deeply, and for longer periods than 15 seconds.

I keep hoping someone with business class service will repeat these 2 year old benchmarks.

https://docs.google.com/document/d/1puRjUVxJ6cCv-rgQ_zn-jWZU9ae0jZbFATLf4PQKblM/edit#heading=h.fwv7fw3aeaz

* Re: [Starlink] VPN woes, recommendations?
  From: Adam Thompson @ 2023-02-17 17:38 UTC
  To: Dave Taht; +Cc: Daniel C. Eckert, starlink

I may be able to repeat your benchmarks, if you have something that shows the methodology, tools, parameters, etc. that were used. (The linked document does not have that level of detail.)

-Adam

Adam Thompson
Consultant, Infrastructure Services
MERLIN
100 - 135 Innovation Drive
Winnipeg, MB R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
https://www.merlin.mb.ca

* Re: [Starlink] VPN woes, recommendations?
  From: Dave Taht @ 2023-02-17 17:40 UTC
  To: Adam Thompson; +Cc: Daniel C. Eckert, starlink

A simple script is in this blog entry here:

https://blog.cerowrt.org/post/flaws_in_flent/

In your case you would want to vary it between tunnel and non-tunnel.

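Added example (not part of the thread, and not the script from the linked blog entry): one way to act on the advice above to test for longer than 15 seconds and to vary between tunnel and non-tunnel, by summarizing parsed `iperf3 --json` reports. The two sample reports are constructed, iperf3's default 1-second reporting interval is assumed, and all function names are illustrative.

```python
"""Compare long iperf3 runs taken outside and inside a VPN tunnel.

Real reports would come from runs such as (server name is a placeholder):
    iperf3 -c <iperf-server> -t 300 --json > direct.json
repeated with the traffic routed through the tunnel, then json.load()-ed.
Assumption: iperf3's default 1-second reporting interval.
"""
import statistics


def interval_mbps(report):
    """Per-interval throughput in Mbit/s from a parsed iperf3 JSON report."""
    return [iv["sum"]["bits_per_second"] / 1e6 for iv in report["intervals"]]


def window_means(samples, window):
    """Mean of every run of `window` consecutive samples (sliding window)."""
    if not 0 < window <= len(samples):
        raise ValueError("window must be between 1 and the number of samples")
    return [
        sum(samples[i:i + window]) / window
        for i in range(len(samples) - window + 1)
    ]


def summarize(report, short_test_s=15):
    """Long-run statistics plus the best and worst result that a single
    short test of `short_test_s` seconds could have reported."""
    samples = interval_mbps(report)
    windows = window_means(samples, short_test_s)
    return {
        "duration_s": len(samples),
        "mean_mbps": statistics.fmean(samples),
        "median_mbps": statistics.median(samples),
        "best_short_test_mbps": max(windows),
        "worst_short_test_mbps": min(windows),
    }


def compare(direct_report, tunnel_report, short_test_s=15):
    """Tunnel throughput as a fraction of direct throughput, from the long
    runs and from the extremes that mismatched short tests would suggest."""
    direct = summarize(direct_report, short_test_s)
    tunnel = summarize(tunnel_report, short_test_s)
    return {
        "direct": direct,
        "tunnel": tunnel,
        "tunnel_efficiency": tunnel["mean_mbps"] / direct["mean_mbps"],
        # (unlucky tunnel test vs lucky direct test, and the reverse)
        "efficiency_range_from_short_tests": (
            tunnel["worst_short_test_mbps"] / direct["best_short_test_mbps"],
            tunnel["best_short_test_mbps"] / direct["worst_short_test_mbps"],
        ),
    }


def constructed_report(block_rates_mbps, block_len_s=15):
    """Build a minimal iperf3-shaped report (constructed sample data):
    each rate in block_rates_mbps is held for block_len_s seconds."""
    intervals = []
    for rate in block_rates_mbps:
        for _ in range(block_len_s):
            start = float(len(intervals))
            intervals.append({"sum": {
                "start": start,
                "end": start + 1.0,
                "seconds": 1.0,
                "bits_per_second": rate * 1e6,
            }})
    return {"intervals": intervals}


# Constructed 60-second runs; these are not measurements from the thread.
DIRECT = constructed_report([200, 120, 220, 100])
TUNNEL = constructed_report([40, 20, 35, 25])

if __name__ == "__main__":
    result = compare(DIRECT, TUNNEL)
    for path in ("direct", "tunnel"):
        s = result[path]
        print(f"{path:6s} mean {s['mean_mbps']:.0f} Mbit/s over "
              f"{s['duration_s']} s; a single 15 s test could have shown "
              f"{s['worst_short_test_mbps']:.0f} to "
              f"{s['best_short_test_mbps']:.0f} Mbit/s")
    low, high = result["efficiency_range_from_short_tests"]
    print(f"tunnel efficiency {result['tunnel_efficiency']:.1%} from long "
          f"runs; {low:.1%} to {high:.1%} from mismatched short tests")
```
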
* Re: [Starlink] VPN woes, recommendations?
  From: Nathan Owens @ 2023-02-17 16:47 UTC
  To: Adam Thompson; +Cc: Daniel C. Eckert, starlink

Yes, you can run a business (HP) dish without the router, it comes with an Ethernet cable. You can put a static route to 192.168.100.1 and still get the stats/app. You can also request a static IP.

* Re: [Starlink] VPN woes, recommendations?
  2023-02-17 16:30 [Starlink] VPN woes, recommendations? Adam Thompson
  2023-02-17 16:34 ` Dave Taht
  2023-02-17 16:36 ` Daniel C. Eckert
@ 2023-02-17 18:29 ` Michael Richardson
  2023-02-17 21:01 ` David Lang
  3 siblings, 0 replies; 11+ messages in thread
From: Michael Richardson @ 2023-02-17 18:29 UTC
  To: Adam Thompson, starlink

Do we know for sure that the starlink terminals don't do any kind of TCP
performance enhancing proxy? (TCP ACK spoofing)

VPNs hide that info.
I believe that the Flent tests would also ignore such things.

* Re: [Starlink] VPN woes, recommendations?
  2023-02-17 16:30 [Starlink] VPN woes, recommendations? Adam Thompson
  ` (2 preceding siblings ...)
  2023-02-17 18:29 ` Michael Richardson
@ 2023-02-17 21:01 ` David Lang
  3 siblings, 0 replies; 11+ messages in thread
From: David Lang @ 2023-02-17 21:01 UTC
  To: Adam Thompson; +Cc: starlink

On Fri, 17 Feb 2023, Adam Thompson via Starlink wrote:

> First, having multiple devices in serial is generally not a great idea for
> reliability. Can we realistically plug our remote AP directly into the
> dish, still? (This is using Starlink Business, FWIW.). I know we lose
> access to the Starlink app, but we also lose a NATing router and an
> unwanted wifi AP, so that's probably a net zero. I just don't know what
> other dangers/problems that topology might cause.

Look at YouTube for people running their Starlink on 12v. It requires
cutting the cable and putting normal ends on it, but once you do that (and
have a PoE power injector) you can connect a normal router to a Starlink
dish.

I haven't heard of anyone doing this for the larger dish, but for the
standard one it's quite common.

The dish then gives you a 192.168.1 IP address (and only one, so you still
have your router NAT and dish NAT involved).

David Lang

Thread overview: 11+ messages
2023-02-17 16:30 [Starlink] VPN woes, recommendations? Adam Thompson
2023-02-17 16:34 ` Dave Taht
2023-02-17 16:36 ` Daniel C. Eckert
2023-02-17 16:38 ` Adam Thompson
2023-02-17 16:39 ` Adam Thompson
2023-02-17 16:45 ` Dave Taht
2023-02-17 17:38 ` Adam Thompson
2023-02-17 17:40 ` Dave Taht
2023-02-17 16:47 ` Nathan Owens
2023-02-17 18:29 ` Michael Richardson
2023-02-17 21:01 ` David Lang