I have recently joined Starlink’s beta program. They don’t disclose any of their networking details. They allow you to hook into their wifi router with a network out, but I found it was both unstable and had poor performance.
I have managed to connect the Starlink dish to one of my WAN ports in DHCP/NAT mode, with an automatic DNS. I have a second provider with the same settings.
It works great; however, in order to use the management app, I believe I need to be able to pass through 192.168.100.1 to WAN1 to allow a LAN client to manage the dish. I have tried just about all of the Peplink Balance settings to do so: an outbound policy to all WANs, adding 192.168.100.1 as an additional IP and pushing all traffic to that IP as a NAT rule, adding a firewall rule, and a management admin. I was trying to get this 192.168.100.1 IP setup to pass through to the WAN1 gateway, but didn’t manage to get that working either.
I cannot ping the 192.168.100.1 address, except when the dish initially boots up; they must hide it from ping.
Possibly the Starlink device is preventing any client not in its subnet from connecting to its admin interface? Kinda what Peplink lets you configure as well. Nice feature.
Can you connect directly to its subnet and see if you can ping and connect via their mobile app?
What IP address scheme does the Starlink WAN provide?
Maybe try adding a Static Route for 192.168.100.0/24 to the gateway IP of the Starlink interface. According to 8.1.1 release notes you may need to be running 8.1.1 for those to work in drop-in mode. Maybe that doesn’t apply to this scenario.
When the Starlink dish / modem boots up it comes up as 192.168.1.1 as the gateway, it then renegotiates to 100.82.xxx.yyy with 100.27.aaa.bbb as the default gateway. The IP address and gateway change with each reboot.
Subnet mask is 255.192.0.0
When I put the static route in I get an error that the gateway 100.82.xxx.yyy is not on the local network.
I am running the WAN in DHCP/NAT mode not drop in.
If I put firewall logging on to the 192.168.100.1 address I see a pass entry in the log from a source on the LAN (cell phone with the app running) to the destination. I just don’t know if it’s hitting the WAN.
As soon as I can order a Starlink dish I will test this out.
In the meantime, run a PCAP from the support.cgi page.
We need to see if the packets are leaving the router via the WAN link or not coming back, and we need to see what MAC addresses they are tagged with.
The Starlink forums imply that you should add a route to 192.168.100.1 netmask 0.0.0.0 on your WAN interface (or add the entire 192.168.100.0/24). This causes the router to broadcast an ARP request for 192.168.100.1 and then communicate directly to that MAC address. Peplink does not allow static routes on the WAN interfaces of Balance devices.
The Outbound Policy produces a similar but subtly different result. The packet will go out the WAN, but it will be tagged with the MAC address of the default router. If the hardware of the OOB interface only responds to its own MAC, then it will not pick up that packet.
Do you have a spare WAN port? (USB dongle?)… You can put in a switch between Starlink and the Balance and then also connect to a second always-on WAN port configured for 192.168.100.2/24 and use that for OOB communication.
I installed a B20X yesterday with a DSL bridged modem. To attempt to manage the modem (192.168.1.1) I set an Outbound Policy Enforced out the WAN interface. The packets leave the correct interface, but as expected they are tagged with the MAC address of the default router, and the DSL modem’s management interface does not pick them up.
Depending on your network a traceroute may show that an ICMP is returned from the next hop router.
You can also check with the CLI interface. Ping 192.168.100.1 from the WAN interface:
support ping 192.168.100.1 wan 1 (replace 1 with the number of the wan interface)
then
support arp
If 192.168.100.1 does not show up in the ARP table, then there is no way to reach the device without a static route or other solution.
FusionHub allows WAN static routes.
When I had this same configuration, I had to use the second USB/WAN interface to manage the DSL modem, but with this new installation I don’t have a spare WAN Ethernet.
I tried a number of workarounds and was able to connect via an Access LAN, but this bridges the secure and insecure domains, and required adding a static route on the modem (which would not be available on Starlink).
I think if we don’t have a good static route solution by the time Starlink expands south, I will just use an old Juniper SRX to bridge the Starlink WAN and securely connect a management VLAN to 192.168.100.1. That will probably also give me IPv6 access to test as well, since Peplink doesn’t support v6 in any reasonable way (passthrough on wired WAN #1 is not supported).
For what it’s worth, I too am running a B20X and was able to set a WAN policy to forward requests to my cable modem @ 192.168.100.1 and I am able to access my cable modem.
Yes, and if you test with the CLI ping test you will get an answer back, probably with a MAC entry as well.
We can call this In Band traffic. The cable modem reads the bridged stream and intercepts any 192.168.100.1 destinations. The Zyxel DSL modem and, it seems, the Starlink modems don’t behave the same way and are Out of Band traffic, and want the packets sent to the MAC address of their management module.
I did take the diagnostics. I cannot ping 192.168.100.1; it loses all packets. 192.168.100.1 does not show up in the ARP interface. Did you want me to transfer you the diagnostic files?
No, that just reinforces what I see with the DSL modem… That Starlink has the same behavior.
Ask Peplink to support static routes on the WAN interface. There are about to be a lot of Starlink customers, viewing the diagnostics via a phone is a core activity, and they may want to support them directly.
For now, you will either have to allocate an additional WAN interface (if you have one free) or use an old router to handle the OOB traffic. To use a second router, set its WAN to 192.168.100.2/24. Assign the LAN to 192.168.101.2/24. On the Peplink, set an Access VLAN 101 to have an IP address of 192.168.101.1 and then add a static route for 192.168.100.0/24 via 192.168.101.2. Connect the 2 WAN ports and Starlink to a switch, and connect the second router’s LAN port to the Access VLAN 101 port.
I have an ethernet USB converter and GigE switch ready for when I can order Starlink.
I give that a big thumbs up - Peplink needs to do whatever is needed to fully support Starlink on the WAN. I will likely put in several hundred myself. We sell phone service and cellular backup Internet to pizza restaurants, but they need decent WAN.
I have a waiting list of over a hundred locations waiting until they have some kind of high speed Internet to sign up with us.
Here is what I wound up doing. I put an unmanaged switch hub in between the dish and the Peplink, then put the original Starlink router off of the hub, after adding a PoE box. I have to connect to the Starlink WiFi network to use the app. It did a firmware update as soon as I hooked it up, not sure if both the dish and the router or just the router. The Starlink router is forced to be at 192.168.1.1 and doesn’t let you into any settings. I tried to hook a Peplink ap300m up instead but all lights flash on it; I suspect a hardware error.
The Starlink router no longer wreaks havoc with the rest of my network like it was doing when plugged directly off the Starlink router network output port, even though I had nothing on the 192.168.1 network.
I would only watch that the system is ok with having two router IPs on the same dish. Both the Peplink and Starlink routers now have DHCP addresses. There is nothing illegal about this from a network point of view, but traditionally cable and DSL providers limit the DHCP clients on the remote side. Starlink may not be regulating this now, but they may in the future.
Thanks Paul, the Starlink app shows “connected devices”. Any device that connects to the Starlink router shows up in the list, plus the Peplink shows up as one device with the WAN MAC address showing up. This leads me to believe it’s acceptable behavior (for now).
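The difference discussed earlier in the thread between an outbound policy and an on-link route for 192.168.100.0/24 on the WAN can be modelled in a few lines. This is an added example, not code from any poster, Peplink or Starlink; the WAN subnet, gateway address and MAC addresses are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample values (not from the thread): WAN lease, upstream gateway, MACs.
CONNECTED = [("100.64.0.0/10", None)]           # WAN subnet learned by DHCP, on-link
DEFAULT_GW = "100.64.0.1"
NEIGHBOURS = {                                   # who answers ARP on the WAN segment
    "100.64.0.1": "02:00:00:00:00:01",           # provider default gateway
    "192.168.100.1": "02:00:00:00:00:64",        # dish management module
}

def arp_target(dst, routes, default_gw):
    """IP the router ARPs for: dst itself if an on-link route covers it,
    the route's next hop if it has one, otherwise the default gateway."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)               # longest prefix wins
    if best is None:
        return default_gw
    return dst if best[1] is None else best[1]

def frame_dst_mac(dst, routes, default_gw=DEFAULT_GW, neighbours=NEIGHBOURS):
    """Destination MAC placed on the Ethernet frame (None if ARP goes unanswered)."""
    return neighbours.get(arp_target(dst, routes, default_gw))

def reaches_management(dst, routes):
    """True only if the frame is addressed to the management module's own MAC."""
    return frame_dst_mac(dst, routes) == NEIGHBOURS.get(dst)

# Outbound policy only: no route for 192.168.100.0/24, so the gateway's MAC is used.
policy_only = CONNECTED
# On-link static route on the WAN, as suggested on the Starlink forums.
with_onlink_route = CONNECTED + [("192.168.100.0/24", None)]

if __name__ == "__main__":
    for name, routes in (("policy only", policy_only), ("on-link route", with_onlink_route)):
        print(name, frame_dst_mac("192.168.100.1", routes),
              reaches_management("192.168.100.1", routes))
```

With the policy-only table the frame carries the default gateway's MAC, which matches the B20X and DSL modem observation above; only the on-link route makes the router ARP for 192.168.100.1 itself.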