Thanks for the insightful replies. This is my first time having hands-on with Hex; all my network setup and experience is on enterprise-grade hardware.
Actually, the long-term plan calls for quite a complex setup, which is why Starlink will be in bridged mode. The end goal is the following:
Local LAN: three subnets, two 'home' subnets and one guest subnet.
- The guest subnet is Wi-Fi only and is used for Internet access only.
- The two home subnets are an internal subnet (computers, NAS) and an IoT subnet (Home Assistant, PoE cameras, Roku, Amazon Fire, sensors, etc.).
- The internal subnet can access the other two subnets in addition to the Internet.
Failover/load balancing with a dual-WAN setup:
- The primary WAN is Starlink.
- The secondary WAN will be a SIM router, but the plan has a much lower traffic allowance.
- The internal and guest subnets use the primary WAN for Internet access, while the IoT subnet uses the secondary WAN.
- If Starlink fails for more than 1 minute, all subnets switch over to the secondary WAN and immediately start monitoring Starlink availability. Once Starlink is available again and stable (connection up for more than 1 minute), the internal and guest subnets fall back to it.
- If the secondary WAN fails, the IoT subnet will use the primary WAN until it falls back, as in the previous case.
VPN:
- The ability to connect from outside and check the status of devices in the internal and IoT subnets.
- Because both the primary and secondary WANs will be behind CGNAT, a device with a public IP will be needed to hub/proxy the connections from outside.
So... these are grand plans. But I will start small: Starlink is already in bridge mode and plugged directly into the DD-WRT box, so I will add the Hex-S in between and add a guest network.
I would appreciate your advice on how to properly set up failover/fallback. I don't have the secondary WAN account ready yet, but I do have the equipment (NightHawk M1).
I also want to know the best way to accomplish the VPN goal. Twenty years ago, for a similar setup where both satellite networks were behind firewalls, I set up IPsec via Cisco DynVPN with a Cisco 3000/5000 series concentrator sitting in a colo, but I guess there are much better options now.
Thanks again.
P.S. If you think the Hex is not the right equipment to accomplish the above goal, I am ready to hear what would be. I thought the Hex or a Ubiquiti EdgeRouter should do the job. I am clearly not putting Cisco gear here - I am done with it after the last 20 years.
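The failover/fallback rules from the post, modelled as a small state machine so the per-subnet steering can be checked against a timeline before any router config is written. This is an added example, not code from the post or from RouterOS; it assumes one reachability probe result per WAN at each observation, and applies the same one-minute hold to both links (the post states the hold only for Starlink).

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

PRIMARY, SECONDARY = "starlink", "sim"
# Preferred WAN per subnet, as laid out in the post.
PREFERRED = {"internal": PRIMARY, "guest": PRIMARY, "iot": SECONDARY}
HOLD_SECONDS = 60.0  # >1 min down before switching, >1 min up before falling back


@dataclass
class Link:
    """Raw probe state of one WAN plus the hysteresis-filtered verdict."""
    reachable: bool = True
    since: float = 0.0            # time the probe result last changed
    declared_down: bool = False   # the verdict routing actually acts on

    def observe(self, now: float, reachable: bool) -> bool:
        if reachable != self.reachable:
            self.reachable, self.since = reachable, now
        # Only flip the verdict once the link has held one state for a full minute;
        # short flaps in either direction leave routing untouched.
        if now - self.since > HOLD_SECONDS:
            self.declared_down = not self.reachable
        return self.declared_down


@dataclass
class FailoverPolicy:
    links: Dict[str, Link] = field(
        default_factory=lambda: {PRIMARY: Link(), SECONDARY: Link()})

    def observe(self, now: float, probes: Dict[str, bool]) -> Dict[str, Optional[str]]:
        """Feed one round of probe results; return the WAN each subnet should use."""
        for name, ok in probes.items():
            self.links[name].observe(now, ok)
        return self.routes()

    def routes(self) -> Dict[str, Optional[str]]:
        usable = {n for n, link in self.links.items() if not link.declared_down}
        out: Dict[str, Optional[str]] = {}
        for subnet, wan in PREFERRED.items():
            other = SECONDARY if wan == PRIMARY else PRIMARY
            if wan in usable:
                out[subnet] = wan
            else:
                out[subnet] = other if other in usable else None  # both down: no route
        return out
```

On the hEX the returned verdict would be applied by switching each subnet's routing mark between the two WAN tables; the model only decides which WAN a subnet should be steered to and when.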