Invisible999
just joined
Topic Author
Posts: 3
Joined: Wed Jul 18, 2018 10:58 am

Hex-S, Tp-link running DD-WRT and with Starlink as uplink

Tue Dec 06, 2022 6:49 am

Hello everyone,

After waiting 6 months I finally received Hex-S this week.

I am planning to put it in as the router and use Starlink in bridging mode only. Topology will be Starlink -> Hex-S -> Tp-Link 1750 running DD-WRT in AP mode.

Has anyone used Hex-S with Starlink? Any feedback?

Thanks.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hex-S, Tp-link running DD-WRT and with Starlink as uplink

Tue Dec 06, 2022 6:29 pm

Nothing special about MT in this regard; this article is helpful reading:
https://www.hns-berks.co.uk/blogs/archives/07-2022

Be advised that Starlink, like CGNAT, does not provide you a public IP in any mode, and thus Starlink cannot be a server for WireGuard purposes, for example.
Better off using ZeroTier.
 
Amm0
Forum Guru
Posts: 3255
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Hex-S, Tp-link running DD-WRT and with Starlink as uplink

Tue Dec 06, 2022 7:32 pm

> Nothing special about MT in this regard; this article is helpful reading:
> https://www.hns-berks.co.uk/blogs/archives/07-2022
>
> Be advised that Starlink, like CGNAT, does not provide you a public IP in any mode, and thus Starlink cannot be a server for WireGuard purposes, for example.
> Better off using ZeroTier.

Well, it depends on what you're trying to do. I mean, if you just plug in the Starlink and use their AP, it does something. In fact, their Wi-Fi doesn't seem bad to me. But adding a TP-Link Wi-Fi thing to get more coverage may be needed for you, dunno...

I'd just use the hEX in bridge mode, and just have it act like a switch on the Starlink LAN provided by their Wi-Fi router (& ordered-separately Ethernet dongle). Why make this complex? There isn't a lot of advantage to making MikroTik the "router" for CGNAT (e.g. with Starlink you're limited to, I think, 5000 total ports, and no public IP, so there isn't even much a better router can do for you). But the Starlink is a little flaky, so I'd recommend installing the Dude to monitor your network from the hEX S – that's something the hEX S excels at.

Now if you have multiple WAN connections, then yeah, the advice would change to recommend "routing on MikroTik" and bypassing the Starlink LAN/Wi-Fi. But I'm guessing if you're using Starlink there isn't another network available... And if you want to control access to devices, nothing stops you from using the bridge firewall on a port to restrict connected devices. Or even creating more LANs that have to "double NAT" (which isn't a big deal if the end is already CGNAT). Kinda depends on what you're doing here...

Your next issue would be VPNs... The issue with ZeroTier is it's only for ARM... But the hEX S is MMIPS. So neither WireGuard (for lack of a public IP) nor ZeroTier (for lack of a package) can run on the router.
 
Invisible999
just joined
Topic Author
Posts: 3
Joined: Wed Jul 18, 2018 10:58 am

Re: Hex-S, Tp-link running DD-WRT and with Starlink as uplink

Wed Dec 07, 2022 4:14 am

Thanks for the insightful replies. This is my first time having hands-on experience with Hex; all my network setup experience is on enterprise-grade hardware.

Actually, the long-term plan calls for quite a complex setup; this is why Starlink will be in bridged mode. The end goal is the following:

Local LAN - three subnets - two 'home' subnets and one guest.
- The guest subnet is for Wi-Fi only and only for internet access.
- Home subnets are for internal (computers, NAS) and IoT device subnets (Home Assistant, PoE cameras, Roku, Amazon Fire, sensors, etc.)
- The internal subnet can access the other two subnets in addition to the Internet.

Failover/Load Balancing with Dual-WAN setup:
- The primary WAN is Starlink.
- The secondary WAN will be a SIM router, but the plan has a much lower traffic allowance.
- Internal and guest subnets use Primary for internet access, while the IoT subnet uses the secondary WAN.
- In case there is a failure with Starlink for >1 min, all subnets switch over to secondary and immediately start monitoring Starlink availability. Once Starlink is available again and stable (connection is up for >1 min), Internal and Guest will fall back.
- If there is a failure with the Secondary WAN, the IoT subnet will use Primary until the fallback, as in the previous case.

VPN:
- The ability to establish a connection from outside and check the status of devices in the Internal and IoT subnets.
- Because both Primary and Secondary will be behind CGNAT, a device with a public IP will be needed for hubbing/proxying the connections from outside.

So... these are grand plans. But I will start small - Starlink is already in bridge mode and directly plugged into the DD-WRT box. So I will add Hex-S in between and add a guest network.

I would appreciate your advice on how to properly set up failover/fallback. I don't have the Secondary WAN account ready yet, but I do have the equipment (NightHawk M1).

I also want to know what would be the best way to accomplish the VPN goal. Back 20 years ago, for a similar setup when both satellite networks were behind a FW, I was setting up IPSec via Cisco DynVPN with a Cisco 3000/5000 series concentrator sitting in a colo, but I guess now there are much better options.

Thanks again.

P.S. If you think that Hex is not the right equipment to accomplish the above goal, I am ready to listen to what would be the right one. I thought Hex and Ubiquiti EdgeRouter should do the job. I am clearly not putting Cisco gear here - I am done with it after the last 20 years. :)
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Hex-S, Tp-link running DD-WRT and with Starlink as uplink

Wed Dec 07, 2022 9:37 am

> I would appreciate your advice on how to properly set up failover/fallback. I don't have the Secondary WAN account ready yet, but I do have the equipment (NightHawk M1).
>
> I also want to know what would be the best way to accomplish the VPN goal. Back 20 years ago, for a similar setup when both satellite networks were behind a FW, I was setting up IPSec via Cisco DynVPN with a Cisco 3000/5000 series concentrator sitting in a colo, but I guess now there are much better options.

Have you ever used MikroTik ROS?
Have you ever used Vyatta/EdgeOS?
Have you ever used OpenWrt?
Have you ever used pfSense or OPNsense?
Does DD-WRT support multiple SSIDs and VLANs?

Some questions about your use case.

Do you really want to use the SIM-based router with the Roku? I would guess that could consume a lot of data on your plan.

Will you be using VLANs? If so, do you have VLAN-aware switches? You stated that the guest will be for Wi-Fi only. What about your IoT devices on a different subnet? This is why I asked whether DD-WRT supports multiple SSIDs and VLANs. It appears that your Tp-Link 1750 (Archer 7? what version? there are 5 with different hardware configs) is supported by OpenWrt, which is probably more flexible than DD-WRT but also more complex (more like MikroTik ROS), but if you use it that's another command set to learn.

As far as VPN goes, when both connections are dynamic behind CGNAT (about the worst possible scenario for setting up an inbound VPN), it will require some third party as a relay (as you did in the past) or setting up a point-to-point link by coordinating a rendezvous and UDP hole punching. The two popular solutions for this are ZeroTier (an L2 connection) and Tailscale over WireGuard (a layer 3 VPN).

One thing that may be an advantage of using OpenWrt is that there is a ZeroTier package available, but it depends on whether it is supported on MIPS (the Archer is MIPS based); if it is supported, it would allow you to use ZeroTier, and that's reported to work with CGNAT (although not "supported" with double NAT, it may work). That's one thing where the hAP ac2 or hAP ac3 or hAP ax2 or hAP ax3 would be a better fit than the hEX S, but you could always use the hEX S as a VLAN-aware switch (I recommend using a recent version of v7 if you want to use VLANs with the hEX S).

I have a MikroTik RB760iGS hEX S, and I also have several Ubiquiti ER-X, and I am much more familiar with the ER-X. For me, it would be much easier to configure an ER-X to do what you want (load balancing) than the hEX, but I think it will work; it will probably require more knowledge than using the Load Balancing setup wizard on the ER-X. I don't use load balancing myself and have only one cable internet connection, so I am not sure how well it would work with the ER-X. I have seen complaints about load balancing on the Ubiquiti forums; whether that is user error or unrealistic expectations I don't know.

On the MikroTik, configuration is similar to writing code in assembler: you have access to nearly everything, but it often takes a lot more time to configure than it does on other routers that are a bit more like C#/Java, especially when you are learning. And you need to use firewall mangle rules to mark and make routing decisions based on the marks. At least that's how I think it is done. There are multiple YouTube videos, but I don't want to recommend any since I haven't watched or tried setting it up in my lab myself.

I suggest while you are learning, put your RB760iGW hEX S behind your current router, until you get it to a point that you can verify that it will block access from the "WAN" side. Then you can put it on the internet with more confidence that you are not making your security worse by adding the router. I also suggest avoiding "common" LAN subnets, if you want to be able to connect from an arbitrary location. You want the probability of the networks overlapping to be low, because overlapping networks will cause grief.

@anav has some good pointers in his New User Pathway To Config Success thread, although I don't see a "load balancing" section yet.
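As an added worked example (not code from this thread, from any poster, or from MikroTik's default configuration), a RouterOS v7 firewall that implements the three-subnet policy Invisible999 laid out and leaves log evidence for the "does it block the WAN side?" check Buckeye suggests. The interface names (ether1 as WAN; vlan10-internal, vlan20-iot and vlan30-guest on the bridge) and the 10.10.x.0/24 subnets are assumptions.

```routeros
# Added example (not from the thread or MikroTik's defaults): RouterOS v7 firewall
# for the three-subnet plan plus a log rule so the "does it block the WAN side?"
# test leaves evidence. Assumed names: ether1 = WAN, VLAN interfaces vlan10-internal,
# vlan20-iot, vlan30-guest; the 10.10.x.0/24 subnets are constructed values.

/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=vlan10-internal
add list=LAN interface=vlan20-iot
add list=LAN interface=vlan30-guest

/ip firewall address-list
add list=internal address=10.10.10.0/24
add list=iot address=10.10.20.0/24
add list=guest address=10.10.30.0/24

/ip firewall filter
# input chain: only LAN interfaces may talk to the router itself (DNS, DHCP, WinBox)
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
# guest may only use the router's DNS and DHCP; everything else from guest is dropped
add chain=input action=accept in-interface=vlan30-guest protocol=udp dst-port=53,67
add chain=input action=drop in-interface=vlan30-guest
add chain=input action=accept in-interface-list=LAN
# log what the WAN side throws at the router before dropping it
add chain=input action=log in-interface-list=WAN log-prefix="WAN-INPUT-DROP"
add chain=input action=drop in-interface-list=!LAN comment="drop all not from LAN"

# forward chain: guest and IoT are internet-only; internal may reach both
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="no unsolicited inbound from WAN"
add chain=forward action=accept src-address-list=internal out-interface-list=LAN \
    comment="internal -> IoT and guest"
add chain=forward action=drop src-address-list=guest out-interface-list=LAN \
    comment="guest is internet-only"
add chain=forward action=drop src-address-list=iot out-interface-list=LAN \
    comment="IoT may not initiate to other subnets"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
add chain=forward action=drop comment="default deny"

# Verification while the hEX sits behind the old router: try to reach the hEX's
# WAN address from the old router's LAN, then confirm the attempts were dropped:
#   /log print where message~"WAN-INPUT-DROP"
#   /ip firewall filter print stats where comment="drop all not from LAN"
```

Replies from IoT or guest to connections the internal subnet opened still pass through the established,related rule, so the two drop rules only stop connections those subnets initiate.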
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hex-S, Tp-link running DD-WRT and with Starlink as uplink

Wed Dec 07, 2022 1:46 pm

Para O has the two links for load balancing:
a. Discher's PCC method (most popular)
b. Tomas' Load Balance method

The only point I want to bring out is that you will need a third party (bridge) VPN, two choices. The idea being you will join your hEX to this node and then your laptop/iPhone remotely to the same node, and then via the node you will have connectivity to your home hEX and resources.

a. host your own Amazon Data Centre MT router (a bit complex, with a monthly charge)
b. use a third party VPN (mostly used for users to have internet somewhere else, outgoing traffic, and not that useful in your case)
c. find a friend who will host WireGuard for you at their public IP (easiest, and pick someone with an MT router to make it easier)
 
Amm0
Forum Guru
Posts: 3255
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Hex-S, Tp-link running DD-WRT and with Starlink as uplink

Wed Dec 07, 2022 2:24 pm

One critical note here is IPv6. Starlink uses CGNAT primarily to make installation easy, but it's architected around IPv6
[...]

> I suggest while you are learning, put your RB760iGW hEX S behind your current router, until you get it to a point that you can verify that it will block access from the "WAN" side. Then you can put it on the internet with more confidence that you are not making your security worse by adding the router. I also suggest avoiding "common" LAN subnets, if you want to be able to connect from an arbitrary location. You want the probability of the networks overlapping to be low, because overlapping networks will cause grief.

All good advice @Buckeye! Couldn't have said it better.

At a high level, given the hardware, it seems like OP should use the DD-WRT as a "network app server" and the hEX-R as a "smart switch". Basically ZeroTier solves his VPN needs, but he needs the DD-WRT to do it. Then the hEX initially being a VLAN-enabled bridge (vlan-bridge=yes) with one VLAN for the current network would be a good start.

I'd still recommend installing the "dude" package on the hEX pretty soon – that both lets it scan your network so you know what you're dealing with, and, if you get your monitoring first, then if you break something, you'd know. To me that's more important than segmenting the network, which can still happen, except you'd know if those changes work by looking at the Dude.

From there, play around on the MikroTik side: you can add more VLANs, connect the LTE modem, or other config, & experiment without messing up your working network. FWIW I'm not necessarily a fan of "over-VLANing" a house with every category getting a VLAN – some devices need broadcasts to communicate with smartphones (which means needing to be on the same LAN), so some generic "all devices go to one VLAN", printers another, etc. is where both things get more complex.

> @anav has some good pointers in his New User Pathway To Config Success thread,

This was going to be my recommended reading before @Buckeye suggested it!

For Starlink + LTE, it seems like "try Starlink" and "fail over to LTE" is @Invisible999's idea here, which seems right. That's pretty easily done using "default-route-distance" initially. For the DHCP client, set it to 1 on the Starlink LAN, & in the LTE settings, under APNs, the default-route-distance for the M1 modem should be 2 (assuming the LTE modem is connected via USB to the hEX). That's actually the default, so "failover comes for free" here.

Now that alone will only fail over if the Starlink's Ethernet is unplugged/off, not if it's the "green link light but no upstream internet" problem; that's not solved by route-distance alone. And it's here where there is a wealth of choices, with a catalog of routing and subnetting all well covered in @anav's guide (which has more links on specific topics) linked above. Now the CGNATs do limit your choices.

I'd get ZeroTier working on the DD-WRT first; that solves your remote access over either the Starlink (or LTE eventually), since it does a bunch of things to get through ("hole punching", symmetric ports, IPv6). I still recommend starting with the Dude; in an hour you'd have monitoring of all devices on the network from the hEX, and it's free. And with a complete map of devices, decide what needs to get segmented or managed differently from the rest of the LAN.

Good luck.
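As an added worked example (not from this thread or from MikroTik's documentation), the default-route-distance failover described above extended with a recursive check-gateway route, so the hEX also fails over on the "green link light but no upstream internet" case. It assumes Starlink in bypass mode on ether1 via DHCP, the Nighthawk M1 on ether2 via DHCP rather than USB, and 1.1.1.1 as a constructed probe target; the IoT-over-LTE policy routing from Invisible999's plan is left out.

```routeros
# Added example (not from the thread or MikroTik's docs): Starlink-primary / LTE-backup
# failover on a hEX S that also catches the "green link light but no upstream" case.
# Assumptions: Starlink (bypass mode) on ether1 via DHCP; the Nighthawk M1 on ether2
# via DHCP (not USB); probe host 1.1.1.1 is a constructed choice. IoT-over-LTE policy
# routing is not covered here.

# Starlink: take the lease, but do not let DHCP install the default route; a script
# keeps a host route to the probe target pointed at the learned gateway instead.
/ip dhcp-client
add interface=ether1 comment="Starlink" add-default-route=no

# Paste this (unescaped) into that DHCP client's Script field in WinBox/WebFig;
# $bound and $"gateway-address" are the variables RouterOS hands to the script.
#   :if ($bound=1) do={
#     /ip route set [find comment="starlink-probe"] gateway=$"gateway-address"
#   }

# LTE hotspot: plain DHCP client whose default route is less preferred (distance 2)
/ip dhcp-client
add interface=ether2 comment="LTE M1" default-route-distance=2

/ip route
# Host route to the probe target via Starlink only. 100.64.0.1 is a placeholder that
# the script overwrites on every lease; scope=10 lets the default route recurse to it.
add dst-address=1.1.1.1/32 gateway=100.64.0.1 scope=10 comment="starlink-probe"
# Primary default route, recursive via the probe host. check-gateway pings 1.1.1.1
# through Starlink; two missed pings mark the route unreachable and traffic falls
# to the distance-2 LTE route even though ether1 still shows a link.
add dst-address=0.0.0.0/0 gateway=1.1.1.1 distance=1 check-gateway=ping \
    comment="default via Starlink"

/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="Starlink NAT"
add chain=srcnat out-interface=ether2 action=masquerade comment="LTE NAT"

# Check which default route is currently active:
#   /ip route print where dst-address=0.0.0.0/0
```

Traffic to 1.1.1.1 itself is always sent via Starlink because of the host route, so pick a probe target you do not depend on while the link is down.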
 
Amm0
Forum Guru
Posts: 3255
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Hex-S, Tp-link running DD-WRT and with Starlink as uplink

Wed Dec 07, 2022 2:43 pm

> The only point I want to bring out is that you will need a third party (bridge) VPN, two choices. The idea being you will join your hEX to this node and then your laptop/iPhone remotely to the same node, and then via the node you will have connectivity to your home hEX and resources.

This is where MikroTik releasing ZeroTier only on ARM platforms is annoying. It works fine over either Starlink or LTE, and in this case would be much simpler/cleaner (e.g. what @Buckeye/I proposed, running ZT on his Linux-based AP, or your "phone-a-friend" WireGuard idea).

The hEX R is actually a great little router still & works great for LAN + an external LTE hotspot for backup, with an SD card to store Dude data (or other backups/data). And since it can't run containers either, it's not like you can use some other hole-punch VPN either. Once the hAP ax2/hAP ax3 are shipping in volume, those would be a better choice for hardware here - but OP would be waiting another 6 months.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hex-S, Tp-link running DD-WRT and with Starlink as uplink

Wed Dec 07, 2022 3:56 pm

Concur Amm0, this is where Normis and his evil cohorts FAILED MikroTik users.
They should have gone with Tailscale WG instead of a limited device function of ZeroTier... if someone was twisting their arm to only provide one of the functionalities.
 
Amm0
Forum Guru
Posts: 3255
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Hex-S, Tp-link running DD-WRT and with Starlink as uplink

Wed Dec 07, 2022 8:36 pm

Another, different, approach for the VPN would be IPv6.

The big question is: does YOUR Starlink give you one? With the 2nd question being: do they allow incoming connections on it?
Most of the VPN protocols do support IPv6, and if the other end supports IPv6, just use the IPv6 address for the VPN part to tunnel the IPv4 locally. Since any VPN on MikroTik results in a new interface, they largely don't care that it's IPv4 inside the tunnel. You could run the VPN through an IPv6 tunnel broker (he.net may have one) if the remote VPN client didn't have IPv6.
Just an idea. And I can't say I've done it that way, but theoretically it should work too.

Learn IPv6 in the process, which may not be a bad thing. But whether the Starlink gives you an IPv6 address is the unknown here.
 
Amm0
Forum Guru
Posts: 3255
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Hex-S, Tp-link running DD-WRT and with Starlink as uplink

Wed Dec 07, 2022 8:45 pm

> If someone was twisting their arm to only provide one of the functionalities.

@anav, LOL. More practicality, I suspect; ZeroTier has an ARM build already. It's the lack of containers on other devices that's also annoying. Specifically TILE that gets me (although I don't have one, doth protest too much) – those have such unused processing potential & some tasks would run so well with the high core count. Both ZT and containers violate the MT philosophy of "all features are enabled on all routers*" (*some may be a bad idea), e.g. BGP on $29 devices. Anyway, they do have decent IPv6 in v7 that works on all routers, is my thinking here.
 
Amm0
Forum Guru
Posts: 3255
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Hex-S, Tp-link running DD-WRT and with Starlink as uplink

Wed Dec 07, 2022 8:50 pm

> The big question is: does YOUR Starlink give you one? With the 2nd question being: do they allow incoming connections on it?

Google is useful: Reddit had a thread on this topic: https://www.reddit.com/r/Starlink/comme ... 6_in_2022/

Seems IPv6 with starlink is a very open question.
