11 Dec 2022

Starlink with Meraki SD-WAN

Customers using Starlink can run into issues using Meraki SD-WAN if they use 192.168.1.0/24.

The Starlink router uses 192.168.1.0/24 for the local LAN subnet.

If your office uses 192.168.1.0/24 as well, this will cause issues for SD-WAN and VPN traffic.


Prior to version 15.44 you could have the WAN subnet the same as a subnet on the SD-WAN; the route on the SD-WAN took preference.

After 15.44 the traffic would go out of the WAN port and get lost.

This issue was fixed again in 18.0.2 but requires Meraki support to do a back-end fix.

The best solution would be to change the WAN subnet to a different range but this has been impossible.

I recently had a Starlink at my office and with the help of support, there is a solution now.

Starlink allows you to bypass the modem, but you must have the Ethernet adapter.


======================================================

To bypass the router, go to the App home page > Settings > Advanced

Starlink App version must be at least 2.0.19 to work

Toggle the button on to bypass the Starlink router.

This allows you to completely disable the Starlink Wifi Router.

You would need to utilize a Starlink ethernet adapter in order to plug in your own equipment.

While Bypass mode is enabled, router commands will not work.

If the toggle switch does not appear in the Settings tab, you can factory reset the router and/or delete and re-download the app.

App message in red text when Bypass is enabled: "Bypass Mode will completely disable the built-in Starlink Wifi router. This is an advanced feature that requires a Starlink Ethernet adapter and your own network equipment. A manual Factory reset will be required to reverse this."

==========================================================


As an interesting aside, my voice MOS scores changed from 4.4 to 4.2 when using Starlink, and packet loss was about 1%.







How to change the Starlink subnet.

27 Oct 2022

Exchange Online Basic Auth Deprecation



Estimated start time: October 25, 2022 11:00 AM
Affected services: Exchange Online
User impact: If action is not taken, users with Basic Authentication enabled for the affected protocols will be unable to sign in.
Action needed:

Today, we started to disable basic authentication for any protocol not opted-out prior to September 30, 2022.

For more information see the “Basic Authentication in Exchange Online - 7 Day Notice” notification in Message Center.

If you need to re-enable a protocol, you can do so once by following the process here.

Additional diagnostics

Please verify your clients are using clients configured with Modern Authentication.

Outlook 2013 – Office 2013 client applications utilize legacy authentication by default. Users may need to update their registry to fully enable Modern Authentication. Please reference this document for more information.

Exchange ActiveSync – Users may need to remove and re-add their account to fully switch to Modern Authentication on mobile devices using EAS protocol.

POP/IMAP clients – If your POP/IMAP clients or apps are unable to connect, you might need to change your email client to one that supports Modern Authentication (Outlook does not support Modern Authentication for POP/IMAP accounts), or switch to Outlook on the web. You can use your browser and access Outlook on the web via https://outlook.office.com.

19 Aug 2022

Blocking ICMP

DON'T BLOCK ICMP (maybe rate limit!)


Since setting up IPv6 networks, ICMP has become more important.

Most IPv6 test sites test ICMP connectivity.

ipv6 test


I have found this one to be very important

ICMPv6 Packet Too Big (Type 2, Code 0)

This is essential for path MTU discovery.


IPv6 routers do not fragment packets like IPv4 routers did; they just send back Packet Too Big and the sender needs to adjust. These messages need to get back to the sender!


Also, IPv4 used ARP for Layer 2 to Layer 3 mappings.

But IPv6 uses ICMPv6 for:

Router Solicitation (RS) (Type 133, Code 0)
Router Advertisement (RA) (Type 134, Code 0)
Neighbor Solicitation (NS) (Type 135, Code 0)
Neighbor Advertisement (NA) (Type 136, Code 0)
Redirect (Type 137, Code 0)

These should be permitted in the network but not outside.


I have found a great source of information here

 Should I block ICMP
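
The policy described in this post, as an added example in Python (not part of the original post): Packet Too Big is accepted from any direction but rate limited, and the Neighbor Discovery types 133-137 are accepted only from the local link. The zone names, the token-bucket limits and the hop-limit 255 check (RFC 4861 requires Neighbor Discovery senders to use 255) are assumptions of this example, and the sample packets are constructed.

```python
import struct

PACKET_TOO_BIG = 2  # ICMPv6 Type 2, Code 0
NDP_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}

def build_packet(icmp_type, hop_limit, word=0):
    """Constructed sample input: IPv6 header (40 bytes) + ICMPv6 header (8 bytes)."""
    ipv6 = struct.pack("!IHBB", 6 << 28, 8, 58, hop_limit) + bytes(32)
    return ipv6 + struct.pack("!BBHI", icmp_type, 0, 0, word)

def parse(packet):
    """Return (icmp_type, hop_limit, word); assumes no IPv6 extension headers."""
    if len(packet) < 48 or packet[0] >> 4 != 6 or packet[6] != 58:
        raise ValueError("not an IPv6 packet carrying ICMPv6")
    icmp_type, _code, _cksum, word = struct.unpack("!BBHI", packet[40:48])
    return icmp_type, packet[7], word  # for Packet Too Big, word is the MTU

class TokenBucket:
    """Rate limit instead of block: `rate` packets per second, bursts up to `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def decide(packet, zone, bucket, now):
    """zone is 'lan' (same link as the hosts) or 'wan' (arriving from outside)."""
    icmp_type, hop_limit, _mtu = parse(packet)
    if icmp_type == PACKET_TOO_BIG:
        # Must get back to the sender from any router on the path.
        return "accept" if bucket.allow(now) else "drop (rate limit)"
    if icmp_type in NDP_TYPES:
        # Neighbor Discovery is on-link only: a hop limit below 255 means the
        # packet has crossed a router and did not originate on this link.
        if zone == "lan" and hop_limit == 255:
            return "accept"
        return "drop"
    return "other rules"  # echo, errors etc. are left to the rest of the policy
```
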



27 Jul 2022

UBB Bridge Link Firmware Upgrade


SSH to 192.168.1.20 (default)

Username: ubnt

Password: ubnt


firmware

  https://www.ui.com/download/unifi/unifi-building-building-bridge



Should be

upgrade http://fw-download.ubnt.com/data/unifi-firmware/3134-UBB-2.1.3-2094415b625d477983f2a648b8


Manual Way

wget -O /tmp/fwupdate.bin http://fw-download.ubnt.com/data/unifi-firmware/3134-UBB-2.1.3-2094415b625d477983f2a648b8

syswrapper.sh upgrade2




Default IP

Edit the file /etc/udhcpc/udhcpc

UDHCPC_FALLBACK_IP="192.168.1.20"
UDHCPC_FALLBACK_NETMASK="255.255.255.0"



Unifi L3 Adoption with DHCP Option 43 on pfSense, Mikrotik and others - tcpip.wtf



http://unifi:8080/inform

16 Jan 2022

MS Update Breaks L2TP VPN (Including Meraki using the built-in client)

UPDATE 18/1/2022

Microsoft has released a fix for the update that broke the Windows native client for Meraki Client VPN.


You must be running the latest Windows 10 21H2.

Check and update here for Windows 10:

Update Windows 10


The update that fixes the problem is:

Windows 10 - KB5010793

Windows 11 - KB5010795


Run Windows Update and it will appear under optional downloads.


OR


Download the patch from here: Microsoft Update Catalog (Windows 10)

Download the patch from here: Microsoft Update Catalog (Windows 11)


=====================================================================

Microsoft released updates on 11 Jan 2022:

KB5009566 (Windows 11)

KB5009543 (Windows 10)

This update breaks Meraki Client VPN.

You need to uninstall it to fix the VPN.

MS confirmed today they will fix it in an upcoming update (but it may take 2 weeks).

When you uninstall this update you then need to pause updates for 14 days to stop it reinstalling.


Open a command prompt as Administrator

then on

Windows 10:

wusa /uninstall /kb:5009543

or
Windows 11: 

wusa /uninstall /kb:5009566