Wednesday, November 4, 2020

Stumped on this Meraki MX + strange ISP setup at a remote site with satellite broadband modem

Hello, I'm bouncing between ISP support and Meraki support and banging my head against the wall with this.

The ISP has Juniper gear with a HughesNet modem and has given x.x.x.84/30 to the setup. x.x.x.85 is the modem, x.x.x.86 is the usable IP for the firewall, and x.x.x.87 is the broadcast.

The LAN port on the modem hands out DHCP: IP x.x.x.86, gateway x.x.x.85, mask 255.255.255.252.

The WAN port on the Meraki is configured as dynamic, but it is showing some conflicting info: https://i.imgur.com/VaIrq9D.png . In one spot the WAN1 IP is showing as x.x.x.85, and the DDNS hostname of the Meraki also resolves to x.x.x.85, which is the modem or its default gateway. These should all be x.x.x.86.
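As an added example (not part of the original post), the sanity check below takes the DHCP lease the modem hands out and the address the dashboard or DDNS actually shows, and reports the inconsistencies described above: a /30 has exactly two usable hosts, the gateway must be one of them, and the address a firewall presents to the world should be the leased host address, not the gateway. The addresses are constructed stand-ins for the post's redacted x.x.x.84/30 (TEST-NET-3 range).

```python
import ipaddress

# Constructed values standing in for the post's redacted x.x.x.84/30 (TEST-NET-3 range).
LEASE = {"ip": "203.0.113.86", "gateway": "203.0.113.85", "mask": "255.255.255.252"}
OBSERVED_WAN_IP = "203.0.113.85"   # what the dashboard/DDNS showed in the post


def usable_hosts(ip, mask):
    """Return the usable host addresses of the subnet that ip/mask belongs to (2 for a /30)."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return [str(h) for h in net.hosts()]


def check_wan_lease(ip, gateway, mask, observed_wan_ip):
    """Return a list of finding codes for a DHCP lease handed to a firewall WAN port.

    An empty list means the lease and the externally observed address agree."""
    findings = []
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    ip_a = ipaddress.ip_address(ip)
    gw_a = ipaddress.ip_address(gateway)
    obs_a = ipaddress.ip_address(observed_wan_ip)

    # The network and broadcast addresses of a /30 are not assignable hosts.
    if ip_a in (net.network_address, net.broadcast_address):
        findings.append("LEASE_IP_NOT_USABLE")
    # The default gateway has to be reachable on-link, i.e. inside the same subnet.
    if gw_a not in net:
        findings.append("GATEWAY_OFF_SUBNET")
    if gw_a == ip_a:
        findings.append("GATEWAY_EQUALS_LEASE_IP")
    # The address other hosts see (dashboard, DDNS, remote clients) should be the leased host.
    if obs_a != ip_a:
        findings.append("OBSERVED_WAN_IP_MISMATCH")
        if obs_a == gw_a:
            # Seeing the gateway's address instead of the leased one points at the upstream device.
            findings.append("OBSERVED_WAN_IP_IS_GATEWAY")
    return findings


if __name__ == "__main__":
    print("usable hosts:", usable_hosts(LEASE["ip"], LEASE["mask"]))
    print("findings:", check_wan_lease(**LEASE, observed_wan_ip=OBSERVED_WAN_IP))
```

Run with the constructed values, it lists the two usable hosts (.85 and .86) and flags that the observed WAN address is the gateway rather than the leased host, which is the mismatch worth putting in front of the ISP in concrete terms.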

It does have connectivity, and I can reach its status page by IP at x.x.x.86 if I add my own public IP to the allow list. However, Meraki Client VPN is failing from any client. I've done some packet traces from my own Meraki, from this Meraki, and even one with the ISP on the modem while trying to connect. The one thing they all show is that the client reaches out on 500 and 4500; the Meraki responds on 500, but 4500 is unreachable: https://i.imgur.com/8cSYTxq.png (the .120 is my own public IP). According to the ISP, all ports are allowed/forwarded.
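As an added example (not from the post and not Meraki tooling), the script below does the comparison the author did by hand across three captures: it walks tcpdump-style summary lines, counts client-to-firewall packets on UDP 500 and 4500 and the firewall's replies, and records which device sent any "udp port N unreachable" ICMP. The capture lines are constructed; 198.51.100.120 stands in for the VPN client, 203.0.113.86 for the firewall WAN address and 203.0.113.85 for the upstream gateway. Which device actually emits the unreachable in the real setup is unknown, so the sample's choice of the gateway is an assumption; the point of recording the ICMP sender is exactly that it tells the firewall and an upstream device apart.

```python
import re

# Constructed tcpdump-style lines (not the post's real capture). The client, the firewall WAN
# address and the upstream gateway are TEST-NET stand-ins for the redacted addresses.
SAMPLE_CAPTURE = """\
10:15:01.001 IP 198.51.100.120.500 > 203.0.113.86.500: isakmp: parent_sa ikev2_init[I]
10:15:01.412 IP 203.0.113.86.500 > 198.51.100.120.500: isakmp: parent_sa ikev2_init[R]
10:15:01.450 IP 198.51.100.120.4500 > 203.0.113.86.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:15:01.460 IP 203.0.113.85 > 198.51.100.120: ICMP 203.0.113.86 udp port 4500 unreachable, length 36
10:15:03.450 IP 198.51.100.120.4500 > 203.0.113.86.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:15:03.460 IP 203.0.113.85 > 198.51.100.120: ICMP 203.0.113.86 udp port 4500 unreachable, length 36
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
# "IP src.sport > dst.dport:" as tcpdump prints UDP/TCP.
UDP_RE = re.compile(rf"IP {IPV4}\.(\d+) > {IPV4}\.(\d+):")
# "IP icmp_src > icmp_dst: ICMP orig_dst udp port N unreachable" as tcpdump prints type 3 code 3.
ICMP_UNREACH_RE = re.compile(rf"IP {IPV4} > {IPV4}: ICMP {IPV4} udp port (\d+) unreachable")


def summarize_ike_ports(capture, client_ip, server_ip, ports=(500, 4500)):
    """Per IKE/NAT-T port: packets the client sent, replies the server sent, and
    port-unreachable ICMPs (with the addresses that sent them)."""
    stats = {p: {"sent": 0, "replied": 0, "unreachable": 0, "unreachable_from": set()}
             for p in ports}
    for line in capture.splitlines():
        m = ICMP_UNREACH_RE.search(line)
        if m:
            icmp_src, icmp_dst, orig_dst, port = m.group(1), m.group(2), m.group(3), int(m.group(4))
            # Only count unreachables that quote the client's packet to the firewall.
            if icmp_dst == client_ip and orig_dst == server_ip and port in stats:
                stats[port]["unreachable"] += 1
                stats[port]["unreachable_from"].add(icmp_src)
            continue
        m = UDP_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if src == client_ip and dst == server_ip and dport in stats:
            stats[dport]["sent"] += 1
        elif src == server_ip and dst == client_ip and sport in stats:
            stats[sport]["replied"] += 1
    return stats


def unanswered_ports(stats):
    """Ports the client tried that never got a reply from the server."""
    return sorted(p for p, s in stats.items() if s["sent"] and not s["replied"])


if __name__ == "__main__":
    stats = summarize_ike_ports(SAMPLE_CAPTURE, "198.51.100.120", "203.0.113.86")
    for port, s in stats.items():
        print(port, s)
    print("unanswered:", unanswered_ports(stats))
```

On the sample this reports UDP 500 as sent and answered, UDP 4500 as sent twice with no reply and two unreachables from 203.0.113.85. Whether that ICMP sender is the firewall itself or something upstream is the fact worth establishing before anyone proposes moving the IPsec port, since a NAT-T negotiation that reaches the firewall on 500 but never on 4500 behaves exactly like the failure in the post.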

One other strange thing is that the Meraki is doing ARP requests for its own IP with "tell 0.0.0.0": https://i.imgur.com/0gyCMUc.png which may have to do with the weird ISP setup.
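For readers wondering about that ARP form: a request "who-has X tell 0.0.0.0" is the ARP Probe defined in RFC 5227 (sender IP 0.0.0.0, target IP X), which a host sends before claiming a DHCP-offered address to check that nothing else is using it; a reply for X while the probe is outstanding is what signals an address conflict. As an added example (not from the post), the classifier below sorts tcpdump-style ARP lines into probes, gratuitous announcements and ordinary requests, and reports any probed address that something else answered for. The capture lines and MAC addresses are constructed, with 203.0.113.86 standing in for the redacted firewall address.

```python
import re

# Constructed tcpdump-style ARP lines (not the post's capture); addresses are TEST-NET stand-ins.
SAMPLE_ARP = """\
10:16:00.100 ARP, Request who-has 203.0.113.86 tell 0.0.0.0, length 28
10:16:00.350 ARP, Request who-has 203.0.113.86 tell 0.0.0.0, length 28
10:16:00.600 ARP, Request who-has 203.0.113.86 tell 203.0.113.86, length 28
10:16:01.000 ARP, Request who-has 203.0.113.85 tell 203.0.113.86, length 28
10:16:01.004 ARP, Reply 203.0.113.85 is-at 02:00:00:00:00:85, length 28
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
ARP_REQ_RE = re.compile(rf"ARP, Request who-has {IPV4} tell {IPV4}")
ARP_REPLY_RE = re.compile(rf"ARP, Reply {IPV4} is-at ([0-9a-f:]{{17}})")


def classify_arp_request(line):
    """Return 'probe', 'announcement' or 'request' for an ARP request line, else None."""
    m = ARP_REQ_RE.search(line)
    if not m:
        return None
    target, sender = m.groups()
    if sender == "0.0.0.0":
        return "probe"          # RFC 5227 ARP Probe: "is anyone already using target?"
    if sender == target:
        return "announcement"   # gratuitous ARP: host announcing its own address
    return "request"            # ordinary resolution of another host's MAC


def probe_conflicts(capture):
    """Map each probed address to the MACs that replied for it.

    Per RFC 5227, any reply for an address a host is probing means someone else holds it."""
    probed = set()
    conflicts = {}
    for line in capture.splitlines():
        m = ARP_REQ_RE.search(line)
        if m and m.group(2) == "0.0.0.0":
            probed.add(m.group(1))
            continue
        m = ARP_REPLY_RE.search(line)
        if m and m.group(1) in probed:
            conflicts.setdefault(m.group(1), set()).add(m.group(2))
    return conflicts


def arp_summary(capture):
    """Count request kinds across a capture."""
    counts = {"probe": 0, "announcement": 0, "request": 0}
    for line in capture.splitlines():
        kind = classify_arp_request(line)
        if kind:
            counts[kind] += 1
    return counts


if __name__ == "__main__":
    print(arp_summary(SAMPLE_ARP))
    print("conflicts:", probe_conflicts(SAMPLE_ARP))
```

On the sample the probes for 203.0.113.86 go unanswered and the only reply is for the gateway, so no conflict is reported; probes alone are normal duplicate-address detection on a freshly leased WAN address, and only a reply for the probed address would point at two devices claiming the same IP.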

I think all the pieces are here, but some of this is just beyond me to figure out what specifically to tell the ISP. I'm fairly certain it has to do with their setup: we have dozens of Merakis, including several at remote locations like this with satellite or LTE modems that have a dynamic WAN IP with a public address, but they are usually on a /29 or /28, not a /30. The ISP has not been helpful and at one point asked if we could change the IPsec port to something else. Meraki support hasn't been great either; the support rep had literally never seen a dynamic port with a public IP and said they couldn't help unless we plugged a Windows computer into the modem and showed them the IP it got.
