I have a WireGuard VPN set up for a friend where they can remotely connect to access Frigate and I can remotely connect to fix things when needed. They are considering switching to T-Mobile Business as their ISP since Spectrum is screwing them on price, T-Mobile's minimum is twice as fast as Spectrum while still being a lower price, and AT&T can't be convinced their small business isn't a residential duplex or an apartment.

T-Mobile offers the Inseego FX4100 gateway, which does have an IP passthrough option, so my question becomes: will that work to WireGuard in with their current router/firewall solution hosting the other end of that and just passing packets through the Inseego, or is that just not possible without Tailscale due to CGNAT?
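A quick check of the question above, added here as an example and not part of the original post: in passthrough mode the gateway hands the firewall a WAN address, and if that address sits in 100.64.0.0/10 (the RFC 6598 shared address space carriers use for CGNAT), or differs from the address the rest of the Internet sees for the connection, a WireGuard listener on the firewall will never receive inbound handshakes. The addresses in the script are constructed for illustration; on the real box the WAN address comes from the firewall's WAN interface and the observed address from something like `curl -4 -s https://ifconfig.me`.

```shell
#!/bin/sh
# Added example: classify the WAN address a gateway hands a firewall in
# IP-passthrough mode and decide whether an inbound WireGuard listener can work.
# All sample addresses below are constructed for this example.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
# Prints nothing and returns 1 on malformed input.
ip_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NETWORK PREFIXLEN -> exit 0 when ADDR lies inside NETWORK/PREFIXLEN
in_cidr() {
    a=$(ip_to_int "$1") || return 1
    n=$(ip_to_int "$2") || return 1
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( a & mask )) -eq $(( n & mask )) ]
}

# classify_wan_ip ADDR -> prints cgnat, private or public
classify_wan_ip() {
    if in_cidr "$1" 100.64.0.0 10; then
        echo cgnat                       # RFC 6598 shared space: carrier-grade NAT
    elif in_cidr "$1" 10.0.0.0 8 || in_cidr "$1" 172.16.0.0 12 || in_cidr "$1" 192.168.0.0 16; then
        echo private                     # RFC 1918: gateway is still NATing, no passthrough
    else
        echo public
    fi
}

# inbound_reachable WAN_ADDR OBSERVED_ADDR -> exit 0 only when the firewall holds
# a public address AND it is the same address the Internet sees, i.e. no NAT layer
# sits between the firewall and the Internet.
inbound_reachable() {
    [ "$(classify_wan_ip "$1")" = public ] && [ "$1" = "$2" ]
}

# Constructed values: what the gateway handed the firewall vs. what an external
# "what is my IP" service reported for the same connection.
WAN_ADDR=100.74.12.9
OBSERVED_ADDR=203.0.113.7
if inbound_reachable "$WAN_ADDR" "$OBSERVED_ADDR"; then
    echo "WAN $WAN_ADDR is public and Internet-facing: a WireGuard listener here will work"
else
    echo "WAN $WAN_ADDR is $(classify_wan_ip "$WAN_ADDR"); inbound handshakes will not arrive (CGNAT or double NAT)"
fi
```

If the check reports `cgnat`, no amount of port forwarding on the gateway helps, because the NAT that drops the inbound packet belongs to the carrier, not to the Inseego; the options are then a static/public IP from the ISP or a relay that both ends dial out to.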

  • manwichmakesameal@lemmy.world · 4 points · 3 days ago

    Another solution I don’t see mentioned (yet) is have both ends connect to a VPS running your WG endpoint. Then both sides only have to have egress ability, nothing coming in, no CGNAT to worry about.

  • ShellMonkey@piefed.socdojo.com · 4 points · 3 days ago

    If only one side is behind a NAT then so long as that one initiates the tunnel it should work fine. NAT only really is a problem on the inbound side.

    • muusemuuse@sh.itjust.works (OP) · 0 points · 3 days ago

      The firewalla is set up to wait for and respond to WireGuard tunnel requests and we like that as it is. We want to keep using that. We just don’t know if T-Mobile will fuck that up.

      • ShellMonkey@piefed.socdojo.com · 2 points · 3 days ago

        Right, and if both sides have their publicly routable IPs on their respective firewalls it'll work. If one gets put behind a NAT of some sort then it would be able to speak outward, but would require specific packet routing inward (port forwarding) to have someone connect in. Stateful sessions will be fine so long as the one inside a NAT is the initiator.
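The relay layout manwichmakesameal suggests above, combined with ShellMonkey's point that the NATed side must be the initiator and must keep its stateful session alive, as an added example (not configuration from the thread or from Firewalla). Both sites dial out to a small VPS that holds the only `ListenPort`; neither site needs an inbound port, so CGNAT at either site is irrelevant. Shown as generic wg-quick files; the hostname `vps.example.com`, the tunnel range `10.200.0.0/24`, the site LAN `192.168.10.0/24` and the key placeholders are all assumptions.

```ini
# --- VPS hub: /etc/wireguard/wg0.conf (added example, assumed names/ranges) ---
[Interface]
Address = 10.200.0.1/24
ListenPort = 51820               # the one and only inbound port in the whole design
PrivateKey = <hub-private-key>
# The hub forwards between spokes, so enable net.ipv4.ip_forward=1 on the VPS.

[Peer]
# Site A: friend's site behind the Inseego/T-Mobile, hosts Frigate
PublicKey = <siteA-public-key>
AllowedIPs = 10.200.0.2/32, 192.168.10.0/24   # site A LAN is reachable only via site A

[Peer]
# Site B: the remote admin end
PublicKey = <siteB-public-key>
AllowedIPs = 10.200.0.3/32

# --- Site A (behind CGNAT): wg0.conf -----------------------------------------
[Interface]
Address = 10.200.0.2/24
PrivateKey = <siteA-private-key>
# Deliberately no ListenPort: this side only dials out, so CGNAT does not matter.
# Forwarding must be on here too so tunnel traffic can reach the Frigate LAN.

[Peer]
PublicKey = <hub-public-key>
Endpoint = vps.example.com:51820
AllowedIPs = 10.200.0.0/24
PersistentKeepalive = 25     # keep the carrier NAT mapping open so the hub can send back

# --- Site B (remote admin): wg0.conf -----------------------------------------
[Interface]
Address = 10.200.0.3/24
PrivateKey = <siteB-private-key>

[Peer]
PublicKey = <hub-public-key>
Endpoint = vps.example.com:51820
AllowedIPs = 10.200.0.0/24, 192.168.10.0/24   # route the Frigate LAN through the hub
PersistentKeepalive = 25
```

The keepalive is the piece that makes the "initiator inside the NAT" model hold up: without it the carrier's state entry for the UDP flow times out after a period of silence and the hub's packets toward site A are dropped until site A sends again. Keep `AllowedIPs` on the hub as tight as shown; it is WireGuard's routing table and its per-peer source filter, so a peer can only inject packets for the ranges listed against its own key.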

  • Spider Jerusalem@lemmy.ml · 2 points · 3 days ago

    ISP may offer a static IP, and/or help bypassing CGNAT if either are useful. I've done it for a 5G failover with VPN, with the gateway in passthrough, and a firewall behind it. At a glance, it looks like the FX4100 supports all of this.

    • muusemuuse@sh.itjust.works (OP) · 2 points · 3 days ago

      It seems they do offer a static IP. I don't mind if the IP changes, we already have DDNS up and running fine. It's more of a concern with CGNAT wrecking the VPN.

      • Spider Jerusalem@lemmy.ml · 1 point · 3 days ago

        This was years ago - but I feel like the solution for CGNAT at the time required a static, and we also implemented DDNS for their TLD. It definitely wasn’t T-Mobile. It took some time to find someone at the mobile ISP who understood what we needed, and what options existed.