PFSense, T-Mobile Home Internet, CGNat, and Tailscale

New to CGNAT and overlay networks like tailscale.

I set up a remote network with a T-Mobile Home Internet service which is configured as WAN1 on my PFSense Netgate 2100 firewall router. Trying to at least get connected remotely to the pfsense web UI.

A few days ago when I was at the site, I seemed to have remote capabilities when I used my android mobile hotspot and was able to access pfsense on its internal IP address. The WiFi on my laptop was connected to my hotspot.

I have installed the latest Tailscale package into PFSense with a non-reusable key and advertising the local route. Also, it is enabled.

Yesterday I got a notification that pfsense had rebooted although I don’t know why. But I know it is on and basically running. Movies are being streamed and everyone is delighted.

I can tailscale ping and I get a series of connections, but at the bottom it shows direct connection not established. My understanding is that I will get DERP if there is no direct connection. But I cannot connect to pfsense with http/https, etc.

# tailscale ping 192.168.1.1
pong from pfsense-2100 (100.XXX.XX.XX) via DERP(dfw) in 292ms
pong from pfsense-2100 (100.XXX.XX.XX) via DERP(dfw) in 376ms
pong from pfsense-2100 (100.XXX.XX.XX) via DERP(dfw) in 99ms
pong from pfsense-2100 (100.XXX.XX.XX) via DERP(dfw) in 139ms
pong from pfsense-2100 (100.XXX.XX.XX) via DERP(dfw) in 100ms
pong from pfsense-2100 (100.XXX.XX.XX) via DERP(dfw) in 139ms
pong from pfsense-2100 (100.XXX.XX.XX) via DERP(dfw) in 100ms
pong from pfsense-2100 (100.XXX.XX.XX) via DERP(dfw) in 147ms
pong from pfsense-2100 (100.XXX.XX.XX) via DERP(dfw) in 286ms
pong from pfsense-2100 (100.XXX.XX.XX) via DERP(dfw) in 105ms
direct connection not established

When I execute a normal ping I get nothing, then a timeout.

In the Machines tab of tailscale it shows a green dot indicating that it is connected and working.

Also, from my local home Ubuntu laptop, I get the following:

# tailscale status
100.XXX.XXX.39   mylaptop             chris@       linux   -
100.XXX.XXX.43   pfsense-2100         chris@       freebsd active; relay "dfw", tx 80576 rx 36808
sudo tailscale netcheck
Report:
        * UDP: true
        * IPv4: yes, XXX.XXX.XXX.XXX:53507
        * IPv6: no, but OS has support
        * MappingVariesByDestIP: true
        * HairPinning: false
        * PortMapping: 
        * Nearest DERP: San Francisco
        * DERP latency:
                - sfo: 7.4ms   (San Francisco)
                - lax: 16.2ms  (Los Angeles)
                - sea: 26.2ms  (Seattle)
                - den: 32ms    (Denver)
                - dfw: 49.9ms  (Dallas)
                - ord: 55.9ms  (Chicago)
                - hnl: 58.4ms  (Honolulu)
                - tor: 71.1ms  (Toronto)
                - nyc: 73.3ms  (New York City)
                - mia: 75.3ms  (Miami)
                - tok: 111ms   (Tokyo)
                - lhr: 139.5ms (London)
                - par: 146.1ms (Paris)
                - ams: 148.4ms (Amsterdam)
                - fra: 155.7ms (Frankfurt)
                - mad: 155.9ms (Madrid)
                - hkg: 160ms   (Hong Kong)
                - waw: 166.2ms (Warsaw)
                - sin: 179.2ms (Singapore)
                - syd: 180.7ms (Sydney)
                - sao: 185.7ms (São Paulo)
                - blr:         (Bangalore)
                - jnb:         (Johannesburg)
                - dbi:         (Dubai)

Any tips appreciated. Thanks.

Disappointed in a lack of response.

Is this topic issue:

  • Redundant?
  • So obvious, does not deserve a response?
  • Too esoteric?
  • Poorly described?
  • Tragically hopeless?

Oh well. I’ll keep searching.

My problem is solved…

After much research into CGNAT and possible issues with T-Mobile’s version of that, I asked a local person to switch the 2 WAN devices so that instead of T-Mobile as the primary/tier1 WAN, I now had Starlink as the primary/tier1 WAN. Sadly this resulted in almost no change, but it did indicate that the problem was not with T-Mobile.

I have the tailscale service running on my Ubuntu laptop, on my android phone, on my local pfsense, and the remote pfsense. Tailscale on both of the pfsense firewalls was installed via the new tailscale package.

Finally I started looking at other options and so I looked at the Access Controls. I was under the impression that these rules were, by default, wide open. As I am the only user for now, I did not even really look at it. I noticed my account email was referenced as well as the ip address of my local pfsense (which I CAN access through tailscale). I added references, similar to my local pfsense, to my remote pfsense, and… Sail on, sail on, sailor (nod to the Beach Boys)

To future noobs, THE ACCESS CONTROLS ARE NOT WIDE OPEN. So if you add any other machines, you’ll likely have to edit the Access Controls.

So I’m guessing this post was in the category of: So obvious, does not deserve a response?
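As an added illustration of the access-control point in the thread (example code written for this page, not Tailscale's policy engine, the pfSense package, or the poster's own policy), the following Python models the part of a Tailscale ACL that matters here: a list of accept-only rules with default deny, where each rule names who may connect (`src`) and what they may reach (`dst` as `host:port`). It evaluates two constructed policies, one that only references the local firewall, as the thread describes, and one that also references the remote firewall and the subnet route it advertises, against an HTTPS flow from the laptop. All addresses and the login are placeholders chosen for the example; Tailscale's real policy language adds groups, tags, autogroups and more that this model leaves out. Note that a relay-level `tailscale ping` reaching the peer says nothing about whether the policy permits the application flow, which is exactly the gap the model checks.

```python
"""Simplified model of Tailscale-style ACL evaluation.

Added example, not Tailscale's code. Rules are an allowlist: a flow is
permitted only if some {"action": "accept"} rule matches both its source
(user login, IP/CIDR or "*") and its destination ("host:port", where host
is an IP/CIDR or "*" and port is "*", a number, a range or a comma list).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_user: str   # login of the user who owns the source node
    src_ip: str     # tailnet address of the source node
    dst_ip: str     # tailnet address, or an address behind an advertised route
    dst_port: int


def _ip_matches(ip: str, selector: str) -> bool:
    """True if selector is "*" or an IP/CIDR containing ip (IPv4 in this model)."""
    if selector == "*":
        return True
    try:
        net = ipaddress.ip_network(selector, strict=False)
    except ValueError:   # selector is a login or something else, not an address
        return False
    return ipaddress.ip_address(ip) in net


def _src_matches(flow: Flow, selector: str) -> bool:
    return selector in ("*", flow.src_user) or _ip_matches(flow.src_ip, selector)


def _port_matches(port: int, spec: str) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return port == int(spec)


def _dst_matches(flow: Flow, selector: str) -> bool:
    host, sep, ports = selector.rpartition(":")
    if not sep or not host:
        return False   # a dst without a port part never matches
    return _ip_matches(flow.dst_ip, host) and any(
        _port_matches(flow.dst_port, p) for p in ports.split(","))


def is_allowed(policy: dict, flow: Flow) -> bool:
    """Default deny: the flow passes only if an accept rule matches src and dst."""
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue   # accept is the only action this model understands
        if any(_src_matches(flow, s) for s in rule["src"]) and \
                any(_dst_matches(flow, d) for d in rule["dst"]):
            return True
    return False


# Constructed placeholders (not values from the thread): login, tailnet
# addresses in the 100.64.0.0/10 range Tailscale uses, and the LAN route
# the remote firewall advertises.
ME = "chris@example.com"
LAPTOP = "100.64.0.39"
LOCAL_PFSENSE = "100.64.0.10"
REMOTE_PFSENSE = "100.64.0.43"
REMOTE_LAN = "192.168.1.0/24"

# Policy as the thread describes it before the fix: only the local firewall is listed.
POLICY_BEFORE = {"acls": [
    {"action": "accept", "src": [ME], "dst": [f"{LOCAL_PFSENSE}:*"]},
]}

# Policy after adding the remote firewall and its advertised subnet.
POLICY_AFTER = {"acls": [
    {"action": "accept", "src": [ME],
     "dst": [f"{LOCAL_PFSENSE}:*", f"{REMOTE_PFSENSE}:*", f"{REMOTE_LAN}:*"]},
]}


def check_remote_webui(policy: dict) -> tuple:
    """HTTPS from the laptop to the remote firewall, by its tailnet address
    and by its LAN address through the subnet route. Returns (direct, routed)."""
    direct = Flow(ME, LAPTOP, REMOTE_PFSENSE, 443)
    routed = Flow(ME, LAPTOP, "192.168.1.1", 443)
    return is_allowed(policy, direct), is_allowed(policy, routed)


if __name__ == "__main__":
    print("before:", check_remote_webui(POLICY_BEFORE))   # (False, False)
    print("after: ", check_remote_webui(POLICY_AFTER))    # (True, True)
```

The routed check matters when the web UI is reached by its LAN address rather than its tailnet address: the advertised `192.168.1.0/24` route still has to appear as a `dst` in some rule, or the subnet router forwards nothing. A single wide-open rule (`"src": ["*"], "dst": ["*:*"]`) is what makes every node reachable; once a narrower policy exists, every new machine needs its own entry, which is the lesson the thread ends on.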