WireGuard behind CGNAT 5G Connection (T-Mobile 5G Business Internet)
My parents have T-Mobile 5G Business Internet which from my understanding uses CGNAT.
It is able to make a wireguard connection to my home, and some data is able to transfer between networks, but some websites and applications just won't work.
I can't seem to pinpoint why this is happening since there aren't many debugging options within FWG (at least as far as I've found). Is someone able to help me figure this out?
Since we have a business account with T-Mobile, I do have access to their US based engineers who can make adjustments, but I'm not sure where to start.
History of this:
- T-Mobile 5G Home/Residential - This did NOT work; due to CGNAT, no VPN connection could be made
- T-Mobile 5G Business with Static IP - This worked without issue, as paying for the static IP means we are not behind CGNAT
- NOW: T-Mobile 5G Business without Static IP - This is using the same modem model as the original residential internet, but supposedly the service is different. As I mentioned, we're able to make the VPN connection, and I can publicly check my IP to make sure it's being routed correctly (which it is), but then sites like gmail.com don't work, or iMessages don't seem to pass through.
Is anyone at Firewalla able to help me identify the issue here? Online I read it could be related to the SSL Cipher, and that changing the MTU for WG may help, but it doesn't seem like this can be done in the WG config, especially when it's set up automatically as a site to site VPN.
-
....which from my understanding uses CGNAT.
Usually CGNAT IPs start with 100.x
It is able to make a wireguard connection to my home, and some data is able to transfer between networks, but some websites and applications just won't work.
CGNAT has no bearing on outbound connections, only the ability to connect to them. You do not need a static IP, just a public one.
NOW: T-Mobile 5G Business without Static IP - This is using the same modem model as the original residential internet, but supposedly the service is different. As I mentioned, we're able to make the VPN connection, and I can publicly check my IP to make sure it's being routed correctly (which it is), but then sites like gmail.com don't work, or iMessages don't seem to pass through.
Is this a public IP using DHCP? It should work fine as a VPN Server.
What are your objectives? Are you trying to connect from one Firewalla to another? Or just from a device (e.g. laptop) home? Are you trying to put all traffic over the VPN connection or just connect to your specific devices?
-
So far, it doesn't support changing MTU for site-to-site VPN in the UI. It's on our to-do list.
What if you use the WireGuard App to connect from your parents' home (bypass Firewalla Site-to-Site VPN)? MTU can be changed in the WireGuard client App. If you would like to test MTU, here is a guide to help. https://help.firewalla.com/hc/en-us/articles/19570500078995-Change-MTU-to-Establish-a-VPN-Connection
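The symptom described in this thread (tunnel comes up, the public IP check passes, but TLS-heavy sites such as gmail.com and services like iMessage stall) is the classic signature of encrypted packets exceeding the path MTU of the 5G link and being dropped rather than fragmented; small packets get through, full-size ones do not. The script below is an added example, not Firewalla's code and not posted by anyone in the thread. It probes the path MTU toward the WireGuard endpoint with don't-fragment pings (Linux iputils `ping -M do` syntax is assumed; IPv4 probing only) and derives the `MTU =` value to place in the client's `[Interface]` section, which is the wg-quick key the WireGuard app edits. The hostname argument and the assumed lower bound of 1200 bytes of payload are the script's own assumptions.

```shell
#!/bin/sh
# Added example for this thread (not Firewalla's code and not from any poster).
# Finds the path MTU of the underlying link and the MTU to set on the
# WireGuard interface so encrypted packets never exceed it.
#
# Per-packet overhead WireGuard adds on the wire (its documented framing):
#   outer IPv4 header 20 (or IPv6 40) + UDP 8 + WireGuard transport 32
#   (4 type/reserved + 4 receiver index + 8 counter + 16 Poly1305 tag)

# wg_mtu PATH_MTU [4|6]
# Prints the largest tunnel MTU whose encrypted packets still fit PATH_MTU
# when the endpoint is reached over IPv4 (default) or IPv6.
wg_mtu() {
    path_mtu=$1
    if [ "${2:-4}" = 6 ]; then
        overhead=80
    else
        overhead=60
    fi
    echo $((path_mtu - overhead))
}

# wg_mtu_line PATH_MTU [4|6]
# Prints the line to add under [Interface] in the WireGuard client config.
wg_mtu_line() {
    echo "MTU = $(wg_mtu "$1" "${2:-4}")"
}

# df_ping HOST PAYLOAD
# One IPv4 echo request with the don't-fragment bit set; succeeds only if a
# packet of PAYLOAD+28 bytes crosses the path unfragmented.
# Linux iputils syntax; on macOS replace "-M do" with "-D".
df_ping() {
    ping -4 -c 1 -W 1 -M do -s "$2" "$1" >/dev/null 2>&1
}

# probe_path_mtu HOST [MAX_PAYLOAD]
# Binary-searches the largest payload that passes, then adds 28
# (IPv4 20 + ICMP 8) to report the path MTU in bytes.
# Assumes (example assumption) that a 1200-byte payload passes.
probe_path_mtu() {
    host=$1
    hi=${2:-1472}   # 1472 + 28 = 1500, the usual Ethernet MTU
    lo=1200

    if ! df_ping "$host" "$lo"; then
        echo "path MTU below $((lo + 28)) or host unreachable" >&2
        return 1
    fi
    if df_ping "$host" "$hi"; then
        echo $((hi + 28))
        return 0
    fi
    # Invariant from here: lo passes, hi fails.
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(((lo + hi) / 2))
        if df_ping "$host" "$mid"; then lo=$mid; else hi=$mid; fi
    done
    echo $((lo + 28))
}

# Usage: sh wg_mtu.sh <vpn-server-host> [4|6]
# Run from the client side (the parents' network) against the WireGuard
# endpoint; prints the discovered path MTU and the config line to use.
if [ $# -ge 1 ]; then
    pmtu=$(probe_path_mtu "$1") || exit 1
    echo "path MTU to $1: $pmtu"
    wg_mtu_line "$pmtu" "${2:-4}"
fi
```

Pick the IPv6 overhead if the WireGuard endpoint is an IPv6 address; otherwise the IPv4 value applies. If the probe reports a path MTU below 1500, the tunnel MTU the script prints is the one to try first in the WireGuard app, and the same value is what to hand to support for the site-to-site configuration once it is confirmed working.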
-
Thanks for the responses.
To be clear, I'm not trying to host anything or accept incoming connections on the T-Mobile ISP connection. I'm simply trying to connect TO another WG VPN Server (which works fine and works well).
As I mentioned, it does make the connection, but seems to drop it and reconnect quite a bit, and while it's connected I can't seem to get all data through. It's super odd. On the T-Mobile Residential setup I couldn't connect to any WG servers (outgoing) from my devices or from the Firewalla itself.
I may have to do some more testing when I'm onsite there this weekend.
-
When it's confirmed to work with a specific MTU, please share the value and remote access of your parents' box. Our engineer can help you change the MTU on the box.
Here is a guide to enable remote support: Tutorial: Remote support. You may include this post link so our engineer can quickly understand the background.