I’ve got an InvisaGig (Gen 1) running 1.0.14. It is using a T-Mobile business SIM which uses CGNAT. Outbound is great, but attempting to access services inside of the main firewall is a no-go due to CGNAT.
I recognize that I could install a tailscale node inside of the network, I’ve done that before and it works. I’m trying to avoid it though and instead make use of the tailscale functionality integrated into the InvisaGig.
I know that we can set up a node to be able to access the modem’s UI, that’s fine and dandy. What I want to do though is hit https://tailscale-address-to-the-IG/ and have that forward to my firewall and let the firewall’s NAT take it from there, just like it does for connections to the primary cable internet’s IP.
I believe I need subnet routing through Tailscale, but that’s outside of my limited experience.
Does the InvisaGig have what we need here? Recommendations are appreciated!
As this is a business SIM, the simplest option would be to request the static IPv4 add-on from T-Mobile and ensure you have IP Passthrough enabled for the MAC of the WAN interface the IG connects to on your firewall/router. This is usually a low cost option which will remove CGNAT and doesn’t involve additional routing configuration with Tailscale. If you go this route, just be sure to ask for the closest regional routing to your use address. By default this is the billing address on file for your account unless you update the line details with a different address. This ensures the lowest possible latency when using the static IPv4 add-on with T-Mobile Business SIMs.
If you want to accomplish this using Tailscale instead of requesting the static IPv4 for your T-Mobile Business SIM, you are correct that for a single touchpoint into the rest of the local network you would need subnet routing functionality configured on a Tailscale node inside your LAN. While the IG currently offers Exit Node functionality (using a defined exit node on your Tailnet, or functioning as an exit node on your Tailnet), it does not currently offer the ability to act as a subnet router itself on your Tailnet.
As the core function of the IG is to provide a high speed Internet connection for any network, the lack of subnet routing functionality is by design at this time to ensure you achieve the fastest speeds and lowest latency possible. Because routing is resource intensive, IG users will achieve the best experience leveraging the ample processing power of a dedicated routing device. It is also worth noting that bypassing CGNAT using Tailscale leverages the use of DERP servers under Tailscale control which have variable latency (+50-200ms) and limited throughput (10-50Mbps average, but can be throttled lower under heavy user load on occasion). Tailscale connections that must traverse DERP are generally best reserved for low bandwidth applications where higher latency variability is also not a concern.
If your firewall supports OpenVPN or WireGuard client functionality, you can use this in conjunction with a cloud server (hyperscaler instance or VPS) in order to bypass CGNAT in a much more agnostic way that is not limited to only Tailnet access and is consistently more performant than what the shared Tailscale DERP servers can support. Below is an example tutorial using pfSense as the firewall/router. This setup is what I personally use and it is extremely stable and effective. I use it to check my security cameras remotely and even stream movies/TV remotely from multiple devices via a Channels DVR server when my family is outside of our home.
Hope this info is helpful, please let us know if we can be of any further assistance!
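As an added illustration of the cloud-server approach described in the reply (this is not the pfSense tutorial the reply refers to, nor InvisaGig or pfSense project material), here is a minimal WireGuard pairing: the VPS holds the public IPv4 and forwards one published port down the tunnel to the firewall, which then applies its own NAT/port-forward rules exactly as it would for a non-CGNAT WAN. The public IP 203.0.113.10, the 10.200.0.0/24 tunnel range, the interface name eth0 and the key placeholders are all constructed assumptions.

```ini
# ---- VPS side: /etc/wireguard/wg0.conf (public IPv4 203.0.113.10 is a constructed placeholder)
[Interface]
Address    = 10.200.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>          ; placeholder, generate with: wg genkey
# Only the single published port is forwarded down the tunnel; everything else
# arriving on the public IP stays blocked by the VPS host firewall.
PostUp   = sysctl -w net.ipv4.ip_forward=1
PostUp   = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.200.0.2:443
PostUp   = iptables -A FORWARD -i eth0 -o wg0 -p tcp -d 10.200.0.2 --dport 443 -j ACCEPT
PostUp   = iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# MASQUERADE rewrites the client source to 10.200.0.1 so replies return via the
# tunnel without policy routing on the firewall. Caveat: the firewall's logs will
# then show the VPS tunnel address, not the real client IP, for these connections.
PostUp   = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.200.0.2:443
PostDown = iptables -D FORWARD -i eth0 -o wg0 -p tcp -d 10.200.0.2 --dport 443 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

[Peer]
# The firewall behind CGNAT. No Endpoint: the VPS can never initiate toward it,
# and AllowedIPs is pinned to the single tunnel address so the peer cannot
# claim any other source on the VPS.
PublicKey  = <FIREWALL_PUBLIC_KEY>
AllowedIPs = 10.200.0.2/32

# ---- Firewall side (pfSense WireGuard package or any WireGuard client)
[Interface]
Address    = 10.200.0.2/24
PrivateKey = <FIREWALL_PRIVATE_KEY>

[Peer]
PublicKey  = <VPS_PUBLIC_KEY>
Endpoint   = 203.0.113.10:51820
# Only the VPS tunnel address is routed here, so the tunnel never becomes the
# firewall's default route; normal Internet traffic still uses the IG WAN.
AllowedIPs = 10.200.0.1/32
# Required behind CGNAT: the firewall must open the outbound UDP mapping and
# keep it alive, because nothing can reach it inbound.
PersistentKeepalive = 25
```

On the firewall, a port-forward rule on the WireGuard interface for destination 10.200.0.2:443 toward the internal host, plus a matching pass rule, completes the path; on the VPS the host firewall should allow only UDP 51820 and the forwarded TCP port inbound.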