T-Mobile home internet refuses to play nice with VPN

Firstly, I’m posting here because you folks are my only hope (Kenobi! lol) of having enough knowledge to even understand what I’m describing, rather than just telling me to reboot or call T-Mobile. :wink:
If anyone knows of another resource to contact that may be able to help, please share!

I recently switched to T-Mobile (TMO) business cellular internet (from my terrible DSL service) in an effort to get better speeds. I was getting 40Mb down and 3Mb up on the DSL. It was fairly stable, though.
My new connection is using an InseeGo FX3100 gateway/router, hardwired (Cat5e) to my pfsense firewall. The pfsense is currently pulling the WAN connection via DHCP from the InseeGo. All is ‘working’, in the sense that I have internet throughout the house, including wifi (Unifi APs) and such. I’m seeing speeds in the 350down/20up range, but my latency is kinda terrible. Unloaded is around 65ms, and loaded is anywhere from 150-600down and 125-700up. :confused:

Here’s the issue: If I connect to my server at work via ZeroTier or Tailscale (I have both set up for redundancy), it’s really sketchy. Half the time, it won’t connect at all. If it does, it’s very slow, and file transfers are pretty much not possible at all. Oddly, if I connect to the same machine via Teamviewer, I can copy/paste files and it’s much faster. Still not as fast as it should be, but far better. My work connection is a 200Mb synchronous fiber, just FYI.

I’ve tried every sort of troubleshooting I can think of, including isolating the connection from the pfsense, on the assumption that it may be the culprit. I connected the InseeGo directly to my desktop PC via Cat5e, and the behavior was identical. Decent speeds in general browsing, but the “VPN” connection was sketchy and very slow.

For giggles, I swapped back to the DSL, and everything worked fine. Slow, but fine, and actually overall faster than the TMO connection when using the remote connection specifically.

I’ve done all sorts of other tests and configurations, but rather than bore you with details you may not need, I’ll throw myself on the mercy of the homelab gurus, and hope that someone has an idea of where to go from here. Ask any questions, and I’ll either tell you what I’ve done on that front, or go try it and report back.

I will seriously offer some sort of reward to whoever can fix this, if we can figure out a way for me to get it to you. PayPal or whatnot. :slight_smile:

EDIT 8/11/24: I enabled IP passthrough on the FX3100 gateway this morning. Connection is working, but pfsense is showing the WAN as “Offline, Packetloss”. Anyone know what that means? Also, I’m seeing no improvement in my ability to connect via my VPNs. I’ve also discovered that I can’t access any of my internally-hosted services, such as my security cameras (BlueIris) or the local services on my unraid server, like Plex, Sonarr, etc… Previously, I could get to all of these either via Wireguard, or through DuckDNS and my “domain”. Even with IP passthrough, something is broken…

EDIT 9/15/24: FIXED!! This fixed my issues, at least the ones related to my Tailscale connection. I used the instructions in this article to tune Tailscale for a direct connection, and now everything is nice and fast. Stable, too. I haven’t bothered trying to see if ZeroTier has a similar fix, since TS is working so well.
Of course, this will likely only apply to you if you use pfsense, but it fixed my connection completely. YMMV.

I had a wfh employee with T-Mobile home internet and they blocked or throttled every vpn we tried

Yep, par for the course with the T-Mobile 5G home internet. We had a ton of users switch to it from Xfinity and all of their VPNs stopped working. Had to end up banning the use of their internet for our wfh staff as T-Mobile refused to assist us in resolving it.

This is a known and frequent issue with T-Mobile home internet that has plagued enterprise support teams basically since COVID went into high gear and everyone started working from home. The root of the issue is that T-Mobile home internet is a 100% IPv6 system and their v6 to v4 translation layer is trash for persistent connections like VPN. Google T-Mobile Internet VPN issues and you will find dozens of posts, many of them on T-Mobile’s own support site, with no true solution.

TMobile uses CG-NAT which could be the issue. When I used t-mobile I had trouble connecting to some games and it was due to the NAT type they use.

What is your VPN DNS pointed at?

Have you tried any other solutions besides ZeroTier? If you have pfsense running I would spin up OpenVPN; that’s what I use on opnsense, which is pretty similar, plus the built-in 2FA server you create in opnsense to secure the VPN account.

T-mobile does 1400 MTU and it fucks with VPNs

Thanks to everyone so far for all the assistance! I knew I was in the right place. :slight_smile:
Just for conversation’s sake, do we think that putting the TMO gateway into IP passthrough mode would be likely to have any positive effect?

Option 2 is to replace the gateway entirely with a 3rd party device, such as an Elsys Amplimax Ultra or InvisaGig. They are pricey, but this is my link to work, so within reason there’s no budget if it will get me functional.

Option 3 would be maybe Verizon Home Internet. I tried them once before, and it worked okay other than for some odd reason not being able to access any video streaming sites, like YouTube or Vimeo. I’d be willing to give that another try, perhaps with one of the 3rd party devices above, if there’s a decent chance of it working better with my remote connections.

Latency will of course be worse on a cellular connection. Which is unfortunate but there you go.

Long shot, but did you load the default settings / reset the modem after the change to v4 only? Maybe it still hangs on the wrong APN?

Also set the MTU to 1280 in WAN and VPN. Might be that the v6 to v4 transition has problems with bigger MTUs. IPv6’s smallest, and therefore commonly used, size is 1280 bytes. You also have to change the MTU size of the server to 1280.

Else, IP mode might be your next best bet. I’m not so much into cellular networks that I exactly know what it does, but if it lets you establish your own PPPoE connection, it might be worth a shot.
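To put numbers on the MTU advice in this thread (the 1400-byte path MTU mentioned earlier and the 1280-byte setting suggested here), the following calculator is an added example, not code from any poster, pfsense, Tailscale or ZeroTier. It assumes WireGuard-style framing (which Tailscale uses) and includes a WAN-address check for CG-NAT space, since that also came up above.

```python
import ipaddress

# Per-packet overhead wrapped around each inner (tunnelled) packet.
# WireGuard data message: 4 type + 4 receiver index + 8 counter + 16 auth tag = 32 bytes.
# ZeroTier and OpenVPN frame differently; the numbers below are WireGuard-only (assumption).
IP_HEADER = {4: 20, 6: 40}
UDP_HEADER = 8
WIREGUARD_HEADER = 32
ICMP_ECHO_HEADER = 8
IPV6_MIN_MTU = 1280  # every IPv6 link must carry at least this much


def wireguard_overhead(outer_family: int) -> int:
    """Bytes of IP + UDP + WireGuard framing added outside each inner packet."""
    return IP_HEADER[outer_family] + UDP_HEADER + WIREGUARD_HEADER


def tunnel_mtu(path_mtu: int, outer_family: int = 6) -> int:
    """Largest inner (tunnel interface) MTU that rides in one outer packet of path_mtu."""
    return path_mtu - wireguard_overhead(outer_family)


def required_path_mtu(inner_mtu: int, outer_family: int = 6) -> int:
    """Smallest outer path MTU that carries inner_mtu without fragmenting."""
    return inner_mtu + wireguard_overhead(outer_family)


def fits(path_mtu: int, inner_mtu: int, outer_family: int = 6) -> bool:
    """True when a tunnel interface set to inner_mtu survives a path of path_mtu."""
    return tunnel_mtu(path_mtu, outer_family) >= inner_mtu


def icmp_probe_payload(target_mtu: int, family: int = 4) -> int:
    """Echo payload size for a don't-fragment ping that tests exactly target_mtu,
    e.g. `ping -M do -s <payload> host` on Linux (IP + ICMP headers subtracted)."""
    return target_mtu - IP_HEADER[family] - ICMP_ECHO_HEADER


def wan_address_kind(addr: str) -> str:
    """Classify the address the firewall pulled on WAN: CG-NAT (100.64/10), RFC1918, or public.
    A cgnat/private WAN means inbound port forwards cannot reach you from the internet."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and ip in ipaddress.ip_network("100.64.0.0/10"):
        return "cgnat"
    if ip.is_private:
        return "private"
    return "public"


if __name__ == "__main__":
    # The default WireGuard MTU of 1420 assumes a 1500-byte path; a 1400-byte path breaks it.
    print("1500 path -> inner", tunnel_mtu(1500), "| 1400 path -> inner", tunnel_mtu(1400))
    print("1280 inner needs path >=", required_path_mtu(IPV6_MIN_MTU))
```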

With the way that T-Mobile Home Internet works, you don’t get a public IP like most other ISPs give you (I get a 172 something address). While it does work fine for my wife and me (it’s my backup internet connection at home) to connect to our jobs via Cisco AnyConnect, nothing else works properly on it. I can’t even use my work phone (it’s a work-hosted VoIP line): even though my physical phone and any VoIP client I use will connect, they drop the call as soon as someone answers. Trying to connect to any resources inside my network from outside is impossible for me when my internet connection fails over to my T-Mobile connection. VPN, port forward, nothing works to access my internally hosted resources from outside.

You can’t put it in passthrough with their gateway.

I have their Nokia 5G21. Very limited UI.

I’ve been struggling with T Mobile Home internet and my VPN for a year. From what I understand the 5G internet uses virtual channels and the packets (regardless of size) are spread through them as bandwidth is available. When we use a VPN we create a tunnel and kind of lock in the channels, therefore the network can’t spread packets virtually across other channels that might have higher capacity at any given moment. Perhaps I have that wrong but that is what I understood from a T Mobile network person… Furthermore I was told that their network is plug and play and there is not much I can do on the router side of things. As a casual home user I can accept the limitation although I’m not pleased about it.

Turn OFF IPv6 on the ethernet interface. That will solve the vpn woes.

well that’s not encouraging…

Wireguard and Palo Alto/GlobalProtect work for me perfectly, if that counts.

Well…dang. I take it you never got any sort of resolution?

So I hear you, except that this is TM business internet, and they have me set to IPv4 only, for whatever that’s worth. I’m guessing that just means that it goes v6->v4 … and stays v4 (rather than trying to assign an IPv6 address to the gateway), right? If so, then maybe I’m just borked, which would suck, since this service is working really well otherwise.