Tailscale Barely Working

Over 1 year ago, I set up Wireguard between 2 pfSense boxes and everything was great. The transfer speed between the 2 Synologys at each location was about 100 Mbps and the ping was 30 ms.

A couple of weeks ago, my apartment changed internet providers and the Wireguard stopped working. I decided it was time to set up Tailscale and it’s working, but the transfer speeds are around 10 Mbps and the ping varies from 100 to over 1000 ms.

When I do a speed test, I get 600 Mbps up/down.

The IP my apartment pfSense WAN shows (100.something) is different from an online check (204.something). Does that mean it’s using “double NAT”?

Is there anything I can check, or is it what it is, since Tailscale is “automatic”?

Thanks in advance for any help you can provide!

Opening incoming UDP/41641 (by default) on a device’s public IP address will guarantee a direct connection from any peer where it is possible. I have Tailscale on my pfsense that has a public IP and with that port open it works well. I still think native Wireguard will be faster as it’s a kernel version.

Thanks for the info Tom.

At first I tried installing Tailscale on the 2 pfSense boxes, but had issues. I could use the built-in ping tool on the local pfSense to ping devices on the remote LAN, but my laptop on the local LAN could not ping anything on the remote LAN. I checked the routes and NAT and everything looked OK. So I gave up and installed Tailscale on both Synologys and my laptop, and that is working now.

Is it typical to only see 10% throughput when switching from Wireguard to Tailscale?

I tried forwarding port 41641 on both pfSense to each Synology and the throughput is still 10 Mbps vs 100 Mbps before.

Is it possible my new ISP is limiting throughput on specific ports?

I assume you haven’t checked yet whether you are connected to your peer directly or through a relay. You can do that by executing tailscale status.
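Two checks that come up in this thread, written as an added example rather than anything from the original posts or from Tailscale: whether a WAN address falls inside 100.64.0.0/10, the RFC 6598 shared address space that ISPs use for carrier-grade NAT (the range the "100.something" WAN address mentioned earlier belongs to), and a small parser for the output of tailscale status that reports which peers are going through a relay instead of a direct connection. The sample status output is constructed here to approximate the real command's layout, which can differ slightly between Tailscale versions; the function names are my own.

```python
import ipaddress
import re

# RFC 6598 shared address space, assigned to ISPs for carrier-grade NAT.
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")


def is_cgnat(addr: str) -> bool:
    """True if addr lies in 100.64.0.0/10 (100.64.0.0 through 100.127.255.255)."""
    return ipaddress.ip_address(addr) in CGNAT_RANGE


# Approximate layout of one `tailscale status` line (constructed for this example):
#   <tailscale IP> <host> <user> <os> <state>; <direct addr:port | relay "code">, tx N rx M
_STATUS_RE = re.compile(
    r"^(?P<ip>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<os>\S+)\s+(?P<rest>.*)$"
)
_RELAY_RE = re.compile(r'relay "([^"]+)"')

# Constructed sample output; hostnames and addresses are placeholders.
SAMPLE_STATUS = """\
100.101.102.103 nas-home     user@ linux   -
100.64.12.34    nas-remote   user@ linux   active; relay "lhr", tx 1234 rx 5678
100.64.56.78    laptop       user@ macOS   active; direct 203.0.113.7:41641, tx 99 rx 1000
100.64.90.12    phone        user@ iOS     idle, tx 0 rx 0
"""


def parse_status(text: str) -> dict:
    """Map each hostname to 'direct', 'relay:<code>', 'idle' or 'offline'.

    '-' (the local node, or an offline peer in older versions) and 'offline'
    are both reported as 'offline' because neither has a usable path.
    """
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _STATUS_RE.match(line)
        if not m:
            continue  # header or unrecognised line; skip rather than guess
        host, rest = m.group("host"), m.group("rest")
        relay = _RELAY_RE.search(rest)
        if rest.startswith("-") or rest.startswith("offline"):
            result[host] = "offline"
        elif "direct" in rest:
            result[host] = "direct"
        elif relay:
            result[host] = f"relay:{relay.group(1)}"
        else:
            result[host] = "idle"
    return result


def relayed_peers(text: str) -> list:
    """Hostnames whose active path is a DERP relay (the slow case in this thread)."""
    return [h for h, state in parse_status(text).items() if state.startswith("relay:")]


if __name__ == "__main__":
    for host, state in parse_status(SAMPLE_STATUS).items():
        print(f"{host:12} {state}")
    print("relayed:", relayed_peers(SAMPLE_STATUS))
    print("WAN 100.70.1.2 is CGNAT:", is_cgnat("100.70.1.2"))
```

On a real machine, feed the parser the command's output (for example subprocess.run(["tailscale", "status"], capture_output=True, text=True).stdout) and compare the result before and after running tailscale ping against the slow peer; a peer that stays at relay:&lt;code&gt; is the one whose path is worth investigating.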

Thanks for the tip paolo.

I used ssh to the Synology and tried the command. Looks like it’s going through a relay. Since my building switched internet providers recently, I’m guessing they’re using CGNAT now. Does that make it impossible to ever connect directly?

Update: I just noticed the Troubleshooting guide at the bottom of your post. I think I’ve become “blind” to ads inserted everywhere! LOL

CGNAT can make it more difficult to establish direct connections in some cases, e.g. when the peers are behind the same CGNAT. But Tailscale claims that it mostly doesn’t impact the ability to obtain direct connections. They have a very informative blog post on how their NAT traversal technique works:

Thanks for the NAT traversal link.

After trying tailscale ping a couple times, it got a direct connection. Now the backup speed to the remote Synology is 25 Mbps with a direct connection vs 10 Mbps with a relay connection. I wish I could get back to the 100 Mbps I had before with the direct Wireguard connection.