Ad 1: speed via TS is not necessarily slower than direct connection. It of course needs some CPU to encrypt and decrypt the data stream. That is why a router will always be slower than a client with a desktop or laptop PC, even a smartphone or iPad will probably be faster than your average router. I regularly do 80 MBytes/s over the internet via Tailscale, so it is not its fault if it is slower.
To be sure: there is no 3rd server in between the two TS partners, they communicate directly. So speed depends on their upload / download as well as cpu.
Ad 2: if Tailscale can establish a direct connection, which in this scenario it should, it will be the same speed as 1.
In normal use, a direct connection should almost always be possible.
Ad 3: yes, Tailscale’s DERP servers will be slower. If DERP should really regularly be used, you can host and use your own, preferably on some internet virtual server with 1Gig up/down: Custom DERP Servers · Tailscale Docs. But I would assume that should not be necessary 98% of the time.
ISPs of both clients don’t use CGNAT: DERP servers aren’t used, hence Tailscale provides the fastest data transfer speed it can (but still slower than a direct remote connection without Tailscale)
Not 100% accurate, if your firewalls aren’t opening up the ports correctly/your client and Tailscale are fighting NAT, your clients could use DERP even if both sides have routable public IP addresses.
Also it depends on the Tailscale client at the time of the release; the Tailscale team is always trying to make improvements on the client side and the backend when it comes to getting direct connections set up.
ISP of one client uses CGNAT, ISP of the other one doesn’t: same scenario as above, since Tailscale finds a workaround. The data transfer speed will (?) be lower though?
Again, see the response to number 1.
ISPs of both clients use CGNAT: connection is via DERP servers, hence data transfer speed is the slowest among all 3 scenarios.
If both sides don’t have routable public IP addresses there isn’t much you can do to open ports on both sides, so yes, your clients will use DERP.
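One way to check for yourself whether a pair of nodes is talking directly or through a DERP relay is to look at what `tailscale status --json` reports for each peer. The script below is an added example and not code from any poster in this thread or from Tailscale; it parses a constructed sample of that JSON (the field names `Peer`, `HostName`, `Active`, `CurAddr` and `Relay` follow Tailscale's status output, while the hostnames, node keys and addresses are placeholders) and labels each peer as direct, relayed, or idle.

```python
import json

# Constructed sample in the shape of `tailscale status --json` (placeholders only).
# Assumption: a peer with a non-empty "CurAddr" has a direct UDP path; a peer with an
# empty "CurAddr" but a "Relay" region is going through that DERP; "Active" false
# means there is currently no traffic, so no path has been chosen.
SAMPLE_STATUS = json.dumps({
    "Self": {"HostName": "laptop", "TailscaleIPs": ["100.64.0.1"]},
    "Peer": {
        "nodekey:aaaa": {
            "HostName": "nas",
            "TailscaleIPs": ["100.64.0.2"],
            "Active": True,
            "CurAddr": "203.0.113.10:41641",   # TEST-NET address, constructed
            "Relay": "fra",                    # home DERP, not in use for traffic
        },
        "nodekey:bbbb": {
            "HostName": "travel-router",
            "TailscaleIPs": ["100.64.0.3"],
            "Active": True,
            "CurAddr": "",                     # no direct path found (e.g. CGNAT both sides)
            "Relay": "nyc",
        },
        "nodekey:cccc": {
            "HostName": "phone",
            "TailscaleIPs": ["100.64.0.4"],
            "Active": False,
            "CurAddr": "",
            "Relay": "",
        },
    },
})


def classify_peers(status_json: str) -> dict:
    """Map each peer's hostname to 'direct', 'relayed via DERP <region>' or 'idle'."""
    status = json.loads(status_json)
    result = {}
    for peer in status.get("Peer", {}).values():
        name = peer.get("HostName", "?")
        if not peer.get("Active", False):
            result[name] = "idle"
        elif peer.get("CurAddr"):
            result[name] = "direct"
        elif peer.get("Relay"):
            result[name] = "relayed via DERP " + peer["Relay"]
        else:
            result[name] = "unknown"
    return result


def relayed_peers(status_json: str) -> list:
    """Return the hostnames that are currently falling back to DERP, sorted."""
    return sorted(n for n, s in classify_peers(status_json).items()
                  if s.startswith("relayed"))


if __name__ == "__main__":
    # With a live node, replace SAMPLE_STATUS with the output of `tailscale status --json`.
    for host, state in classify_peers(SAMPLE_STATUS).items():
        print(f"{host}: {state}")
```

If a peer that should have a direct path keeps showing up as relayed, `tailscale ping <peer>` on a live node reports which path each probe took, which is a quicker way to see whether NAT traversal eventually succeeds than watching the status output.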
Do P2P clients (if you’re not comfortable with their names) always connect via DERP servers if Tailscale is used?
What do you mean by P2P clients? Like two Tailscale clients talking to each other or particular applications running on the computer?
Yeah also, I’m still on 4.4.6 firmware on my GL.iNet router. Both on the Beryl AX and Slate AX I have witnessed everything break when trying to upgrade to latest firmware. So just keep that in mind everyone lol
I know so much more than when I first set up my system (Cisco router, Cisco switch, Synology NAS, plus a whole bunch of media gear and IoT gear). Looking forward to a refresh where I can keep the concepts but redo the implementations. Planning on moving to another WiFi AP platform. Considering Unifi or Aruba bc I’d like WiFi 6. Will repurpose Ruckus APs at my vacation home. That also was a learning experience—an AV shop set up media and network bc I wanted out-of-town support for guests. They’ve got my main router (Apple Extreme) in bridge mode due to the CGNAT I mentioned, which means of course neighbors can see my LAN and vice versa. I don’t mind as there’s nothing critical running, but I’d like to tighten it up, and if I’m going to have any local access via Tailscale, I must have a firewall, so either bridge mode goes (double NAT, ugh) or I figure out a bridged firewall (pfSense supports this, but I need to play with VLANs with it).
Thank you - very comprehensive reply and very positive for specifically my use case. Great!
Thank you, it’s all clear now!
What do you mean by P2P clients? Like two Tailscale clients talking to each other or particular applications running on the computer?
Well, I assume Tailscale works on a machine level, right? Like VPN: i.e. all apps running on the machine with Tailscale client installed will use its service so to say. Or am I mistaken and I can set in Tailscale client the list of apps which will use it, so that all others won’t?
Curious what broke?
I’m running 4.5.0 beta on the Slate. I haven’t had a chance to upgrade it to 1.58.2 yet as it sits in my travel bag and I haven’t done much traveling this year.
I left Unifi wireless when the COVID lockdowns hit and I was WFH full time. I didn’t really notice how many bugs there were with Unifi until I was using it 24/7, and hence the reason why I’m sitting on Ruckus. Never ever going back to Unifi after dealing with something like Ruckus. I’m totally cool with their switches.
I am in the process of looking to upgrade my wireless and I have been debating between either another Ruckus or Aruba. Probably wait to see when WiFi 7 is a finalized standard and then look at my options. I’m not in a rush because this is more of an “I want” than a need, and the Ruckus is doing everything it needs to do on my network/for my clients.
Yes it works at the OS level.
i.e. all apps running on the machine with Tailscale client installed will use its service so to say.
Depends on the mode. If you use an exit node, all your traffic will be pushed through the Tailscale network to the exit node.
Or a subnet router
If you don’t have an exit node set up, your apps won’t utilize the Tailscale network unless you specifically tell the app to (generally by specifying the Tailscale IP address in the app).
On the Beryl AX I couldn’t connect to any networks with the repeater anymore. And just last week when I was helping someone set up their Slate AX, the latest firmware wasn’t letting Tailscale connect, I think.
Yeah, since I’m not traveling at the moment, I just repurposed my Beryl AX as an extender to get around the brick fireplace at home between me and my Verizon hotspot lol.
Interesting. Man, they sure look slick. Good marketing. The IT consultant for my home suggested Ruckus, which is how I wound up with it, and it’s been truly stellar. Maybe I should just sit pat. I would like WiFi 7…
Got it, it’s all clear, thank you for the links and your comprehensive explanation! May I ask the last one about Tailscale, but beyond the topic of the current discussion?
I know Tailscale allows you to use NextDNS to block ads. If you have experience with that, does it do that effectively? Can I set up Tailscale to use a 3rd party DNS address instead, which I’ve been using for years and I know that this one is really effective in removing ads (AdGuard DNS if that matters)?
In that context I refer to your previous reply, and assume that any ad removal done with Tailscale (using NextDNS or AdGuard DNS if that is possible) supposes I need to set up the exit node, so that ad traffic is cut at the machine level, i.e. for all apps, right?
On 8 January 2024, the Wi-Fi Alliance introduced its “Wi-Fi Certified 7” program to certify Wi-Fi 7 devices. While final ratification is not expected until the end of 2024, the technical requirements are essentially complete.
It seems pretty much WiFi 7 is ready to go.