Cellular ISP/Broadband(T-Mobile) - Hubitat Server to HE hub connectivity concerns?

My question aligns with a question and reply in a Reddit thread about T-Mobile's Cellular Broadband offering and use with HA (smart home stuff).

Specifically, the nature of T-Mobile's IP allocation (CGNAT), port access, and HE server to hub connectivity ....but I created the topic to be more general in case others follow with similar Cellular Provider concerns.

Hope this prompts some discussion for the benefit of future Cellular Broadband subscribers.

Reddit Reply to a question about ...how it's working for smart homes:

My wifi thermostat works fine, smart devices like remotes for A/Cs also work fine, my security cameras work if they are connected via Cloud or P2P. You can't do a direct connection like on cable or dsl (i.e., mydnsname.net:5400) unless you run a VPN.

I'm not sure what your exact question/concern is, but I think the issue the poster in the comment you linked to is related to carrier-grade NAT that T-Mobile Home Internet and most cellular internet providers use. Your public IP address is shared among multiple other users, unlike cable or DSL where you normally get your own, so you can't do things like port-forwarding to access resources on your network directly from outside. This is a bad idea to do for your Hubitat hub anyway (and hard to do after recent security changes), but it also makes things like hosting a VPN into your own network at home tricky. Along those lines, I'm really not sure how the poster in that same comment is proposing a VPN as a solution--it poses the same problem of how to reach it if you're hosting it at home--unless you host a VPN in a VPS or whatnot on the Internet and connect both your devices to that, I suppose.

Regardless, this wouldn't affect Hubitat cloud services or anything I can think of related to regular use of any Hubitat feature. Remote Dashboard, Alexa, etc. use a connection initiated inside your own network--from the hub--to these servers. Remote Admin, should you use it, works similarly. This is no more of a problem than the NAT you're undoubtedly using on your internal network is already--which is to say not a problem at all.


There are some versions of the T-Mobile CPE that have extremely limited functionality - in the case I recall from this community there was no way to reserve an IP address. Not insurmountable but it really seemed like the hardware left a lot to be desired.

I’m also a little confused.

Is this the major concern?

Connecting to an IP camera, or Hubitat, directly over the internet with port forwarding is generally a bad idea, like @bertabcd1234 said.

If you need a server for files, web hosting, etc. accessible from anywhere in your situation with CG-NAT, a VPS is a good idea.

The remainder of the comments in that thread suggest that wireless ISP users are using WiFi devices and cloud-connected services without issue.

I got the impression that frequent IP address changing on their side, together with the IPv4/IPv6 gymnastics was presenting a problem for a handful of things. All made worse by the fact that their box (or familiarly called trashcan) does not allow you to use it as a traditional full functioned router, nor does it have a bridge mode so that you can use your own. So that brings up more NAT issues.

Not fully knowing the mechanics of how Hubitat does the Remote Dashboard, Backups, and Remote Admin as it currently is structured I thought I'd throw this out there for the very type of discussion that arose. So thank you. Sorry I didn't make myself clear before.

Their 5G (or rather, facsimile thereof in some areas) is garnering A LOT of attention at its $50 price point and speed. It's only a matter of time that more folks that use, or want to use, HE may be considering it. This is a stake in the ground for those subsequent discussions.

P.S. I don't want to advertise for T-Mobile but if you go to the top of that Reddit forum and read some of the success stories you'll see why a lot of folks "with Comcast (or lesser) as an option" are excited, ...even with some of the quirks.

Here's what I know about CGNAT:

  1. It will not affect anything local (local dashboards etc)
  2. It will not affect use of the Hubitat cloud (so cloud dashboards will work)
  3. To administer your hub remotely, you will have to use Remote Admin.

(edited 5/16/2023)

  1. TailScale (even the free tier) works fine to access hubs behind CGNAT networks

I was researching T-Mobile home internet today. TL;DR a home vpn server will not work behind CGNAT. T-Mobile home internet uses CGNAT. In our area Adelphia uses CGNAT (Carrier Grade NAT). They aggregate local user ip addresses and serve them from a router which provides an internet facing ip address which is the same for all of the downstream users. Not a problem unless you want to run a VPN server. For that to work you need a unique public ip address. Normally you would request a static ip address or use a dynamic ip address service. Both work well but will not work with CGNAT. Fortunately for my client Adelphia will bypass CGNAT on request. Most users would have no idea that CGNAT is a thing and would likely just give up.
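An added example, not part of any post in this thread: one way to check whether a connection sits behind CGNAT is to compare the address the gateway reports on its WAN side with the address an outside service sees. The function names are hypothetical and all sample addresses are constructed (documentation ranges).

```python
import ipaddress

# RFC 6598 shared address space, set aside for carrier-grade NAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here means another NAT sits upstream.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip: str, observed_ip: str) -> str:
    """Classify the gateway's WAN-side address (hypothetical helper).

    wan_ip:      address the router/gateway shows on its WAN interface
    observed_ip: address an outside service sees for the same connection
    """
    wan = ipaddress.ip_address(wan_ip)
    seen = ipaddress.ip_address(observed_ip)
    if wan.version == 4:
        if wan in CGNAT_NET:
            return "cgnat"          # carrier shares one public IP among users
        if any(wan in net for net in RFC1918_NETS):
            return "double-nat"     # gateway is itself behind a private network
    if wan != seen:
        return "translated"         # e.g. IPv6 WAN reaching IPv4 via the carrier
    return "public"                 # WAN address is the address the world sees


def port_forward_possible(wan_ip: str, observed_ip: str) -> bool:
    # Necessary, not sufficient: gateway features and firewalls still apply.
    return classify_wan(wan_ip, observed_ip) == "public"


# Constructed sample pairs: (gateway WAN address, externally observed address)
SAMPLES = [
    ("100.72.14.9", "203.0.113.7"),       # shared address space
    ("192.168.12.101", "203.0.113.7"),    # private address on the WAN side
    ("2001:db8::10", "203.0.113.7"),      # IPv6 WAN, IPv4 seen outside
    ("198.51.100.23", "198.51.100.23"),   # same address on both sides
]

if __name__ == "__main__":
    for wan, seen in SAMPLES:
        print(f"{wan:>16} seen as {seen:<14} -> {classify_wan(wan, seen)}")
```

Tailscale also assigns its own interface addresses from 100.64.0.0/10, so run the check against the gateway's WAN address, not a Tailscale interface.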


Been following the Customer Satisfaction side of the T-Mobile deployment and there seems to be some disappointment welling in near-urban areas as Home Broadband takes a back seat to mobile use demand/priority.

Folks go from excitement over the speeds and freedom from a certain ISP many love to hate...to being in the middle of commute-coincident Zoom Mtgs and losing acceptable connectivity.

It's going to be a while before capacity constraints are a less obvious PITA than this in urban areas.

Revisiting this thread to post a link to a relevant thread in case anyone considering T-Mobile's service might benefit from being forewarned. I believe the Business service level avoids CGNAT, or at the least it will if you pay for a Static IP.

Fair enough.

This has changed. There is one more option.

  • Use TailScale (the free tier of service is adequate).

Tailscale is pretty amazing and easy. I was forced into tmobile internet recently and tailscale solves a lot of problems brought on by cgnat.

I am not sure how. There IS not one mention of CGNAT in Tailscale's documents. I would assume if it worked with it they would mention it.

There is a detailed description of using TailScale with NAT in general, and CGNAT in particular, in the official TailScale blog.

There is also extensive mention of using TailScale with CGNAT in the official TailScale community forum. Here's one example.

There are also YouTube tutorials on overcoming CGNAT with TailScale. And plenty of examples in r/TailScale on Reddit of people using TailScale to get around CGNAT.

Like several others on this thread, I am using TailScale with CGNAT. It really does work - none of us are blowing smoke .....



It is mentioned, and it does work.

They describe in one place how Tailscale works through/with CGNAT. They describe in another place how tailscale Exit Nodes work.

The two together do what I mentioned. I use it through CGNAT to get to 100% of my home network from multiple business locations that use CGNAT.

Anyway, sorry - I didn't mean to derail your thread, and am not trying to be argumentative. I was just trying to be helpful.


After reading some of those links I'm left pondering the trade offs made.

The Cellular ISP options now available seem affordably offered...but at "a cost" ....which in this case TailScale mitigates ....but is that not equally costly in terms of complexity and perhaps security.

The more these new providers try to meet the demand, and do so with methods that allow them to "get more from less" (scraping profit out from under the ISP status quo) , the more creative solutions need to be applied to make some things work right. And so entire new businesses are born, at what risk.

What % of T-mobile’s customers do you think care whether their home internet uses cgnat? Care as in, it actually affects them in some way?

My guess is it’s low. Very low.

Hosted services in the home are, overall, a rare thing. Maybe gaming server type stuff as the most widespread?

So the problem described here is probably not a widespread one among cellular home internet users.

Tailscale doesn’t exist because cellular ISP customers want to access their locally hosted services remotely. But it does function for that use case.

