Tailscale

Symmetric NAT prevents direct peer connections forcing DERP relay fallback

warning
Connection Management. Updated Jan 26, 2026 (via Exa)
Technologies:
How to detect:

When residential ISPs deploy symmetric NAT (Endpoint-Dependent Mapping), Tailscale's UDP hole punching fails because the NAT assigns a different external port for each destination, so the public endpoint a node learns via STUN is not the one its peer actually sees. Combined with CGNAT, direct peer-to-peer connections cannot be established, forcing all traffic through DERP relays. Observable as a persistent `via DERP(xxx)` path in `tailscale ping` output, followed by the message `direct connection not established`.

Recommended action:

Diagnose the NAT type using `tailscale netcheck` and look for `MappingVariesByDestIP: true`, which indicates symmetric NAT. Run the check on both peers, since whether a direct path is possible depends on the NAT types at both ends. Use the `stunner` tool, or check `tailscale ping` output for persistent DERP relay usage. If direct connections consistently fail, deploy Tailscale Peer Relays on nodes with better connectivity to bypass the limitation. No fix exists for the underlying NAT issue itself.
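The detection and diagnosis steps above can be automated by parsing the two command outputs. The following is an added example, not code from Tailscale or from this page: it parses constructed sample output modelled on the `tailscale netcheck` report and `tailscale ping` formats (the exact layout may differ between Tailscale versions, so the regular expressions are assumptions) and classifies whether a peer is stuck on a DERP relay because of symmetric NAT.

```python
import re

# Constructed sample `tailscale netcheck` report (not captured from a real host),
# showing the symmetric-NAT indicator the page describes.
NETCHECK_SYMMETRIC = """\
Report:
    * UDP: true
    * IPv4: yes, 203.0.113.5:41641
    * IPv6: no, but OS has support
    * MappingVariesByDestIP: true
    * PortMapping:
    * Nearest DERP: Frankfurt
    * DERP latency:
        - fra: 12.3ms  (Frankfurt)
        - ams: 18.9ms  (Amsterdam)
"""

# Same constructed report with endpoint-independent mapping (not symmetric).
NETCHECK_EIM = NETCHECK_SYMMETRIC.replace(
    "MappingVariesByDestIP: true", "MappingVariesByDestIP: false")

# Constructed `tailscale ping` output for a peer that never leaves the relay.
PING_RELAYED = """\
pong from laptop (100.64.0.2) via DERP(fra) in 46ms
pong from laptop (100.64.0.2) via DERP(fra) in 44ms
pong from laptop (100.64.0.2) via DERP(fra) in 45ms
direct connection not established
"""

# Constructed output where hole punching succeeds after the first relayed pong.
PING_DIRECT = """\
pong from laptop (100.64.0.2) via DERP(fra) in 46ms
pong from laptop (100.64.0.2) via 198.51.100.7:41641 in 9ms
"""

# Assumed formats: "* Key: value" report lines and "pong from ... via X in Nms".
NETCHECK_FIELD = re.compile(r"^\s*\*\s*([^:]+):\s*(.*)$")
PONG_LINE = re.compile(r"^pong from .* via (?:DERP\(([^)]*)\)|(\S+)) in ([\d.]+)ms$")
DIRECT_FAILED = "direct connection not established"


def parse_netcheck(text):
    """Extract the report fields relevant to NAT traversal."""
    fields = {}
    for line in text.splitlines():
        m = NETCHECK_FIELD.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return {
        "udp": fields.get("UDP", "").lower() == "true",
        "mapping_varies": fields.get("MappingVariesByDestIP", "").lower() == "true",
        "nearest_derp": fields.get("Nearest DERP", ""),
    }


def parse_ping(text):
    """Return each pong's path ("derp:<region>" or "direct:<ip:port>") and RTT."""
    pongs, direct_failed = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == DIRECT_FAILED:
            direct_failed = True
            continue
        m = PONG_LINE.match(line)
        if m:
            path = f"derp:{m.group(1)}" if m.group(1) is not None else f"direct:{m.group(2)}"
            pongs.append((path, float(m.group(3))))
    return {"pongs": pongs, "direct_failed": direct_failed}


def assess(netcheck_text, ping_text):
    """Classify the peer path from the local netcheck report and a ping run."""
    nc = parse_netcheck(netcheck_text)
    pg = parse_ping(ping_text)
    relayed = any(path.startswith("derp:") for path, _ in pg["pongs"])
    direct = any(path.startswith("direct:") for path, _ in pg["pongs"])
    if direct:
        return "direct"                    # hole punching worked; nothing to fix
    if not nc["udp"]:
        return "udp-blocked"               # relay fallback, but not a NAT-mapping issue
    if nc["mapping_varies"] and (pg["direct_failed"] or relayed):
        return "symmetric-nat-relayed"     # the case this page describes
    if pg["direct_failed"] or relayed:
        return "relayed-unknown-cause"     # check the other peer's netcheck too
    return "inconclusive"


if __name__ == "__main__":
    for label, nc, pg in [("symmetric", NETCHECK_SYMMETRIC, PING_RELAYED),
                          ("eim", NETCHECK_EIM, PING_RELAYED),
                          ("punched", NETCHECK_SYMMETRIC, PING_DIRECT)]:
        print(f"{label}: {assess(nc, pg)}")
```

A `symmetric-nat-relayed` verdict on one side is enough to explain persistent relay use, but `relayed-unknown-cause` means the local NAT looks traversable and the report from the other peer is needed before deciding on a Peer Relay.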