.. _cgnat:

#####
CGNAT
#####

:abbr:`CGNAT (Carrier-Grade Network Address Translation)`, also known as
Large-Scale NAT (LSN), is a type of network address translation used by
Internet Service Providers (ISPs) to enable multiple private IP addresses to
share a single public IP address. This technique helps to conserve the limited
IPv4 address space.

The 100.64.0.0/10 address block is reserved for use in carrier-grade NAT
(:rfc:`6598`).
Overview
========

CGNAT works by placing a NAT device within the ISP's network. This device
translates private IP addresses from customer networks to a limited pool of
public IP addresses assigned to the ISP. This allows many customers to share a
smaller number of public IP addresses.

Not all :rfc:`6888` requirements are implemented in CGNAT. The following
:rfc:`6888` requirements are implemented:

- REQ 2: A CGN must have a default "IP address pooling" behavior of "Paired".
  A CGN must use the same external IP address mapping for all sessions
  associated with the same internal IP address, be they TCP, UDP, ICMP,
  something else, or a mix of different protocols.
- REQ 3: The CGN function should not have any limitations on the size or the
  contiguity of the external address pool.
- REQ 4: A CGN must support limiting the number of external ports (or,
  equivalently, "identifiers" for ICMP) that are assigned per subscriber.
Advantages of CGNAT
-------------------

- **IPv4 Address Conservation**: CGNAT helps mitigate the exhaustion of IPv4
  addresses by allowing multiple customers to share a single public IP address.
- **Scalability**: ISPs can support more customers without needing a
  proportional increase in public IP addresses.
- **Cost-Effective**: Reduces the cost associated with acquiring additional
  public IPv4 addresses.

Considerations
--------------

- **Traceability Issues**: Since multiple users share the same public IP
  address, tracking individual users for security and legal purposes can be
  challenging.
- **Performance Overheads**: The translation process can introduce latency and
  potential performance bottlenecks, especially under high load.
- **Application Compatibility**: Some applications and protocols may not work
  well with CGNAT due to their reliance on unique public IP addresses.
- **Port Allocation Limits**: Each public IP address has a limited number of
  ports, which can be exhausted, affecting the ability to establish new
  connections.
- **Port Control Protocol**: PCP is not implemented.
Port calculation
================

When implementing CGNAT, ensuring that there are enough ports allocated per
subscriber is critical. Below is a summary based on :rfc:`6888`.

1. **Total Ports Available**:

   - Total Ports: 65536 (0 to 65535)
   - Reserved Ports: Assume 1024 ports are reserved for well-known services
     and administrative purposes.
   - Usable Ports: 65536 - 1024 = 64512

2. **Estimate Ports Needed per Subscriber**:

   - Example: A household might need 1000 ports to ensure smooth operation
     for multiple devices and applications.

3. **Calculate the Number of Subscribers per Public IP**:

   - Usable Ports / Ports per Subscriber
   - 64512 / 1000 ≈ 64 subscribers per public IP
Configuration
=============

.. cfgcmd:: set nat cgnat pool external <pool-name> external-port-range <port-range>

   Set an external port range for the external pool; the default range is
   1024-65535. Multiple entries can be added to the same pool.

.. cfgcmd:: set nat cgnat pool external <pool-name> per-user-limit port <num>

   Set the maximum number of external source ports that will be allocated to
   each subscriber individually. The default value is 2000.

.. cfgcmd:: set nat cgnat pool external <pool-name> range [address | address range | network] [seq]

   Set the range of external IP addresses for the CGNAT pool.
   The sequence is optional; if set, a lower value means higher priority.

.. cfgcmd:: set nat cgnat pool internal <pool-name> range [address range | network]

   Set the range of internal IP addresses for the CGNAT pool.

.. cfgcmd:: set nat cgnat rule <num> source pool <internal-pool-name>

   Set the internal pool whose addresses are the source of the rule.

.. cfgcmd:: set nat cgnat rule <num> translation pool <external-pool-name>

   Set the external pool the rule translates to.

.. cfgcmd:: set nat cgnat log-allocation

   Enable logging of IP address and port allocations.
Configuration Examples
======================

Single external address
-----------------------

Example of setting up a basic CGNAT configuration.

In the following example, we define an external pool named ``ext1`` with one
external IP address and an internal pool named ``int1``. Each subscriber will
be allocated a maximum of 2000 ports from the external pool.

.. code-block:: none

  set nat cgnat pool external ext1 external-port-range '1024-65535'
  set nat cgnat pool external ext1 per-user-limit port '2000'
  set nat cgnat pool external ext1 range '192.0.2.222/32'
  set nat cgnat pool internal int1 range '100.64.0.0/28'
  set nat cgnat rule 10 source pool 'int1'
  set nat cgnat rule 10 translation pool 'ext1'
Multiple external addresses
---------------------------

.. code-block:: none

  set nat cgnat pool external ext1 external-port-range '1024-65535'
  set nat cgnat pool external ext1 per-user-limit port '8000'
  set nat cgnat pool external ext1 range '192.0.2.1-192.0.2.2'
  set nat cgnat pool external ext1 range '203.0.113.253-203.0.113.254'
  set nat cgnat pool internal int1 range '100.64.0.1-100.64.0.32'
  set nat cgnat rule 10 source pool 'int1'
  set nat cgnat rule 10 translation pool 'ext1'
External address sequences
--------------------------

.. code-block:: none

  set nat cgnat pool external ext-01 per-user-limit port '16000'
  set nat cgnat pool external ext-01 range 203.0.113.1/32 seq '10'
  set nat cgnat pool external ext-01 range 192.0.2.1/32 seq '20'
  set nat cgnat pool internal int-01 range '100.64.0.0/29'
  set nat cgnat rule 10 source pool 'int-01'
  set nat cgnat rule 10 translation pool 'ext-01'
Operation commands
==================

.. opcmd:: show nat cgnat allocation

   Show address and port allocations.

.. opcmd:: show nat cgnat allocation external-address <address>

   Show all allocations for an external IP address.

.. opcmd:: show nat cgnat allocation internal-address <address>

   Show all allocations for an internal IP address.
Show CGNAT allocations
----------------------

.. code-block:: none

  vyos@vyos:~$ show nat cgnat allocation
  Internal IP    External IP    Port range
  -------------  -------------  ------------
  100.64.0.0     203.0.113.1    1024-17023
  100.64.0.1     203.0.113.1    17024-33023
  100.64.0.2     203.0.113.1    33024-49023
  100.64.0.3     203.0.113.1    49024-65023
  100.64.0.4     192.0.2.1      1024-17023
  100.64.0.5     192.0.2.1      17024-33023
  100.64.0.6     192.0.2.1      33024-49023
  100.64.0.7     192.0.2.1      49024-65023

  vyos@vyos:~$ show nat cgnat allocation internal-address 100.64.0.4
  Internal IP    External IP    Port range
  -------------  -------------  ------------
  100.64.0.4     192.0.2.1      1024-17023
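
The allocation table above follows directly from the Port calculation steps and
the "External address sequences" example. The Python below is an added
example, not VyOS code; it assumes the paired, contiguous, sequence-ordered
assignment visible in the output above (the real allocator may differ in
detail) and raises when the internal pool exceeds what the external pool can
hold, which is the port-exhaustion case listed under Considerations.

```python
import ipaddress

# Constructed inputs mirroring the "External address sequences" example
# on this page: (range, seq) tuples, lower seq = higher priority.
EXTERNAL_POOL = [("203.0.113.1/32", 10), ("192.0.2.1/32", 20)]
INTERNAL_POOL = "100.64.0.0/29"
PORT_RANGE = (1024, 65535)      # the default external-port-range
PER_USER_PORTS = 16000          # per-user-limit port '16000'


def expand_external(pool):
    """Expand external ranges to single addresses, in seq order."""
    addrs = []
    for net, seq in sorted(pool, key=lambda entry: entry[1]):
        addrs.extend(str(ip) for ip in ipaddress.ip_network(net))
    return addrs


def subscribers_per_address(port_range, per_user):
    """Step 3 of the port calculation: usable ports // ports per subscriber."""
    lo, hi = port_range
    return (hi - lo + 1) // per_user


def allocate(external_pool, internal_net, port_range, per_user):
    """Paired allocation (RFC 6888 REQ 2, REQ 4): each internal IP gets one
    external address and one contiguous block of per_user ports on it; when
    an address is full, continue with the next one in sequence order."""
    lo, _ = port_range
    per_addr = subscribers_per_address(port_range, per_user)
    externals = expand_external(external_pool)
    internals = [str(ip) for ip in ipaddress.ip_network(internal_net)]
    capacity = per_addr * len(externals)
    if len(internals) > capacity:
        raise ValueError(f"pool exhausted: {len(internals)} subscribers, room for {capacity}")
    table = []
    for idx, internal in enumerate(internals):
        external = externals[idx // per_addr]
        start = lo + (idx % per_addr) * per_user
        table.append((internal, external, start, start + per_user - 1))
    return table


if __name__ == "__main__":
    print(f"{'Internal IP':<14} {'External IP':<14} Port range")
    for internal, external, start, end in allocate(
            EXTERNAL_POOL, INTERNAL_POOL, PORT_RANGE, PER_USER_PORTS):
        print(f"{internal:<14} {external:<14} {start}-{end}")
```

Running it prints the same eight rows as the ``show nat cgnat allocation``
output above; replacing the internal pool with a /28 exceeds the capacity of
two external addresses at 16000 ports each and raises instead.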
Further Reading
===============

- :rfc:`6598` - IANA-Reserved IPv4 Prefix for Shared Address Space
- :rfc:`6888` - Requirements for CGNAT