For better knowledge about CGNAT, first precisely understand the reason for using it… Going back a little in the history of the Internet, when the IP protocol (Internet Protocol) was created, about 4 billion IPv4 were made available for distribution, at that time it was seen as a satisfactory value in relation to the need for use.

These prefixes were used for ‘NAT’ prefixes of internal networks, RFC1918, which did not have access to the Internet. NAT basically translates the private prefix to public. With this, we manage to make several clients able to browse through a single public IP and this on a small scale, with a few private IPs being replaced by a public one, does not bring us problems, but on a large scale it can cause connection problems or lack thereof. As the need for prefix distribution increased, the exhaustion of IPv4 prefixes came closer and closer to the limit.

With time and the growth of the internet, a second addressing protocol was created, called IPv6, in order to bypass the exhaustion of IPv4, nothing better than billions and billions of IP’s available to use. However, along with the creation of IPv6, the complexity of implementation arose, as it required the exchange of equipment that supported the protocol and adaptation to the protocol.

With that, the migration of the internet to the new IP protocol until the present day is not 100%, with that the need arose to create a provisional measure to overcome the depletion, without requiring changes in the Internet itself, but directly in networks providers… With that the CGNAT protocol ‘Carrier Grade Network Address Translation’ was created to assist in this adaptation.

But what is CGNAT? Before going deeper, we need to better understand how it works, how does it help with address depletion? CGNAT consists of using the UDP and TCP ports of public IP addresses, dividing them between private IP blocks to establish connections with destinations on the Internet, which would be a large-scale NAT.

There are basically two types of CGNAT, Deterministic and Bulk Port Allocation. In Deterministic, as in the previous example, we allocate a fixed amount of TCP/UDP ports per public IPv4, that is, if we make a with output using a public /27 and prefixing 8192 ports for each subscriber, we will have an immutable service limit of about 256 subscribers, we can see in the image below an example of a deterministic CGNAT table.

For this type of CGNAT, there is no minimum number of ports for each connection, and it can be implemented with up to 256 fixed ports per connection, but the smaller the number of ports, the more problems we will have with inaccessible destinations and lack of navigation. To avoid these problems, below is a table containing the required amount of public blocks in relation to private blocks with the number of ports.

Deterministic CGNAT with 1 public to 16 private, with 4 thousand ports per connection.

Deterministic CGNAT with 1 public to 32 private, with 2000 ports per connection.

For this model, we have a page created by the made4it team that generates a script for mikrotik, accessible through the link and an explanatory article on how to configure it that can be accessed by clicking here

In the Bulk Port Allocation model, the TCP/UDP ports are allocated according to the subscriber’s needs in blocks of defined size ports, the block being 256 ports and a subscriber using only one block we will save resources and with that we will be able to place many more subscribers with a public /27. The big disadvantage of this model is that we depend on generating logs of port usage and storing this information for future reference. The big disadvantage of this model is that we depend on generating logs of port usage and storing this information for future reference.

With the emergence of CGNAT, some devices that already support the creation of CGNAT, such as the Mikrotik, which is a device that was not created specifically for this purpose, but its CGNAT part works perfectly, if properly configured. We also have some other CGNAT solutions such as A10, DANOS (Linux), Iptables (Linux), Cisco, Huawei, Juniper, NFWare, 6Wind, among others…

Until the process of adapting the Internet to IPv6 is 100% complete, we will have to use CGNAT to overcome the scarcity of IPv4. If you need any assistance to implement the protocol, regardless of the model or equipment, the made4it team can help with the implementation, get in touch via email or by phone (43) 3047-8340 or (43) 9 8485-4013

Autor. Kevin Wauters.