Skip to content

Shortcomings of CGNAT and Potential Workarounds

If my work has helped you with your network setup, kindly consider donating to support my non-profit work. I rely heavily on sponsorships to keep these experiments and testing going. Thanks!

This article will mostly focus on the cons of deploying CGNAT and how it ultimately affects the end-user and what are some of the methods that we can use to improve it.

A quick recap on CGNAT, CGNAT is just a fancy name for NAT whereby an ISP will NAT or map multiple internal IPs (RFC 1918) to a single external public IP, i.e., enabling a single public IP to be shared among n number of internal IPs, where each internal IP is assigned to an end-user. Methods used can vary from ISP to ISP, some would just use single source NATs, some would use deterministic NAT etc.

Shortcomings

  1. Breaks P2P traffic
  2. Increases latency
  3. It leads to NAT-keep alive traffic (such as NAT punching, NAT traversal mechanisms etc) on end-users’ local network as well as on the CGNAT device itself
    1. Which in theory could affect battery life on end-user devices
    2. Increased link utilisation/CPU cycles on the CGNAT device
  4. Some end-user applications will simply refuse to work or fail miserably like Xbox Networking (P2P Gaming services), Torrent clients etc
  5. Lacks NAT traversal mechanisms/port forwarding (by default)

Now the IETF published RFC 7021 in 2013 which details how CGNAT affects networking performance and end-user experience, if you want technically backed data and testing methodologies please check that out.

Workarounds

There are two broad ways to workaround CGNAT cons

At ISP Level

  1. Make use of NAT traversal and very strict NAT rules like mentioned here
    • I’ve included port forwarding solution in the above without the need for PCP
  2. Deploy Port Control Protocol [PCP (RFC 6887)]
    • PCP would allow port forwarding to work for end-users behind a CGNAT and hence improve their experience and reduce the visibility of the shortcomings
    • Needs a Server/Client model, so a client would need to run on end-users router/CPE
      • Can use OpenWRT with minimalist-pcproxy to enable PCP client and PCP connectivity from end-users’ side for a cheap solution
    • Many vendors like MikroTik (most widely used as a CGNAT device among Indian ISPs) do not support PCP
    • Lack of awareness among ISPs and Network Engineers
    • You can also have a web dashboard for PCP to permit users to assign their own ports
  3. Do the obvious and deploy IPv6

At End User Level

  1. Get a public IP from your ISP (best and most optimal solution)
  2. VPN based solution where you route all traffic over the tunnel including multicast traffic (UPnP)
    • You could purchase from services like ZeroTier and tunnel your traffic over them
    • Set up your own VPN/VPS on a Cloud instance with public IP and then run a VPN client on your home router/client device
Published inNetworking

8 Comments

  1. Raajesh Raajesh

    Well written blog with so much detail. Thanks for the info man

  2. Rupam Rupam

    Informative ..and these form of resources are important for the end users

  3. Febrian Febrian

    Thank you for the info

  4. Jorge Jorge

    Thank you for such a great info. I had PCC configured and was a little different so I decided to try your config, Yesterday I migrate the config to your example. With a few changes like, remove NTH and apply PCC to all ports/protocols with src-address as PCC. If I left the configuration as your example I was having trouble with 3rd party IPTV services. Other than that, is working great.

    • IPTV would be ISP/Unicast specific/Multicast traffic and shouldn’t be subjected to the load balancing. Create seperate preceding rules for IPTV traffic and ensure it’s always “accepted” before hitting the PCC/Nth rules on the destination IP or port or both. Then you can still use Nth to achieve bandwidth aggregation for everything else.

      If you’re an ISP you should be using LACP/Bonding.

  5. Jorge Jorge

    I’m sorry, the comment was for the 2 WANs setup post but I pubished it in thr wrong one. Nevertheless, I’m a TIER3 for saying someway. So I can’t use LACP/Bonding because our WANs are from different TIER2 ISPs I don’t have an ASN yet. IPTV services reported are those that aren’t legal, but customers hire them, so I don’t have all the info from them like dst-address, ports etc, because everyone use a different setup or change the address every one in a while. I have been monitoring the balancing since August 5th and is working great, still waiting for a WAN to fail to confirm failover because with my previous config I was having an issue with all the marked connections reamining active until shutting down the interface.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.