It would be appreciated if you could help me continue to provide valuable network engineering content by supporting my non-profit solitary efforts. Your donation will help me conduct valuable experiments. Click here to donate now.
This article will mostly focus on the cons of deploying CGNAT and how it ultimately affects the end-user and what are some of the methods that we can use to improve it.
A quick recap on CGNAT, CGNAT is just a fancy name for NAT whereby an ISP will NAT or map multiple internal IPs (RFC 1918) to a single external public IP, i.e., enabling a single public IP to be shared among n number of internal IPs, where each internal IP is assigned to an end-user. Methods used can vary from ISP to ISP, some would just use single source NATs, some would use deterministic NAT etc.
Shortcomings
- Breaks P2P traffic
- Increases latency
- It leads to NAT-keep alive traffic (such as NAT punching, NAT traversal mechanisms etc) on end-users’ local network as well as on the CGNAT device itself
- Which in theory could affect battery life on end-user devices
- Increased link utilisation/CPU cycles on the CGNAT device
- Some end-user applications will simply refuse to work or fail miserably like Xbox Networking (P2P Gaming services), Torrent clients etc
- Lacks NAT traversal mechanisms/port forwarding (by default)
Now the IETF published RFC 7021 in 2013 which details how CGNAT affects networking performance and end-user experience, if you want technically backed data and testing methodologies please check that out.
Workarounds
There are two broad ways to workaround CGNAT cons
At ISP Level
- Make use of NAT traversal and very strict NAT rules like mentioned here
- I’ve included port forwarding solution in the above without the need for PCP
- Deploy Port Control Protocol [PCP (RFC 6887)]
- PCP would allow port forwarding to work for end-users behind a CGNAT and hence improve their experience and reduce the visibility of the shortcomings
- Needs a Server/Client model, so a client would need to run on end-users router/CPE
- Can use OpenWRT with minimalist-pcproxy to enable PCP client and PCP connectivity from end-users’ side for a cheap solution
- Many vendors like MikroTik (most widely used as a CGNAT device among Indian ISPs) do not support PCP
- Lack of awareness among ISPs and Network Engineers
- You can also have a web dashboard for PCP to permit users to assign their own ports
- Do the obvious and deploy IPv6
At End User Level
- Get a public IP from your ISP (best and most optimal solution)
- VPN based solution where you route all traffic over the tunnel including multicast traffic (UPnP)
- You could purchase from services like ZeroTier and tunnel your traffic over them
- Set up your own VPN/VPS on a Cloud instance with public IP and then run a VPN client on your home router/client device
Well written blog with so much detail. Thanks for the info man
No problem man.
Informative ..and these form of resources are important for the end users
Yes sir, agreed.
Thank you for the info
Thank you for such a great info. I had PCC configured and was a little different so I decided to try your config, Yesterday I migrate the config to your example. With a few changes like, remove NTH and apply PCC to all ports/protocols with src-address as PCC. If I left the configuration as your example I was having trouble with 3rd party IPTV services. Other than that, is working great.
IPTV would be ISP/Unicast specific/Multicast traffic and shouldn’t be subjected to the load balancing. Create seperate preceding rules for IPTV traffic and ensure it’s always “accepted” before hitting the PCC/Nth rules on the destination IP or port or both. Then you can still use Nth to achieve bandwidth aggregation for everything else.
If you’re an ISP you should be using LACP/Bonding.
I’m sorry, the comment was for the 2 WANs setup post but I pubished it in thr wrong one. Nevertheless, I’m a TIER3 for saying someway. So I can’t use LACP/Bonding because our WANs are from different TIER2 ISPs I don’t have an ASN yet. IPTV services reported are those that aren’t legal, but customers hire them, so I don’t have all the info from them like dst-address, ports etc, because everyone use a different setup or change the address every one in a while. I have been monitoring the balancing since August 5th and is working great, still waiting for a WAN to fail to confirm failover because with my previous config I was having an issue with all the marked connections reamining active until shutting down the interface.