CGNAT Opensource with support to BPA, EIM/EIF, UPnP-PCP

We are looking for an open-source based CGNAT solution.

Yep, I know that basic CGNAT can be done with iptables / nftables, or PF / IPFILTER / IPFW.

But I only know open-source CGNAT recipes with a predefined public-ports <-> private IPs mapping.

This brings two types of issues:
A - The need to overprovision the number of private IPs (considering multiple BNGs behind the CGN).
B - The inability of those basic recipes to deal with incoming auxiliary connections of p2p protocols (mostly used by games).

The market solutions that I’ve dealt with solve those issues beautifully:
a - Bulk Port Allocation (BPA) avoids the need to overprovision private addresses that are not being used, and gives us an excellent ratio of public IPv4 addresses to private IP addresses.
b - Support for a framework of protocols (e.g. UPnP, PCP, EIM/EIF, NAT-PMP, etc.) ensures an acceptable quality of experience for end-users.

But the market solutions also bring some downsides:

  • The cost, evidently.
  • The need to detour traffic that doesn’t need CGNAT (internal CDNs, internal servers, etc.) around the boxes, to stay within their license limits, sometimes brings some issues.

So, some friends and I have (for a long time) been looking for an open-source solution that can give us something near what the market solutions give.

Do any of you guys have some suggestions for that?

P.S.: Yes, I know that IPv6 is the only real solution for that, but until then our customers still want to access a lot of p2p content (mostly audio in game rooms, SIP calls, and things like that).

P.S.2: Yes, I also know that 464 could be a good possibility, but it is not possible in this scenario.
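As an added illustration (not part of the original post, and not any vendor's or project's code), here is a toy Python CGNAT mapping table that shows how the features asked for above fit together: Bulk Port Allocation (a subscriber gets whole port blocks on demand, one log record per block instead of one per flow), Endpoint-Independent Mapping (the same internal endpoint keeps the same external port whatever the destination, which is what lets p2p peers rendezvous) and Endpoint-Independent Filtering (inbound packets to a mapped port are accepted from any source). The block size, the public address and the private addresses are assumed values.

```python
from collections import defaultdict

BLOCK_SIZE = 64                       # ports per bulk block (assumed value)
FIRST_PORT, LAST_PORT = 1024, 65535   # external port pool on the public IP


class Cgnat:
    """Toy CGNAT table for a single public IPv4 address (constructed example)."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        # BPA: the pool is handed out in blocks, not single ports
        self.free_blocks = list(range(FIRST_PORT, LAST_PORT + 1, BLOCK_SIZE))
        self.sub_blocks = defaultdict(list)   # private_ip -> [block start ports]
        self.out = {}                         # (priv_ip, priv_port) -> pub_port
        self.inb = {}                         # pub_port -> (priv_ip, priv_port)
        self.log = []                         # one traceability record per block

    def _free_port_in_blocks(self, priv_ip):
        """Reuse a port from a block this subscriber already owns, if any."""
        for start in self.sub_blocks[priv_ip]:
            for port in range(start, start + BLOCK_SIZE):
                if port not in self.inb:
                    return port
        return None

    def outbound(self, priv_ip, priv_port, dst):
        """Translate an outbound flow. dst is not part of the key (EIM)."""
        key = (priv_ip, priv_port)
        if key in self.out:                        # EIM: same internal endpoint,
            return self.public_ip, self.out[key]   # same external port, any dst
        port = self._free_port_in_blocks(priv_ip)
        if port is None:                           # BPA: allocate a whole block
            if not self.free_blocks:
                raise RuntimeError("public IP exhausted")
            start = self.free_blocks.pop(0)
            self.sub_blocks[priv_ip].append(start)
            self.log.append(f"{priv_ip} -> {self.public_ip}:"
                            f"{start}-{start + BLOCK_SIZE - 1}")
            port = start
        self.out[key] = port
        self.inb[port] = key
        return self.public_ip, port

    def inbound(self, pub_port, src):
        """EIF: deliver to the mapped internal endpoint whatever src is.
        Returns None (drop) when no mapping exists for pub_port."""
        return self.inb.get(pub_port)
```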

Hi Douglas,

There was, a long time ago, something developed by ISC, but I think it was never completed and is not updated …

464XLAT is always a solution and becomes much cheaper than CGN from vendors, even if you need to replace the CPEs. I’m doing that now with 25.000.000 subscribers … (slowed down by Covid-19).

DANOS 2005 seems to support a lot of your requirements.

So if you have an x86 box with supported NICs you should be able to get some decent performance from it.

The major gotcha in this release is, I think, that route-maps, prefix-lists and access-lists with BGP are broken.

As someone who has spent quite a long time building CGNAT solutions I have some good news for you: there is an easy solution to your point below that works exceptionally well. The solution is dual-stack IPv6; it’s trivial to route your IPv6 to bypass the CGNAT device you are using, and pretty much all of the major CDN providers are fully IPv6 enabled. In the real world this halves the amount of traffic your CGNAT solution has to process. Gaming companies (not Sony!!!) are also starting to support v6, so that can be a win too. I’m not one of those “v6 is the solution to everything” engineers, as I live in the real world, but in this case it absolutely is a good workable answer.

> Hi Douglas,
>
> There was, a long time ago, something developed by ISC, but I think it was never completed and is not updated …

ISC did a DS-Lite implementation called AFTR. This can be found at:

    Index of /isc/aftr

I have to agree… as “transition” tech goes, 464XLAT is the least intrusive solution, because as more of your customers acquire IPv6, the demands you put on your 464XLAT systems reduce naturally. It also means you don’t have to carry out yet another transition to get the full IPv6 experience. Mark.