cgnat - how do you handle customer issues

Lee Howard lee at asgard.org
Tue Feb 27 22:42:50 UTC 2018


On 02/27/2018 12:52 PM, Aaron Gould wrote:
> Thanks
>
>   
>
> For #2 – what if the ports allocated aren’t enough for the amount of inet traffic the customer site uses ?  …is the customer denied service based on insufficient port range ?  …or are they assigned another block within that some ip’s range of I think it’s 0-64k or 1025-64k… but how far can you take that before there aren’t anymore port blocks left on that single ip ?  …and if you have to allocate that customer another port block from a *different* ip, then we are in the situation of the bank website not liking the fact that the session is bouncing to a different ip maybe ?


Yes, common problem, and the session just fails (TCY SYN dropped) 
because of insufficient ports.
Most CGNs allow you to configure a range of ports for a customer, and 
reserve an additional range if they need more ports. Yes, if you 
allocate 1000 ports for one IPv4 address to each of 50 customers and 
they all need hundreds more ports than that, you're going to run out of 
ports and connections fail.

This is why you have IPv6. Even while many web sites and apps don't 
support IPv4, enough do that it relieves some pressure on your CGN.

Lee
>   
>
> - Aaron
>
>   
>
> From: Michael Crapse [mailto:michael at wi-fiber.io]
> Sent: Tuesday, February 27, 2018 11:19 AM
> To: Mike Hammett
> Cc: Aaron Gould; NANOG list
> Subject: Re: cgnat - how do you handle customer issues
>
>   
>
> For number 2, I'm a fan of what mike suggests. I believe the technical term is MAP-T.
> For number 1, anyone who wants one, gets one. We provide free public static IP to any customer who asks for one. Another solution, using above solution is to ask them which ports they need, and forward those to them using a port within their assign range. i.e. teach them how to access their home web server using a different port(say 32424, or similar). This won't solve all the issues, which is why we use solution 1.
>
>   
>
> On 27 February 2018 at 09:32, Mike Hammett <nanog at ics-il.net> wrote:
>
> I'm a fan of nailing each customer IP to a particular range of ports on a given public IP. Real easy to track who did what and to prevent shifting IPs.
>
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
>
> Midwest Internet Exchange
>
> The Brothers WISP
>
> ----- Original Message -----
>
> From: "Aaron Gould" <aaron1 at gvtc.com>
> To: Nanog at nanog.org
> Sent: Tuesday, February 27, 2018 10:30:21 AM
> Subject: cgnat - how do you handle customer issues
>
>
> Couple questions please. When you put thousands of customers behind a cgnat
> boundary, how do you all handle customer complaints about the following.
>
>
>
> 1 - for external connectivity to the customers premise devices, not being
> able to access web servers, web cameras, etc, in their premises?
>
>
>
> 2 - from the premise natted device, when customers go to a university or
> bank web site, how do you handle randomly changing ip addresses/ports that
> may occur due to idle time and session tear-down in nat table such that the
> bank website has issues with seeing your session ip change?
>
>
>
>
>
> -Aaron
>
>
>
>   
>
>




More information about the NANOG mailing list