CGNAT Solutions

Aaron Gould aaron1 at gvtc.com
Wed Apr 29 15:48:17 UTC 2020


In testing, I observed that opening a website, for instance cnn.com, can cause >200 ports/sessions to fire off.  Although many are short-lived sessions, they are port requests nonetheless.

Overall, I use about 1,500 public IPs for 50,000 private-IP customers.

I allow 3,000 ports per customer: 30 blocks of 100 each.

We started our port blocks at a nice round number, so that each PBA dynamic assignment results in a nice 100-199, the next 200-299, and so on.  That is good for parsing and grepping logs when doing subpoena info look-ups, etc.

I see most customers hover well below 1,000 ports/sessions active, while what appear to be misbehaving hosts (malware, infected, bots, etc.; unsure) hit the 3,000 max and trigger a ports-exceeded error message.  I see the 3k port limit as putting a cap on free-running suspicious hosts.  We can then investigate and contact the customer about the concern.

-Aaron


-----Original Message-----
From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Robert Blayzor
Sent: Wednesday, April 29, 2020 9:14 AM
To: nanog at nanog.org
Subject: Re: CGNAT Solutions

On 4/28/20 11:01 PM, Brandon Martin wrote:
> Depending on how many IPs you need to reclaim and what your target
> IP:subscriber ratio is, you may be able to eliminate the need for a lot
> of logging by assigning a range of TCP/UDP ports to a single inside IP
> so that the TCP/UDP port number implies a specific subscriber.
> 
> You can't get rid of all the state tracking without also having the CPE
> know which ports to use (in which case you might as well use LW4o6 or
> MAP), but at least you can get it down to where you really only need to
> log (or block and dole out public IPs as needed) port-less protocols.


I'm wondering if there are any real world examples of this, namely in
the realm of subscriber to IP and range of ports required, etc.  i.e.: Is
a range of 1000 ports enough for one residential subscriber? How
about SMB where no global IP is required?

One would think 1000 ports would be enough, but if you have a dozen
devices at home all browsing and doing various things, and with IoT,
etc., maybe not?


-- 
inoc.net!rblayzor
XMPP: rblayzor.AT.inoc.net
PGP:  https://pgp.inoc.net/rblayzor/
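The port-block scheme Aaron describes above (100-port blocks starting at a round number, a 30-block / 3,000-port cap per customer, and (public IP, port) to subscriber look-ups from logs) modelled as an added example. This is not code from the original thread or from any CGNAT vendor; the public and private addresses, the class and method names, and the choice of 65500-65599 as the last full block on each public IP are constructed assumptions.

```python
from collections import defaultdict

BLOCK_SIZE = 100          # each PBA block is 100 consecutive ports (100-199, 200-299, ...)
MAX_BLOCKS = 30           # 30 blocks = 3,000 ports per customer, the cap from the post
FIRST_BLOCK = 100         # blocks start at a round number so ranges are easy to grep
LAST_BLOCK = 65500        # assumption: last full block on a public IP is 65500-65599


class PortBlockAllocator:
    """Deterministic port-block allocation with a per-subscriber cap (constructed model)."""

    def __init__(self, public_ips):
        # Free blocks per public IP, ordered so pop() hands out 100, then 200, ...
        self.free = {ip: list(range(LAST_BLOCK, FIRST_BLOCK - 1, -BLOCK_SIZE))
                     for ip in public_ips}
        self.owner = {}                      # (public_ip, block_start) -> private_ip
        self.blocks = defaultdict(list)      # private_ip -> [(public_ip, block_start), ...]
        self.exceeded = defaultdict(int)     # private_ip -> count of ports-exceeded events

    def allocate(self, private_ip):
        """Hand out the next free block, or None once the 3,000-port cap is reached."""
        if len(self.blocks[private_ip]) >= MAX_BLOCKS:
            self.exceeded[private_ip] += 1   # the event worth logging and following up on
            return None
        # Prefer the public IP(s) this subscriber already holds blocks on.
        preferred = [b[0] for b in self.blocks[private_ip]]
        for ip in preferred + list(self.free):
            if self.free.get(ip):
                start = self.free[ip].pop()
                self.owner[(ip, start)] = private_ip
                self.blocks[private_ip].append((ip, start))
                return ip, start
        return None                          # public pool exhausted

    def lookup(self, public_ip, port):
        """Reverse lookup for a (public IP, port) pair quoted in an abuse report or subpoena."""
        start = port - port % BLOCK_SIZE      # 345 -> block 300-399
        return self.owner.get((public_ip, start))

    def suspicious(self, min_events=1):
        """Private IPs that have hit the cap at least min_events times."""
        return sorted(ip for ip, n in self.exceeded.items() if n >= min_events)


if __name__ == "__main__":
    cgn = PortBlockAllocator(["203.0.113.10"])          # constructed sample pool
    print(cgn.allocate("10.0.0.1"))                      # ('203.0.113.10', 100)
    print(cgn.lookup("203.0.113.10", 150))               # 10.0.0.1
```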