CGNAT for ISPs in Compliance with Marco Civil
Misconfigured CGNAT means fines when responding to court orders and asymmetric traffic that drops PPPoE sessions. We do it right from the start — pool, logs and port policy included.
What Marco Civil requires from ISPs
Brazil's Internet Civil Rights Framework (Law 12.965/2014) requires ISPs to keep connection logs for 12 months. For those using CGNAT, a public IP log is not enough: you must record the subscriber's private IP, the allocated source port, the destination port and a precise timestamp for each connection — or at least the port block (PBA) allocated per subscriber for each time interval.
Responding to a court order without this data results in fines and the risk of co-liability for any act committed by the subscriber in that period. The most common failure we see is ISPs that have CGNAT running but never collected logs from the start.
Why CGNAT is still necessary in 2025
Public IPv4 is exhausted at LACNIC. New ISPs cannot obtain enough blocks to assign a public IP to each subscriber without prohibitive cost. CGNAT is the market standard for scaling IPv4 while IPv6 dual-stack is not yet 100% deployed. We implement both in parallel — CGNAT for IPv4 now and native IPv6 for subscribers already reachable.
Pool sizing and sharing ratio
We work with 1:64 when IPv6 dual-stack is active: part of the traffic goes over native IPv6 and what remains fits comfortably in 64 subscribers per public IP. Without dual-stack, we drop to 1:32. Incorrect sizing causes port exhaustion (refused connections, games that won't connect, VoIP drops) and subscriber complaints.
- Traffic profile analysis per segment (residential, business, schools)
- Minimum and ideal pool calculation for your current base and growth projection
- Fallback policy for subscribers with above-average demand
- Periodic review as the subscriber base grows
Port Block Allocation (PBA) and log collection
PBA assigns a fixed port block per subscriber for each time interval. This drastically simplifies log volume: instead of recording each TCP/UDP session, you record public IP + port range + subscriber + block start/end. This reduces storage by 99% without losing identification capability. We apply PBA where the equipment supports it natively — Cisco ASR is the typical scenario. On MikroTik and A10 we use CGNAT with static allocation (each subscriber gets a fixed port range within a public IP), which meets Marco Civil with the same compact log volume.
- PBA configuration on Cisco ASR; static CGNAT on MikroTik and A10 (meets the same legal requirement with a simpler log pipeline)
- Log collection pipeline (centralized syslog + parsing + structured storage)
- 12-month retention with compression and search by IP+port+timestamp
- Daily validation that logs are arriving and properly indexed
Subscriber identification: from public IP to individual
A court order arrives with a public IP, port and timestamp. You need to respond with the subscriber's name and tax ID. The chain is: public IP + port → active PBA at that moment → subscriber's private IP → active PPPoE/DHCP session → ERP record.
- Mapping of the complete identification flow in your environment
- Integration of CGNAT logs with RADIUS and ERP (MK-Auth, IXC, SGP, Voalle)
- Documented procedure for responding to a court order in under 1 hour
- Periodic testing of the identification flow to ensure it works when needed
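As an added example (not the page's or any vendor's code), this walks the PBA record shape described in the PBA section and the court-order lookup chain above over constructed PBA and RADIUS accounting records; the log formats, addresses and usernames are hypothetical. It also handles the two failure modes a responder must recognise: no block covering the query, and a private IP whose PPPoE session cannot be matched.

```python
from collections import namedtuple
from datetime import datetime

# Constructed PBA allocation log (not a vendor format): one record per port block,
# per subscriber, per interval. Fields: start end public_ip first-last_port private_ip
PBA_LOG = """\
2025-03-10T14:00:00Z 2025-03-10T14:30:00Z 203.0.113.10 1024-1535 100.64.3.27
2025-03-10T14:00:00Z 2025-03-10T14:30:00Z 203.0.113.10 1536-2047 100.64.3.28
2025-03-10T14:30:00Z 2025-03-10T15:00:00Z 203.0.113.10 1024-1535 100.64.3.41
"""
# Constructed RADIUS accounting extract: session_start session_stop framed_ip username.
# 100.64.3.41 is reused by a second PPPoE session, so the timestamp matters at this step too.
RADIUS_LOG = """\
2025-03-10T09:12:05Z 2025-03-10T18:40:11Z 100.64.3.27 joao.silva@isp
2025-03-10T13:58:30Z 2025-03-10T14:29:59Z 100.64.3.41 maria.souza@isp
2025-03-10T14:30:00Z 2025-03-10T22:05:44Z 100.64.3.41 carlos.lima@isp
"""
Block = namedtuple("Block", "start end public_ip first_port last_port private_ip")
Session = namedtuple("Session", "start stop framed_ip username")

def _ts(s):
    """Parse an ISO-8601 UTC timestamp; keep every log source in one timezone."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_pba(text):
    blocks = []
    for line in text.splitlines():
        start, end, pub, ports, priv = line.split()
        lo, hi = (int(p) for p in ports.split("-"))
        blocks.append(Block(_ts(start), _ts(end), pub, lo, hi, priv))
    return blocks

def parse_radius(text):
    return [Session(_ts(a), _ts(b), ip, u)
            for a, b, ip, u in (line.split() for line in text.splitlines())]

def resolve(public_ip, port, when, blocks, sessions):
    """Chain: public IP + port -> PBA block -> private IP -> PPPoE session. Intervals are
    half-open [start, end). Returns None if no block covers the query, (private_ip, None)
    if the NAT side resolves but no session matches (a gap to report); raises on overlap."""
    hits = [b for b in blocks if b.public_ip == public_ip
            and b.first_port <= port <= b.last_port and b.start <= when < b.end]
    if not hits:
        return None
    if len(hits) > 1:
        raise ValueError("overlapping PBA records for %s:%d" % (public_ip, port))
    priv = hits[0].private_ip
    user = next((s.username for s in sessions
                 if s.framed_ip == priv and s.start <= when < s.stop), None)
    return priv, user
```

A query that lands exactly on a block boundary is assigned to the later block by the half-open rule; since court orders carry second-precision timestamps, the response should state which convention the pipeline uses.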
CGNAT troubleshooting in production
Misconfigured CGNAT shows up as subscriber complaints ("can't join the game", "VoIP drops", "banking site won't load") with no obvious cause. The real problem is port exhaustion, protocols blocked by aggressive ALG or too-short timeouts for established TCP.
- Per-subscriber port exhaustion diagnosis and pool adjustment
- Application Layer Gateway (ALG) review for SIP, FTP, H.323 and PPTP
- Per-protocol timeout adjustment (TCP established: 7200 s, UDP: 300 s, ICMP: 60 s)
- Port usage monitoring per public IP with alert before saturation
Equipment migration without losing historical logs
Migrating from one CGNAT device to another is risky if historical logs stay trapped in the old system. We plan the migration so that logs from the previous period are exported and integrated into the new pipeline before cutover.
- Inventory of existing logs and integrity verification
- Export and format conversion if required
- New equipment configuration with the same pools and port blocks
- Post-migration validation: historical subscriber identification test
How we work and how to get started
We work on a monthly plan — no one-off projects and no hourly-rate diagnostics. The first conversation is at no cost: we call, you share an AnyDesk session and show us the live environment while we share observations. If it makes sense for both sides, we close the monthly plan and go from there.
Talk to us — initial conversation, no commitment. See also: IPv6 for ISPs, PPPoE, RADIUS and B-RAS/BNG.
FREQUENTLY ASKED QUESTIONS
How does the work start with you?
The first conversation is at no cost. You reach out, we call, you open an AnyDesk session and show us the live environment. We share observations on the CGNAT configuration, the log pipeline and what is missing for compliance. If it makes sense for both sides, we close the monthly plan and start the following week.
Do you charge a setup or onboarding fee?
No. The monthly plan covers everything: initial configuration, adjustments, monitoring, ongoing support and court-order response.
I have CGNAT running but never collected logs. What now?
Unfortunately, past logs no longer exist if they were never collected. What we do is activate correct collection now — with PBA, centralized syslog and 12-month storage — so you are covered going forward. For prior periods without logs, the standard legal guidance is to explicitly declare their absence when responding to the court order.
How much does CGNAT log storage cost?
With properly configured PBA, log volume drops dramatically compared to per-session logging. For a base of 5,000 PPPoE subscribers with 512-port blocks and 30-minute intervals, daily volume is around 1–3 GB uncompressed — under 50 GB/month compressed. Cheap local disk storage handles it without cloud.
How long does it take to reach compliance?
PBA log collection active: 1 to 3 business days after closing the plan, depending on the border equipment. Full compliance with indexed logs and working search: typically up to 2 weeks for the pipeline to be stable.