CGNAT with Auditing
IPv4 is expensive. Well-sized CGNAT saves tens of thousands per year — but if auditing fails, the ISP is liable under LGPD (Brazilian data protection law).
What CGNAT is
Carrier-Grade NAT shares a public IPv4 across dozens or hundreds of subscribers. Instead of buying a new /22 every expansion, the ISP reuses its existing pool by mapping TCP/UDP port ranges per subscriber.
Obvious savings: a /24 (256 IPs) can serve 16,000 subscribers at 16 ports each. Tight, but it demands rigorous logging to comply with court orders and LGPD.
What RASYS does with CGNAT
- Pool sizing — port-per-subscriber math based on real usage (P2P, gaming, IoT change everything). Over-provision and you waste IPv4; under-provision and customers complain about games lagging.
- Deterministic NAT — fixed IP/port-range mapping per subscriber. Cheap auditing: a static table answers any court request without hunting through historic logs.
- Syslog/IPFIX logging — NAT binding collection with timestamp, internal IP, external IP/port and destination. Retention configured per operator policy.
- ISP management integration — MK-Auth, IXC, SGP, Voalle: binding-to-CPF (Brazilian tax ID) association when generating forensic reports.
- Bypass for critical services — corporate VoIP, industrial IoT, dedicated gaming can stay outside CGNAT via prefix-list.
- IPv6 dual-stack migration — reducing CGNAT dependency as traffic shifts to native IPv6.
Equipment we work with
A10 Thunder CGN, Huawei NE8000/NE40 with service module, Juniper MX, MikroTik (small scale), Linux implementations with NetFilter.
When it makes sense to talk to us
You're running out of IPv4 and renting is absurd; you received a court order to identify a subscriber and couldn't do it from your current logs; you want to migrate from dynamic to deterministic CGNAT; you have recurring complaints about gaming/P2P/VoIP.
Talk to us. See also: IPv6, BGP, CGNAT in glossary.
FREQUENTLY ASKED QUESTIONS
What CGNAT pool size per subscriber is recommended?
General rule: 1 public IPv4 for 32-64 residential subscribers, with 512-1024 ports per subscriber. ISPs with heavy gaming/streaming profiles need a larger pool (1:16 ratio). Exact sizing comes from real peak NAT session counts, not the subscriber headcount.
Deterministic or dynamic CGNAT — which to choose?
Deterministic simplifies auditing (port-to-client is a calculation, not a lookup). Dynamic makes better use of the pool (overlapping peak hours). We recommend deterministic for Brazilian ISPs due to the logging requirement of Marco Civil — investigations become straightforward.
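As a worked illustration of the deterministic mapping described above (a fixed public IP and port block per subscriber, so that a court request is answered by calculation rather than by a log lookup), here is an added Python example; it is not RASYS code and not any vendor's algorithm. The block layout is an assumption: the first 1024 well-known ports are skipped, each subscriber gets 1024 ports, subscribers are numbered by their offset inside a 100.64.0.0/22 inside prefix, and 203.0.113.0/26 stands in for the public pool.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DetNatPlan:
    """Assumed deterministic CGNAT layout (illustrative, not a vendor scheme).

    Subscriber index = offset of the private address inside `inside`.
    Each public IP carries consecutive blocks of `ports_per_sub` ports,
    starting at `first_port`; block b of public IP i is subscriber
    i * subs_per_ip + b. Both directions are pure arithmetic.
    """
    inside: ipaddress.IPv4Network          # CGNAT inside prefix (RFC 6598 space)
    pool: ipaddress.IPv4Network            # public pool
    ports_per_sub: int = 1024              # ports reserved per subscriber
    first_port: int = 1024                 # skip well-known ports 0-1023

    @property
    def subs_per_ip(self) -> int:
        return (65536 - self.first_port) // self.ports_per_sub

    def capacity(self) -> int:
        """How many subscribers this pool can carry with this layout."""
        return self.pool.num_addresses * self.subs_per_ip

    def outside(self, private_ip):
        """Forward mapping: private IP -> (public IP, first port, last port)."""
        private_ip = ipaddress.IPv4Address(private_ip)
        if private_ip not in self.inside:
            raise ValueError(f"{private_ip} is not in {self.inside}")
        idx = int(private_ip) - int(self.inside.network_address)
        if idx >= self.capacity():
            raise ValueError("pool too small for this subscriber index")
        ip_off, block = divmod(idx, self.subs_per_ip)
        lo = self.first_port + block * self.ports_per_sub
        return self.pool.network_address + ip_off, lo, lo + self.ports_per_sub - 1

    def inside_for(self, public_ip, port: int):
        """Reverse mapping for an audit request: public IP + port -> private IP."""
        public_ip = ipaddress.IPv4Address(public_ip)
        if public_ip not in self.pool or not self.first_port <= port <= 65535:
            raise ValueError("not a CGNAT-assigned address/port")
        block = (port - self.first_port) // self.ports_per_sub
        if block >= self.subs_per_ip:
            raise ValueError("port lies in the unused tail of the port space")
        idx = (int(public_ip) - int(self.pool.network_address)) * self.subs_per_ip + block
        if idx >= self.inside.num_addresses:
            raise ValueError("block is not assigned to any subscriber")
        return self.inside.network_address + idx
```

The timestamp still matters: the calculation only identifies a subscriber if the plan in force at the time of the request (pool, prefix, block size) is itself kept under version control.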
How long does Brazilian law require retaining CGNAT logs?
Brazilian Marco Civil law (Federal Law 12.965/2014) requires 6 months of connection logs (public IP + port + private IP + timestamp + duration). Some sector regulations or specific court orders may require 1 year. We recommend keeping 12 months for legal safety.
Which applications does CGNAT break in practice?
Partially breaks: manual port forwarding from the client side (UPnP/NAT-PMP), some peer-to-peer games (Call of Duty, Pokemon Go), PPTP VPN, active FTP, home hosting. The workaround is native dual-stack IPv6 — Netflix, YouTube, and modern gaming already prefer IPv6 when available.