CGNAT with Auditing
IPv4 is expensive. Well-sized CGNAT saves tens of thousands per year, but only if every external IP/port can be traced back to a subscriber: an ISP that cannot answer a court order from its NAT records faces liability under Brazilian law (the LGPD and the connection-record retention duty in the Marco Civil da Internet).
What CGNAT is
Carrier-Grade NAT shares a public IPv4 across dozens or hundreds of subscribers. Instead of buying a new /22 every expansion, the ISP reuses its existing pool by mapping TCP/UDP port ranges per subscriber.
Obvious savings: a /24 (256 addresses) can serve about 16,000 subscribers at roughly 1,000 ports each (64 subscribers per public address, 64,512 usable ports above 1023). Tight, but workable for residential traffic, and it demands rigorous logging to comply with court orders and the LGPD.
What RASYS does with CGNAT
- Pool sizing — port-per-subscriber math based on real usage (P2P, gaming, IoT change everything). Over-provision and you waste IPv4; under-provision and customers complain about games lagging.
- Deterministic NAT — fixed IP/port-range mapping per subscriber (RFC 7422 style). Cheap auditing: the mapping is arithmetic, so an external IP and port identify the subscriber's internal address without hunting through per-flow logs. The one record you still need is the PPPoE/DHCP session log that says which subscriber held that internal address at the time in question.
- Syslog/IPFIX logging — NAT binding collection with timestamp, internal IP, external IP/port and destination. Retention configured per operator policy, never below the one-year minimum the Marco Civil da Internet sets for connection records.
- ISP management integration — MK-Auth, IXC, SGP, Voalle: binding-to-CPF (Brazilian tax ID) association when generating forensic reports.
- Bypass for critical services — corporate VoIP, industrial IoT, dedicated gaming can stay outside CGNAT via prefix-list.
- IPv6 dual-stack migration — reducing CGNAT dependency as traffic shifts to native IPv6.
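The pool-sizing math and the deterministic mapping above, as an added worked example (not RASYS code, and not tied to any of the vendor boxes listed below). It assumes a contiguous port block per subscriber starting at port 1024, an RFC 6598 internal range, and a documentation prefix as the public pool; the session table is constructed. It also shows the reverse lookup a court order needs, including the caveat that the subscriber identity still comes from the session log, not from the NAT mapping alone.

```python
"""Deterministic CGNAT (RFC 7422 style): pool sizing, subscriber -> external
IP/port block, and the reverse lookup behind a forensic request.
Added example; all addresses, pools and session records are constructed."""
import ipaddress
import math
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class DeterministicPool:
    internal_net: ipaddress.IPv4Network  # RFC 6598 space handed to subscribers
    external_net: ipaddress.IPv4Network  # public pool owned by the ISP
    ports_per_sub: int                   # contiguous ports reserved per subscriber
    first_port: int = 1024               # 0-1023 left unused, a common CGN choice

    @property
    def subs_per_ip(self) -> int:
        return (65536 - self.first_port) // self.ports_per_sub

    def __post_init__(self) -> None:
        capacity = self.external_net.num_addresses * self.subs_per_ip
        if capacity < self.internal_net.num_addresses:
            raise ValueError(f"pool too small: {capacity} slots for "
                             f"{self.internal_net.num_addresses} internal addresses")

    def map_subscriber(self, internal_ip: str):
        """Forward mapping: internal address -> (external IP, low port, high port)."""
        ip = ipaddress.IPv4Address(internal_ip)
        if ip not in self.internal_net:
            raise ValueError(f"{ip} is outside {self.internal_net}")
        idx = int(ip) - int(self.internal_net.network_address)
        ext = self.external_net[idx // self.subs_per_ip]
        lo = self.first_port + (idx % self.subs_per_ip) * self.ports_per_sub
        return str(ext), lo, lo + self.ports_per_sub - 1

    def reverse_lookup(self, external_ip: str, external_port: int):
        """External IP/port -> internal address, or None if nothing maps there."""
        ext = ipaddress.IPv4Address(external_ip)
        if ext not in self.external_net or external_port < self.first_port:
            return None
        block = (external_port - self.first_port) // self.ports_per_sub
        if block >= self.subs_per_ip:
            return None  # leftover ports at the top of the range belong to nobody
        idx = (int(ext) - int(self.external_net.network_address)) * self.subs_per_ip + block
        if idx >= self.internal_net.num_addresses:
            return None  # slot exists in port space but no internal address is assigned to it
        return str(self.internal_net[idx])


def public_ips_needed(subscribers: int, ports_per_sub: int, first_port: int = 1024) -> int:
    """Pool sizing: how many public IPv4 addresses a subscriber count requires."""
    return math.ceil(subscribers / ((65536 - first_port) // ports_per_sub))


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed PPPoE/DHCP session records: (customer id, internal IP, start, end/None).
SESSIONS = [
    ("CUST-0001", "100.64.0.5", "2024-03-10T00:00:00Z", "2024-03-10T12:00:00Z"),
    ("CUST-0002", "100.64.0.5", "2024-03-10T12:00:00Z", None),  # still online
]


def identify(pool: DeterministicPool, sessions, external_ip: str, external_port: int, when: str):
    """Answer a court request: the NAT mapping gives the internal address, the
    session log gives who held that address at the requested instant."""
    internal = pool.reverse_lookup(external_ip, external_port)
    if internal is None:
        return None
    t = _ts(when)
    for customer, ip, start, end in sessions:
        if ip == internal and _ts(start) <= t and (end is None or t < _ts(end)):
            return customer
    return None


POOL = DeterministicPool(ipaddress.ip_network("100.64.0.0/22"),
                         ipaddress.ip_network("203.0.113.16/28"), ports_per_sub=1000)

if __name__ == "__main__":
    print("public IPs for 16,000 subs at 1,000 ports:", public_ips_needed(16000, 1000))
    print("100.64.0.200 ->", POOL.map_subscriber("100.64.0.200"))
    print("203.0.113.16:6500 at 2024-03-10T15:00Z ->",
          identify(POOL, SESSIONS, "203.0.113.16", 6500, "2024-03-10T15:00:00Z"))
```

Note what the reverse path does not need: no destination address and no per-flow log, because the port block is fixed. What it cannot do without is the session record, and the same session record is what makes the management-system (CPF) association below possible.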
Equipment we work with
A10 Thunder CGN, Huawei NE8000/NE40 with service module, Juniper MX, Mikrotik (small scale), Linux implementations with NetFilter.
When it makes sense to talk to us
You're running out of IPv4 and renting addresses is absurd; you've received a court order to identify a subscriber and couldn't do it from your current logs; you want to migrate from dynamic to deterministic CGNAT; or you have recurring complaints about gaming, P2P or VoIP behind NAT.
Talk to us. See also: IPv6, BGP, CGNAT in glossary.