I utilize A10 CGNAT that allows dynamic NAT logging, since we're in a similar boat of utilization.
This email has been sent from my phone. Please excuse any brevity, typos, or lack of formality. ________________________________ From: Aaron Gould <aar...@gvtc.com> Sent: Tuesday, February 27, 2018 12:54 To: 'Michael Crapse'; 'Mike Hammett' Cc: 'NANOG list' Subject: RE: cgnat - how do you handle customer issues Thanks For #2 – what if the ports allocated aren’t enough for the amount of inet traffic the customer site uses ? …is the customer denied service based on insufficient port range ? …or are they assigned another block within that some ip’s range of I think it’s 0-64k or 1025-64k… but how far can you take that before there aren’t anymore port blocks left on that single ip ? …and if you have to allocate that customer another port block from a *different* ip, then we are in the situation of the bank website not liking the fact that the session is bouncing to a different ip maybe ? - Aaron From: Michael Crapse [mailto:mich...@wi-fiber.io] Sent: Tuesday, February 27, 2018 11:19 AM To: Mike Hammett Cc: Aaron Gould; NANOG list Subject: Re: cgnat - how do you handle customer issues For number 2, I'm a fan of what mike suggests. I believe the technical term is MAP-T. For number 1, anyone who wants one, gets one. We provide free public static IP to any customer who asks for one. Another solution, using above solution is to ask them which ports they need, and forward those to them using a port within their assign range. i.e. teach them how to access their home web server using a different port(say 32424, or similar). This won't solve all the issues, which is why we use solution 1. On 27 February 2018 at 09:32, Mike Hammett <na...@ics-il.net> wrote: I'm a fan of nailing each customer IP to a particular range of ports on a given public IP. Real easy to track who did what and to prevent shifting IPs. ----- Mike Hammett Intelligent Computing Solutions Midwest Internet Exchange The Brothers WISP ----- Original Message ----- From: "Aaron Gould" <aar...@gvtc.com> To: Nanog@nanog.org Sent: Tuesday, February 27, 2018 10:30:21 AM Subject: cgnat - how do you handle customer issues Couple questions please. When you put thousands of customers behind a cgnat boundary, how do you all handle customer complaints about the following. 1 - for external connectivity to the customers premise devices, not being able to access web servers, web cameras, etc, in their premises? 2 - from the premise natted device, when customers go to a university or bank web site, how do you handle randomly changing ip addresses/ports that may occur due to idle time and session tear-down in nat table such that the bank website has issues with seeing your session ip change? -Aaron
