The Complete Guide · Software BNG on Commodity x86
Carrier-Grade BNG & CGNAT — Without the Carrier Price Tag
MikroTik runs out of headroom at a few thousand subscribers. Cisco and Nokia scale beautifully — for six- and seven-figure chassis. BNGSOFT is the third way: a software BNG that runs CGNAT, per-subscriber QoS, edge security and low-latency in one XDP/eBPF data plane on the commodity x86 servers you already buy — at roughly $0.30 per subscriber. Size your build below, compare the vendors, and see why operators are switching.
There are only three ways to build a BNG today: a cheap router that won't scale, a carrier chassis that won't fit the budget, or software that does both. This guide is about the third one — and it ends with a calculator that sizes it for your network.
~64k subs / 2×100G node: ≈ NIC ÷ busy-hour rate (200G ÷ 3 Mbps); scales w/ NIC
2.5% data-plane CPU: monolithic XDP, down from 23% (measured)
~$0.30 per subscriber: commodity x86 hardware + software license
0 downtime upgrades: restart the software, traffic keeps flowing
1 · Everything the edge needs — in one data plane
BNGSOFT isn't a point product bolted onto a router. Subscriber termination, IPv4 conservation, security, latency and operations all run as facets of a single eBPF program in the NIC driver path, fed by a control plane that speaks to your existing RADIUS. One box, one image, no per-feature appliance.
BNG & AAA
PPPoE + IPoE on one box · RADIUS auth / accounting / CoA · dual-stack IPv4+IPv6 · DHCPv6-PD · dynamic VLAN / QinQ · storm-survival session handling.
Authorize once in software; enforce every packet in XDP. The control plane writes pinned maps; the data plane forwards, translates, protects and shapes at line rate. NOC2 runs the fleet.
Forwarded, translated, source-validated and shaped before the packet ever reaches the kernel network stack — that single-pass design is why one commodity server carries so many subscribers at so little CPU.
2 · The performance is real — and measured
These aren't datasheet maxima; they're figures from live production fleets and lab validation.
23%→2.5%: data-plane CPU after monolithic XDP (same box)
~800µs: queuing latency held flat at +44% congestion, 0 drops (L4S)
6M+: no-loss ECN marks in a 2-hour peak (L4S workhorse)
Why it's so light: the whole BNG runs as one eBPF program in the NIC driver path, so a packet is forwarded, NAT'd, source-validated and shaped before it ever hits the kernel stack. CPU stops being the bottleneck — which is exactly what lets one commodity server carry up to ~64k subscribers with everything on.
Figure (illustrative): conceptual shape of the effect proven in production (sojourn latency held ~flat at +44% congestion, zero drops). Without active queue management, latency climbs steeply as a line saturates; BNGSOFT's L4S/AQM and Interactive Flow Protection hold it low, which is exactly what a subscriber feels as "fast."
3 · Two modes — match the box to the job
FULL CGNAT XDP — WITH BNG SERVICE
The whole edge in one box.
Full BNG subscriber service (PPPoE/IPoE, RADIUS/CoA) plus carrier-grade port-block CGNAT, firewall and per-subscriber QoS — one data plane, no separate tier.
BPF-managed conntrack; deterministic logging for lawful intercept.
For an ISP terminating subscribers and conserving IPv4 on one server.
CGNAT-ONLY — NO BNG SERVICE
A drop-in CGNAT + firewall appliance.
Carrier-grade port-block CGNAT + stateful firewall at line rate — without subscriber / PPPoE termination.
Sits behind your existing BNG (yours, or MikroTik / Cisco / Nokia) as a pure NAT tier.
Highest NAT density per box — the cheapest way to add IPv4 conservation.
4 · Size your build — interactive calculator ESTIMATOR
Enter your subscriber count, a busy-hour per-subscriber rate, and the mode. The calculator sizes a node fleet against both ceilings — traffic (NIC + PCIe) and subscribers (CPU + RAM) — and gives an indicative hardware bill.
BNGSOFT node sizer
Indicative engineering estimate — validate against your traffic. Hardware only; software license separate.
How it sizes: a node carries roughly NIC throughput ÷ busy-hour Mbps per subscriber (given adequate cores/RAM for session state) — so capacity tracks the card, not the CPU. The XDP data plane runs at a few % CPU, so on a 2×100G node ≈ 200 Gbps ÷ 3 Mbps ≈ ~64k subscribers; E810 (100G) ≈ ~33k; XL710 (50G) ≈ ~16k; X710 (20G) ≈ ~6–7k. A per-tier subscriber-state cap (CPU/RAM) only binds at very low per-user rates. Beyond one node it scales out linearly; add a standby (N+1) for resilience. Costs are approximate commodity-server hardware (June 2026), excluding the BNGSOFT software license, optics and operational costs — validate per deployment.
Three networks, three builds — find yours
WISP / SMALL ISP
~2,000 subscribers
1 × 1U server
Intel X710 (2×10G) · 8-core · 32 GB
Full BNG + QoS · ~$2.5k
Subscriber termination, low-latency QoS & anti-spoof on one low-cost box.
REGIONAL FTTH
~20,000 subscribers
1 × 1U server (+1 standby)
Intel E810 (2×100G) · 16-core · 64 GB
Full CGNAT XDP · ~$0.25/sub
~60 Gbps — IPv4 conservation + security + QoS on a single node, N+1.
GROWING ISP
~100,000 subscribers
~2 servers (+1 standby)
2U dual-100G · 2× 16-core · 128 GB
Full CGNAT XDP · ~$0.18/sub
Carrier-scale edge — scale-out, no chassis, no lock-in.
Find your number above with the calculator — these three are just common starting points. The same software runs all of them; you only add nodes.
5 · The silicon — NIC, CPU & memory
Because BNGSOFT runs on standard servers, you choose the components — and the NIC is the single biggest lever. The data plane runs at a few percent CPU, so the limits are the NIC line rate, the PCIe bus, and memory for the session tables. Here's the menu, from cheap edge cards to 400G aggregation.
| Adapter | Speed | PCIe | Driver | Where it fits |
| --- | --- | --- | --- | --- |
| Intel X710 | 2 × 10G | Gen3 ×8 | i40e | Cheapest edge / small-PoP node (~4 W). |
| Intel XL710 | 2 × 40G | Gen3 ×8 | i40e | Value mid-node, great for 20–40G; PCIe Gen3 ×8 caps it ~50G. |
| Intel E810 | 2 × 100G | Gen4 ×16 | ice | Mainstream 100G: many queues + ADQ latency isolation. |
| Intel E830 / E835 (new) | up to 200G | Gen5 ×16 | ice | Newest (2026): 200G on PCIe 5.0, best perf/watt, RDMA + PTP timing. |
XL710 vs E810: when to pick which. XL710 (2×40G) is the cost-optimal choice for a node serving a few thousand subscribers at <~50G: cheap, rock-solid i40e, but its PCIe Gen3 ×8 bus caps real throughput near ~50G, so it can't deliver a full 2×40G. E810 (2×100G) is the default for new high-density nodes: PCIe Gen4 ×16 carries the full 200G of ports, with far more queues and ADQ for latency isolation. Going bigger? E830/E835 put 200G on PCIe 5.0, and ConnectX-7 reaches 400G, both for aggregation tiers and the leanest CPU via hardware offload.
CPU — Intel or AMD
Mid-range is plenty; pick for lanes & bandwidth.
Intel Xeon (Silver/Gold · Sapphire/Emerald Rapids): strong single-thread — good for the BNGSOFT BNG control plane; mature, up to 60 cores, 8× DDR5, 112 PCIe 5.0 lanes.
AMD EPYC (9004 Genoa / 9005 Turin): up to 96+ cores, 12× DDR5 (~50% more memory bandwidth), 128 PCIe 5.0 lanes — best for high-density multi-100G nodes.
The XDP data plane sips CPU — you're buying memory bandwidth + PCIe lanes, not top-bin clocks. 8–24 cores covers most nodes.
MEMORY
Size RAM to the session tables.
RAM holds the CGNAT session/port-block tables, the flow cache and conntrack maps — millions of entries at scale.
DDR5 bandwidth speeds the periodic per-subscriber map walks — another reason EPYC's 12 channels shine at the high end.
Note: Intel E830/E835 launched Q1 2026 (up to 200GbE, PCIe 5.0; 2×25G list ~US$553–574); ConnectX-7 reaches 400GbE on PCIe 5.0 with ASAP² offload — vendor power/price for the newest 200–400G cards vary and aren't always published. All four NIC families run XDP natively on mainline Linux drivers. Match the PCIe slot generation/lanes to the card, or the bus becomes the ceiling.
6 · How it compares — MikroTik · Cisco · Nokia · BNGSOFT
Each has a place. The question is which fits an ISP that has outgrown a cheap router but doesn't need (or want to pay for) a tier-1 carrier chassis.
| Dimension | MikroTik | BNGSOFT | Cisco ASR 9000 / cnBNG | Nokia 7750 SR |
| --- | --- | --- | --- | --- |
| Engine | CPU router (RouterOS) | XDP/eBPF on x86 | NPU chassis + cnBNG (CUPS) | FP4/FP5 NPU chassis (CUPS) |
| Scale | ~4–5k PPPoE/box | ~64k / 2×100G server (NIC-limited) | 64k–256k sessions/chassis | Very high (Tb/s, NPU) |
| CGNAT + QoS + security | Add-ons; CGNAT needs separate tier | All in one data plane | Integrated (line cards / cnBNG) | Integrated (carrier-grade) |
| Hardware | Proprietary router | Any commodity x86 + NIC | Proprietary chassis | Proprietary chassis / VSR |
| Cost | Low/box, high at scale | ~$0.30/sub commodity + license | Very high (capex + support) | Very high (capex + support) |
| Procurement / lock-in | Easy, low lock-in | Software; no HW lock-in | Long cycle, vendor lock-in | Long cycle, vendor lock-in |
| Routing (BGP/MPLS) | Mature | Pairs with your routers | Best-in-class | Best-in-class |
| Sweet spot | Small ISP / edge | Growing regional ISP / WISP / FTTH | Tier-1 carrier | Tier-1 carrier |
BNGSOFT occupies the gap: more scale and capability than a cheap router, at a fraction of the cost and lock-in of a carrier chassis — the right fit for ISPs growing from thousands to hundreds of thousands of subscribers.
Fair framing. Cisco and Nokia are carrier-grade platforms with far higher per-chassis scale and best-in-class routing — the right choice for tier-1 networks. MikroTik is excellent value at the small end. BNGSOFT's claim is specifically TCO and simplicity for the ISP segment in between. Competitor figures are from public datasheets/documentation and vary by configuration; see sources.
7 · The economics
Indicative 3-year cost to serve 50,000 FTTH subscribers with CGNAT
Directional, hardware + power, ex-license; see the Hardware Sizing & TCO brief for the full model.
Router-appliance fleet: ~16 NAS + CGNAT cluster · ~18U · ~$65k · ~$1.30/sub
BNGSOFT consolidated: ~2 servers · ~3U · ~$21k + license · ~$0.43/sub
Consolidation is the saving. Fewer boxes → less rack, power, optics, sparing and ops, and no second hardware tier for CGNAT — on hardware you already know how to buy and operate.
3-year savings calculator
Enter your subscriber count — see indicative 3-year hardware + power cost vs a router-appliance fleet. Ex-software-license; directional, validate per deployment.
Model: router-appliance fleet ≈ $1.30 / subscriber and BNGSOFT consolidated ≈ $0.43 / subscriber over 3 years (hardware + power), per the §7 example and the Hardware Sizing & TCO brief. Your BNGSOFT software license is separate — and typically covered by the saving.
8 · What it means for you
Why operators switch to BNGSOFT
Scale past the router wall: up to ~64k subscribers per server with everything on; no single-thread PPPoE ceiling, no stacking ever more boxes.
Carrier features, commodity cost: CGNAT, QoS, security and low-latency at ~$0.30/sub on x86, without a six-figure chassis or vendor lock-in.
One box, not a stack: Collapse BNG + CGNAT + scrubber + QoE appliance into a single XDP data plane.
Low latency your users feel: L4S/AQM + Interactive Flow Protection keep games, calls and streaming fast under load, with QoE telemetry to prove it.
Protected by design: Anti-spoof (BCP38), DDoS and outbound-abuse containment inline; your prefixes stay off blocklists.
Upgrade without an outage: Zero-downtime restarts, CGNAT state preserved; maintenance windows become routine changes.
9 · Migration — no flag day
You don't rip out your edge to adopt BNGSOFT. Stand it up beside what you have and move subscribers when you choose.
1. Run side-by-side: Deploy a BNGSOFT node as a new NAS pointed at your existing RADIUS. Nothing on the current edge changes.
2. Migrate gradually: Move subscribers VLAN-by-VLAN (or PoP-by-PoP). Validate CGNAT, QoS and latency on real traffic, at your pace, with easy rollback.
3. Decommission: Once traffic is on BNGSOFT, retire the old NAS / CGNAT tier and reclaim the rack, power and licenses.
Same RADIUS, same subscribers, no cutover weekend. Because BNGSOFT is a standards-based NAS, migration is incremental and reversible — not a risky big-bang.
10 · Straight answers
Is software really fast enough for a BNG?
Yes — because it isn't "in software" the way a router's CPU path is. The data plane runs as eBPF inside the NIC driver (XDP), before the kernel stack, at a few percent CPU. That's how one commodity server carries up to ~64k subscribers with CGNAT, QoS and security all on.
What about CGNAT logging for lawful intercept / compliance?
Deterministic port-block allocation plus IPFIX and syslog export give you per-subscriber, traceable public-IP records. See the CGNAT Compliance & Logging brief.
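Why deterministic port blocks turn attribution into a calculation instead of a per-session log search, shown as an added example that is not BNGSOFT's code. The pool ranges, block size and mapping formula (in the style of RFC 7422 deterministic CGN) are assumptions, and the abuse-report lines are constructed.

```python
import ipaddress

# All parameters are assumptions for illustration, not BNGSOFT defaults.
INSIDE_NET = ipaddress.ip_network("100.64.0.0/22")    # RFC 6598 shared address space
PUBLIC_POOL = ipaddress.ip_network("203.0.113.0/28")  # TEST-NET-3 documentation range
PORT_MIN, PORT_MAX = 1024, 65535                      # well-known ports are never used
BLOCK_SIZE = 1008                                     # ports per subscriber
BLOCKS_PER_IP = (PORT_MAX - PORT_MIN + 1) // BLOCK_SIZE  # 64 subscribers per public IP


def allocate(inside_ip):
    """Forward mapping: inside address -> (public IP, first port, last port)."""
    idx = int(ipaddress.ip_address(inside_ip)) - int(INSIDE_NET.network_address)
    if not 0 <= idx < INSIDE_NET.num_addresses:
        raise ValueError(f"{inside_ip} is not in {INSIDE_NET}")
    pub_idx, block = divmod(idx, BLOCKS_PER_IP)
    if pub_idx >= PUBLIC_POOL.num_addresses:
        raise ValueError("public pool too small for this inside range")
    first = PORT_MIN + block * BLOCK_SIZE
    return str(PUBLIC_POOL[pub_idx]), first, first + BLOCK_SIZE - 1


def attribute(public_ip, port):
    """Reverse mapping for an abuse desk: public IP + source port -> inside address."""
    pub = ipaddress.ip_address(public_ip)
    if pub not in PUBLIC_POOL or not PORT_MIN <= port <= PORT_MAX:
        return None  # not a translation made by this pool
    block = (port - PORT_MIN) // BLOCK_SIZE
    if block >= BLOCKS_PER_IP:
        return None  # leftover ports past the last whole block
    idx = (int(pub) - int(PUBLIC_POOL.network_address)) * BLOCKS_PER_IP + block
    return str(INSIDE_NET[idx]) if idx < INSIDE_NET.num_addresses else None


# Constructed abuse-report lines: timestamp, public source IP, source port.
REPORTS = [
    "2026-06-01T20:14:07Z 203.0.113.5 7500",
    "2026-06-01T20:14:09Z 203.0.113.15 65535",
    "2026-06-01T20:15:30Z 203.0.113.5 443",
]


def attribute_reports(lines):
    """Resolve each report line to (timestamp, inside address or None)."""
    return [(ts, attribute(ip, int(port)))
            for ts, ip, port in (line.split() for line in lines)]


if __name__ == "__main__":
    for row in attribute_reports(REPORTS):
        print(row)
```

Because the mapping is a pure function of configuration, the record to retain is the versioned pool configuration and the times each version was active.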
Do I have to replace my routers?
No. BNGSOFT is the subscriber edge (BNG + CGNAT + QoS + security). It pairs with your existing BGP/OSPF/MPLS core and your RADIUS/billing — it's a drop-in NAS, not a core-router swap.
What hardware do I buy, and from whom?
Any standard x86 server plus a supported Intel or NVIDIA NIC (§5) — from whichever vendor you already use. Size it with the calculator in §4. No proprietary chassis, no line-card lock-in.
How do upgrades and maintenance work?
Zero-downtime restarts: the software reloads while CGNAT state and subscriber sessions are preserved. Maintenance windows become routine changes, not outages.
Is it production-proven?
Yes — running live across operator fleets with the measured results in §2 (23%→2.5% CPU, flat latency under congestion, storm-survival session handling). Ask for a reference and a trial on your own traffic.
The bottom line
BNGSOFT gives an ISP carrier-grade BNG, CGNAT, security and low-latency in one XDP data plane on commodity x86: the scale a cheap router can't reach, at a fraction of the cost and lock-in of a carrier chassis. Up to ~64k subscribers per server. ~$0.30 per subscriber. Zero-downtime upgrades.
Size it above. Compare it. Then talk to us about a live trial on your own traffic.
Sources & honest framing: This is a solution overview and buyer's guide, not a benchmark report. BNGSOFT figures (up to ~64k subscribers/server with full features; ~2.5% data-plane CPU after the monolithic-XDP move from ~23%; ~$0.30/sub hardware; zero-downtime restart; L4S/IFP/anti-spoof/CGNAT capabilities; the live metrics in §2) are from BNGSOFT deployment and lab data and are indicative — exact results depend on hardware, NIC, traffic mix, mode and enabled features, and must be validated per deployment. The §4 calculator is an ESTIMATOR using the two-ceiling model: per-node capacity ≈ min(NIC throughput ÷ busy-hour Mbps, a per-tier subscriber-state cap) — e.g. a 2×100G node ≈ 200 Gbps ÷ 3 Mbps ≈ ~64k subscribers, throughput-limited; subscriber-state scales with cores/RAM and is validated per deployment with indicative commodity-server hardware costs; it excludes the BNGSOFT software license, optics and operational costs. Competitor figures are from public vendor documentation and widely-reported sources and vary by configuration and release: MikroTik per-box PPPoE figures and the single-thread/queue limits — forum.mikrotik.com, aacable.wordpress.com; Cisco ASR 9000 BNG per-chassis subscriber scale (~128k IPv4 RP-based, ~256k LC-based, 64k dual-stack) and cnBNG/CUPS architecture — xrdocs.io, cisco.com (cnBNG); Nokia 7750 SR FP4/FP5 capacity (1.5–13.5 Tb/s, up to 36 Tb/s with IA) and BNG CUPS — nokia.com. NIC specifications (§5): Intel X710/XL710 (PCIe Gen3 ×8) and E810 (2×100G, PCIe Gen4 ×16) — Intel ARK; Intel E830/E835 (up to 200GbE, PCIe 5.0, launched Q1 2026, 2×25G list ~US$553–574) — Intel ARK (E835); NVIDIA ConnectX-6 Dx (ASAP² conntrack offload) and ConnectX-7 (up to 400GbE, PCIe 5.0 ×16) — NVIDIA; CPU/PCIe-lane/memory-channel comparison (Intel Xeon vs AMD EPYC) — public vendor specs. Newest 200–400G card power/price vary and are not always published. 
MikroTik®, Cisco®, Nokia®, Intel®, NVIDIA®/Mellanox® and product names are trademarks of their respective owners; BNGSOFT is not affiliated with them. Detailed per-topic briefs (CGNAT, Edge Security, L4S, IFP, Hardware Sizing & TCO, Subscriber AAA, IPv6, NOC2, Zero-Downtime) are available alongside this guide. Prepared as a management and operations overview for broadband operators.