The Software BNG · XDP · CGNAT · QoS · Edge Security · Low-Latency · NOC2
The Complete Guide · Software BNG on Commodity x86

Carrier-Grade BNG & CGNAT — Without the Carrier Price Tag

MikroTik runs out of headroom at a few thousand subscribers. Cisco and Nokia scale beautifully — for six- and seven-figure chassis. BNGSOFT is the third way: a software BNG that runs CGNAT, per-subscriber QoS, edge security and low-latency in one XDP/eBPF data plane on the commodity x86 servers you already buy — at roughly $0.30 per subscriber. Size your build below, compare the vendors, and see why operators are switching.
There are only three ways to build a BNG today: a cheap router that won't scale, a carrier chassis that won't fit the budget, or software that does both. This guide is about the third one — and it ends with a calculator that sizes it for your network.
  • ~64k subs / 2×100G node: ≈ NIC ÷ busy-hour rate (200G ÷ 3 Mbps); scales w/ NIC
  • 2.5% data-plane CPU: monolithic XDP — down from 23% (measured)
  • ~$0.30 per subscriber: commodity x86 hardware + software license
  • 0 downtime upgrades: restart the software, traffic keeps flowing

1 · Everything the edge needs — in one data plane

BNGSOFT isn't a point product bolted onto a router. Subscriber termination, IPv4 conservation, security, latency and operations all run as facets of a single eBPF program in the NIC driver path, fed by a control plane that speaks to your existing RADIUS. One box, one image, no per-feature appliance.

BNG & AAA

PPPoE + IPoE on one box · RADIUS auth / accounting / CoA · dual-stack IPv4+IPv6 · DHCPv6-PD · dynamic VLAN / QinQ · storm-survival session handling.

CGNAT

Port-block allocation · Full-Cone / Symmetric / FCFS / 1:1 · deterministic + IPFIX logging · IPTV/exempt destinations · make-before-break pool swap · graceful restart.

Edge security

Anti-spoof (BCP38) per-sub uRPF v4+v6 · in-data-plane DDoS / upload-protect · outbound anti-abuse quarantine · forged-source visibility.

Latency & QoS

Per-subscriber shaping at line rate · L4S / AQM dual-queue ECN · Interactive Flow Protection (ACK/DNS/gaming) · per-sub QoE telemetry.

Performance

Native XDP on Intel i40e/ice · monolithic eBPF · BPF verifier ceiling raised 1M→4M · NUMA-aware IRQ · batch map ops · kernel & FRR tuning.

Operations · NOC2

Fleet metrics + licensing + capacity projection · per-sub sub show diagnostics · startup self-test · zero-downtime restart · crash telemetry.

[Diagram: Subscribers (PPPoE / IPoE · v4 + v6 dual-stack · VLAN / QinQ) → Control plane (BNGSOFT BNG: RADIUS auth · acct · CoA) → writes maps → XDP / eBPF data plane at line rate (forward + QoS · CGNAT · anti-spoof · DDoS/abuse · L4S/AQM · IFP; one program · pinned maps · zero tail-calls, full-mono) → Internet / upstream (CGNAT public IPs · BGP). NOC2: metrics · licensing · capacity · diagnostics.]
Authorize once in software; enforce every packet in XDP. The control plane writes pinned maps; the data plane forwards, translates, protects and shapes at line rate. NOC2 runs the fleet.
A packet's journey — one pass, one program, line rate: RX → Parse (L2/VLAN/L3) → Classify (subscriber lookup) → CGNAT → Protect (anti-spoof · DDoS) → Shape (QoS · L4S/AQM · IFP) → TX. All in the NIC driver path (XDP) — no trip to the kernel stack, no hairpin to a scrubber or NAT box. ~few % CPU at line rate.
Forwarded, translated, source-validated and shaped before the packet ever reaches the kernel network stack — that single-pass design is why one commodity server carries so many subscribers at so little CPU.

2 · The performance is real — and measured

These aren't datasheet maxima; they're figures from live production fleets and lab validation.

  • 23%→2.5%: data-plane CPU after monolithic XDP (same box)
  • ~800µs: queuing latency held flat at +44% congestion, 0 drops (L4S)
  • 6M+: no-loss ECN marks in a 2-hour peak (L4S workhorse)
  • 0 dup IPs: 1,500-session PPPoE flap storm, 0 cores pegged (BNGSOFT BNG)
Why it's so light: the whole BNG runs as one eBPF program in the NIC driver path, so a packet is forwarded, NAT'd, source-validated and shaped before it ever hits the kernel stack. CPU stops being the bottleneck — which is exactly what lets one commodity server carry up to ~64k subscribers with everything on.
[Chart: Latency as the link fills (lower is better). X axis: offered load on the subscriber line, up to 100%. Y axis: latency. Curves: without AQM (bufferbloat); BNGSOFT L4S/AQM + IFP (stays flat). Annotation: games · calls · DNS stay responsive even at peak.]
ILLUSTRATIVE: Conceptual shape of the effect proven in production (sojourn latency held ~flat at +44% congestion, zero drops). Without active queue management, latency climbs steeply as a line saturates; BNGSOFT's L4S/AQM and Interactive Flow Protection hold it low — which is exactly what a subscriber feels as "fast."

3 · Two modes — match the box to the job

FULL CGNAT XDP — WITH BNG SERVICE
The whole edge in one box.
  • Full BNG subscriber service (PPPoE/IPoE, RADIUS/CoA) plus carrier-grade port-block CGNAT, firewall and per-subscriber QoS — one data plane, no separate tier.
  • BPF-managed conntrack; deterministic logging for lawful intercept.
  • For an ISP terminating subscribers and conserving IPv4 on one server.
CGNAT-ONLY — NO BNG SERVICE
A drop-in CGNAT + firewall appliance.
  • Carrier-grade port-block CGNAT + stateful firewall at line rate — without subscriber / PPPoE termination.
  • Sits behind your existing BNG (yours, or MikroTik / Cisco / Nokia) as a pure NAT tier.
  • Highest NAT density per box — the cheapest way to add IPv4 conservation.

4 · Size your build — interactive calculator ESTIMATOR

Enter your subscriber count, a busy-hour per-subscriber rate, and the mode. The calculator sizes a node fleet against both ceilings — traffic (NIC + PCIe) and subscribers (CPU + RAM) — and gives an indicative hardware bill.

BNGSOFT node sizer
Indicative engineering estimate — validate against your traffic. Hardware only; software license separate.
Inputs: active subscribers · Mbps average per active sub · mode (full BNG + CGNAT + firewall + QoS)
How it sizes: a node carries roughly NIC throughput ÷ busy-hour Mbps per subscriber (given adequate cores/RAM for session state) — so capacity tracks the card, not the CPU. The XDP data plane runs at a few % CPU, so on a 2×100G node ≈ 200 Gbps ÷ 3 Mbps ≈ ~64k subscribers; E810 (100G) ≈ ~33k; XL710 (50G) ≈ ~16k; X710 (20G) ≈ ~6–7k. A per-tier subscriber-state cap (CPU/RAM) only binds at very low per-user rates. Beyond one node it scales out linearly; add a standby (N+1) for resilience. Costs are approximate commodity-server hardware (June 2026), excluding the BNGSOFT software license, optics and operational costs — validate per deployment.
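The two-ceiling sizing rule above, as an added example (not BNGSOFT's calculator code): it uses the per-tier throughput figures quoted in the paragraph, while `size_fleet`, its field names and the 128,000 subscriber-state cap are assumptions made for illustration, since the guide gives no cap value.

```python
import math
from dataclasses import dataclass

# Effective per-node throughput in Gbps, as quoted in the sizing paragraph.
# The XL710 figure is its PCIe Gen3 x8 ceiling, not its 2x40G port total.
NIC_TIERS_GBPS = {"X710": 20, "XL710": 50, "E810": 100, "2x100G": 200}

# Assumption: the guide names a per-tier subscriber-state cap (CPU/RAM) but
# gives no number, so this value is constructed for the example.
HYPOTHETICAL_STATE_CAP = 128_000


@dataclass
class Sizing:
    per_node_subs: int      # subscribers one node can carry
    binding_ceiling: str    # "throughput" or "subscriber-state"
    active_nodes: int       # nodes needed to carry the load
    total_nodes: int        # active nodes plus standby
    busy_hour_gbps: float   # aggregate busy-hour offered load


def size_fleet(subscribers, mbps_per_sub, tier, state_cap, standby=1):
    """Per-node capacity = min(NIC throughput / busy-hour rate, state cap)."""
    if subscribers <= 0 or mbps_per_sub <= 0 or state_cap <= 0:
        raise ValueError("subscribers, rate and state cap must be positive")
    if tier not in NIC_TIERS_GBPS:
        raise ValueError(f"unknown NIC tier: {tier}")
    by_throughput = int(NIC_TIERS_GBPS[tier] * 1000 // mbps_per_sub)
    per_node = min(by_throughput, state_cap)
    binding = "throughput" if by_throughput <= state_cap else "subscriber-state"
    active = math.ceil(subscribers / per_node)   # scale out linearly
    return Sizing(per_node, binding, active, active + standby,
                  subscribers * mbps_per_sub / 1000)


if __name__ == "__main__":
    # The guide's "regional FTTH" and "growing ISP" builds, then a low-rate
    # case (constructed) where the subscriber-state ceiling binds instead.
    for args in [(20_000, 3, "E810"), (100_000, 3, "2x100G"),
                 (300_000, 0.5, "2x100G")]:
        print(args, size_fleet(*args, HYPOTHETICAL_STATE_CAP))
```

By straight division the 2×100G tier gives 66,666 subscribers per node at 3 Mbps, which the guide quotes as ~64k.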

Three networks, three builds — find yours

WISP / SMALL ISP

~2,000 subscribers

1 × 1U server
Intel X710 (2×10G) · 8-core · 32 GB
Full BNG + QoS · ~$2.5k
Subscriber termination, low-latency QoS & anti-spoof on one low-cost box.
REGIONAL FTTH

~20,000 subscribers

1 × 1U server (+1 standby)
Intel E810 (2×100G) · 16-core · 64 GB
Full CGNAT XDP · ~$0.25/sub
~60 Gbps — IPv4 conservation + security + QoS on a single node, N+1.
GROWING ISP

~100,000 subscribers

~2 servers (+1 standby)
2U dual-100G · 2× 16-core · 128 GB
Full CGNAT XDP · ~$0.18/sub
Carrier-scale edge — scale-out, no chassis, no lock-in.
Find your number above with the calculator — these three are just common starting points. The same software runs all of them; you only add nodes.

5 · The silicon — NIC, CPU & memory

Because BNGSOFT runs on standard servers, you choose the components — and the NIC is the single biggest lever. The data plane runs at a few percent CPU, so the limits are the NIC line rate, the PCIe bus, and memory for the session tables. Here's the menu, from cheap edge cards to 400G aggregation.

Adapter | Speed | PCIe | Driver | Where it fits
Intel X710 | 2 × 10G | Gen3 ×8 | i40e | Cheapest edge / small-PoP node (~4 W).
Intel XL710 | 2 × 40G | Gen3 ×8 | i40e | Value mid-node — great for 20–40G; PCIe Gen3 ×8 caps it ~50G.
Intel E810 | 2 × 100G | Gen4 ×16 | ice | Mainstream 100G — many queues + ADQ latency isolation.
Intel E830 / E835 (NEW) | up to 200G | Gen5 ×16 | ice | Newest (2026): 200G on PCIe 5.0, best perf/watt, RDMA + PTP timing.
NVIDIA ConnectX-6 Dx | 2 × 100G | Gen4 ×16 | mlx5 | Lowest latency + hardware conntrack/NAT offload (ASAP²).
NVIDIA ConnectX-7 | up to 400G | Gen5 ×16 | mlx5 | High-end aggregation — 400G, ASAP² offload, lowest latency.
XL710 vs E810 — when to pick which. XL710 (2×40G) is the cost-optimal choice for a node serving a few thousand subscribers at <~50G: cheap, rock-solid i40e, but its PCIe Gen3 ×8 bus caps real throughput near ~50G, so it can't deliver a full 2×40G. E810 (2×100G) is the default for new high-density nodes: PCIe Gen4 ×16 carries the full 200G of ports, with far more queues and ADQ for latency isolation. Going bigger? E830/E835 put 200G on PCIe 5.0, and ConnectX-7 reaches 400G — both for aggregation tiers and the leanest CPU via hardware offload.
CPU — Intel or AMD
Mid-range is plenty; pick for lanes & bandwidth.
  • Intel Xeon (Silver/Gold · Sapphire/Emerald Rapids): strong single-thread — good for the BNGSOFT BNG control plane; mature, up to 60 cores, 8× DDR5, 112 PCIe 5.0 lanes.
  • AMD EPYC (9004 Genoa / 9005 Turin): up to 96+ cores, 12× DDR5 (~50% more memory bandwidth), 128 PCIe 5.0 lanes — best for high-density multi-100G nodes.
  • The XDP data plane sips CPU — you're buying memory bandwidth + PCIe lanes, not top-bin clocks. 8–24 cores covers most nodes.
MEMORY
Size RAM to the session tables.
  • RAM holds the CGNAT session/port-block tables, the flow cache and conntrack maps — millions of entries at scale.
  • Rule of thumb: 32 GB edge · 64 GB mainstream 100G · 128 GB high-density / dual-100G.
  • DDR5 bandwidth speeds the periodic per-subscriber map walks — another reason EPYC's 12 channels shine at the high end.
Note: Intel E830/E835 launched Q1 2026 (up to 200GbE, PCIe 5.0; 2×25G list ~US$553–574); ConnectX-7 reaches 400GbE on PCIe 5.0 with ASAP² offload — vendor power/price for the newest 200–400G cards vary and aren't always published. All four NIC families run XDP natively on mainline Linux drivers. Match the PCIe slot generation/lanes to the card, or the bus becomes the ceiling.

6 · How it compares — MikroTik · Cisco · Nokia · BNGSOFT

Each has a place. The question is which fits an ISP that has outgrown a cheap router but doesn't need (or want to pay for) a tier-1 carrier chassis.

Dimension | MikroTik | BNGSOFT | Cisco ASR 9000 / cnBNG | Nokia 7750 SR
Engine | CPU router (RouterOS) | XDP/eBPF on x86 | NPU chassis + cnBNG (CUPS) | FP4/FP5 NPU chassis (CUPS)
Scale | ~4–5k PPPoE/box | ~64k / 2×100G server (NIC-limited) | 64k–256k sessions/chassis | Very high (Tb/s, NPU)
CGNAT + QoS + security | Add-ons; CGNAT needs separate tier | All in one data plane | Integrated (line cards / cnBNG) | Integrated (carrier-grade)
Hardware | Proprietary router | Any commodity x86 + NIC | Proprietary chassis | Proprietary chassis / VSR
Cost | Low/box, high at scale | ~$0.30/sub commodity + license | Very high (capex + support) | Very high (capex + support)
Procurement / lock-in | Easy, low lock-in | Software; no HW lock-in | Long cycle, vendor lock-in | Long cycle, vendor lock-in
Routing (BGP/MPLS) | Mature | Pairs with your routers | Best-in-class | Best-in-class
Sweet spot | Small ISP / edge | Growing regional ISP / WISP / FTTH | Tier-1 carrier | Tier-1 carrier
[Chart: scale per box / chassis (x axis) against cost-effectiveness (y axis). MikroTik: cheap, low scale · Cisco: huge scale, high cost · Nokia · BNGSOFT: carrier features, commodity cost.]
BNGSOFT occupies the gap: more scale and capability than a cheap router, at a fraction of the cost and lock-in of a carrier chassis — the right fit for ISPs growing from thousands to hundreds of thousands of subscribers.
Fair framing. Cisco and Nokia are carrier-grade platforms with far higher per-chassis scale and best-in-class routing — the right choice for tier-1 networks. MikroTik is excellent value at the small end. BNGSOFT's claim is specifically TCO and simplicity for the ISP segment in between. Competitor figures are from public datasheets/documentation and vary by configuration; see sources.

7 · The economics

Indicative 3-year cost to serve 50,000 FTTH subscribers with CGNAT

Directional, hardware + power, ex-license; see the Hardware Sizing & TCO brief for the full model.
  • Router-appliance fleet: ~16 NAS + CGNAT cluster · ~18U · ~$65k · ~$1.30/sub
  • BNGSOFT consolidated: ~2 servers · ~3U · ~$21k + license · ~$0.43/sub
Consolidation is the saving. Fewer boxes → less rack, power, optics, sparing and ops, and no second hardware tier for CGNAT — on hardware you already know how to buy and operate.
3-year savings calculator
Enter your subscriber count — see indicative 3-year hardware + power cost vs a router-appliance fleet. Ex-software-license; directional, validate per deployment.
Input: active subscribers
Model: router-appliance fleet ≈ $1.30 / subscriber and BNGSOFT consolidated ≈ $0.43 / subscriber over 3 years (hardware + power), per the §7 example and the Hardware Sizing & TCO brief. Your BNGSOFT software license is separate — and typically covered by the saving.

8 · What it means for you

Why operators switch to BNGSOFT
  • Scale past the router wall: up to ~64k subscribers per server with everything on — no single-thread PPPoE ceiling, no stacking ever more boxes.
  • Carrier features, commodity cost: CGNAT, QoS, security and low-latency at ~$0.30/sub on x86 — without a six-figure chassis or vendor lock-in.
  • One box, not a stack: Collapse BNG + CGNAT + scrubber + QoE appliance into a single XDP data plane.
  • Low latency your users feel: L4S/AQM + Interactive Flow Protection keep games, calls and streaming fast under load — with QoE telemetry to prove it.
  • Protected by design: Anti-spoof (BCP38), DDoS and outbound-abuse containment inline — your prefixes stay off blocklists.
  • Upgrade without an outage: Zero-downtime restarts, CGNAT state preserved — maintenance windows become routine changes.

9 · Migration — no flag day

You don't rip out your edge to adopt BNGSOFT. Stand it up beside what you have and move subscribers when you choose.

1. Run side-by-side: Deploy a BNGSOFT node as a new NAS pointed at your existing RADIUS. Nothing on the current edge changes.

2. Migrate gradually: Move subscribers VLAN-by-VLAN (or PoP-by-PoP). Validate CGNAT, QoS and latency on real traffic, at your pace — easy rollback.

3. Decommission: Once traffic is on BNGSOFT, retire the old NAS / CGNAT tier and reclaim the rack, power and licenses.

Same RADIUS, same subscribers, no cutover weekend. Because BNGSOFT is a standards-based NAS, migration is incremental and reversible — not a risky big-bang.

10 · Straight answers

Is software really fast enough for a BNG?
Yes — because it isn't "in software" the way a router's CPU path is. The data plane runs as eBPF inside the NIC driver (XDP), before the kernel stack, at a few percent CPU. That's how one commodity server carries up to ~64k subscribers with CGNAT, QoS and security all on.
What about CGNAT logging for lawful intercept / compliance?
Deterministic port-block allocation plus IPFIX and syslog export give you per-subscriber, traceable public-IP records. See the CGNAT Compliance & Logging brief.
Do I have to replace my routers?
No. BNGSOFT is the subscriber edge (BNG + CGNAT + QoS + security). It pairs with your existing BGP/OSPF/MPLS core and your RADIUS/billing — it's a drop-in NAS, not a core-router swap.
What hardware do I buy, and from whom?
Any standard x86 server plus a supported Intel or NVIDIA NIC (§5) — from whichever vendor you already use. Size it with the calculator in §4. No proprietary chassis, no line-card lock-in.
How do upgrades and maintenance work?
Zero-downtime restarts: the software reloads while CGNAT state and subscriber sessions are preserved. Maintenance windows become routine changes, not outages.
Is it production-proven?
Yes — running live across operator fleets with the measured results in §2 (23%→2.5% CPU, flat latency under congestion, storm-survival session handling). Ask for a reference and a trial on your own traffic.
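Why deterministic port-block allocation (the CGNAT logging answer above) makes public-IP records traceable, as an added example rather than BNGSOFT's allocator: a generic fixed mapping in the style of RFC 7422, where the subscriber range, public pool and block size are constructed values. Because the block is a pure function of the subscriber address, a report's public IP and source port resolve back to one subscriber without per-flow logs.

```python
import ipaddress


class DeterministicNat:
    """Generic fixed map: subscriber address <-> (public IP, port block)."""

    def __init__(self, inside_net, public_pool, block_size, first_port=1024):
        self.inside = ipaddress.ip_network(inside_net)
        self.pool = [ipaddress.ip_address(a) for a in public_pool]
        self.block_size = block_size
        self.first_port = first_port
        self.blocks_per_ip = (65536 - first_port) // block_size
        if self.inside.num_addresses > self.blocks_per_ip * len(self.pool):
            raise ValueError("public pool too small for one block per subscriber")

    def forward(self, private_ip):
        """Subscriber address -> (public IP, first port, last port)."""
        addr = ipaddress.ip_address(private_ip)
        if addr not in self.inside:
            raise ValueError("address outside the subscriber range")
        idx = int(addr) - int(self.inside.network_address)
        ip_idx, blk = divmod(idx, self.blocks_per_ip)
        lo = self.first_port + blk * self.block_size
        return self.pool[ip_idx], lo, lo + self.block_size - 1

    def reverse(self, public_ip, port):
        """Abuse-desk lookup: (public IP, source port) -> subscriber, or None."""
        pub = ipaddress.ip_address(public_ip)
        if pub not in self.pool:
            return None                      # not one of our NAT addresses
        offset = port - self.first_port
        if offset < 0 or offset >= self.blocks_per_ip * self.block_size:
            return None                      # reserved low ports or unused tail
        idx = self.pool.index(pub) * self.blocks_per_ip + offset // self.block_size
        if idx >= self.inside.num_addresses:
            return None                      # block not assigned to anyone
        return self.inside.network_address + idx


# Constructed sample: 256 subscribers in RFC 6598 shared space, four
# documentation-range public IPs, 1008 ports each (64 blocks per public IP).
SAMPLE = DeterministicNat("100.64.0.0/24",
                          [f"203.0.113.{i}" for i in range(4)],
                          block_size=1008)

if __name__ == "__main__":
    print(SAMPLE.forward("100.64.0.70"))        # block owned by one subscriber
    print(SAMPLE.reverse("203.0.113.1", 7500))  # report -> subscriber
```

The reverse lookup is only valid for the mapping configuration in force at the report's timestamp, so keep each pool and block-size configuration together with its effective dates.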

The bottom line

BNGSOFT gives an ISP carrier-grade BNG, CGNAT, security and low-latency in one XDP data plane on commodity x86 — the scale a cheap router can't reach, at a fraction of the cost and lock-in of a carrier chassis. Up to ~64k subscribers per server. ~$0.30 per subscriber. Zero-downtime upgrades.

Size it above. Compare it. Then talk to us about a live trial on your own traffic.

Sources & honest framing: This is a solution overview and buyer's guide, not a benchmark report. BNGSOFT figures (up to ~64k subscribers/server with full features; ~2.5% data-plane CPU after the monolithic-XDP move from ~23%; ~$0.30/sub hardware; zero-downtime restart; L4S/IFP/anti-spoof/CGNAT capabilities; the live metrics in §2) are from BNGSOFT deployment and lab data and are indicative — exact results depend on hardware, NIC, traffic mix, mode and enabled features, and must be validated per deployment. The §4 calculator is an ESTIMATOR using the two-ceiling model: per-node capacity ≈ min(NIC throughput ÷ busy-hour Mbps, a per-tier subscriber-state cap) — e.g. a 2×100G node ≈ 200 Gbps ÷ 3 Mbps ≈ ~64k subscribers, throughput-limited; subscriber-state scales with cores/RAM and is validated per deployment with indicative commodity-server hardware costs; it excludes the BNGSOFT software license, optics and operational costs. Competitor figures are from public vendor documentation and widely-reported sources and vary by configuration and release: MikroTik per-box PPPoE figures and the single-thread/queue limits — forum.mikrotik.com, aacable.wordpress.com; Cisco ASR 9000 BNG per-chassis subscriber scale (~128k IPv4 RP-based, ~256k LC-based, 64k dual-stack) and cnBNG/CUPS architecture — xrdocs.io, cisco.com (cnBNG); Nokia 7750 SR FP4/FP5 capacity (1.5–13.5 Tb/s, up to 36 Tb/s with IA) and BNG CUPS — nokia.com. NIC specifications (§5): Intel X710/XL710 (PCIe Gen3 ×8) and E810 (2×100G, PCIe Gen4 ×16) — Intel ARK; Intel E830/E835 (up to 200GbE, PCIe 5.0, launched Q1 2026, 2×25G list ~US$553–574) — Intel ARK (E835); NVIDIA ConnectX-6 Dx (ASAP² conntrack offload) and ConnectX-7 (up to 400GbE, PCIe 5.0 ×16) — NVIDIA; CPU/PCIe-lane/memory-channel comparison (Intel Xeon vs AMD EPYC) — public vendor specs. Newest 200–400G card power/price vary and are not always published. 
MikroTik®, Cisco®, Nokia®, Intel®, NVIDIA®/Mellanox® and product names are trademarks of their respective owners; BNGSOFT is not affiliated with them. Detailed per-topic briefs (CGNAT, Edge Security, L4S, IFP, Hardware Sizing & TCO, Subscriber AAA, IPv6, NOC2, Zero-Downtime) are available alongside this guide. Prepared as a management and operations overview for broadband operators.