Drop-in carrier-grade CGNAT for any network. Line-rate translation at the XDP hook, ~900× fewer log records than per-flow NAT, and no dedicated appliance — runs on commodity x86 with an Intel 40GbE NIC.
IPv4 exhaustion forces every ISP to deploy CGNAT sooner or later. A single public IP now serves dozens or hundreds of subscribers, with private addresses drawn from RFC 6598 100.64.0.0/10 space. The question is not whether to deploy CGNAT, but how.
Today's options are both painful. Dedicated CGNAT appliances from major vendors cost six figures, lock you into proprietary hardware, and require lead times measured in months. Linux/nftables masquerade is free but runs per-packet through the full kernel netfilter stack — conntrack grows without bound, logging explodes at carrier volume, and symmetric NAT breaks gaming, VoIP, and P2P applications your subscribers depend on.
There is a third way: the same XDP-based CGNAT engine that powers full BNG deployments, packaged as a standalone translator that drops in front of or behind any vendor's BNG or router — no BNG, no PPPoE, no subscriber sessions required.
"A private range, a public pool, and a port-block size — that is the entire configuration. Everything else is automatic."
Purpose-built CGNAT hardware costs six figures upfront. Vendor lock-in makes upgrades painful and capacity scaling slow.
Per-flow conntrack runs in the kernel netfilter path on every packet. Spinlock contention degrades under high session rates. CPU climbs steeply with subscriber count.
Per-flow NAT logging at CGNAT volume generates millions of records per hour. Storage and SIEM costs scale with subscriber base.
nftables masquerade produces symmetric NAT. Full-cone-dependent applications — online gaming, VoIP, some P2P — break or degrade significantly.
Configure a private CGNAT range (e.g. 100.64.0.0/10 or 100.100.100.0/24), a public IP pool (e.g. 203.232.123.0/27), a port-block size, and a NAT type. The engine auto-populates its translation tables from the private range — any traffic arriving from that range is translated at line rate in XDP before the packet ever enters the kernel network stack.
Kernel-path NAT (Linux/nftables masquerade):

- Packet arrives, DMA to kernel memory
- PREROUTING → FORWARD → POSTROUTING chain traversal
- Per-flow entry allocation, spinlock contention under load
- Symmetric NAT — new external port per flow, no determinism
- Full stack traversal before the packet leaves the host

XDP CGNAT:

- Packet arrives via DMA
- Runs at driver level — kernel stack is never entered
- Port-block lookup in BPF map — no per-flow conntrack, no spinlocks
- Deterministic block assigned per private IP — endpoint-independent mapping
- Packet forwarded at line rate — no kernel stack traversal
No BNG, no PPPoE/IPoE, no subscriber sessions, no external sync daemon. The standalone CGNAT translator operates independently in front of or behind any vendor's BNG, router, or edge device.
XDP CGNAT figures are from a live production node; the ~23% kernel-path CPU is our own measured pre-XDP baseline. The remaining Linux/nftables bars are qualitative — relative ordering from well-understood architectural characteristics, not a controlled benchmark.
Moving NAT into XDP cut CPU from ~23% to ~2.5% on comparable nodes. Per-packet translation overhead is measured in nanoseconds.
314 million sessions produced only ~347,000 port-block allocation log records — ~900× reduction in log volume while preserving lawful-intercept compliance.
8.4 million session-table capacity per node; 131,072 private-IP capacity. Scale horizontally for larger deployments.
XDP processes packets before the kernel network stack — no socket buffers, no iptables traversal, no scheduling overhead.
nftables masquerade allocates a new external port per flow with no endpoint-independent mapping guarantee. The XDP CGNAT engine provides deterministic port-block assignment and supports endpoint-independent filtering, enabling full-cone behaviour that carrier subscribers expect.
nftables masquerade is a solid solution for SOHO and edge NAT — it was not designed for carrier CGNAT at scale. The table below reflects well-established architectural characteristics of each approach.
| Capability | Linux nftables NAT | CGNAT-only (XDP) |
|---|---|---|
| Data path | Kernel netfilter — full stack traversal per packet (PREROUTING, FORWARD, POSTROUTING) | XDP hook at driver level — kernel stack bypassed entirely for translated traffic |
| Per-packet CPU | High — scales with packet rate; netfilter overhead plus conntrack lock contention at carrier volume | ~3% on a 48-core node at carrier load; per-packet overhead in nanoseconds; XDP cut CPU from ~23% to ~2.5% on comparable nodes |
| Session scale | Kernel conntrack table; contention and memory pressure at millions of flows | 8.4 million session-table capacity; 131,072 private-IP capacity per node; 252,000+ concurrent sessions demonstrated in production |
| NAT behaviour | Symmetric masquerade allocates a new external port per flow; no endpoint-independent mapping — breaks gaming, VoIP, P2P | Full-cone endpoint-independent mapping (RFC 4787 compliant); deterministic port-block per private IP — carrier-grade app compatibility |
| Logging | One log record per connection/flow — generates millions of records/hour at carrier scale; high storage and SIEM cost | ~900× fewer records: 314 million sessions → ~347,000 port-block allocation logs; block↔subscriber mapping satisfies lawful-intercept/data-retention requirements |
| Port allocation | Dynamic per-flow; no determinism; difficult subscriber attribution without per-flow logs | Deterministic port-block allocation (~1.1 blocks per private IP; 31,248-block pool at ~8% utilisation); subscriber attributable from block alone |
| ALG support | Via kernel nf_nat helpers (FTP, SIP, H.323 etc.) | Built-in ALG — FTP, SIP, and related protocols handled in XDP path |
| Hairpin NAT | Supported via hairpin masquerade rules | Native hairpin — subscribers reach each other via the public IP without leaving the CGNAT node |
| Hardware / appliance | Runs on any Linux x86 server; no special NIC required for basic operation | Commodity x86 + Intel 40GbE NIC — no new hardware required; replaces a dedicated CGNAT appliance at a fraction of the cost |
| Drop-in compatibility | Runs inline on existing Linux server; integration with existing routing varies | Standalone translator — inserts in front of or behind any vendor's BNG, router, or edge device; no BNG, PPPoE, or subscriber sessions required |
| Configuration | nftables ruleset; conntrack helper modules; per-rule logging configuration | Private range + public pool + port range + block size + NAT type — tables auto-populated at startup from the configured private range |
Port-block allocation logging is not a compromise on compliance — it is a smarter model. Each port block maps deterministically to one private IP address and a precise allocation timestamp, providing everything lawful-intercept and data-retention regulations require at a fraction of the storage cost.
314 million sessions logged as only ~347,000 port-block allocation records — roughly 900× fewer log entries than per-connection NAT logging, with no loss of subscriber attribution capability. The port block encodes the private IP, the public IP:port-range, and the allocation timestamp in a single compact record.
Per-flow NAT logging at CGNAT volume can produce tens of millions of records per day per node. Port-block allocation logging generates the same subscriber-attribution information in a table that is roughly 900× smaller — dramatically reducing storage, SIEM ingest costs, and log retention infrastructure.
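To make the port-block model concrete, here is an added illustration (not BNGSOFT's code) of the configuration described earlier (private range, public pool, port range, block size) driving a deterministic block allocator, the one allocation record it writes per block, and the lawful-intercept lookup that recovers a subscriber from public IP, port and timestamp. The network values and the `BlockRecord` layout are constructed for the example; the real engine keeps this state in BPF maps.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed configuration in the shape the page describes: private range,
# public pool, port range, block size. Illustrative values, not the product's.
PRIVATE_RANGE = ipaddress.ip_network("100.100.100.0/24")
PUBLIC_POOL = list(ipaddress.ip_network("203.0.113.0/29"))      # 8 public IPs
PORT_LOW, PORT_HIGH = 1024, 65535
BLOCK_SIZE = 1024
BLOCKS_PER_PUBLIC_IP = (PORT_HIGH - PORT_LOW + 1) // BLOCK_SIZE  # 63

@dataclass
class BlockRecord:
    """One port-block allocation record: the only log line kept per block."""
    private_ip: str
    public_ip: str
    port_start: int
    port_end: int
    allocated_at: int                  # epoch seconds
    released_at: Optional[int] = None  # None while the block is still held

def allocate_block(private_ip: str, now: int) -> BlockRecord:
    """Deterministic mapping: the i-th address of the private range always gets
    the i-th block of the public pool, so re-allocation yields the same block."""
    addr = ipaddress.ip_address(private_ip)
    if addr not in PRIVATE_RANGE:
        raise ValueError(f"{private_ip} is outside the configured private range")
    idx = int(addr) - int(PRIVATE_RANGE.network_address)
    pub_idx, blk = divmod(idx, BLOCKS_PER_PUBLIC_IP)
    if pub_idx >= len(PUBLIC_POOL):
        raise ValueError("public pool too small for the private range")
    start = PORT_LOW + blk * BLOCK_SIZE
    return BlockRecord(private_ip, str(PUBLIC_POOL[pub_idx]),
                       start, start + BLOCK_SIZE - 1, now)

def attribute(log: List[BlockRecord], public_ip: str, port: int, at: int) -> Optional[str]:
    """Lawful-intercept lookup: which private IP held public_ip:port at time `at`?
    All three fields are required; block logs cannot answer destination-only queries."""
    for r in log:
        if (r.public_ip == public_ip and r.port_start <= port <= r.port_end
                and r.allocated_at <= at
                and (r.released_at is None or at < r.released_at)):
            return r.private_ip
    return None

if __name__ == "__main__":
    log = [allocate_block("100.100.100.5", 1000), allocate_block("100.100.100.70", 1200)]
    log[0].released_at = 2000                          # subscriber .5 went idle
    print(attribute(log, "203.0.113.0", 6500, 1500))   # 100.100.100.5
    print(attribute(log, "203.0.113.0", 6500, 2500))   # None: block not held then
```

Because the block is derived from the private address rather than handed out per flow, 314 million sessions from the same hosts still produce one record per block, and the timestamp pair on each record is what makes the lookup unambiguous after a block is released and later reassigned.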
The standalone CGNAT translator packages the full XDP NAT engine as a self-contained drop-in box. Every capability is production-proven on live networks.
100+ private IPs share a single public IP. ~108 sessions per private IP, ~1.1 port-blocks per private IP — efficient utilisation of your public address pool.
Endpoint-independent mapping (RFC 4787). Gaming consoles, VoIP SIP clients, and P2P applications work correctly — no broken matchmaking, no one-way audio.
Each private IP receives a deterministically assigned port block. Subscriber attribution for any logged connection requires only the port block record — no per-flow logging needed.
Application-layer gateway handles FTP, SIP, H.323, and related protocols. Hairpin NAT lets subscribers reach each other via the shared public IP without leaving the CGNAT node.
Operates in front of or behind any BNG, router, or edge device. No integration required beyond configuring the private range and public pool — completely vendor-agnostic.
Runs on standard x86 servers with an Intel 40GbE NIC — the same hardware already in your network. No proprietary CGNAT appliance, no vendor lock-in, no six-figure CapEx.
The figures below are from an anonymised production CGNAT engine on live carrier infrastructure, June 2026. The standalone box runs the identical XDP engine.
Concurrent sessions in production at carrier subscriber load.
Total session-table capacity per node — current utilisation is ~3% of maximum.
131,072 private-IP address capacity per standalone CGNAT node.
314 million NAT sessions processed over the engine's lifetime on this production node.
Packets translated by the XDP engine in production — zero kernel-stack traversal.
~3% CPU on a 48-core node at carrier load; XDP cut CPU from ~23% to ~2.5% vs. kernel-path NAT on comparable nodes.
A commodity x86 server running BNGSOFT XDP CGNAT delivers carrier-grade address sharing, full-cone NAT, and port-block logging — replacing proprietary appliances and reducing operational costs across the board.
100+ private IPs per public IP extends your existing address pool substantially, deferring costly IPv4 address acquisitions and giving time for IPv6 transition at a sustainable pace.
A standalone CGNAT box built on commodity x86 hardware eliminates six-figure CGNAT appliance costs and vendor lock-in. Use hardware you already own or procure at commodity prices.
Port-block logging replaces per-flow logging. 314 million sessions produced only ~347,000 log records — dramatically reducing storage, SIEM ingest volumes, and log retention infrastructure costs.
~3% CPU at carrier load on a 48-core node. XDP processes packets in nanoseconds before the kernel stack — no bottleneck as subscriber count grows, no conntrack spinlock contention.
Endpoint-independent NAT eliminates symmetric-NAT app breakage. Gaming, VoIP, and P2P applications work correctly, reducing support tickets and subscriber churn from CGNAT-related issues.
The standalone CGNAT box inserts in front of any existing BNG, router, or edge device from any vendor. No forklift upgrade, no proprietary integration, no renegotiated contracts.
Talk to BNGSOFT about a standalone CGNAT deployment. We'll walk through your network topology, address pool, and subscriber scale — and have you running a proof of concept on your own hardware.