Gaming/RTC-Aware CGNAT · mapping stability on full-cone + EIF · steering immunity · default-off
CGNAT Operations Brief · Gaming/RTC-Aware CGNAT

Your CGNAT pool already gives every subscriber Open NAT. That's not why they're getting kicked from the lobby.

Full-cone + EIF is the architecture most CGNAT operators actually run — every subscriber already reports Open NAT. And gamers behind that pool still get randomly disconnected mid-match. The cause isn't NAT type — it's mapping churn: a gaming or voice UDP flow goes quiet during a lull, ages past the CGNAT idle timeout, gets reaped, and its external port gets recycled to someone else. bngxdpd detects gaming/RTC flows in the XDP fast path and keeps their mapping alive through the lull — extended (but capped) idle timeout, port-block recycle protection, and steering immunity so a pool rebalance never yanks a subscriber mid-match. Works on full-cone + EIF, not just symmetric NAT. Default-off, observe→enforce.
XDP detection
gaming/RTC port set + STUN
known console, game, and RTC ports · 0x2112A442 binding requests
Mapping stability
works on full-cone + EIF
capped extended idle timeout · port block protected during a lull
Steering immunity
defers, never cancels
pool rebalance skips subscribers with an active game
Open NAT
secondary · symmetric-default boxes
full-cone + EIF promotion · no-op if pool is already open
Open NAT type is necessary but not sufficient — a gamer can have a perfectly Open NAT, on a perfectly full-cone + EIF pool, and still get kicked from the lobby when a quiet moment ages out their mapping. Gaming/RTC-Aware CGNAT keeps detected flows' mappings alive through the lull and immune to pool-steering churn — automatically, per flow, with no support ticket.

The problem: mapping churn happens even when NAT type is Open

Ask any gamer behind CGNAT and the complaint isn't "Strict NAT" — most operators today run full-cone + EIF, so every subscriber already reports Open NAT. The complaint is "I get randomly kicked from the lobby" or "my voice chat drops for no reason." An Open NAT type does not prevent this. The cause is mapping churn: a gaming or voice UDP flow goes quiet during a natural lull — between rounds, a paused match, a muted mic — and that idle period exceeds the CGNAT's UDP idle timeout. The mapping is reaped as stale, and its external port block becomes eligible for reuse. When traffic resumes, the flow gets a different external port. The remote peer or matchmaking server is still sending to the old mapping, which no longer exists. The connection is dead, and from the subscriber's point of view they were just "kicked" for no reason. This happens on full-cone + EIF pools exactly as it happens on symmetric pools — it is a session-lifecycle problem, not an openness problem, which is why simply running an open pool doesn't fix it.

What breaks today

Match goes quiet for a minute; UDP mapping ages out; port recycled; traffic resumes on a new port the peer doesn't know about. Console/app shows a dropped connection or lobby kick. NAT type was Open the whole time on a full-cone + EIF pool — it didn't matter.

What flow-aware mapping stability changes

Detected gaming/RTC UDP flows get an extended, capped idle timeout and their port block is protected from recycling while quiet. The mapping survives the lull. When traffic resumes, it's still there, on the same port, for the same peer.

Mapping stability: how it works

Flow-aware mapping stability runs in the same CGNAT data path as ordinary session tracking, on full-cone + EIF pools exactly as on symmetric ones. It uses a lightweight signal: the flow's destination port, which the CGNAT data path already records for every session — no deep packet inspection is needed. When a UDP flow's destination port matches the known gaming/RTC port set:

Extended idle timeout

Lull survives instead of reaping the mapping

  • Normal UDP CGNAT idle timeout is short — tuned for typical query/response traffic
  • Detected gaming/RTC flows get a longer idle allowance
  • Timeout is capped — see honest bounds below
Block-recycle protection

The port block itself is held

  • Normal reaping frees the port block for reassignment to a new flow
  • Protected flows' port blocks are held during their extended-idle window
  • Prevents a race where the old port gets reassigned before the gamer's traffic resumes
Steering immunity

Pool rebalance defers, doesn't yank

  • Self-heal steering (F5) can migrate a subscriber off a pressured pool IP
  • Flow-aware makes steering skip a subscriber with an active game in progress
  • Deferred, not cancelled — see honest bounds below
This reuses existing bngxdpd machinery. The destination-port signal, idle-timeout accounting, and port-block lifecycle are already part of the CGNAT data path's session tracking. Flow-aware mapping stability adds a detection check and a modified timeout/hold policy for matching flows — it does not introduce a new subsystem, external service, or orchestration layer. Steering immunity is a check added to the existing self-heal steering decision (F5): "does this subscriber have a protected flow active?" No new infrastructure, no additional licence.

Why this matters on full-cone + EIF, not just symmetric NAT

Most CGNAT operators running gaming-sensitive subscriber bases already default to full-cone + EIF — it's the pool configuration that avoids the NAT-type support tickets in the first place. That choice solves the openness problem, but it does nothing for mapping churn: idle timeout and port-block recycling are session-lifecycle mechanics that apply identically regardless of how open the NAT filtering is. A full-cone + EIF pool with no flow-aware protection still reaps a quiet gaming flow's mapping on schedule. Flow-aware mapping stability is built for exactly this case — the architecture most operators actually run — not as a niche add-on for symmetric-NAT deployments.

Flow-aware mapping stability in the XDP data path
Subscriber UDP packet upload path XDP Detection Gaming/RTC port? dest-port match already-recorded field YES Protect mapping extended idle timeout (capped) port block held + steer-deferred NO Normal lifecycle standard idle timeout normal steering eligibility CGNAT mapping applied → internet
Detection is a lightweight port check in XDP, on full-cone + EIF pools exactly as on symmetric ones. Protected flows get an extended, capped idle timeout and their port block held; all other flows take the normal CGNAT session lifecycle.

Honest bounds

Bound 1: the extended timeout is capped — it can never exceed a normal established-TCP timeout. A protected gaming/RTC mapping does not get an unlimited or indefinite hold. The extension is bounded so that a wedged, abandoned, or forgotten flow can never hog a port mapping indefinitely. This means there is no port-exhaustion risk introduced by this feature — the worst case is "a bit longer than usual," not "forever."
Bound 2: steering immunity defers, it does not cancel. A subscriber with an active game in progress is skipped in the current steering pass, not exempted from steering permanently. After a bounded number of deferrals, the subscriber is migrated anyway. This means a perpetual or always-on gaming session can never block a pool IP from healing — steering immunity buys the in-progress match time to finish; it does not let one subscriber indefinitely block operational remediation for the rest of the pool.
Bound 3: detection is port-based (+ STUN), not a universal guarantee. Mapping stability matches against a known gaming/RTC destination-port set. It is not a promise that every title or proprietary protocol is covered. Niche or proprietary game-networking stacks that neither use a known game port nor a standard STUN exchange may not be detected.
Bound 4: default-off, observe-before-enforce. Flow-aware mapping stability ships disabled. Observe mode counts what it would protect — flows that would receive the extended timeout, block-recycle holds that would have been applied, and steers that would have been deferred — without changing any behaviour. Enforcement can be toggled live without daemon restart.

Operator commands and illustrative counters

Flow-aware mapping stability — status output
# Check current mode and live counters bngxdpctl cgnat flow-aware --- Flow-Aware Mapping Stability --- Mode: ENFORCE Idle-timeout factor: 3x (capped at established-TCP timeout) Gaming flows protected: 2,418 Block recycles held: 311 Steers deferred (active game): 14 # Enable observe mode first — counts only, no behaviour change cgnat.flow_aware = observe # When satisfied with detection quality, enable enforcement cgnat.flow_aware = enforce
Illustrative counters — representative of the format and typical order of magnitude on a busy consumer BNG at peak gaming hours, not real customer data. Mode, factor, and counter names are illustrative of the CLI shape.

Also: Auto Open-NAT for symmetric deployments

Flow-aware mapping stability assumes the pool is already full-cone + EIF — the common case. Some operators still default to symmetric or restricted-cone NAT, and on those deployments consoles report Strict or Moderate NAT, breaking STUN-based party chat and P2P hosting. For that case, bngxdpd includes a secondary capability: Auto Open-NAT watches for the STUN binding magic cookie 0x2112A442 or a known game-port match in the XDP upload path and promotes just that flow's CGNAT entry to full-cone + EIF, so the console reports Open NAT without opening the whole pool. no-op on full-cone + EIF

On full-cone + EIF, this is intentionally a no-op. If every subscriber's pool IP is already full-cone + EIF — the configuration the rest of this brief assumes — every flow is already Open, so there is nothing for Auto Open-NAT to promote. It exists for operators whose default NAT is symmetric/strict and who want to keep it that way for everything except the flows that specifically need traversal. PCP/NAT-PMP explicit mappings always take precedence over it, and QUIC/UDP-443 is explicitly excluded from the promotion set. Default-off, observe→enforce, same as flow-aware mapping stability.

Interaction with the CGNAT feature set

FeatureInteraction with Gaming/RTC-Aware CGNAT
PCP / NAT-PMPPCP and NAT-PMP explicit mappings always take precedence over Auto Open-NAT. Auto Open-NAT acts only on flows with no existing explicit mapping. Flow-aware mapping stability is orthogonal — it protects whatever mapping a flow already has, explicit or automatic.
Per-subscriber health (F1)The per-subscriber CGNAT X-Ray (bngxdpctl check sub) includes flow-aware's protected-flow and deferred-steer counts, plus Auto Open-NAT's promoted-flow count where relevant, so operators can see both at the subscriber level. See the Per-Subscriber CGNAT X-Ray brief.
Abuser isolation (F3)A subscriber moved to a penalty IP by abuser isolation retains both capabilities — isolation affects which pool IP they are on, not the per-flow NAT behaviour or mapping stability. See the Abuser Auto-Isolation brief.
Self-healing steering (F5)This is the direct integration point for steering immunity: flow-aware mapping stability adds an "active game" check to the F5 steering decision so a rebalance defers rather than migrating a subscriber mid-match. Bounded — see Bound 2 above. See the Self-Healing CGNAT brief.

Open NAT type was never the whole story

Most CGNAT operators already run full-cone + EIF — every subscriber reports Open NAT today. And gamers on those pools still get randomly disconnected mid-match, because the cause was never NAT type. A gaming or voice UDP flow that goes quiet during a lull ages past the CGNAT idle timeout, gets reaped, and comes back on a different external port that the peer no longer knows about. Flow-aware mapping stability closes that gap directly on the architecture operators actually run: a capped, extended idle timeout, port-block recycle protection, and steering immunity so a pool rebalance never yanks a subscriber mid-match.

For the smaller set of operators still defaulting to symmetric or restricted-cone NAT, Auto Open-NAT handles the openness problem the same way — promoting only the flows that need it, automatically, with the pool default untouched for everything else.

Together: detected gaming/RTC flows get exactly the mapping stability — and, where needed, exactly the openness — they need, automatically, in the XDP fast path, with capped, bounded protections that can never create a port-exhaustion or stuck-steering risk. No operator configuration per subscriber. No support tickets.

Want to see observe mode in action? We'll show the detection logs and live counters against real traffic, explain the gaming/RTC port, STUN cookie, and mapping-stability matching logic, and walk through the observe-to-enforce transition on a test subscriber.

Honest framing: This is an operations brief; no throughput or price figures are claimed. Gaming/RTC-Aware CGNAT centers on flow-aware mapping stability, default-off and observe-before-enforce: it matches UDP flows against a known gaming/RTC destination-port set in the CGNAT data path and, for matches, extends the CGNAT idle timeout and protects the port block from recycling during a quiet lull, and defers self-healing pool-steering (F5) for subscribers with an active game. This works on any CGNAT configuration, including — and especially — pools already running full-cone + EIF for every subscriber, because it addresses session-lifecycle churn rather than NAT openness; that is the configuration most CGNAT operators actually run. Its protections are explicitly bounded: the extended idle timeout is capped and can never exceed a normal established-TCP timeout, so there is no port-exhaustion risk; steering immunity defers a migration rather than cancelling it, and after a bounded number of deferrals the subscriber is migrated regardless, so a perpetual gaming session can never block pool-IP remediation. Detection is port-based and does not guarantee coverage of every game title or proprietary peer-to-peer protocol. A secondary capability, Auto Open-NAT, also default-off and observe-before-enforce, detects the STUN binding magic cookie (0x2112A442) or a known game-port match in the XDP CGNAT upload path and promotes matching flows to full-cone NAT with endpoint-independent filtering (EIF) for that CGNAT session entry; all other traffic retains the operator's configured default NAT behaviour. Auto Open-NAT is intentionally a no-op when the CGNAT pool is already configured for full-cone + EIF globally — there is nothing to promote if every subscriber is already Open — and exists for operators whose default NAT is symmetric or restricted-cone. QUIC (UDP/443) is explicitly excluded from promotion by design. PCP and NAT-PMP explicit mappings always take precedence over Auto Open-NAT's automatic promotion. All modes can be changed live without daemon restart. Console NAT-type output, "before/after" examples, and the bngxdpctl cgnat flow-aware counters shown above are illustrative of typical observed behaviour and CLI output format — not real customer data. Related briefs: Per-Subscriber CGNAT X-Ray, Abuser Auto-Isolation, Self-Healing CGNAT Pool Steering.