Does vyos supports CGNAT

Saad · April 22, 2024, 8:33pm

I want to know whether vyos supports CGNat. If not, is there any possibility in future

tjh · April 22, 2024, 9:48pm

There’s discussion about it here.

Viacheslav · April 23, 2024, 5:28am

Try the config described here

Saad · April 24, 2024, 8:37am

let me check. I will update after testing

Saad · April 27, 2024, 5:28pm

I have setup pn laptop and almost 1Gig traffic is passing through it. Till npw its working fine. I will test this for almost a week. In order to resolve all the issues before shifting into prosuction

Viacheslav · May 16, 2024, 12:37pm

How does it work in production?
Could you describe in detail how many internal/external addresses you use?
Do you have any issues?

Saad · May 16, 2024, 12:46pm

I tested for about 1 week. /22 private ip pool and 2 / 29 external pools. 1001-65535 port. With 1000 port per user. Work perfectly. Got no complaint. Today, I made a test environment again. Almost 400 subscribers are connected. Note, number of subscribers were same in previous test.

Saad · May 16, 2024, 12:48pm

One thing I noticed today. If remove a public ip pool its enyries are not flushed from nat translation table

Viacheslav · May 16, 2024, 12:56pm

@Saad How to reproduce?
Did you use two external addresses for the pool and then delete one of them? Something else?
Can you add steps to reproduce and open a bug report?

Thanks

Viacheslav · May 16, 2024, 3:36pm

By the way we have documentation about this feature CGNAT — VyOS 1.5.x (circinus) documentation

Saad · May 16, 2024, 3:40pm

I added another /29 external pool and removed a previous. Means, I replaced a previous external pool with another one.

Saad · May 16, 2024, 3:41pm

Excellent. I will check this

archous · May 20, 2024, 2:03am

What NAT type are your users reporting on real-time applications such as gaming? While yes, the implementation here “functions”, online matchmaking capabilities are reduced for users due to NAT type being too strict. This is a direct result of not having endpoint independent filtering support in the VyOS NAT implementation.

Xbox Support.

I encourage you to check your NAT types and follow closely to user reports of limited matchmaking opportunities, higher gaming latency due to having to expand the match making search radius, and voice chat capabilities.

Viacheslav · May 20, 2024, 3:04am

Do you have any idea how to implement it via nftables?
What will be if 2-4 subscribers behind one external address needs to use the same ports, port-ranges?

Are there easy way to check peer-to-peer communication without Xbox?

Rfc 6887 and 6888 still requires developing process, not all requirements are implemented

The root task for CGN ⚓ T5169 Add CGNAT Carrier-Grade NAT based on nftables
You can add more subtasks or claim any sub task if you want.

archous · May 20, 2024, 5:03am

EIF does not have anything to do with re-using the same ports or ranges. It can operate on any external port translated by the underlying NAT technique (not dependent on the technique). In an Xbox scenario what happens is that one Xbox host (“server”) calls out to an external server (Xbox Live) which opens a public IP:port translation. Then the Xbox Live network communicates to the other Xbox hosts (clients) to connect to the public IP:port of the server host’s opened connection described previously. In an EIF implementation the connection is allowed and communication to the server public IP:port is treated as transparent in regards to limiting the IPs and ports that can connect to it. Without EIF, the connection to the server’s public IP:port would be blocked and restricted to only work between the Xbox server host and Xbox Live network thus preventing any clients from being able to connect to it.

You can check EIF easily by running tcpdump and opening an outbound connection on a Linux host configured to be behind CGN to some host on the Internet, notate the public IP:port translated by the CGN, and try to initiate an inbound connection from a different Linux host on the Internet to the public:IP port. If tcpdump captures the inbound packets on the Linux host then the CGN is working transparently and passing packets with EIF. If it doesn’t then there’s some other issue or EIF is not working.

Subtask is already here: ⚓ T6247 Add CGN "full cone" EIF support per RFC6888 REQ-7
Unfortunately this would require modification of the base nftables and recompile in C which I do not know. I’m a network development engineer, not a SDE My capabilities stop at Python but I can definitely test and explain how the feature should work functionally. These patch files seem to have been made to implement to OpenWRT though:

github.com

wongsyrone/lede-1/blob/master/package/network/config/firewall4/patches/999-01-firewall4-add-fullcone-support.patch

From aa3b56e289fba7425e649a608c333622ffd9c367 Mon Sep 17 00:00:00 2001
From: Syrone Wong <[email protected]>
Date: Sat, 9 Apr 2022 13:24:19 +0800
Subject: [PATCH] firewall4: add fullcone support

fullcone is drop-in replacement of masq for non-udp traffic

add runtime fullcone rule check, disable it globally if fullcone expr is
invalid

defaults.fullcone is the global switch, while zone.fullcone4 and
zone.fullcone6 are switches for IPv4 and IPv6 respectively, most
IPv6 traffic do NOT need this FullCone NAT functionality.
---
 root/etc/config/firewall                      |  2 +
 root/usr/share/firewall4/templates/ruleset.uc | 11 ++++-
 .../firewall4/templates/zone-fullcone.uc      |  4 ++
 root/usr/share/ucode/fw4.uc                   | 44 ++++++++++++++++++-
 4 files changed, 58 insertions(+), 3 deletions(-)
 create mode 100644 root/usr/share/firewall4/templates/zone-fullcone.uc

This file has been truncated. show original

If someone could just get this over the line into Debian/Gnu for VyOS we would be golden!

system · June 19, 2024, 10:21am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.