============
CPE NAT IPs
============

.. note::
    As per general IPv6 recommendations, features employing NAT do not support IPv6.
    See `IPv6 Compatibility <../ipv6-compatibility/index.html>`__ for a cheatsheet
    on the current state of IPv6 compatibility in bonding.

A CPE NAT IP allows a customer to be assigned a single public IP address
for communication to the Internet. A private connected IP is used for
communication between the bonder and customer's firewall, and the public
IP is translated by the bonder to the firewall's private IP
address. They are called CPE NAT IPs because network address translation
occurs on the CPE, not on the aggregator.

CPE NAT IPs allow more efficient use of IPv4 address space compared to
assigning one public /30 connected IP to each customer, because a single
customer only uses one IP address instead of four.

|image0|

To use CPE NAT IPs, first configure a private connected IP on the bond.
For example, add the connected IP 192.168.1.1/24. The customer's router
could be assigned the address 192.168.1.2. Then add a CPE NAT IP,
forwarding connections from a single public IP to the given destination
IP address. For example, you could assign the public address 203.0.113.4
to the private destination 192.168.1.2 (the customer's router). All
incoming connections to 203.0.113.4 would then be translated to the IP
192.168.1.2. Outgoing connections are also translated from the
destination network to the assigned CPE NAT IP. For example, a
connection from the customer's firewall at 192.168.1.2 to a host on the
Internet would appear to have come from 203.0.113.4.

The entire private network is able to use the outgoing NAT, not just the
host defined in the destination NAT IP field. For example, if the
destination NAT IP is 192.168.1.2, but other hosts on the network
include 192.168.1.10 and 192.168.1.11, both the .10 and .11 hosts can
make connections through the bonder and be NAT'ed to 203.0.113.4.

Connections from private networks other than the one referred to by the
destination NAT IP field are not able to use the CPE NAT IP. For
example, on a bond with the previously discussed 192.168.1.0/24
connected IP as well as a 192.168.99.0/24 connected IP, hosts in the
192.168.99.0/24 subnet would not be NAT'ed to 203.0.113.4.

Routing for connected IPs and routes is controlled by the private WAN
(PWAN) setting of the bond's space. However, because NAT is unnecessary
in a PWAN space, CPE NAT IPs are never routed into a PWAN space, even if
the PWAN option is enabled on the bond's space. CPE NAT IPs always
operate similarly to connected IPs or routes that have the "Include in
private WAN" option disabled.

Adding, editing, & deleting CPE NAT IPs
------------------------------------------------------------------------------------------------------------------------

CPE NAT IPs are displayed in a table on the bond details page.

To add a CPE NAT IP, click the |node-object-add| button to the upper-left of the CPE NAT IPs table. This will open the "add CPE NAT IP" modal.

To edit a CPE NAT IP, click the |node-object-edit| button on the CPE NAT IP action toolbar. This will open the "edit CPE NAT IP" modal.

To delete a CPE NAT IP, click the |node-object-delete| button on the CPE NAT IP action toolbar. You will be asked for confirmation; deletion is permanent.

Configuring CPE NAT IPs
-------------------------------------------------------------------------------

Enabled
++++++++

When checked, loads the CPE NAT IP on the bonder and aggregator.

IP
+++

A single public IP address to route to the bonder. This address appears
as the source IP of traffic originating from the NATed network. The IP
must be within a network allocated to the bond's space.

Destination NAT IP
+++++++++++++++++++

The target IP address for incoming connections. This must be in the
network of one of the bond's connected IPs. It would usually be the IP
address used by the customer's router. However, if the customer has no
router, consider setting this value to be the connected IP address. In
this case, outgoing traffic from the customer's network will still use
the CPE NAT IP, but incoming traffic to the IP will be directed to the
bonder itself.
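
The following is an added example, not code from the product: a Python sketch that checks a CPE NAT IP against the IP and Destination NAT IP rules above and reports which hosts are translated and whether inbound traffic lands on the bonder itself. The function names, the ``203.0.113.0/24`` space allocation and the ``192.168.99.1/24`` connected IP are assumptions made for illustration.

```python
import ipaddress

def check_cpe_nat(public_ip, dest_nat_ip, connected_ips, space_networks):
    """Validate one CPE NAT IP against the rules above and report its scope."""
    pub = ipaddress.ip_address(public_ip)
    dst = ipaddress.ip_address(dest_nat_ip)
    if pub.version != 4 or dst.version != 4:
        raise ValueError("features employing NAT do not support IPv6")
    # "IP" must be within a network allocated to the bond's space.
    if not any(pub in ipaddress.ip_network(n) for n in space_networks):
        raise ValueError(f"{pub} is not in a network allocated to the space")
    # "Destination NAT IP" must be in the network of one of the connected IPs.
    ifaces = [ipaddress.ip_interface(c) for c in connected_ips]
    match = next((i for i in ifaces if dst in i.network), None)
    if match is None:
        raise ValueError(f"{dst} is not in any connected IP network")
    return {
        "public_ip": str(pub),
        # Every host in this network is source-NAT'ed, not just dest_nat_ip.
        "snat_network": match.network,
        # Other connected networks on the bond do not use this CPE NAT IP.
        "not_translated": [i.network for i in ifaces if i is not match],
        # True when inbound traffic to the public IP lands on the bonder itself.
        "inbound_hits_bonder": dst == match.ip,
    }

def outbound_source(src_ip, report):
    """Source address seen on the Internet, or None if this NAT does not apply."""
    src = ipaddress.ip_address(src_ip)
    return report["public_ip"] if src in report["snat_network"] else None

if __name__ == "__main__":
    # Constructed sample: addresses from the text plus an assumed space network.
    report = check_cpe_nat(
        "203.0.113.4", "192.168.1.2",
        ["192.168.1.1/24", "192.168.99.1/24"],
        ["203.0.113.0/24"],
    )
    for host in ("192.168.1.2", "192.168.1.10", "192.168.99.5"):
        print(host, "->", outbound_source(host, report))
    print("inbound reaches bonder:", report["inbound_hits_bonder"])
```

When ``inbound_hits_bonder`` is true, every connection to the public IP terminates on the bonder, so review which services the bonder listens on before using that configuration.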


.. |image0| image:: /attachments/1639375/11667715.png

.. |node-object-add| image:: /attachments/bonds/node-object-add.png
.. |node-object-edit| image:: /attachments/bonds/node-object-edit.png
.. |node-object-delete| image:: /attachments/bonds/node-object-delete.png
