CPE NAT IPs

Note

As per general IPv6 recommendations, features employing NAT do not support IPv6. See IPv6 Compatibility for a cheatsheet on the current state of IPv6 compatibility in bonding.

A CPE NAT IP allows a customer to be assigned a single public IP address for communication to the Internet. A private connected IP is used for communication between the bonder and the customer’s firewall, and the public IP is translated by the bonder to the firewall’s private IP address. They are called CPE NAT IPs because network address translation occurs on the CPE, not on the aggregator.

CPE NAT IPs allow more efficient use of IPv4 address space compared to assigning one public /30 connected IP to each customer, because a single customer only uses one IP address instead of four.


To use CPE NAT IPs, first configure a private connected IP on the bond. For example, add the connected IP 192.168.1.1/24. The customer’s router could be assigned the address 192.168.1.2. Then add a CPE NAT IP, forwarding connections from a single public IP to the given destination IP address. For example, you could assign the public address 203.0.113.4 to the private destination 192.168.1.2 (the customer’s router). All incoming connections to 203.0.113.4 would then be translated to the IP 192.168.1.2. Outgoing connections are also translated from the destination network to the assigned CPE NAT IP. For example, a connection from the customer’s firewall at 192.168.1.2 to a host on the Internet would appear to have come from 203.0.113.4.

The entire private network is able to use the outgoing NAT, not just the host defined in the destination NAT IP field. For example, if the destination NAT IP is 192.168.1.2, but other hosts on the network include 192.168.1.10 and 192.168.1.11, both the .10 and .11 hosts can make connections through the bonder and be NAT’ed to 203.0.113.4.

Connections from private networks other than the one referred to by the destination NAT IP field are not able to use the CPE NAT IP. For example, on a bond with the previously discussed 192.168.1.0/24 connected IP as well as a 192.168.99.0/24 connected IP, hosts in the 192.168.99.0/24 subnet would not be NAT’ed to 203.0.113.4.

Routing for connected IPs and routes is controlled by the private WAN (PWAN) setting of the bond’s space. However, because NAT is unnecessary in a PWAN space, CPE NAT IPs are never routed into a PWAN space, even if the PWAN option is enabled on the bond’s space. CPE NAT IPs always operate similarly to connected IPs or routes that have the “Include in private WAN” option disabled.

Adding, editing, & deleting CPE NAT IPs

CPE NAT IPs are displayed in a table on the bond details page.

To add a CPE NAT IP, click the add button to the upper-left of the CPE NAT IPs table. This will open the “add CPE NAT IP” modal.

To edit a CPE NAT IP, click the edit button on the CPE NAT IP action toolbar. This will open the “edit CPE NAT IP” modal.

To delete a CPE NAT IP, click the delete button on the CPE NAT IP action toolbar. You will be asked for confirmation; deletion is permanent.

Configuring CPE NAT IPs

Enabled

When checked, loads the CPE NAT IP on the bonder and aggregator.

IP

A single public IP address to route to the bonder. This address appears as the source IP of traffic originating from the NATed network. The IP must be within a network allocated to the bond’s space.

Destination NAT IP

The target IP address for incoming connections. This must be in the network of one of the bond’s connected IPs. It would usually be the IP address used by the customer’s router. However, if the customer has no router, consider setting this value to be the connected IP address. In this case, outgoing traffic from the customer’s network will still use the CPE NAT IP, but incoming traffic to the IP will be directed to the bonder itself.
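
The following added example (not the product's own code) models the rules described above: the validation constraints on the IP and Destination NAT IP fields, which private hosts share the outgoing NAT, and when incoming traffic lands on the bonder itself. The function names, the dictionary keys, and the use of 203.0.113.0/24 as the space's allocated network are assumptions made for illustration.

```python
import ipaddress

def plan_cpe_nat(public_ip, dest_nat_ip, connected_ips, space_networks):
    """Check a CPE NAT IP against the rules on this page and describe its effect.

    All parameter names are hypothetical; this models the documented behaviour,
    it does not call the product.
    """
    pub = ipaddress.ip_address(public_ip)
    dst = ipaddress.ip_address(dest_nat_ip)
    if pub.version != 4 or dst.version != 4:
        raise ValueError("features employing NAT do not support IPv6")
    # The public IP must be within a network allocated to the bond's space.
    nets = [ipaddress.ip_network(n) for n in space_networks]
    if not any(n.version == 4 and pub in n for n in nets):
        raise ValueError(f"{pub} is not in a network allocated to the space")
    # The destination NAT IP must be in the network of a connected IP.
    ifaces = [ipaddress.ip_interface(c) for c in connected_ips]
    owner = next((i for i in ifaces if i.version == 4 and dst in i.network), None)
    if owner is None:
        raise ValueError(f"{dst} is not in any connected IP network")
    return {
        "public_ip": str(pub),
        "dnat_target": str(dst),              # incoming connections land here
        "snat_network": str(owner.network),   # whole subnet shares outgoing NAT
        "inbound_reaches_bonder": dst == owner.ip,  # no customer router case
    }

def outgoing_source(plan, src_ip):
    """Return the source address seen on the Internet, or None if not NAT'ed."""
    src = ipaddress.ip_address(src_ip)
    if src in ipaddress.ip_network(plan["snat_network"]):
        return plan["public_ip"]
    return None

if __name__ == "__main__":
    # Constructed sample using the addresses from the text; 203.0.113.0/24 as
    # the space's allocated network is an assumption.
    plan = plan_cpe_nat("203.0.113.4", "192.168.1.2",
                        ["192.168.1.1/24", "192.168.99.1/24"], ["203.0.113.0/24"])
    print(plan)
    for host in ("192.168.1.2", "192.168.1.10", "192.168.99.5"):
        print(host, "->", outgoing_source(plan, host))
```

When `inbound_reaches_bonder` is true, any service listening on the bonder's connected IP is reachable from the public address, so review what the bonder exposes before using that configuration.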