CGNAT and You – MX and MG Best Practices – Cisco Meraki

As previously mentioned, another caveat when working with cellular as a business uplink is that most cellular providers use Carrier Grade NAT (CGNAT), so it’s important to understand at a basic level how CGNAT can affect your cellular deployment.

At the most basic level, CGNAT is very similar to standard NAT: it rewrites traffic from multiple clients so that they share the same source IP address before egressing to the public Internet. However, CGNAT operates at a much larger scale than traditional NAT, often implementing multiple levels of NAT within the carrier network before traffic egresses to the public Internet, so that potentially thousands of customers can share a single public IP. As a result, many services that require specific or consistent inbound ports for communication, such as VPN tunneling or port forwarding for inbound connections, can run into issues.

Many carriers that offer business-grade cellular plans also offer the option to either bypass CGNAT entirely or configure advanced forwarding to allow for greater compatibility with services like VPNs and port forwarding. However, this is highly carrier dependent and may not be available everywhere. It is critical to explore all aspects of your proposed cellular solution to ensure that the carrier you choose can provide a level of service that works with your intended use case for your cellular uplink, whether that is as a primary uplink or as a backup or out-of-band connection.
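One way to check whether a given cellular uplink sits behind CGNAT, as an added example that is not part of the original Meraki page: compare the address on the WAN interface with the RFC 6598 shared range (100.64.0.0/10) and with the address an external host sees. The function name, verdict labels and sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges, which some carriers assign to modems instead.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# IPv6 ranges that are not routable on the Internet (ULA, link-local).
V6_LOCAL = [ipaddress.ip_network(n) for n in ("fc00::/7", "fe80::/10")]


def classify_uplink(wan_ip, observed_ip=None):
    """Classify an uplink from the address on the WAN/cellular interface
    (wan_ip) and, optionally, the source address an external host sees
    (observed_ip). Returns (verdict, direct). direct=True means no carrier
    NAT sits in the path; a carrier firewall may still filter inbound."""
    wan = ipaddress.ip_address(wan_ip)
    if wan.version == 6:
        if any(wan in net for net in V6_LOCAL):
            return ("ipv6-local-only", False)
        return ("ipv6-routable", True)
    if wan in CGNAT_SHARED:
        return ("cgnat", False)
    if any(wan in net for net in RFC1918):
        return ("private-nat", False)
    if observed_ip is not None and ipaddress.ip_address(observed_ip) != wan:
        # Interface address looks public, but it is still rewritten upstream.
        return ("translated", False)
    return ("public", True)


# Constructed samples; documentation-range addresses stand in for real
# public IPs. name -> (interface address, externally observed address)
SAMPLES = {
    "cell-shared-range": ("100.72.14.9", "203.0.113.50"),
    "cell-private": ("10.20.30.40", "203.0.113.50"),
    "cell-double-nat": ("198.51.100.7", "203.0.113.50"),
    "cell-static-public": ("198.51.100.7", "198.51.100.7"),
    "cell-ipv6": ("2001:db8::1", None),
}


def report(samples=SAMPLES):
    """Classify every sample uplink; returns {name: (verdict, direct)}."""
    return {name: classify_uplink(*addrs) for name, addrs in samples.items()}


if __name__ == "__main__":
    for name, (verdict, direct) in report().items():
        print(f"{name:20} {verdict:16} direct={direct}")
```

Any verdict with `direct=False` means port forwarding and inbound VPN connections to that uplink depend on what the carrier offers.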

Pro Tip

Consider leveraging IPv6 to avoid the headaches of CGNAT.