>> On Aug 8, 2020, at 4:36 AM, Stuart Henderson <s...@spacehopper.org> wrote:
>
> On 2020-08-07, Edward Carver <edwardlcar...@protonmail.com> wrote:
>> Hi Misc,
>>
>> Does OpenBSD support Carrier Grade Nat (cg-nat)?
>> Thanks for helping..
>
> What do you mean by 'support'?
>
> Running as a client behind one? Yes, that's transparent anyway (unless
> you use vmd with its default "local prefix" address range which was
> carefully chosen to conflict with the usual CGN address range).
>
> As a router performing nat for others? Sort-of. Some will just say
> that CGN is "NAT done by the ISP" and OpenBSD can do that. Others will
> say that more is needed - typically CGN installations will dynamically
> block off a range of ports for a user and tie in with logging ("user
> x was assigned ports 1024-2047 from time y to z") so you can track
> activity to a user without recording every single nat mapping (which
> is a lot more intrusive information to store), and often allow all
> traffic to that range through to the user regardless of whether
> the user initiated a connection to that IP (helps for direct machine
> to machine access for online gaming etc), OpenBSD doesn't do either
> of those.
>
Hi Stuart, All

Coming from a place of curiosity: I am definitely not knowledgeable on Carrier Grade NAT; however, regarding your final two reasons and that OpenBSD may not support this out of the box: Could a crafty setup accomplish a CGN using PF and other base utilities plus crafty scripting/API integration with PF? I can surmise PF rules that cover at least the two final reasons you've mentioned but I'm sure there's more to it that I'm not understanding.

Thanks,
Brian
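As an added illustration (not from this thread and not anything OpenBSD ships), here is the static approximation of the two CGN behaviours Stuart describes, expressed as PF rules generated by a small script: each subscriber is pinned to a fixed port block on the shared public address, inbound traffic to that block is handed back to the subscriber whether or not it opened the flow, and the block assignment is logged once rather than per mapping. The subscriber addresses (100.64.0.x), public address (203.0.113.1) and 1024-port block size are constructed assumptions; the allocation is static, so the dynamic per-session assignment and the time-bounded "from y to z" log that real CGN gear keeps are still missing.

```shell
#!/bin/sh
# Added example: static per-subscriber port blocks as PF rules.
# Constructed assumptions: subscribers live in 100.64.0.0/10, the shared
# public address is 203.0.113.1, every subscriber gets a fixed block of
# 1024 source ports. Allocation is static; PF does not assign or log
# blocks dynamically, which is the part Stuart says OpenBSD lacks.
PUBLIC_IP="203.0.113.1"
BLOCK_SIZE=1024
FIRST_PORT=1024          # blocks start above the well-known port range

# port_block N -> "lo:hi" for subscriber number N (N starts at 0).
# Refuses blocks that would run past the 16-bit port space.
port_block() {
    lo=$(( FIRST_PORT + $1 * BLOCK_SIZE ))
    hi=$(( lo + BLOCK_SIZE - 1 ))
    [ "$hi" -le 65535 ] || return 1
    printf '%d:%d\n' "$lo" "$hi"
}

# pf_rules N INTERNAL_IP -> two pf.conf lines for that subscriber:
#  1. outbound nat-to with the source port restricted to the block
#  2. inbound to the block redirected to the subscriber regardless of
#     whether the subscriber initiated the connection
pf_rules() {
    range=$(port_block "$1") || return 1
    printf 'match out on egress inet from %s nat-to %s port %s\n' \
        "$2" "$PUBLIC_IP" "$range"
    printf 'pass in on egress inet proto { tcp udp } to %s port %s rdr-to %s\n' \
        "$PUBLIC_IP" "$range" "$2"
}

# assignment_log N INTERNAL_IP -> one "subscriber got ports a:b at time t"
# line, the block-level record CGN keeps instead of every NAT mapping.
assignment_log() {
    range=$(port_block "$1") || return 1
    printf '%s subscriber=%s ports=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "$range"
}
```

Run `pf_rules 1 100.64.0.5` for each subscriber, append the output to pf.conf and load it with `pfctl -f`; the `assignment_log` line is what you would keep for later attribution.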