Limit number of ports used on WAN due to CGNAT

  • I've been having some IPv4 connection issues lately and reached out to my ISP. Long story short, they are saying that due to CGNAT each customer can use 4096 ports on the WAN side. According to them, I am going beyond this limit, which results in "Destination Unreachable" a lot more often than I would like. So, is there a way to somehow limit the WAN-side number of ports used, or more aggressively close inactive ports/connections?


  • LAYER 8 Global Moderator

    And how many states does pfsense currently show having open?

  • At the moment, hovering around 1000 plus or minus a couple hundred. Assuming "State Table Size" is accurate, I guess I should be monitoring that when I have issues.

    Extra bits: When I have those connection issues, if I enable a VPN on a device (my phone for example) I can connect to the sites without issue. When I disable the VPN, the site still refuses to load. I originally posted over on Routing but after hearing back from my ISP, I thought this was a better place for it.

  • LAYER 8 Global Moderator

    Well, if you're only showing 1000 states, you're nowhere near the 4096 they say you should have. Or they are not clearing your old ones out. That state table is also going to be, say, double what you would have externally used, because it will be tracking your local-side state through your NAT as well.

    But sure, a VPN would be one way to mitigate their port issue, since you would only have the one connection open to your VPN provider.

  • Yeah, and I imagine my IPv6 connections are in that state table too so probably a little less than half of that table is actually external IPv4 states.

    I figured I would mention the VPN thing to see if that made sense based on what my ISP was telling me (sounds like it does). I originally thought my issues were routing related because the ISP equipment kept responding with "Destination Unreachable" for seemingly random sites at random times.
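A way to check how much of that 4096-port budget is actually in use, added here as an example and not code from any participant in this thread: the script below parses state lines in the `pfctl -ss` format, sets aside the LAN-side and IPv6 entries the moderator and the poster mention, and counts only translated IPv4 states whose source is the WAN address. The sample lines are constructed in the pfctl `translated (original) -> destination` layout for outbound NAT; the WAN address 203.0.113.5, the LAN hosts and the 4096 limit are assumptions. Whether the ISP's CGNAT charges one port per translated state or per distinct source port depends on its mapping behaviour, so the script reports both figures.

```python
import re
from collections import Counter

# Constructed sample in the style of `pfctl -ss` output; not captured from a real
# firewall. 203.0.113.5 plays the pfSense WAN address, 192.168.1.x the LAN hosts.
# The "lan" lines are the local-side states, the "wan" lines with an address in
# parentheses are the NAT-translated states, and the bracketed ports are IPv6.
SAMPLE_STATES = """\
lan tcp 192.168.1.10:52345 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
wan tcp 203.0.113.5:60001 (192.168.1.10:52345) -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
lan udp 192.168.1.10:5353 -> 1.1.1.1:53       MULTIPLE:SINGLE
wan udp 203.0.113.5:60002 (192.168.1.10:5353) -> 1.1.1.1:53       MULTIPLE:SINGLE
lan udp 192.168.1.11:5354 -> 8.8.8.8:53       MULTIPLE:SINGLE
wan udp 203.0.113.5:60004 (192.168.1.11:5354) -> 8.8.8.8:53       MULTIPLE:SINGLE
lan tcp 2001:db8::10[40000] -> 2606:4700::1[443]       ESTABLISHED:ESTABLISHED
wan tcp 2001:db8::10[40000] -> 2606:4700::1[443]       ESTABLISHED:ESTABLISHED
wan tcp 203.0.113.5:60003 (192.168.1.11:41000) -> 93.184.216.34:443       FIN_WAIT_2:FIN_WAIT_2
"""

# iface proto src [(orig)] -> dst state  (direction may also be "<-" for inbound)
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)"
    r"(?:\s+\((?P<orig>[^)]+)\))?\s+(?:->|<-)\s+(?P<dst>\S+)\s+(?P<state>\S+)\s*$"
)


def split_endpoint(endpoint):
    """Split 'addr:port' (IPv4) or 'addr[port]' (IPv6) into (addr, port)."""
    if endpoint.endswith("]"):
        addr, _, port = endpoint[:-1].rpartition("[")
    else:
        addr, _, port = endpoint.rpartition(":")
    return addr, int(port)


def parse_states(text):
    """Turn pfctl -ss style lines into dicts; unrecognised lines are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        s = m.groupdict()
        s["src_addr"], s["src_port"] = split_endpoint(s["src"])
        s["dst_addr"], s["dst_port"] = split_endpoint(s["dst"])
        s["ipv6"] = ":" in s["src_addr"]  # IPv4 addresses carry no colon once the port is gone
        states.append(s)
    return states


def wan_port_usage(text, wan_ip, cgnat_limit=4096):
    """Count only the states the CGNAT can see: IPv4, translated, sourced from wan_ip."""
    states = parse_states(text)
    translated = [
        s for s in states
        if s["orig"] and not s["ipv6"] and s["src_addr"] == wan_ip
    ]
    # Distinct (proto, WAN port) pairs: the lower bound if the CGNAT maps per source port.
    ports = {(s["proto"], s["src_port"]) for s in translated}
    # Which internal hosts own the translated states, to find the device eating ports.
    per_host = Counter(split_endpoint(s["orig"])[0] for s in translated)
    return {
        "total_states": len(states),
        "ipv6_states": sum(s["ipv6"] for s in states),
        "translated_states": len(translated),   # upper bound: one port per state
        "distinct_wan_ports": len(ports),
        "cgnat_limit": cgnat_limit,
        "headroom": cgnat_limit - len(translated),
        "per_host": dict(per_host),
    }


if __name__ == "__main__":
    import sys
    # Real use: `pfctl -ss | python3 wan_ports.py <wan-ip>`; with no stdin the sample runs.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATES
    wan = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.5"
    report = wan_port_usage(text, wan)
    for key, value in report.items():
        print(f"{key:>20}: {value}")
```

On the sample the raw table holds 9 states but only 4 are translated IPv4 states on the WAN address, which is the kind of gap the moderator describes. On pfSense the real input is `pfctl -ss` from the shell, and `pfctl -st` prints the state timeouts that decide how long idle entries linger before they are cleared.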
