Page MenuHomeVyOS Platform
Create Task
Maniphest T6247

Add CGN "full cone" EIF support per RFC6888 REQ-7
Open, WishlistPublicFEATURE REQUEST
Actions

Description

We see several feature requests to add port mapping and other CGN-friendly featuresets but fundamentally VyOS is missing one of the critical distinguishers of a true CGN verses just standard PAT and that's the ability to support full cone NAT or endpoint independent NAT.

Per RFC this is defined below:
RFC6888 REQ-7 implemented for it to be considered "complete" https://datatracker.ietf.org/doc/html/rfc6888

Ironically it looks like another contributor has attempted the same here:
https://github.com/DmitriyEshenko/vyos-cgnat

This should just be part of any native CGN featureset and is on par with other commercial products of the world such as Juniper/Cisco/A10 implementations.

Details

Version
-
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Related Objects
Search...

StatusSubtypeAssignedTask
 Needs testingFEATURE REQUESTNoneT5169 Add CGNAT Carrier-Grade NAT based on nftables
 OpenFEATURE REQUESTNoneT6247 Add CGN "full cone" EIF support per RFC6888 REQ-7

Event Timeline

jmoore created this task.Apr 17 2024, 4:34 PM
jmoore created this object in space S1 VyOS Public.
Viacheslav removed a project: VyOS 1.4 Sagitta.Apr 17 2024, 5:43 PM
Viacheslav subscribed.

We do not use iptables and their modules for new features.
Feel free to add PR for nftables or if you know which commands should be for nftables

Viacheslav added a parent task: T5169: Add CGNAT Carrier-Grade NAT based on nftables.Apr 17 2024, 5:47 PM
jmoore added a comment.Apr 17 2024, 6:03 PM

Another example on nftables: https://github.com/fullcone-nat-nftables/nftables-1.0.5-with-fullcone

pasik subscribed.Apr 17 2024, 6:23 PM
n.fort subscribed.Apr 17 2024, 7:01 PM

I saw such repository more than once, but it seems that it has been abandoned. Last commit is dated two years ago.

jmoore added a comment.Apr 17 2024, 11:11 PM

It very may well have been. That's not really relevant to this request. The repository is an example. We need the feature regardless of the state of the repository.

Viacheslav added a comment.Apr 18 2024, 4:11 AM
In T6247#184232, @jmoore wrote:

. We need the feature regardless of the state of the repository.

It doesn’t work this way. If you need it just integrate it.

Viacheslav added a comment.Apr 18 2024, 9:05 AM

Related topic https://github.com/Chion82/netfilter-full-cone-nat/issues/42

Viacheslav added a comment.May 21 2024, 9:33 AM

https://github.com/debiansid/nftables-fullcone

Goliath5126 subscribed.Aug 4 2024, 9:38 AM
In T6247#189119, @Viacheslav wrote:

https://github.com/debiansid/nftables-fullcone

Is this version already supports EIF?
If so any guide to implement/test it ?

syncer lowered the priority of this task from Low to Wishlist.Nov 1 2024, 3:47 PM
syncer added a project: VyOS Rolling.
syncer changed the subtype of this task from "Task" to "Feature Request".
syncer moved this task from Need Triage to Backlog - Feature Requests on the VyOS Rolling board.
syncer added a subscriber: Global Notifications.Nov 1 2024, 9:19 PM
hsw0 subscribed.Jul 10 2025, 12:57 PM
Viacheslav added a comment.EditedAug 25 2025, 9:59 AM

I have found an interesting project with EINat/fullcone NAT implementation https://github.com/EHfive/einat-ebpf
Use cases https://github.com/EHfive/einat-ebpf/blob/main/docs/guide/use-case.md
https://github.com/EHfive/einat-ebpf/blob/main/docs/reference/rfc-compliance.md
You can download a static binary to play with it.