CodexMCP Future Ideas: cgnat-core-1

As the CodexMCP ecosystem continues to evolve, one of the planned future components is a virtual CGNAT router named cgnat-core-1. This VM will handle Carrier-Grade NAT (CGNAT) functions for simulated users inside the CodexMCP environment, allowing for full end-to-end flow simulation, session tracking, and log analysis — all with open source tooling.
The idea is straightforward: once users are requesting DHCP leases from Kea and are able to interact with the broader internet, they’ll eventually need to traverse a NAT boundary, just like in a real ISP. Right now, all simulated users route traffic through a shared default gateway and borrow the host system's IP stack. That’s fine for early-stage testing, but it doesn’t model the behavior of a real carrier environment where private address space must be mapped to a limited number of public IPs — especially when simulating thousands of clients.
When implemented, cgnat-core-1 will act as that middle layer:
- It will accept traffic from the DHCP-assigned 10.1.0.0/16 pool
- Perform source NAT translation to a shared CGNAT range (e.g., 100.64.0.0/24)
- Export logs that emulate real-world NAT session detail (timestamps, source/dest, translated IP/port)
This traffic will then be routed out through the main interface just like today — but with a realistic CGNAT layer in between.
Down the road, this opens up several useful capabilities:
- Session logging for forensic replay and analysis (via FerroSearch or TSPG)
- Dynamic simulation of NAT exhaustion, port collisions, or load-based failure conditions
- Integration with RADIUS or user attribution for full ISP-grade visibility
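
To make the session-log and exhaustion ideas above concrete, here is an added sketch that is not part of CodexMCP: a toy source-NAT table that records the log fields listed earlier and answers the forensic question "who held this translated IP/port at time T". The names CgnatSim, Session, open, close and attribute are hypothetical, and the destination addresses used with it are constructed samples.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Session:
    start: float
    src: tuple                   # (private IP, port) of the simulated user
    dst: tuple                   # (destination IP, port)
    xlat: tuple                  # (shared CGNAT IP, port) after source NAT
    end: Optional[float] = None  # None while the mapping is still active

class CgnatSim:
    """Hypothetical toy source-NAT table (added example); forwards no packets."""
    def __init__(self, inside="10.1.0.0/16", pool="100.64.0.0/24",
                 ports=range(1024, 65536)):
        self.inside = ipaddress.ip_network(inside)
        # Lazy generator so the full pool x port space is never materialized.
        self._fresh = ((str(ip), p) for ip in ipaddress.ip_network(pool) for p in ports)
        self._released = []      # mappings freed by close(), reused first
        self.active = {}         # (src, dst) -> Session
        self.log = []            # every session ever opened (the NAT log)
        self.exhausted = 0       # flows dropped because no mapping was free

    def open(self, t, src, dst):
        if ipaddress.ip_address(src[0]) not in self.inside:
            raise ValueError(f"{src[0]} is outside the DHCP pool")
        if (src, dst) in self.active:
            return self.active[(src, dst)]
        xlat = self._released.pop() if self._released else next(self._fresh, None)
        if xlat is None:         # NAT exhaustion: nothing left to translate to
            self.exhausted += 1
            return None
        s = Session(t, src, dst, xlat)
        self.active[(src, dst)] = s
        self.log.append(s)
        return s

    def close(self, t, src, dst):
        s = self.active.pop((src, dst))
        s.end = t
        self._released.append(s.xlat)

    def attribute(self, xlat, t):
        """Forensic lookup: which private endpoint held xlat at time t?"""
        for s in self.log:
            if s.xlat == xlat and s.start <= t and (s.end is None or t < s.end):
                return s.src
        return None
```

Because released mappings are reused first, the same translated IP/port can belong to different users minutes apart, which is why the log needs both timestamps and ports for attribution to work.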
That said, I’m not building this tomorrow.
Before CGNAT enters the stack, I need to finalize the basic plumbing:
- Get simulated users fully online and talking to actual services (DNS, SIP, HTTP, etc.)
- Route their traffic cleanly through controlled test environments
- Validate lease churn and failure models through Kea and the DHCP simulation layer
CGNAT is a natural second stage — once users are acting like real endpoints, we’ll give them a real network edge to bump up against. When it’s time, cgnat-core-1 will fit in cleanly as a standalone NAT router with log output feeding into the broader observability pipeline CodexMCP is built around.
All open source, fully documented, and dropped in as just another building block of the stack.
More to come.
--It's Always Something
-Bryan