Leo Bicknell wrote:
> UPnP, NAT-PMP, the ability to enter static bypasses (DMZs, NAT passthrough), combined with the problems of some applications that make thousands of TCP connections in short order eating up ports, make it a nightmare to manage and debug.
The applications can simply be debugged to use the REUSEPORT socket option. I pointed this out, along with static port mapping, at the last meeting in "Track: IPv4 runout, Doing More with Less".
> Of course, if they are doing illegal things you'd better keep some detailed records of who did what when a LEO comes knocking.
Are you saying we MUST record all the IP addresses and port numbers of all peers of your customers to prevent illegal things? If so, we have to do so even if you are not using NAT, I'm afraid. If not, and we only have to have information on which port is used by which customer, static port mapping is just fine. Anyway, developers of virus software will be quite cooperative in using REUSEPORT, to hide the symptom that the virus software is installed.
> The key to a low cost service is making it as low cost as possible; moving the NAT inside the carrier will add a huge amount of headache and support costs, not what you want.
Use NAT with static port mapping (with the same port numbers used inside and outside), and there is no headache or support cost caused by NAT.
> A possibly relevant question, with IPv4 exhaustion coming, is: could you make this service IPv6-only so you don't have to find IPv4 addresses for it?
IPv6 means a considerably larger amount of headache and support costs than using NAT cleverly and simply.

Masataka Ohta
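The "REUSEPORT" Ohta refers to is the bind-before-connect trick: an application binds its outgoing sockets to one fixed local port (with the reuse options set) and lets the kernel keep the connections apart by their full 4-tuple, so a customer confined to a small static port range can still hold thousands of connections. The script below is an added example, not code from the thread or from either poster; it assumes Linux socket semantics, sets both SO_REUSEADDR and SO_REUSEPORT (Ohta names only the latter), and uses constructed throwaway listeners on loopback so it runs offline. It also shows the caveat a practitioner needs: the second connection must go to a different remote endpoint, otherwise connect() fails because the 4-tuple would collide.

```python
"""Share one local TCP port across several outgoing connections.

Added example (not from the mailing-list thread).  Assumes Linux; the
listeners on 127.0.0.1 are constructed here purely as connection targets.
"""
import errno
import socket


def _listener():
    # Throwaway TCP listener on loopback; the kernel picks a free port.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def _client(local_port, remote_port, reuse):
    # Bind to a fixed local port first, then connect.  Without the reuse
    # options a second bind to an already-bound port is refused with
    # EADDRINUSE; with them the bind succeeds and connect() only has to keep
    # the 4-tuple (src ip, src port, dst ip, dst port) unique.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if reuse:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            if hasattr(socket, "SO_REUSEPORT"):
                s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
        s.bind(("127.0.0.1", local_port))
        s.connect(("127.0.0.1", remote_port))
    except OSError:
        s.close()
        raise
    return s


def share_local_port(reuse, same_destination=False):
    """Open two connections from one local port.

    Returns {"connections": n, "local_port": p, "error": errno name or None}.
    With reuse=True and distinct destinations both connections share the
    port; with reuse=False the second bind fails (EADDRINUSE); with
    same_destination=True the second connect fails (EADDRNOTAVAIL on Linux)
    because its 4-tuple would duplicate the first connection's.
    """
    servers = [_listener(), _listener()]
    dsts = [srv.getsockname()[1] for srv in servers]
    if same_destination:
        dsts[1] = dsts[0]
    clients, error = [], None
    try:
        first = _client(0, dsts[0], reuse)   # port 0: kernel chooses
        clients.append(first)
        port = first.getsockname()[1]
        try:
            clients.append(_client(port, dsts[1], reuse))
        except OSError as e:
            error = errno.errorcode.get(e.errno, str(e.errno))
        if {c.getsockname()[1] for c in clients} != {port}:
            raise RuntimeError("clients were expected to share the local port")
        return {"connections": len(clients), "local_port": port, "error": error}
    finally:
        for s in clients + servers:
            s.close()


if __name__ == "__main__":
    print("reuse, two destinations:", share_local_port(reuse=True))
    print("no reuse:               ", share_local_port(reuse=False))
    print("reuse, same destination:", share_local_port(reuse=True, same_destination=True))
```

The third case is the one that matters for a port-limited customer: reusing a local port only multiplies the number of distinct remote endpoints, not the number of parallel connections to one server, so an application that opens thousands of connections to a single peer still consumes one port per connection.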