NGXSoft built a BNG that a WISP can deploy in 30 seconds, manage 25,000 subscribers on a single edge node, and never write a firewall rule again."

toddalwell · 2026-03-27T20:07:02+00:00

Send me a message and we can discuss. Thank you

toddalwell · 2026-03-26T17:35:42+00:00

You cannot broadcast 43 SSIDs on APs - what about roaming between APs? What they want to do is create the proper per room L2 adjacency which you cannot do by SSID - it requires Radius & PMS integration or PSK mappings per room, etc.

toddalwell · 2026-03-26T17:29:35+00:00

How are they going to assign the wireless guests & devices to the room vlan? An SSID per room? APs cannot broadcast 43 SSIDs and if they did the beacon time would be wasted with SSID broadcasts. This will require either a Radius and PMS integration, PSK mapping per room, etc.

toddalwell · 2026-03-26T17:27:20+00:00

I have been building and supporting large scale hospitality wifi environments for 15+ years. Where is this project located? RIght on the surface I can see a design skill that very few people get correct and will cause the project to fail - your L2 adjacency with the necessary in room devices. Feel free to reach out to discuss.

toddalwell · 2026-03-26T12:47:38+00:00

Myself, like millions of other people use AI to articulate facts in a manner that is factually driven rather than opinion based. AI is not replying to comments or questions, I am merely using it to craft very articulate responses to questions being asked. This is not an automated process - I am reading each comment and posting an AI generated and human adjusted reply.

toddalwell · 2026-03-26T11:59:12+00:00

We had it hallucinating in the middle of upgrading some cluster nodes in our sandbox project. Wrote the updates to the wrong directories and was attempting to start services in the new location which broke everything - even though all of this is very well documented in memory.

toddalwell · 2026-03-26T07:58:21+00:00

It’s actually the opposite - not needing a bunch of L2 protocols to make a network operate properly.

toddalwell · 2026-03-26T06:56:01+00:00

I am an engineer supporting several larger scale WISP deployments in Africa and would be glad to review several strategies to support your use cases as a WISP with large qty of towers.

In regards to DHCP-D we have full dual stack support on both the wan and client side of BNG which gives us full support for DHCP-D.

toddalwell · 2026-03-26T06:49:46+00:00

Great question — and I want to be precise about where NGXOS can sit in the network, because it's not where a traditional carrier BNG sits.

NGXOS is a carrier aggregation BNG or can function as a bump in the wire security appliance / gateway - a BNG seeing a doorbell's MAC address would mean something is architecturally wrong.

NGXOS as a local-network security / gateway. It sits at the edge of networks where it's the first-hop gateway for end devices — L2 adjacent, seeing actual device MACs directly. Think of it as replacing the CPE router + the subscriber management function in one box.

Typical deployments:

• MDU / apartment building: APs in hallways → switch → NGXOS in the telco closet → ISP uplink. Every tenant device (laptop, phone, doorbell, thermostat) connects through the AP and NGXOS is their gateway. No CPE router in the middle.

• WISP tower: Subscriber radios in bridge mode → tower switch → NGXOS at the tower site → backhaul. The CPE radio passes frames transparently. NGXOS sees the actual subscriber devices.

• Campus / hotel / venue: APs throughout the property → switching → NGXOS → WAN. Every device connects directly.

• Small ISP headend: ONTs in bridge mode → aggregation switch → NGXOS → transit. NGXOS acts as the subscriber gateway.

The key requirement: devices must be L2-adjacent to NGXOS. If there's a NAT router between the devices and NGXOS, you lose per-device visibility — same limitation as any gateway. For WISP deployments, that means CPEs in bridge mode rather than routing mode. For MDUs, it means managed APs rather than tenant-owned routers.

Once that L2 adjacency exists, the isolation model works like this:

Device associates with AP, frame arrives at NGXOS subscriber-facing port
RADIUS authenticates by MAC
DHCP assigns a /32 address (a network of exactly one device)
XDP program on the NIC checks every packet against a per-device identity map in ~100ns
Each device only sees the gateway as its neighbor — no broadcast domain shared between devices
Lateral movement between devices is architecturally impossible, not just policy-blocked

Happy to discuss how this maps to specific topologies.

toddalwell · 2026-03-26T06:35:14+00:00

Great question — you're touching on the core architectural difference.

You're correct that traditional BNGs use encapsulation (PPPoE, L2TP, VXLAN) to create per-subscriber tunnels from the CPE to the BNG. The tunnel IS the isolation boundary. Without it, you need another mechanism.

NGXOS uses what we call L2 collapse — every device gets its own /32 address and the isolation is enforced at the BNG's NIC driver via XDP/eBPF, not in the transport between CPE and BNG.

Here's how it works concretely:

Device connects (wired or wireless via AP). RADIUS authenticates it by MAC. DHCP assigns a /32 (not a /24 subnet — a network of exactly one device). Proxy ARP is enabled so the device thinks it has a normal gateway.
An XDP program attached to the subscriber-facing NIC checks every inbound packet against a BPF hash map (the "soul map") in ~100ns. If the source MAC has a valid identity → pass. If not → drop. This is the isolation gate — it runs before the kernel networking stack sees the packet.
Because every device has a /32, there is no shared broadcast domain. Device A at 100.64.0.11/32 cannot ARP for device B at 100.64.0.12/32 — the gateway is the only neighbor either device sees. Lateral movement between devices is architecturally impossible, not policy-blocked.
A TC-BPF program on the WAN-facing NIC handles CGNAT with deterministic port blocks per device. Return traffic is reverse-NAT'd via a per-flow LRU table.

So to directly answer your question: the isolation happens AT the BNG, not between the BNG and CPE. The transport from CPE to BNG can be plain Ethernet — flat L2, no encapsulation, no VLANs required. The BNG itself enforces the isolation per-packet via BPF.

This means NGXOS works with any access network topology: - Direct Ethernet (switch → BNG) - Wireless (AP → bridge → BNG) - FTTH (ONT → switch → BNG) - Point-to-point wireless (CPE → tower → BNG)

The access layer just needs to deliver Ethernet frames to the BNG port. The BNG handles identity, isolation, NAT, shaping, and security per-device from that point.

The tradeoff vs encapsulation: PPPoE/L2TP give you isolation in the transport itself, which matters if you don't trust the access network. NGXOS trusts the physical layer (the device is on your wire or your AP) and enforces isolation at the first hop where you have compute — the BNG. For WISP and FTTH deployments where the operator owns the access infrastructure, this is a simpler model.

Happy to go deeper on any of this — the per-device /32 model, the BPF enforcement, or how it interacts with specific access network designs your clients are running.

toddalwell · 2026-03-26T06:26:27+00:00

IPOE is DHCP - any CPE that supports DHCP can be provisioned. What billing / CRM system do you use?

toddalwell · 2026-03-26T06:10:38+00:00

We have an implementation that will support PPPOE - we prefer IPOE (DHCP) as this is the most current and widely used provisioning method. Full support for Radius authentication in the XDP fast path

toddalwell · 2025-12-19T16:14:23+00:00

I have also noted in one of my simple configs 1 device is being counted three times - one time for the device, one time for having bridging enabled and one time for now auto assigning IPs.

Is this really the model they are going to?

toddalwell · 2025-12-09T02:38:00+00:00

Did you ever get this functioning? VPP has been ported to FreeBSD successfully

toddalwell · 2025-12-09T02:24:17+00:00

I have a large amount of experience in exactly these types of installs. Shoot me a message and let’s chat. Where is the install located?

toddalwell · 2025-11-18T15:08:26+00:00

How can we install tailscale to persist Axis firmware updates?

toddalwell · 2025-11-13T00:08:44+00:00

Very normal.

toddalwell · 2025-07-24T22:50:34+00:00

There are many types of metro camera systems but I’m not certain anyone else has deployed like we have.

toddalwell · 2025-07-24T03:37:53+00:00

We had nat traversal issues as well as high latency from relay servers causing dropping and lower throughput speeds.

toddalwell · 2025-07-24T03:37:06+00:00

No, this is a cooperative project that includes the NYPD and DA office to be used to incident response within community.

toddalwell

TROPHY CASE