What is CGNAT? Carrier-Grade NAT explained
If you can't host a server at home, port forwarding doesn't work, and your 'public' IP looks like 100.x.x.x — you're behind CGNAT. Here's what carrier-grade NAT is, why ISPs use it, and what to do about it.
You set up a game server on your home computer. Friends try to connect. Nothing works. Port forwarding on your router looks correctly configured. The "public" IP your router shows starts with 100.64.x.x, which seems weird.
Welcome to CGNAT — Carrier-Grade NAT. It's the reason a lot of "but my port forwarding worked five years ago" conversations exist now.
What CGNAT is
Normal home internet works like this:
- Your ISP gives your router one public IP.
- Your router uses NAT to share that IP among all your home devices.
- Inbound traffic to your public IP can reach your home — port forwarding rules decide which device.
CGNAT inserts a second layer. Your ISP runs a giant NAT box at their network edge that shares one public IP among many customers — sometimes hundreds, sometimes thousands. From the inside, your router sees a "public" IP that's actually part of CGNAT-only address space (typically 100.64.0.0/10). From the outside, you and other customers all appear under the same real public IP.
It's NAT-on-NAT — your router NATs your devices, then the carrier NATs your router.
Why ISPs do it
Two reasons:
- IPv4 exhaustion. The global IPv4 pool ran out years ago. Buying public IPv4 addresses on the secondary market costs $50–80 each. Multiplied by millions of customers, ISPs face huge ongoing IP costs. CGNAT lets them serve many customers from one public IPv4.
- Mobile networks need it. Mobile carriers add and remove customers continuously. Allocating a unique public IPv4 to each phone is impractical. CGNAT is the default.
For ISPs, CGNAT is a cost-saver and an operational simplification. For users, it's mostly transparent — until you try to do something that requires inbound connectivity.
How to tell if you're behind CGNAT
Three checks:
1. Compare your router's WAN IP to your public IP
Log into your router (192.168.1.1 or whatever the address is). Find your WAN IP — what your ISP assigned to your router's outside interface.
Then check your public IP — what websites see.
If the two are different, you're behind CGNAT.
2. Check the IP range
CGNAT space is 100.64.0.0/10 (the RFC 6598 "shared address space") — IPs from 100.64.0.0 through 100.127.255.255. If your router's WAN IP falls in that range, that's a definitive sign.
Some ISPs use private RFC 1918 ranges (10.x.x.x) instead, which is technically incorrect but happens.
3. Try port forwarding
Set up a port forward on your router. Use an external service (we'll have a Port Checker tool when ready) or a friend on a different network to test it.
If the port shows closed even though your router says it's forwarded, your forwarding is being intercepted by the carrier's CGNAT box upstream. You're behind CGNAT.
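The first two checks can be scripted. This is an added example, not a tool from the article: it takes the WAN address you read off the router and the public address a website reports (both entered by hand, so it runs offline) and applies the range test from check 2 and the comparison from check 1. It also flags the RFC 1918 case the article mentions, plus the other two RFC 1918 ranges.

```python
import ipaddress

# RFC 6598 shared address space reserved for carrier-grade NAT (check 2).
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges; some ISPs hand these out on the WAN side instead.
RFC1918_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def classify_wan_ip(wan_ip: str) -> str:
    """Classify the address a router reports on its WAN interface."""
    addr = ipaddress.ip_address(wan_ip)
    if addr.version == 6:
        return "ipv6"
    if addr in CGNAT_RANGE:
        return "cgnat"
    if any(addr in net for net in RFC1918_RANGES):
        return "rfc1918"
    return "public"


def cgnat_verdict(wan_ip: str, observed_public_ip: str) -> tuple[bool, str]:
    """Combine check 2 (address range) with check 1 (WAN vs. public).

    Returns (behind_cgnat, reason)."""
    kind = classify_wan_ip(wan_ip)
    if kind == "cgnat":
        return True, "WAN address is inside 100.64.0.0/10"
    if kind == "rfc1918":
        return True, "WAN address is RFC 1918 private space (non-standard, but carrier NAT)"
    if ipaddress.ip_address(wan_ip) != ipaddress.ip_address(observed_public_ip):
        return True, "WAN address differs from the public address websites see"
    return False, "router holds the real public address"


if __name__ == "__main__":
    # Constructed sample values (203.0.113.0/24 and 198.51.100.0/24 are
    # documentation ranges, not real hosts). Replace with what your router
    # shows and what a what-is-my-IP site reports.
    for wan, public in [("100.64.12.34", "203.0.113.7"),
                        ("10.5.6.7", "203.0.113.7"),
                        ("198.51.100.9", "203.0.113.7"),
                        ("203.0.113.7", "203.0.113.7")]:
        behind, why = cgnat_verdict(wan, public)
        print(f"WAN {wan:<14} public {public:<14} -> {'CGNAT' if behind else 'no CGNAT'}: {why}")
```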
What CGNAT breaks
Most things work fine — browsing, video, email, streaming, gaming as a client all work because they're outbound-only connections. CGNAT routers track outbound flows and let return traffic back.
What breaks:
- Hosting a server at home — game server, web server, media server. Inbound connections to your public IP go to the carrier's CGNAT, which doesn't know to forward them to you.
- Port forwarding for any reason — security cameras, smart home gateways, remote desktop, BitTorrent inbound seeding.
- Some peer-to-peer apps — older P2P protocols that need inbound connectivity may work poorly. Modern ones (most messaging apps, Discord, modern games) use NAT-traversal tricks (STUN, hole-punching, relays) and are fine.
- VPN servers run from home — same problem; inbound on UDP 1194 or whatever port goes nowhere.
- VoIP / SIP — sometimes works, sometimes doesn't, depending on whether the SIP provider tolerates double NAT.
- Email server reputation — sending mail from a CGNAT-shared IP usually triggers blacklisting.
What CGNAT doesn't break
Outbound connections all work fine. Streaming Netflix, browsing the web, joining online games, video calls (Zoom/Meet/FaceTime), instant messaging — none of these care about CGNAT.
You're still on the internet, you can still reach anywhere, and other devices can still respond to your requests. What you can't do is accept a connection that someone else initiates.
How to work around CGNAT
If CGNAT is breaking something you need, here are the realistic options.
1. Ask your ISP for a public IPv4
Many ISPs will move you off CGNAT on request. Some do it free; some charge a small monthly fee for a "static" or "public" IP. Worth asking — five minutes on the phone could solve the problem.
Caveat: some ISPs simply don't offer public IPv4 anymore. Mobile carriers in particular usually say no.
2. Use IPv6
Your CGNAT IPv4 might be shared, but your IPv6 address is almost certainly your own. If both your ISP and the service you're hosting support IPv6, run the inbound side on v6 instead. Many services already do — the world is steadily becoming IPv6-first.
For self-hosting, this often means giving your home server an AAAA record and accepting connections on IPv6.
3. Cloudflare Tunnel
The cleanest modern solution. Cloudflare Tunnel runs a small client on your home server that maintains an outbound connection to Cloudflare. Inbound traffic to your domain hits Cloudflare's network, which forwards it down the tunnel to your server. CGNAT never enters the picture.
Free for personal use. Setup takes 15 minutes. Works for almost anything HTTP-based and many other protocols.
4. Other reverse-tunnel services
Similar idea, different vendors:
- ngrok — best-known, free tier limited.
- Tailscale Funnel — for users already on Tailscale.
- Cloudflare Quick Tunnels — even simpler than full Tunnel for one-off testing.
- localtunnel, serveo, FRP — open-source/self-host options.
5. Cloud relay
Run a small VPS ($5/month) with a public IP. Have your home server connect outbound to it. Forward inbound traffic from the VPS to your home over the tunnel. Same effect as Cloudflare Tunnel, more control, more setup work.
6. Switch ISPs
Last resort. Some ISPs are more CGNAT-aggressive than others. If hosting from home is critical and your ISP refuses to move you off CGNAT, a competitor with public IPv4 may be the answer.
CGNAT and your privacy
CGNAT actually has a small privacy upside: many users share each public IP, so a website seeing your IP can't uniquely identify you by it. Tracking by IP becomes weaker.
The downside: when one user on the shared IP misbehaves (sends spam, scrapes a site, etc.), the entire IP can be blacklisted, affecting everyone behind it. Innocent users get caught in CAPTCHAs and bans they didn't earn.
TL;DR
- CGNAT is your ISP NATing your router behind a giant shared public IP.
- It's invisible until you try to host or accept inbound connections from outside.
- Test: if your router's WAN IP differs from your real public IP (especially if it's in 100.64.0.0/10), you're behind it.
- Workarounds, easiest first: Cloudflare Tunnel, IPv6, ask the ISP for a public IPv4.
- For most users, CGNAT is a non-issue. For self-hosters, it's a real obstacle that has become more common over the past decade.
If you've got friends complaining "your server's down" but everything looks fine on your end — start by checking whether you're behind CGNAT.