Your game server setup is perfect. Port forwarding configured exactly right. Firewall rules in place. Yet nobody can connect. Welcome to CGNAT—the invisible wall between you and the Internet you thought you had.
What Is CGNAT?
Carrier-Grade NAT is NAT that happens before your router even gets a chance. Your ISP runs it on their infrastructure, sitting between your home network and the public Internet. Where traditional NAT lives on your router and gives your devices private IPs, CGNAT lives at the ISP and gives your router itself a private IP.
This creates NAT444—address translation stacked across three IPv4 address spaces. Your laptop has a private IP (192.168.x.x). Your router has a private IP (100.64.x.x). Only the ISP's equipment touches real public addresses.
Your router thinks it has a public IP. It doesn't.
Why ISPs Use CGNAT
IPv4 addresses ran out years ago. Not "getting scarce"—actually ran out. The global pool is exhausted. Yet billions of new devices keep appearing.
CGNAT lets ISPs serve hundreds of customers with a single public IP address. Instead of needing 100,000 public IPs for 100,000 customers, they might need only 1,000. This isn't a technical convenience—it's economic survival when IPv4 addresses cost $50+ each on secondary markets.
You'll find CGNAT almost everywhere now:
- Mobile carriers: Nearly universal for cellular data
- Fixed wireless: T-Mobile Home Internet, Verizon 5G Home
- Satellite: Starlink and competitors
- Budget ISPs: Anyone trying to grow without buying expensive IPv4 blocks
The Hidden Address Space: 100.64.0.0/10
CGNAT needed its own IP range, distinct from traditional private addresses (10.x.x.x, 192.168.x.x). RFC 6598 designated 100.64.0.0/10 specifically for this purpose—addresses from 100.64.0.0 through 100.127.255.255.
This is "shared address space." Not public, not quite private. ISPs assign these addresses to the WAN side of customer routers. If your router's external IP starts with 100.64 through 100.127, you're behind CGNAT.
The RFC specified a /10 range—over 4 million addresses—sized to handle the Greater Tokyo Area, Earth's largest metro region. CGNAT operates at metropolitan scale.
How to Detect CGNAT
Check Your WAN IP
Log into your router (usually 192.168.1.1 or 192.168.0.1). Find the WAN or Internet IP address. If it falls between 100.64.0.0 and 100.127.255.255, you're definitely behind CGNAT.
Compare IPs
Visit whatismyip.com to see your public IP. Compare it to your router's WAN IP. Different? There's extra NAT between your router and the Internet.
Run Traceroute
Look at the first few hops after your router. Seeing addresses between 100.64.0.0 and 100.127.255.255? That's the ISP's CGNAT infrastructure.
Test Port Forwarding
Configure any port forward on your router. Test it with an online port checker. Ports appear closed despite perfect configuration? CGNAT is blocking inbound connections.
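As an added example (not code from the original article), this Python script automates the checks above: it classifies a router's WAN address against RFC 6598 shared space and RFC 1918 private space, combines that with the address a public site reports, and pulls shared-space hops out of traceroute output. The traceroute text is constructed, and the verdict labels are assumptions of this example.

```python
import ipaddress
import re

# RFC 6598 shared address space reserved for CGNAT: 100.64.0.0 - 100.127.255.255.
SHARED = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges, normally seen on the LAN side of a home router.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def classify(addr: str) -> str:
    """Label an IPv4 address by the range the article singles out."""
    ip = ipaddress.ip_address(addr)
    if ip in SHARED:
        return "shared"   # RFC 6598: the WAN side of a router behind CGNAT
    if any(ip in net for net in RFC1918):
        return "private"  # RFC 1918: a LAN address, or an upstream router's LAN
    return "other"        # not a reserved range the article discusses (normally public)

def diagnose(wan_ip: str, public_ip: str) -> str:
    """Combine the router's WAN address with the address a website sees."""
    kind = classify(wan_ip)
    if kind == "shared":
        return "cgnat"         # definite: RFC 6598 space on the WAN port
    if kind == "private":
        return "double-nat"    # some NAT upstream of the router; may or may not be the ISP
    if ipaddress.ip_address(wan_ip) == ipaddress.ip_address(public_ip):
        return "direct"        # the router itself holds the public address
    return "upstream-nat"      # public-looking WAN address that is still translated

def cgnat_hops(traceroute_output: str) -> list:
    """Return (hop, address) pairs whose first address lies in 100.64.0.0/10."""
    hits = []
    for line in traceroute_output.splitlines():
        m = IPV4_RE.search(line)
        if m and ipaddress.ip_address(m.group()) in SHARED:
            hits.append((line.split()[0], m.group()))
    return hits

# Constructed sample traceroute from a home behind CGNAT (not captured data).
SAMPLE_TRACE = """\
 1  192.168.1.1 (192.168.1.1)  1.1 ms
 2  100.64.0.1 (100.64.0.1)  8.2 ms
 3  100.127.3.9 (100.127.3.9)  9.0 ms
 4  203.0.113.1 (203.0.113.1)  12.7 ms
"""
```

A "double-nat" verdict is not proof of CGNAT on its own, since some ISPs translate with RFC 1918 space and some homes simply have a second router upstream; only the shared range is conclusive.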
What CGNAT Breaks
Port Forwarding
You don't have a unique public IP. You don't have stable port mappings. The port forwarding rules on your router work locally, then die at the ISP's equipment. Hundreds of customers share the same public IP and port ranges.
This kills:
- Self-hosting: Web servers, game servers, remote desktop
- Peer-to-peer: BitTorrent, distributed applications
- Gaming: Strict NAT types, no hosting lobbies
- Remote access: VPN servers, SSH from outside
- IoT: Smart home devices expecting external access
Shared IP Reputation
You share a public IP with hundreds or thousands of strangers. If one person on your shared IP runs a spam campaign or launches attacks, the entire IP gets blacklisted.
Consequences ripple to everyone:
- Websites block you for someone else's behavior
- CAPTCHAs appear constantly
- Email servers reject your messages
- Services apply rate limits collectively
Your IP reputation is collective punishment.
Application Incompatibility
NAT444 breaks assumptions built into decades of software:
- VPN protocols struggle with double NAT
- Gaming consoles report strict NAT, won't connect to peers
- Video calls route through relay servers instead of direct connections
- Cryptocurrency nodes can't accept inbound connections
Logging Requirements
ISPs running CGNAT must log everything. Every connection, every port, every timestamp. When law enforcement traces abuse to a shared IP, the ISP needs to answer: "Which of our 500 customers using that IP was actually responsible?"
The logs are massive, detailed, and permanent.
Workarounds
Request a Dedicated Public IP
Some ISPs sell dedicated public IPs for $5–15/month. This eliminates CGNAT entirely. Check your ISP's business plans or call customer service. If this option exists, take it.
Use IPv6
If your ISP provides IPv6, enable it everywhere. IPv6 eliminates NAT entirely—every device gets a globally routable address. The catch: both ends need IPv6, and the Internet is still transitioning.
VPN with Port Forwarding
Services like AirVPN or Mullvad offer VPNs with port forwarding. The VPN gives you a public IP and forwards specific ports to your connection.
Reverse Tunnels
Tailscale, ZeroTier, Cloudflare Tunnel, Pinggy—these tools create outbound connections from your network to their servers. Inbound traffic routes back through these established tunnels. Since you initiate the connection outbound, CGNAT doesn't block it.
VPS as Relay
Rent a $5/month VPS with a public IP. Configure it as a reverse proxy that forwards traffic to your home network. Complete control, complete responsibility.
CGNAT Is Growing
Unless IPv6 adoption accelerates dramatically, CGNAT becomes more prevalent as IPv4 scarcity intensifies. Mobile networks are nearly 100% CGNAT. Fixed wireless and satellite providers use it by default. Cable and DSL providers increasingly deploy it for residential customers.
The Internet was designed so any computer could talk to any other computer. CGNAT is the moment we admitted that dream is over for IPv4.