What is CGNAT? (Carrier-grade NAT, in plain English)

Short version: your ISP is sharing one public IP between many customers because there aren't enough IPv4 addresses to go around. The mechanism is called Carrier-Grade NAT (CGNAT), sometimes also "Large-Scale NAT" (LSN). It's invisible most of the time, but it quietly breaks things you might want — port forwarding, hosting a game server, running a home VPN endpoint, or reaching your home camera from your phone.

How it works (a 60-second tour)

Your home network has private IPs (10.x, 172.16–31.x, 192.168.x). Your router does NAT to translate those to one public IP supplied by your ISP. Classic single-layer NAT.

With CGNAT, there's a second layer above your router. Your ISP also runs NAT, translating the "public" IP your router thinks it has into one shared with a few hundred other subscribers. The block your router actually has is reserved for this purpose: 100.64.0.0/10 — the "shared address space" defined by RFC 6598. If your router's WAN side falls in 100.64.0.0 through 100.127.255.255, you're almost certainly behind CGNAT.

How do I know if I'm behind CGNAT?

Three quick tests, in increasing order of trustworthiness:

1. Compare your router's WAN IP to the IP this site shows you. Open your router's admin page and find the WAN IP. Then open IPFerret's home page and look at the IP we report. If they differ — especially if your router shows 100.64.x.x through 100.127.x.x — you are behind CGNAT.
2. Try to reach your home from outside. From a phone on cellular (not your home Wi-Fi), try to connect to your home's public IP on any port you've supposedly opened. If it doesn't work, NAT is interfering.
3. Ask your ISP directly. The honest ones will tell you. Some offer to remove you from CGNAT for a fee, sometimes called a "static IP" upgrade.

Why ISPs do this

• IPv4 ran out years ago. The five regional internet registries handed out their last fresh allocations between 2011 and 2019. Anything new comes from the resale market at $30–$50 per address.
• Most subscribers don't notice. Browsing the web works fine through CGNAT. The breakage is concentrated in the minority of users who run inbound services.
• CGNAT defers IPv6 deployment costs. The real long-term fix is dual-stack IPv6, but that's an organisational lift. CGNAT is plug-and-play.

What CGNAT breaks (and what it doesn't)

Works fine:

• Web browsing, streaming, app traffic — anything where you initiate the connection outward.
• Most VoIP calls — they tunnel through outbound connections.

Breaks or gets harder:

• Port forwarding to home services. The forward stops at your router but the ISP's NAT layer drops the inbound. You can't host a Minecraft server, a self-hosted Nextcloud, or a home security cam reachable from outside.
• Peer-to-peer connections. Online games that try direct P2P (Call of Duty, some Nintendo titles, BitTorrent, Steam Remote Play) often fall back to slower relay servers when both sides are behind CGNAT.
• WireGuard / OpenVPN servers at home. Same reason — inbound connections can't traverse the ISP's NAT.
• Some IP-based licensing. Geo-restriction services occasionally flag CGNAT IPs as suspicious because hundreds of customers share them.
• Abuse reports. If something bad happens from a CGNAT-shared IP, every customer behind that IP can be temporarily blocklisted by a target server.

How to work around CGNAT

1. Use IPv6 end-to-end. If your ISP gives you IPv6 (most do now), every device on your network gets a real public IPv6 address. No NAT, no port forwarding. The catch: the other end of your connection needs IPv6 too. Test your IPv6 here.
2. Ask your ISP for a non-CGNAT'd IP. Often offered as a "static IP" add-on, $5–$10/month. Worth it if you self-host.
3. Use a VPN with port forwarding. A handful of consumer VPN providers (Mullvad used to, OVPN, AirVPN, ProtonVPN on certain plans) will give you a real public port forwarded to your VPN-connected device. This effectively rents you a path around CGNAT.
4. Use a reverse tunnel. Services like Cloudflare Tunnel, Tailscale Funnel, ngrok, or rolling your own SSH-R reverse tunnel through a cheap VPS skip the inbound NAT problem entirely — your home device dials out and the outside world talks to a public-facing relay.
5. Move to a wired ISP that doesn't CGNAT residential customers. Most cable ISPs in North America still hand out non-shared IPv4 to residential. Most mobile carriers and cheaper FTTH operators don't.

CGNAT vs. double-NAT

These aren't the same. Double-NAT usually means you have two NAT-doing routers in your home — e.g. your ISP's combo modem-router has NAT enabled and you've connected your own router behind it (which is also NAT'ing). The fix is to bridge the modem or stop NAT'ing on one of them. CGNAT is upstream of your router, run by the ISP, and you can't bridge it away.

Try it

Go to the home page and compare the IP IPFerret shows you with what's on your router's status page. If they match and don't start with 100., you've probably got a real public IP. If they differ or the router shows 100-something, that's CGNAT — and now you know why your port forwarding wasn't sticking.