
What is CGNAT? (Carrier-grade NAT, in plain English)

Your ISP is sharing one public IP between dozens or hundreds of customers because IPv4 ran out years ago. The mechanism is called Carrier-Grade NAT, and it is silently breaking things you might want to do — here is what it is, what it breaks, and how to work around it.

The IPv4-exhaustion story in one paragraph

IPv4 has a 32-bit address space, which works out to about 4.3 billion addresses. That was enormous in 1981. By the early 2000s, the world's growth had outstripped the available space. The five Regional Internet Registries — ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC — handed out their last fresh allocations between 2011 (APNIC) and 2019 (AFRINIC). Since then, any new IPv4 has to come from the secondary market at $30–$50 per address, which for an ISP with millions of customers is an unmanageable cost. IPv6 is the long-term fix; CGNAT is the bandage.

How CGNAT actually works

Your home network already uses private IPs — 192.168.x.x or 10.x.x.x — and your router translates those to one public IPv4 supplied by the ISP. That's classic single-layer NAT, the same mechanism that's been on home routers since the late 1990s.

With CGNAT, there's a second NAT layer above your router. Your ISP runs a giant NAT box (literally a chassis the size of a fridge in their datacenter) that translates the "public" IP your router thinks it has into a real public IP shared with a few hundred other customers. Your router gets a private address in the RFC 6598 shared-address-space range: 100.64.0.0/10 — anything from 100.64.0.0 to 100.127.255.255.

From your router's perspective, it has a "public" IP and traffic flows. From the rest of the internet's perspective, your IP is the shared egress address that dozens or hundreds of your neighbors also appear to come from. The translation tables are kept in the ISP's NAT gear; outbound connections work transparently; inbound connections to your router are dropped because the ISP's NAT has no entry for unsolicited traffic to your shared IP.

How do you tell if you're behind CGNAT?

Three checks, in increasing order of authority:

  1. Compare your router's WAN IP to the IP this site shows. Open your router's admin page (usually at 192.168.1.1 or 192.168.0.1) and look for the WAN IP. Then visit IPFerret's home page. If the two IPs match exactly, you have a real public IP. If they differ — and especially if the router's WAN IP starts with 100.64 through 100.127 (the 100.64.0.0/10 range) — you're behind CGNAT.
  2. Try to reach your home from outside. From a phone on cellular data (not your home Wi-Fi), open the IP IPFerret reports plus any port you've forwarded. If a service that should respond doesn't, NAT is in the way somewhere.
  3. Ask your ISP. The honest ones will tell you. Some sell a non-CGNAT "static IP" upgrade for a few dollars a month; some refuse and tell you to use IPv6.

Who uses CGNAT today

What CGNAT breaks (and what it doesn't)

What still works fine

What gets harder or stops working

How to work around CGNAT

  1. Use IPv6 end-to-end. If your ISP gives you IPv6 (most do now), every device on your home network has a globally-routable public IPv6 address — no NAT, no port forwarding required. The catch is that the other end of your connection needs IPv6 too; for browser-based access to your home services, that depends on the visitor's ISP. Run the IPv6 reachability test to confirm your connection has working v6 first.
  2. Pay for a non-shared IP. Often offered as a "static IP" or "public IP" add-on, typically $5–$10/month. Worth it if you self-host anything non-trivial and your ISP offers it.
  3. Use a reverse tunnel. Cloudflare Tunnel (free), Tailscale Funnel, ngrok, or roll your own with SSH reverse port-forwarding over a cheap VPS. Your home device dials out to the relay; outside visitors talk to the relay's public IP and the relay forwards inbound traffic down the tunnel. Works perfectly behind any NAT, including CGNAT, including mobile cellular. This is the cleanest modern fix for "I want a service at home reachable from anywhere."
  4. Use a VPN with port forwarding. A handful of consumer VPN providers (AirVPN, OVPN, ProtonVPN on certain plans, formerly Mullvad) hand you a real public port that's forwarded down to your VPN-connected device. This effectively rents you a path around CGNAT — your traffic appears to come from the VPN provider's IP, which is a real non-shared address.
  5. Move to a wired ISP that doesn't CGNAT residential customers. Most North American cable ISPs (Comcast, Spectrum, Cox) still hand out non-shared IPv4 to residential customers in most regions. If you self-host and have a choice of provider, this is the cheapest long-term fix.

CGNAT vs. double-NAT — they're not the same thing

People mix these up constantly. Double-NAT is what you have when two NAT-doing routers live in your own home — for example, your ISP's combo modem-router has NAT enabled and you've connected your own router behind it (which is also NAT'ing). The classic symptom is that port forwarding works at the inner router but not at the outer one. The fix is to put the outer router in bridge mode, or stop NAT'ing on the inner one.

CGNAT, in contrast, lives upstream of your home network entirely, in the ISP's datacenter, and you can't bridge it away with anything you do at home. The fixes are external (IPv6, a tunnel, paying the ISP for an unshared IP).
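A worked version of the WAN-IP comparison from the "How do you tell" checklist, extended to tell CGNAT apart from double-NAT as described just above. This is an added example, not code from IPFerret: it assumes you already have the router's WAN address and the address an outside service reports, and the sample addresses are constructed from the documentation ranges.

```python
import ipaddress

# RFC 6598 shared address space that ISPs use for CGNAT (100.64.0.0 - 100.127.255.255).
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")

# RFC 1918 private ranges: a WAN address in one of these means another NAT
# device sits between this router and the ISP (the double-NAT case).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_cgnat_address(addr: str) -> bool:
    """True if addr is an IPv4 address inside 100.64.0.0/10."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and ip in CGNAT_RANGE


def classify_wan(router_wan_ip: str, observed_public_ip: str) -> str:
    """Compare the router's WAN address with the address an outside service
    sees and name the most likely topology.

    Returns "public", "cgnat", "double-nat" or "unknown-nat".
    """
    wan = ipaddress.ip_address(router_wan_ip)
    seen = ipaddress.ip_address(observed_public_ip)
    if wan.version != seen.version:
        raise ValueError("compare addresses of the same IP version")
    if wan == seen:
        return "public"        # the router holds the real public address
    if wan.version == 4 and wan in CGNAT_RANGE:
        return "cgnat"         # ISP-side NAT; cannot be bridged away at home
    if any(wan in net for net in PRIVATE_RANGES):
        return "double-nat"    # a second NAT router inside the home
    return "unknown-nat"       # public-looking WAN address that still differs


if __name__ == "__main__":
    # Constructed sample pairs: (router WAN IP, IP reported by an outside service).
    samples = [
        ("203.0.113.7", "203.0.113.7"),   # identical: real public IP
        ("100.71.22.9", "203.0.113.7"),   # RFC 6598 WAN address: CGNAT
        ("192.168.0.2", "203.0.113.7"),   # RFC 1918 WAN address: double NAT
    ]
    for wan, seen in samples:
        print(f"{wan:>14} vs {seen:<14} -> {classify_wan(wan, seen)}")
```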

Try it now

Open the IPFerret home page in one tab and your router's status page in another. Compare the two IPs. If they match and don't start with 100., you have a real public IP and CGNAT is not your problem. If they differ, or your router shows an address in the 100.64 through 100.127 range, that's CGNAT — and you now know why a chunk of your inbound networking workflows has been mysteriously failing.
