The IPv4-exhaustion story in one paragraph
IPv4 has a 32-bit address space, which works out to about 4.3 billion addresses. That was enormous in 1981. By the early 2000s, the world's growth had outstripped the available space. The five Regional Internet Registries — ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC — handed out their last fresh allocations between 2011 (APNIC) and 2019 (AFRINIC). Since then, any new IPv4 has to come from the secondary market at $30–$50 per address, which for an ISP with millions of customers is an unmanageable cost. IPv6 is the long-term fix; CGNAT is the bandage.
How CGNAT actually works
Your home network already uses private IPs — 192.168.x.x or 10.x.x.x — and your router translates those to one public IPv4 supplied by the ISP. That's classic single-layer NAT, the same mechanism that's been on home routers since the late 1990s.
With CGNAT, there's a second NAT layer above your router. Your ISP runs a giant NAT box (literally a chassis the size of a fridge in their datacenter) that translates the "public" IP your router thinks it has into a real public IP shared with a few hundred other customers. Your router gets a private address in the RFC 6598 shared-address-space range: 100.64.0.0/10 — anything from 100.64.0.0 to 100.127.255.255.
From your router's perspective, it has a "public" IP and traffic flows. From the rest of the internet's perspective, your IP is the shared egress address that dozens or hundreds of your neighbors also appear to come from. The translation tables are kept in the ISP's NAT gear; outbound connections work transparently; inbound connections to your router are dropped because the ISP's NAT has no entry for unsolicited traffic to your shared IP.
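The two translation layers described above, as a toy model. This is an added example, not code from the original page; the `Nat` class, addresses and port numbers are constructed for illustration, and real NAT gear also tracks the remote endpoint, protocol and timeouts.

```python
from dataclasses import dataclass, field


@dataclass
class Nat:
    """One translation layer (home router or ISP CGNAT box). Hypothetical model."""
    outside_ip: str
    next_port: int = 40000
    out_map: dict = field(default_factory=dict)  # (inside ip, port) -> outside port
    in_map: dict = field(default_factory=dict)   # outside port -> (inside ip, port)

    def outbound(self, src_ip, src_port):
        """Translate an outgoing flow, creating a table entry on first use."""
        key = (src_ip, src_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return self.outside_ip, self.out_map[key]

    def port_forward(self, outside_port, inside_ip, inside_port):
        """Static rule, the kind a subscriber can only set on their own router."""
        self.in_map[outside_port] = (inside_ip, inside_port)

    def inbound(self, dst_port):
        """Inside endpoint for an incoming packet, or None when it is dropped."""
        return self.in_map.get(dst_port)


def send_out(home, cgn, lan_ip, lan_port):
    """LAN host -> home router -> CGNAT; returns what the internet sees."""
    wan_ip, wan_port = home.outbound(lan_ip, lan_port)
    return cgn.outbound(wan_ip, wan_port)


def deliver_in(home, cgn, dst_port):
    """Packet arriving at the shared IP; None means dropped at the ISP."""
    hop = cgn.inbound(dst_port)
    return None if hop is None else home.inbound(hop[1])


if __name__ == "__main__":
    home = Nat(outside_ip="100.64.12.34")  # router WAN address, RFC 6598 space
    cgn = Nat(outside_ip="203.0.113.7")    # shared egress (documentation range)
    print(send_out(home, cgn, "192.168.1.10", 51000))  # outbound creates entries
    print(deliver_in(home, cgn, 40000))                # reply follows them back
    home.port_forward(25565, "192.168.1.20", 25565)    # forward on the router only
    print(deliver_in(home, cgn, 25565))                # no CGNAT entry: dropped
```

The port forward exists on the home router, but the packet never gets that far because only the ISP can add entries to the upstream table.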
How do you tell if you're behind CGNAT?
Three checks, in increasing order of authority:
- Compare your router's WAN IP to the IP this site shows. Open your router's admin page (usually at 192.168.1.1 or 192.168.0.1) and look for the WAN IP. Then visit IPFerret's home page. If the two IPs match exactly, you have a real public IP. If they differ — and especially if the router's WAN IP starts with 100.6 through 100.12 — you're behind CGNAT.
- Try to reach your home from outside. From a phone on cellular data (not your home Wi-Fi), open the IP IPFerret reports plus any port you've forwarded. If a service that should respond doesn't, NAT is in the way somewhere.
- Ask your ISP. The honest ones will tell you. Some sell a non-CGNAT "static IP" upgrade for a few dollars a month; some refuse and tell you to use IPv6.
Who uses CGNAT today
- Mobile carriers, essentially universally. All four US national mobile networks, all major European mobile networks, all Indian carriers. Mobile IPv4 has been CGNAT for over a decade.
- Newer FTTH and wireless ISPs. T-Mobile Home Internet, Verizon LTE Home Internet, Starlink (in some regions), many regional fiber ISPs that came online after 2015. They never had room to give every customer a public IP and never built around assuming they would.
- Some traditional cable ISPs in specific regions. Comcast, Spectrum, Cox have all done CGNAT in pockets where they ran out of allocation. They tend to quietly migrate customers off CGNAT when allocation frees up.
- Most countries outside North America. Europe and Asia ran out of IPv4 first and deployed CGNAT earlier and more broadly. North American residential customers are more likely than the global average to still have unshared IPs.
What CGNAT breaks (and what it doesn't)
What still works fine
- Web browsing, streaming, online shopping — anything where you initiate the connection outward.
- VoIP calls (Zoom, Teams, FaceTime, WhatsApp) — they tunnel through outbound connections.
- Online gaming where the matchmaker hosts the relay — typical for modern games.
- Most apps that talk to cloud services — by definition, they're outbound.
What gets harder or stops working
- Port forwarding. The #1 victim. The forward stops at your router but the ISP NAT layer drops the inbound. You can't reliably host a Minecraft server, a self-hosted Nextcloud, a home security camera reachable from outside, or anything that needs unsolicited incoming connections.
- Peer-to-peer connections. Online games using direct P2P (older Call of Duty titles, some Nintendo Switch games, BitTorrent, Steam Remote Play) often fall back to slower relay servers when both sides are behind CGNAT. The fall-back is invisible but the lag is real.
- WireGuard / OpenVPN servers at home. Same problem as port forwarding — inbound connections can't traverse the ISP's NAT. You can still be a VPN client, just not a server.
- Some geo-restriction services. When hundreds of customers share one IP, IP-based licensing systems sometimes flag the address as suspicious and refuse to load content. Netflix and other major streamers have largely solved this; smaller geo-fenced services still trip on it.
- Abuse-report collateral damage. If anyone on your shared CGNAT pool does something bad — sends spam, runs a credential-stuffing script, attempts to brute-force someone's WordPress — the target server may temporarily block the shared IP. Every other innocent customer behind the same pool gets caught in the same block until the listing decays. This is increasingly visible on IP reputation services for residential ranges.
- Self-hosted email. Mail providers heavily downrank shared residential IPs anyway, and CGNAT makes it worse because they cannot link a specific account to a specific sender for reputation accounting.
How to work around CGNAT
- Use IPv6 end-to-end. If your ISP gives you IPv6 (most do now), every device on your home network has a globally-routable public IPv6 address — no NAT, no port forwarding required. The catch is that the other end of your connection needs IPv6 too; for browser-based access to your home services, that depends on the visitor's ISP. Run the IPv6 reachability test to confirm your connection has working v6 first.
- Pay for a non-shared IP. Often offered as a "static IP" or "public IP" add-on, typically $5–$10/month. Worth it if you self-host anything non-trivial and your ISP offers it.
- Use a reverse tunnel. Cloudflare Tunnel (free), Tailscale Funnel, ngrok, or roll your own with SSH reverse port-forwarding over a cheap VPS. Your home device dials out to the relay; outside visitors talk to the relay's public IP and the relay forwards inbound traffic down the tunnel. Works perfectly behind any NAT, including CGNAT, including mobile cellular. This is the cleanest modern fix for "I want a service at home reachable from anywhere."
- Use a VPN with port forwarding. A handful of consumer VPN providers (AirVPN, OVPN, ProtonVPN on certain plans, formerly Mullvad) hand you a real public port that's forwarded down to your VPN-connected device. This effectively rents you a path around CGNAT — your traffic appears to come from the VPN provider's IP, which is a real non-shared address.
- Move to a wired ISP that doesn't CGNAT residential customers. Most North American cable ISPs (Comcast, Spectrum, Cox) still hand out non-shared IPv4 to residential customers in most regions. If you self-host and have a choice of provider, this is the cheapest long-term fix.
CGNAT vs. double-NAT — they're not the same thing
People mix these up constantly. Double-NAT is what you have when two NAT-doing routers live in your own home — for example, your ISP's combo modem-router has NAT enabled and you've connected your own router behind it (which is also NAT'ing). The classic symptom is that port forwarding works at the inner router but not at the outer one. The fix is to put the outer router in bridge mode, or stop NAT'ing on the inner one.
CGNAT, in contrast, lives upstream of your home network entirely, in the ISP's datacenter, and you can't bridge it away with anything you do at home. The fixes are external (IPv6, a tunnel, paying the ISP for an unshared IP).
Try it now
Open the IPFerret home page in one tab and your router's status page in another. Compare the two IPs. If they match and don't start with 100., you have a real public IP and CGNAT is not your problem. If they differ, or your router shows a 100.6-something address, that's CGNAT — and you now know why a chunk of your inbound networking workflows have been mysteriously failing.
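The WAN-IP comparison from the checks above, together with the CGNAT versus double-NAT distinction, as a small classifier. This is an added example, not code from the original page; the function name, result labels and sample addresses are constructed. It tests membership in 100.64.0.0/10 exactly, because a text match on "100." would also catch ordinary public addresses such as 100.128.0.1.

```python
import ipaddress

CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(wan_ip: str, seen_ip: str) -> str:
    """Compare the router's WAN address with the address a website reports.

    Returns one of (labels are this example's own):
      "cgnat"       WAN address is inside 100.64.0.0/10
      "private-wan" WAN address is RFC 1918: another NAT router sits upstream,
                    typically double-NAT inside the home, so check that first
      "public"      WAN address equals the address seen from outside
      "mismatch"    public-looking WAN address that differs from the one seen
    """
    wan = ipaddress.ip_address(wan_ip)
    seen = ipaddress.ip_address(seen_ip)
    if wan.version != 4 or seen.version != 4:
        raise ValueError("this check compares IPv4 addresses only")
    if wan in CGNAT_NET:
        return "cgnat"
    if any(wan in net for net in RFC1918_NETS):
        return "private-wan"
    return "public" if wan == seen else "mismatch"


if __name__ == "__main__":
    # Constructed samples; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
    samples = [
        ("100.64.12.34", "203.0.113.7"),    # inside the shared space
        ("100.127.255.255", "203.0.113.7"), # last address of the /10
        ("100.128.0.1", "100.128.0.1"),     # starts with "100." but is public
        ("192.168.0.2", "203.0.113.7"),     # router sits behind another router
        ("203.0.113.7", "203.0.113.7"),     # unshared public address
        ("198.51.100.20", "203.0.113.7"),   # differs without a private WAN address
    ]
    for wan, seen in samples:
        print(f"{wan:>16} vs {seen:<14} -> {classify(wan, seen)}")
```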
Related reading
- Port forwarding explained — the workflow CGNAT most reliably breaks.
- IPv6 reachability test — the modern fix is full v6, and this tells you whether you have it.
- What is my IP? — the broader context for "what websites can learn from your address."
- IP reputation and blocklists — why shared CGNAT IPs sometimes get blanket-flagged.
- RFC 1918 — the private-IP ranges that inspired the CGNAT 100.64.0.0/10 design.
