CGNAT addresses sit in 100.64.0.0/10 (RFC 6598). Your home router gets one of those; the ISP NATs it again to a shared public IP.
It breaks inbound services — port forwarding, hosting game servers, self-hosted VPN endpoints — because the inbound packet has nowhere to land in the ISP's mapping table.
We have a longer explainer with workarounds (IPv6, reverse tunnels, ISP "static IP" upgrades) at /cgnat.
Try it on IPFerret
See also
- NATRewriting the source/destination IP (and usually port) of packets as they cross a network boundary.
- RFC 1918The IPv4 ranges set aside for private use — 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. Not routed on the public internet.
- IPv6The 128-bit successor to IPv4 — addresses look like 2001:db8::1 and there are 2^128 of them.