CGNAT (Carrier-Grade NAT)

Carrier-Grade Network Address Translation

CGNAT is a technique where your ISP shares a single public IP address across multiple customers, which prevents direct port forwarding and can affect gaming and self-hosting.

CGNAT (Carrier-Grade NAT) is a network technique where an ISP assigns customers IP addresses from a private range and uses a shared public IP for multiple subscribers. From the internet's perspective, many homes appear to come from the same IP address. CGNAT was introduced to extend the life of the IPv4 address space, which is nearly exhausted.

How CGNAT works

In a standard home setup without CGNAT, your router gets a public IPv4 address directly from the ISP and performs NAT between your private home network (192.168.x.x) and that public IP. With CGNAT, there is an additional NAT layer in the ISP's network. The ISP assigns your router an address from the reserved 100.64.0.0/10 range, which RFC 6598 defines specifically for CGNAT use as shared address space; like a private range, it is not routed on the public internet. The ISP then runs a large NAT device that translates hundreds or thousands of these 100.64.x.x addresses onto a small pool of public IPv4 addresses. The result is two layers of NAT: your home router translates 192.168.x.x → 100.64.x.x, and the ISP's CGNAT device translates 100.64.x.x → a public IP shared by up to hundreds of subscribers.

Why ISPs deploy CGNAT

IPv4 addresses are exhausted — IANA allocated the last blocks in 2011, and buying IPv4 addresses on the secondary market now costs $40–60 per address. A residential ISP serving 100,000 customers would need to buy 100,000 IPv4 addresses at a cost of $4–6 million just for addresses. CGNAT allows a single public IPv4 address to serve dozens or hundreds of subscribers, dramatically reducing the ISP's address procurement costs. For ISPs that have not fully deployed IPv6, CGNAT is the only practical way to connect new customers to the internet at scale. Mobile carriers were among the earliest large-scale CGNAT deployers; many fixed broadband ISPs have added CGNAT as their IPv4 address pools became exhausted.

Impact on gaming

CGNAT forces strict NAT (Type 3) on gaming consoles and PCs. Because the public IP is shared across hundreds of subscribers, the ISP's CGNAT device cannot reliably map inbound connections to a specific subscriber. UPnP port mapping requests from your router reach your home NAT but cannot propagate through the ISP's CGNAT layer. Manual port forwarding in your router settings is similarly ineffective — there is no way to forward ports through the ISP's CGNAT to your specific connection. The practical result is lobby join failures in peer-to-peer multiplayer games, inability to host game sessions, and voice chat issues in titles that use direct peer connections rather than dedicated servers.

Impact on VPNs and peer-to-peer

Most consumer VPN protocols (WireGuard, OpenVPN in UDP mode) initiate outbound connections and work fine through CGNAT for connecting to VPN servers. However, configuring a self-hosted VPN server at home is not possible behind CGNAT since there is no way to receive inbound connections on a specific port. Peer-to-peer protocols (BitTorrent, some video conferencing tools) that rely on inbound connections for optimal performance will fall back to relay servers or see reduced transfer speeds. WebRTC applications (browser video calls) use STUN/TURN to work around NAT including CGNAT — calls work but may route through relay servers rather than direct peer paths.

Impact on hosting a server from home

Any server that needs to accept inbound connections — a web server, game server, Minecraft server, home automation hub, or remote access tool — is completely blocked by CGNAT. There is no port forwarding path through the ISP's CGNAT layer. Tunneling solutions that initiate outbound connections from inside CGNAT (Cloudflare Tunnel, ngrok, Tailscale, ZeroTier) can work around this by maintaining a persistent outbound tunnel to a relay server, but they add latency and depend on a third-party service.

How to tell if you are behind CGNAT

Compare two IP addresses: the WAN IP shown in your router's admin panel (usually under Status or WAN Settings), and the public IP reported by an external service such as whatismyip.com or by running curl ifconfig.me from a device. If they match, your router has a true public IP and you are not behind CGNAT. If they differ, especially if your router's WAN IP starts with 100.64 through 100.127, or with 10., or 172.16 through 172.31, you are behind CGNAT. The 100.64.0.0/10 range is the official CGNAT range; the others (10.x.x.x, 172.16-31.x.x) may indicate CGNAT or simply an ISP using non-standard private addressing internally.
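
The comparison above, written as an added Python example (not part of the original page): it tests the router's WAN IP against the exact network boundaries rather than string prefixes, so addresses such as 100.128.0.1 or 172.32.0.1 are not misread as CGNAT. The function name, result labels and sample addresses are assumptions made for this example.

```python
import ipaddress

# RFC 6598 shared address space: the range the page calls the official CGNAT range.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# Ranges the page says may mean CGNAT or just ISP-internal private addressing.
AMBIGUOUS_NETS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
)


def classify_wan(router_wan_ip: str, external_ip: str) -> str:
    """Apply the page's comparison to one (router WAN IP, externally seen IP) pair."""
    wan = ipaddress.ip_address(router_wan_ip.strip())
    ext = ipaddress.ip_address(external_ip.strip())
    if wan.version != 4 or ext.version != 4:
        raise ValueError("this check applies to IPv4 addresses only")
    if wan == ext:
        return "public"                  # router holds the public IP itself
    if wan in CGNAT_NET:
        return "cgnat"                   # 100.64.0.0 - 100.127.255.255
    if any(wan in net for net in AMBIGUOUS_NETS):
        return "cgnat-or-isp-private"    # 10.x.x.x or 172.16-31.x.x
    # Addresses differ but the WAN IP is outside the ranges the page lists;
    # the page gives no rule for this case, so report it for manual review.
    return "differs-unlisted-range"


# Constructed sample pairs (documentation addresses stand in for public IPs).
SAMPLES = [
    ("203.0.113.7", "203.0.113.7"),
    ("100.64.12.9", "198.51.100.20"),
    ("100.127.255.254", "198.51.100.20"),  # last /16 inside the CGNAT range
    ("100.128.0.1", "198.51.100.20"),      # just outside: not CGNAT space
    ("10.44.0.2", "198.51.100.20"),
    ("172.32.0.1", "198.51.100.20"),       # just outside 172.16.0.0/12
]

if __name__ == "__main__":
    for wan_ip, ext_ip in SAMPLES:
        print(f"{wan_ip:>16} vs {ext_ip:<14} -> {classify_wan(wan_ip, ext_ip)}")
```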

Solutions

  • Request a static public IP from your ISP: Many ISPs offer a dedicated public IPv4 address for a small monthly fee ($5–15/month is common). This is the cleanest solution — it removes CGNAT entirely for your connection.
  • Enable IPv6: If your ISP supports IPv6, enabling it on your router gives every device a globally routable IPv6 address with no NAT. Servers accessible via IPv6 work without any port forwarding. This is the long-term solution the industry is moving toward.
  • VPN with dedicated IP or port forwarding: Some VPN providers (Mullvad, ProtonVPN, AirVPN) offer port forwarding on their VPN exit nodes. You connect your home device to the VPN, and inbound traffic to the VPN provider's public IP on your assigned port is forwarded through the VPN tunnel to your device.
  • Tunnel services: Cloudflare Tunnel (for web services), Tailscale, or a WireGuard tunnel to a cheap VPS can relay inbound connections to your home without requiring a public IP on the home connection.

Frequently Asked Questions

Does CGNAT slow my internet speed?

No — CGNAT does not affect outbound connection speed. It only prevents inbound connections. Download speed, upload speed, and latency are unaffected.

Can ISPs remove CGNAT?

Yes — if you request a dedicated public IP, most ISPs can provision one. It is becoming more common as IPv6 adoption reduces the need for CGNAT on modern networks.
