How CGNAT Works
A normal home network has one public IP address assigned to your modem/router. Devices inside your home share it via your router's NAT (Network Address Translation).
With CGNAT (Carrier-Grade NAT, also called double NAT or LSN — Large Scale NAT), your ISP adds another layer of NAT before your router. Dozens to thousands of homes share a single public IP address at the ISP level. Your router's WAN IP is a private address (usually in the 100.64.x.x range), not a real public IP.
How to Detect CGNAT
Compare two IP addresses:
- Your router's WAN IP: log into your router admin panel and find the WAN/Internet IP address
- Your actual public IP: run a speed test or visit whatismyip.com
If they're different, you're behind CGNAT. Common CGNAT WAN IP ranges: 100.64.x.x – 100.127.x.x, 10.x.x.x, 172.16.x.x – 172.31.x.x.
What CGNAT Breaks
- Console NAT type: PS5/Xbox/Switch show Strict or Type 3/C/D NAT — you can't host games or connect to all players
- Port forwarding: doesn't work at all — you can't forward ports through two layers of NAT
- Remote access: VPNs, home servers, NAS remote access, cameras — all require a public IP
- Peer-to-peer applications: torrents, some VoIP, WebRTC — all degraded
How to Fix CGNAT
Option 1: Request a Static or Dynamic Public IP from Your ISP
Call your ISP and ask to be removed from CGNAT and assigned a dedicated public IP. Some ISPs do this for free, others charge $5–15/month, and some refuse entirely (common with LTE/5G home internet providers). This is the cleanest fix.
Option 2: Use a VPN with Port Forwarding
Services like Mullvad, PIA (Private Internet Access), and AirVPN offer port forwarding through their VPN. This bypasses CGNAT by routing traffic through the VPN's public IP. Works for gaming, home servers, and torrents.
Option 3: IPv6
CGNAT only affects IPv4. If your ISP supports IPv6 and your router/devices support it, IPv6 gives every device a real public address with no NAT. Most modern consoles, PCs, and routers support IPv6. Check if your ISP provides it and enable it in your router settings.
Option 4: Switch ISPs
Fiber ISPs (Verizon Fios, AT&T Fiber, Telus PureFibre) almost always provide real public IPs. Mobile-based home internet (T-Mobile, Starlink) is almost always behind CGNAT. If gaming and hosting are priorities, CGNAT is a legitimate reason to choose one ISP over another.
Frequently Asked Questions
What is CGNAT and why does it cause Strict NAT?
CGNAT (Carrier-Grade NAT) means your ISP puts another layer of NAT between your router and the internet. Your router gets a private WAN IP instead of a public IP. Strict NAT happens because incoming connections can't reach your router through two NAT layers.
How do I know if I'm behind CGNAT?
Compare your router's WAN IP (found in router admin panel) to your public IP (whatismyip.com or run a speed test). If they're different — especially if the WAN IP starts with 100.64.x.x — you're behind CGNAT.
Can I fix CGNAT without calling my ISP?
IPv6 bypasses CGNAT if your ISP supports it. A VPN with port forwarding (Mullvad, PIA) also works. But for a clean fix with a real public IPv4, you need to contact your ISP and request removal from CGNAT.
Does Starlink have CGNAT?
Yes — Starlink residential uses CGNAT by default. Starlink Business and the Priority plans offer a public IP. This is why Starlink users commonly see Strict NAT on gaming consoles.
Does CGNAT affect internet speed?
CGNAT doesn't directly reduce download or upload speed. It only affects features that require incoming connections. Your speed test results are unaffected by CGNAT.