Carrier-Grade NAT (CGNAT): What It Means for You
Learn how ISPs use CGNAT to share public IPs among hundreds of customers and what it means for gaming, hosting, and privacy.
What Is Carrier-Grade NAT?
Carrier-Grade NAT (CGNAT), also known as Large-Scale NAT (LSN), is a technique where an Internet Service Provider places an additional layer of NAT between your home router and the public internet. Instead of assigning each customer a unique public IPv4 address, the ISP shares one public IP among dozens or even hundreds of subscribers.
With CGNAT, the network path looks like this:
Your Device (192.168.1.x)
-> Home Router NAT (e.g., 100.64.x.x)
-> ISP CGNAT Device (e.g., 203.0.113.x public IP)
-> Internet
The 100.64.0.0/10 range (defined in RFC 6598) is specifically reserved for CGNAT use — it sits between your private network and the ISP's public address.
Why ISPs Use CGNAT
The primary driver is IPv4 address exhaustion. With only 4.3 billion IPv4 addresses and far more devices in the world, ISPs simply do not have enough public IPs for every customer. CGNAT lets them stretch their existing allocations.
CGNAT is particularly common with:
- Mobile carriers — Nearly all 4G/5G providers use CGNAT.
- Newer regional ISPs — Those who could not acquire large IPv4 blocks.
- ISPs in developing regions — Where IPv4 addresses are scarce and expensive.
How to Detect CGNAT
You can check whether you are behind CGNAT:
-
Compare IPs — Log into your home router and note its WAN IP. Then visit a tool like IPFYI to see your public IP. If they differ, you are likely behind CGNAT.
-
Check the WAN IP range — If your router's WAN address falls in
100.64.0.0/10(100.64.0.0 to 100.127.255.255), CGNAT is confirmed. -
Traceroute test:
traceroute -n 8.8.8.8
# If you see 100.64.x.x hops before the public internet, that is the CGNAT device
Impact on Users
CGNAT introduces several limitations:
Port Forwarding Does Not Work
Since you do not control the public IP, you cannot forward ports from the internet to your home network. This breaks:
- Self-hosted services (web servers, game servers, NAS access)
- Remote desktop and VPN connections to your home
- Security cameras accessible from outside
Gaming Issues
- NAT type restrictions — Console games often report "Strict NAT" or "NAT Type 3," which limits matchmaking and voice chat.
- Peer-to-peer connections — Direct connections between players may fail, forcing relay through game servers (higher latency).
IP-Based Services
- IP reputation — If another CGNAT subscriber on the same public IP sends spam or triggers abuse reports, your traffic may also be affected.
- Rate limiting — Services that limit requests per IP may restrict you unfairly because hundreds of users share your public address.
- Geolocation — The shared IP may geolocate to the ISP's hub, not your actual location.
Workarounds
If CGNAT is causing problems, you have several options:
- Request a public IP — Some ISPs offer a dedicated public IPv4 address for an additional monthly fee. Always ask.
- Use IPv6 — If your ISP supports dual-stack, your IPv6 address is globally unique and not behind CGNAT. Many modern services support IPv6.
- VPN with port forwarding — Some VPN providers (e.g., Mullvad, AirVPN) offer port forwarding on their servers, effectively giving you an accessible public endpoint.
- Reverse tunnels — Tools like Cloudflare Tunnel, ngrok, or Tailscale Funnel can expose local services without needing an inbound public IP.
CGNAT and the Push to IPv6
CGNAT is fundamentally a stopgap solution. The real fix is IPv6 adoption, which provides enough addresses (340 undecillion) for every device on earth to have its own globally routable address. As IPv6 deployment grows, the need for CGNAT diminishes — but in 2026, CGNAT remains widespread and understanding its implications is essential for any network-connected user.