How do I know if I’m behind CGNAT?

Compare your router’s WAN IP with the public IP shown on an IP checker. If the WAN IP is private (e.g., 100.64.0.0/10, 10.0.0.0/8), you’re behind CGNAT.

Can I use port forwarding under CGNAT?

No, not directly. The carrier’s NAT blocks inbound connections. Request a public/static IP from your ISP or use a VPN with port forwarding or a reverse tunnel.

Does CGNAT improve security?

CGNAT is address translation, not a security control. You still need firewalls, updates, strong passwords, and careful exposure of services.

Home › FAQ › What Is CGNAT (Carrier-Grade NAT) and Why It Affects You

What Is CGNAT (Carrier-Grade NAT) and Why It Affects You

Updated: October 15, 2025

CGNAT (Carrier‑Grade NAT) is a large‑scale version of network address translation used by ISPs to put many customers behind a small set of public IPv4 addresses. It helps stretch limited IPv4 space, but it also breaks inbound connections, complicates gaming and P2P, and makes traditional port forwarding impossible. This guide explains how CGNAT works, how to detect it in minutes, and practical workarounds — including requesting a public IP, using a VPN with port forwarding, or adopting IPv6.

How CGNAT works (and how it differs from home NAT)

Home NAT: your router translates many private LAN devices to one public IP.
CGNAT: your ISP translates many customers to one (or a small pool of) public IPs at the carrier network.

Under CGNAT, your router’s WAN may have a private address (not publicly routable). Your traffic is then translated again by the ISP to a shared public IP. This “double NAT” prevents unsolicited inbound traffic from reaching your home network.

Why ISPs use CGNAT

IPv4 exhaustion: not enough public IPv4 addresses for every customer.
Operational simplicity: fewer public IPs to manage; easier abuse handling.
Cost control: buying public IPv4 space is expensive; CGNAT reduces demand.

How CGNAT affects you

No port forwarding: you cannot expose a server, CCTV, or self‑hosted service from home in the usual way.
Peer‑to‑peer limitations: some games, P2P apps, VoIP struggle with symmetric NAT and multiple translation layers.
Remote access headaches: inbound VPNs and admin panels won’t be reachable from the public internet.
Reputation side effects: you share a public IP with others; if one user misbehaves, sites may rate‑limit or block the shared IP.

How to detect CGNAT (2 minutes)

Open What is My IP and note your public IP.
Open your router’s WAN/Internet status and check the WAN IP.
If your router’s WAN IP is in a private range — e.g., 100.64.0.0/10 (CGNAT space), 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 — you are behind CGNAT. The WAN IP will differ from the public IP shown on MyIPScan.
Optional: run DNS Lookup and WebRTC Leak Test to confirm the visible egress IPs.

CGNAT and NAT “types” (gaming)

Multiple translation layers often result in Strict/Symmetric NAT, which limits peer discovery and direct connections. Even enabling UPnP or port forwarding on your home router won’t help — the ISP’s CGNAT layer still blocks inbound traffic.

Workarounds and fixes

Option	What it does	Pros	Cons
Request public/static IP from ISP	Moves you out of CGNAT to a unique public IP	Best long‑term fix; enables port forwarding	May cost extra; not available everywhere
Use a VPN with port forwarding	Tunnels outbound to a server that gives you an open port	Works even under CGNAT; quick to deploy	Added latency; depends on provider support
Reverse tunnel / remote access relay	Initiate an outbound tunnel from home (e.g., to a VPS) and access services via that endpoint	Fine‑grained control; can secure with auth/MFA	More setup; requires hosting endpoint
Adopt IPv6 for inbound	Use globally routable IPv6 with firewall rules	No NAT; direct end‑to‑end connectivity	Apps/sites must support IPv6; configure firewalls carefully

Security notes

CGNAT is not a security product; it only translates addresses. Keep firewalls and OS security enabled.
If you expose services (via VPN port‑forward or IPv6), use strong auth, TLS, and limit IP ranges where possible.
Monitor logs on routers and servers; rotate credentials and keys periodically.

Checklist: diagnose & fix

Confirm CGNAT: compare router WAN IP vs public IP on What is My IP; look for 100.64.0.0/10 or other private ranges on WAN.
Decide your goal: gaming NAT type, hosting a service, or remote access.
Pick a path: request public/static IP from ISP, or use a VPN with port forwarding, or set up a reverse tunnel, or use IPv6.
Test: validate reachability and leaks with WebRTC and DNS.

Test now: See your public IP on What is My IP, then verify DNS and browser exposure using DNS Lookup and WebRTC Leak Test.