Last updated: May 2026 · 9 min read

You've followed every tutorial. You've set up port forwarding on your router. You've configured your home server, NAS, CCTV system, or game server correctly. And yet, you still can't connect to it from outside your home network. The problem might not be your configuration — it might be CGNAT, and it's becoming increasingly common on residential internet connections.

What Is CGNAT?

CGNAT stands for Carrier-Grade Network Address Translation. It's a technique used by internet service providers (ISPs) to allow multiple customers to share a single public IP address.

To understand why this exists, you need to understand the IPv4 address problem. There are approximately 4.3 billion possible IPv4 addresses — and they've run out. Every device that connects to the internet needs a unique IP address, but there aren't enough to give one to every home router, let alone every device inside every home.

The original solution was NAT (Network Address Translation) at the home router level. Your router has one public IP address, and all your devices inside the home (phone, laptop, TV) share it. Your router keeps track of which device sent which request and routes responses back correctly. This is how home networking has worked for decades.

CGNAT adds another layer of this same technique, but at the ISP level. Instead of each customer getting their own public IP address, the ISP groups many customers behind a single shared public IP. Your home router gets a private IP from the ISP (usually in the 100.64.x.x range — known as "shared address space"), and the ISP's own CGNAT device handles the translation between your private IP and the shared public one.

Why ISPs Use CGNAT

It comes down to IPv4 address scarcity and cost. Public IPv4 addresses are now a scarce commodity — organisations buy and sell them, and the price has risen significantly over the past decade. For a large ISP with millions of customers, providing every customer with a dedicated public IP address requires purchasing millions of IPv4 addresses. CGNAT lets them serve far more customers with a smaller pool of public IPs.

CGNAT is especially common on:

• Mobile/4G/5G home broadband connections
• Budget or entry-level residential broadband plans
• ISPs in regions where IPv4 exhaustion hit hardest
• Newer ISPs that couldn't acquire large IPv4 allocations

How to Tell If You're Behind CGNAT

There are two reliable ways to check:

Method 1: Compare Your Router's WAN IP to Your Public IP

Log into your router's admin panel (usually at 192.168.1.1 or 192.168.0.1) and find the WAN IP address — this is the IP your router has been given by your ISP. Then check your public IP using GoIPScan.

If they're the same, you have a real public IP and are not behind CGNAT.

If they're different, you're behind CGNAT. Specifically, if your router's WAN IP starts with 100.64., 100.65. through 100.127., that's the IANA-designated shared address space used for CGNAT. You might also see private ranges like 10.x.x.x or 172.16.x.x depending on how your ISP has configured things.

Method 2: Attempt Port Forwarding

Set up a port forward on your router and try to reach it from outside your network (use a mobile data connection to test, not your home Wi-Fi). If it consistently fails despite correct configuration, CGNAT is a likely cause.

What CGNAT Breaks

Port Forwarding and Home Servers

This is the most common complaint. Port forwarding works by telling your router to send incoming connections on a specific port to a specific device inside your network. But with CGNAT, there is no direct path from the public internet to your router — all incoming connections go to the ISP's CGNAT device first, which has no knowledge of your port forwarding rules. The connection never reaches your router.

This means home servers, self-hosted services, remote desktop access, NAS devices, CCTV systems with remote viewing, and anything else that requires incoming connections simply won't work without an alternative solution.

Online Gaming

Some online games require a direct peer-to-peer connection between players. Behind CGNAT, your NAT type will typically show as "Strict" or "Type 3" — the most restrictive setting. This can prevent you from hosting game sessions, cause connection issues with other players behind CGNAT, and increase latency. Games that use relay servers (where all traffic goes through a central server rather than directly between players) are generally unaffected.

VoIP and Video Calls

Most modern VoIP applications and video calling services use relay servers as a fallback, so they usually work behind CGNAT. However, the relay routing adds latency and can reduce call quality compared to a direct connection. Some older or specialist VoIP systems that require incoming SIP connections may not work at all.

VPN Hosting

If you want to run your own VPN server at home (using WireGuard or OpenVPN, for example) to access your home network securely when you're away, CGNAT makes this impossible without workarounds — external connections can't reach your home IP.

Solutions and Workarounds

Request a Static Public IP from Your ISP

The cleanest solution. Many ISPs offer static public IP addresses as an add-on for a small monthly fee (typically £5–15/month on residential plans, often included on business plans). This gives you a dedicated, non-shared public IP that supports normal port forwarding. Contact your ISP and ask whether they offer a static IP or a dedicated public IP add-on.

Use a VPN with Port Forwarding

Some VPN providers offer port forwarding as a feature. You connect your home system to the VPN, and the VPN provider forwards a specific port on their public IP to your device through the VPN tunnel. This effectively bypasses CGNAT by routing incoming connections through the VPN provider's infrastructure rather than directly to your home IP.

Use a Tunnel Service

Services like Cloudflare Tunnel, ngrok, and Tailscale provide ways to make home services accessible from the internet without requiring incoming connections to your home IP. They work by having your home device initiate an outbound connection to the tunnel service, which then relays incoming traffic back through that connection. This works even behind CGNAT because the connection is initiated from inside your network.

Tailscale is particularly popular for home users — it creates a private mesh network between your devices using WireGuard, with a relay system that works behind CGNAT. It's free for personal use.

Use Dynamic DNS with IPv6

If your ISP provides IPv6 connectivity (many do now, even on CGNAT connections), your devices may have public IPv6 addresses that can receive incoming connections directly — bypassing the IPv4 CGNAT problem entirely. Check whether your devices have IPv6 addresses and whether your router's firewall allows incoming IPv6 connections.

Switch ISP or Plan

If CGNAT is causing significant problems and your ISP won't provide a public IP, switching to a provider that offers public IPs by default (or on a standard residential plan) may be worth considering. Business broadband plans almost always include a static public IP.

CGNAT and Privacy

There's an unexpected privacy angle to CGNAT: because many customers share a single public IP address, it becomes harder for websites and services to track individual users by IP address alone. Your IP-based identity is diluted across many households. However, this cuts both ways — if another customer on your shared CGNAT IP engages in abuse, your shared IP may get blacklisted, affecting you too.

Frequently Asked Questions

Does CGNAT affect my download or upload speeds?

CGNAT itself adds minimal latency (usually under 1ms) and doesn't reduce your bandwidth. For typical browsing, streaming, and downloading, you likely won't notice any difference. The problems are specifically with incoming connections.

My ISP says I have a public IP — could I still be behind CGNAT?

Yes, it's worth verifying by comparing your router's WAN IP to your visible public IP as described above. Some ISPs describe CGNAT connections inaccurately, or their customer service staff may not be aware that CGNAT is in use on certain network segments.

Will IPv6 eventually eliminate CGNAT?

That's the intention. IPv6 provides enough addresses for every device to have its own public IP, eliminating the need for any form of NAT. As IPv6 adoption increases, CGNAT becomes less necessary. However, the transition is slow — many devices, services, and ISPs still rely primarily on IPv4, so CGNAT will remain common for years to come.

Can I check my NAT type without setting up a server?

Yes — many online gaming platforms report your NAT type directly (PlayStation shows it in network settings, Xbox and PC gaming clients often report it too). "Open" or "Type 1" means no CGNAT issues. "Moderate/Type 2" means standard home NAT. "Strict/Type 3" strongly suggests CGNAT.