What Is CGNAT? Why You Can’t Port Forward and How to Fix It

You followed every port forwarding tutorial to the letter. You set up the rule in your router. You double-checked the IP and port. And it still doesn’t work. If this sounds familiar, there’s a good chance your ISP is using CGNAT — and it fundamentally changes how your internet connection works in a way that makes standard port forwarding impossible.

What Is CGNAT?

CGNAT stands for Carrier-Grade Network Address Translation (also called Large-Scale NAT or LSN). It’s a technique ISPs use to share a single public IP address among multiple customers simultaneously.

You already know about NAT — your home router uses it to let all your devices share one public IP. CGNAT adds another layer of NAT at the ISP level. So instead of:

Your devices → [Your router NAT] → Public IP

You get:

Your devices → [Your router NAT] → ISP’s private IP → [CGNAT] → Shared public IP

This means you’re behind double NAT and you don’t have your own public IP address at all.

How to Tell if Your ISP Uses CGNAT

The easiest way: check if your WAN (external) IP address on your router matches your public IP as seen from the internet.

  1. Log in to your router admin page (usually 192.168.1.1)
  2. Find your WAN IP address (the IP assigned by your ISP)
  3. Check your public IP at tools.examineip.com
  4. If they’re different, you’re behind CGNAT

Additionally, if your router’s WAN IP falls in the 100.64.0.0/10 range (100.64.x.x through 100.127.x.x), you are definitely behind CGNAT — that range is specifically reserved for carrier-grade NAT by RFC 6598.
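The check above can be written as a small decision procedure. This is an added example, not code from the original article; the function name, verdict labels and sample addresses are assumptions made for illustration. It also separates an RFC 1918 private WAN address (which proves a NAT upstream but not whose) from the RFC 6598 range.

```python
import ipaddress

# RFC 6598 shared address space (the CGNAT range named above) and RFC 1918 private ranges.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip, public_ip):
    """Compare the router's WAN address with the address seen from the internet.

    Returns (verdict, reason). Both arguments are plain strings as copied
    from the router admin page and from an IP-check site.
    """
    try:
        wan = ipaddress.ip_address(wan_ip.strip())
        pub = ipaddress.ip_address(public_ip.strip())
    except ValueError as exc:
        return "invalid", str(exc)
    if wan.version != pub.version:
        return "invalid", "WAN and public addresses must be the same IP version"
    if wan in CGNAT:
        return "cgnat", "WAN address is inside 100.64.0.0/10 (RFC 6598)"
    if any(wan in net for net in RFC1918):
        # A private WAN address proves a NAT upstream, but that NAT may be the
        # ISP's or simply a modem/router combo in front of this router.
        return "upstream-nat", "WAN address is RFC 1918 private"
    if wan == pub:
        return "public", "WAN address matches the address seen from the internet"
    # Public-looking WAN that differs: by the rule above, NAT upstream. A VPN or
    # proxy on the device used for the public-IP check gives the same symptom.
    return "mismatch", "WAN address differs from the address seen from the internet"


# Constructed sample pairs (documentation ranges), not real customer addresses.
SAMPLES = [
    ("100.72.14.3", "198.51.100.20"),
    ("192.168.0.2", "198.51.100.20"),
    ("203.0.113.45", "203.0.113.45"),
    ("203.0.113.45", "198.51.100.20"),
]

if __name__ == "__main__":
    for wan, pub in SAMPLES:
        verdict, reason = classify_wan(wan, pub)
        print(f"{wan:>15} vs {pub:<15} -> {verdict}: {reason}")
```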

Why CGNAT Makes Port Forwarding Impossible

Port forwarding tells your router to accept incoming connections on a specific port and forward them to an internal device. But if you’re behind CGNAT, incoming connections to “your” public IP actually arrive at your ISP’s CGNAT device first — which has no rule to forward them to your router. The connection dies before it even reaches you.

Your router’s port forwarding rules only work for traffic that reaches your router’s WAN interface. Under CGNAT, unsolicited inbound connections never get that far.

Why ISPs Use CGNAT

The simple answer: IPv4 address exhaustion. There are only about 4.3 billion IPv4 addresses in existence. With billions of internet-connected devices, ISPs ran out of unique public IPs to assign to every customer. CGNAT lets an ISP serve 100+ customers from a single public IP address.

Mobile carriers are the worst offenders — virtually every mobile internet connection globally is behind CGNAT. Fixed broadband ISPs in densely populated countries (parts of Asia, South America, some of Europe) increasingly use it too.

How to Fix CGNAT (Get a Real Public IP)

Option 1: Request a Static IP from Your ISP

Many ISPs offer static IP addresses as a paid add-on — typically $5–$15/month for residential, more for business plans. A static IP takes you out of CGNAT entirely and gives you a dedicated, permanent public IP. Best solution if available.

Option 2: Ask Your ISP to Remove CGNAT

Some ISPs will remove CGNAT from your account on request, assigning you a dynamic public IP instead (still better than CGNAT even though it changes occasionally). Worth a phone call — success rates vary by ISP and region.

Option 3: Use a VPN with Port Forwarding

Some VPN providers offer port forwarding as a feature. Your server connects to the VPN, and traffic to the VPN’s server:port gets forwarded to your device. This works even behind CGNAT because your server initiates the outbound VPN connection — no inbound path needed.

Option 4: Use a VPS as a Relay

Rent a cheap VPS (virtual private server) with a public IP. Set up a reverse tunnel (using SSH, WireGuard, or frp) from your home server to the VPS. Traffic hits the VPS’s public IP and gets forwarded through the outbound tunnel to your home server.

Option 5: Use Cloudflare Tunnel, Tailscale, or ngrok

These services create outbound tunnels from your home network to their infrastructure. No inbound ports needed. Cloudflare Tunnel is free for basic use. Tailscale creates a private mesh VPN. ngrok works well for temporary tunnels during development.

Does IPv6 Solve CGNAT?

Yes — partly. IPv6 provides enough addresses for every device on earth to have its own public IP, eliminating the need for NAT entirely. If your ISP provides IPv6 and your devices have IPv6 addresses, you can accept inbound IPv6 connections directly without any port forwarding setup (though you still need to configure your firewall appropriately).

However, many services and users are still IPv4-only, so IPv6 alone doesn’t fully replace the need for IPv4 public addresses yet.

Check whether your current IP is a public IP or a CGNAT address

Visit tools.examineip.com and compare the displayed IP to your router’s WAN IP. If they differ, you’re behind CGNAT.

Frequently Asked Questions

Does CGNAT affect gaming?

Yes. Many games rely on peer-to-peer connections or require an open NAT type. CGNAT usually results in “Strict NAT” or “NAT Type 3”, which prevents direct connections to other players and can cause matchmaking issues. Requesting a public IP from your ISP is the best fix.

Does CGNAT slow down my internet?

In theory, CGNAT adds negligible latency (microseconds). In practice, heavily loaded CGNAT devices at your ISP can occasionally add a few milliseconds or cause dropped connections during peak hours.

Can I tell if I’m behind CGNAT from the command line?

Run tracert 8.8.8.8 (Windows) or traceroute 8.8.8.8 (Mac/Linux). If the first few hops show private or 100.64.x.x addresses before reaching the public internet, you’re behind CGNAT.
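To read the trace output consistently, the hop check can be scripted. This is an added example, not part of the original article; the function names, verdict labels and sample output are assumptions. It ignores hop 1, which is normally your own router's private LAN address, and treats private hops further along as only a hint, since some ISPs number internal routers privately.

```python
import ipaddress
import re

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")     # "<hop number> <rest of line>"
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_hops(output):
    """Return [(hop_number, IPv4Address)] from tracert or traceroute text."""
    hops = []
    for line in output.splitlines():
        m = HOP_LINE.match(line)
        found = IPV4.search(m.group(2)) if m else None
        if not found:
            continue                      # header line or a "* * *" timeout
        try:
            hops.append((int(m.group(1)), ipaddress.ip_address(found.group())))
        except ValueError:
            continue                      # e.g. 999.1.1.1 is not an address
    return hops


def assess_path(output):
    """Return (verdict, cgnat_hops, private_hops_after_first)."""
    hops = parse_hops(output)
    cgnat = [str(ip) for _, ip in hops if ip in CGNAT]
    # Hop 1 is normally your own router's LAN address, so it is ignored here.
    private = [str(ip) for n, ip in hops
               if n > 1 and any(ip in net for net in PRIVATE)]
    if cgnat:
        return "cgnat", cgnat, private
    if private:
        return "possible-upstream-nat", cgnat, private
    return "no-evidence", cgnat, private


# Constructed traceroute output for illustration, not a real capture.
SAMPLE = """traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.1.1  0.512 ms  0.498 ms  0.471 ms
 2  100.72.0.1  8.120 ms  8.004 ms  7.951 ms
 3  * * *
 4  203.0.113.9  12.310 ms  12.102 ms  12.044 ms
 5  8.8.8.8  14.020 ms  13.870 ms  13.910 ms"""

if __name__ == "__main__":
    print(assess_path(SAMPLE))
```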
