How to Fix CGNAT: Get a Public IP for Gaming and Port Forwarding

Carrier-Grade NAT (CGNAT) silently blocks port forwarding and cripples gaming NAT types. Here’s how to detect it and four proven ways to escape it — from calling your ISP to running a WireGuard tunnel.

You set up port forwarding on your router, double-checked every rule, and your gaming console still shows Strict NAT or NAT Type 3. Your self-hosted server is unreachable from outside. Nothing works — and the problem isn’t your router at all. The problem is Carrier-Grade NAT (CGNAT), a layer of address translation that your ISP adds above your router, completely outside your control. This guide explains what CGNAT is, how to confirm you’re behind it, and four practical ways to get out.

What Is CGNAT?

IPv4 addresses are a finite resource — there are only about 4.3 billion of them, and the internet exhausted the global supply years ago. To stretch the remaining pool, ISPs deploy Carrier-Grade NAT: a router rack inside their own network that places hundreds of customer connections behind a single shared public IP address. Your modem gets a private IP in the 100.64.0.0/10 range (RFC 6598, sometimes called the “shared address space”), and the ISP’s CGNAT device handles the translation to a real routable address on your behalf.

The result is two layers of NAT: your home router does NAT from your LAN to its WAN address, and then the ISP’s CGNAT device does NAT again from that address to the public internet. This “Double NAT” situation means inbound connections from the internet never know how to reach your specific device — the ISP’s CGNAT appliance has no forwarding rules for your traffic.

CGNAT is most common on mobile LTE/5G home internet plans (T-Mobile Home Internet, Verizon LTE), some cable ISPs in densely populated areas, and satellite services like Starlink’s standard tier.

How to Confirm You’re Behind CGNAT

There are two reliable ways to check:

Method 1: Compare Your Router’s WAN IP to Your Public IP

  1. Log in to your router admin panel (usually 192.168.1.1 or 192.168.0.1) and find the WAN IP address — the IP your router received from your ISP.
  2. In a browser, visit a site like whatismyip.com and note your public IP address.
  3. If these two addresses are different, you are behind CGNAT. If your router’s WAN IP falls between 100.64.0.0 and 100.127.255.255, it is in the RFC 6598 shared address space (100.64.0.0/10) reserved for CGNAT, which is confirmation in itself.

Method 2: Traceroute

Run tracert [your public IP] on Windows or traceroute [your public IP] on Mac/Linux. If you see one or more hops in the 100.64.0.0/10 range between your router and your public IP, the ISP’s CGNAT infrastructure is visible in the path.
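
Both checks can be scripted. The following is an added example, not code from the original article: it classifies a WAN/public address pair (Method 1) and picks RFC 6598 hops out of traceroute output (Method 2). The function names, result labels and the sample trace are constructed for illustration.

```python
import ipaddress
import re

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed traceroute output (203.0.113.45 is a documentation address).
SAMPLE_TRACE = """\
traceroute to 203.0.113.45 (203.0.113.45), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.102 ms  0.987 ms  1.021 ms
 2  100.64.0.1 (100.64.0.1)  9.514 ms  9.700 ms  9.312 ms
 3  100.72.14.9 (100.72.14.9)  11.201 ms  10.874 ms  11.050 ms
 4  203.0.113.45 (203.0.113.45)  12.330 ms  12.101 ms  12.412 ms
"""

def classify_wan(wan_ip, public_ip):
    """Method 1: compare the router's WAN address with the externally seen one."""
    wan = ipaddress.ip_address(wan_ip)
    if wan in CGNAT:
        return "cgnat-rfc6598"      # shared address space: confirmation in itself
    if wan == ipaddress.ip_address(public_ip):
        return "public"             # router holds the public address directly
    return "behind-nat"             # addresses differ: translated upstream

def cgnat_hops(traceroute_text):
    """Method 2: list hop addresses that fall inside 100.64.0.0/10."""
    hops = []
    for line in traceroute_text.splitlines():
        if not re.match(r"\s*\d+\s", line):   # skip header lines
            continue
        for candidate in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:                # e.g. 999.1.1.1
                continue
            if addr in CGNAT and candidate not in hops:
                hops.append(candidate)
    return hops

if __name__ == "__main__":
    print(classify_wan("100.71.3.20", "203.0.113.45"))
    print(cgnat_hops(SAMPLE_TRACE))
```
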

Why CGNAT Breaks Gaming and Port Forwarding

Online gaming consoles and peer-to-peer applications need open inbound connections to achieve Open or Moderate NAT types. When an Xbox or PS5 tries to host a party or accept an incoming game connection, the traffic arrives at the ISP’s CGNAT device, which has no record of that session and drops the packet. Your router’s port forwarding rules are never even consulted. The same problem affects:

  • Self-hosted game servers and web servers
  • Remote desktop tools that rely on direct connections
  • VoIP applications negotiating media streams
  • Torrenting (reduced peer connectivity)
  • Security cameras accessed remotely

Fix 1: Request a Public IP From Your ISP

This is the cleanest solution. Call or chat with your ISP and ask:

  • “Can you remove me from CGNAT and give me a dedicated public IPv4 address?”
  • Alternatively, ask for a static IP add-on — these are almost always routable public addresses outside CGNAT.

Many ISPs will do this for free or for a small monthly fee ($5–$15/month is typical). Not all will — some 5G home internet providers have no public IPv4 inventory left. If your ISP refuses, proceed to the technical workarounds below.

Fix 2: Enable IPv6

IPv6 provides a globally routable address to every device on your network, bypassing NAT entirely. If your ISP supports IPv6 (most modern ISPs do), enabling it can restore direct inbound connectivity for applications that support it. Check your router settings under Internet › IPv6 and enable DHCPv6 or SLAAC. Note that gaming consoles handle IPv6 inconsistently — Xbox supports it well, while PlayStation support varies by game — so this alone may not fully resolve NAT type issues.

Fix 3: WireGuard Tunnel Through a VPS

If your ISP won’t help and IPv6 doesn’t solve the problem, the most powerful technical workaround is a WireGuard reverse tunnel to a cheap cloud VPS. The concept: you rent a virtual server with a real public IP ($3–$6/month from providers like DigitalOcean, Linode, or Hetzner), establish an outbound WireGuard connection from your home network to the VPS, and then forward ports on the VPS back through the tunnel to your home.

The key insight is that your home router makes an outbound connection to the VPS — which always works through CGNAT — and the VPS then has a persistent tunnel it can use to push inbound traffic back to you. This effectively gives your home network a public IP.

The setup requires comfort with Linux command-line tools. Detailed WireGuard configuration guides are available on GitHub (search for “Bypass_CGNAT WireGuard”). Once configured, your VPS public IP becomes your reachable address, and gaming NAT types typically switch to Open.
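
The tunnel only stays reachable if the home side keeps dialing out, and the VPS should accept only the home peer's tunnel address. The following is an added example, not taken from the article or the guides it mentions: it audits two constructed wg-quick style configs for those points. The 10.8.0.0/24 addressing, the placeholder keys and the finding texts are assumptions; Endpoint, AllowedIPs and PersistentKeepalive are standard WireGuard settings.

```python
import ipaddress

# Constructed configs; keys are placeholders, 203.0.113.10 is a documentation address.
HOME_CONF = """[Interface]
PrivateKey = <home-private-key>
Address = 10.8.0.2/32
[Peer]
PublicKey = <vps-public-key>
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.8.0.1/32
"""
VPS_CONF = """[Interface]
PrivateKey = <vps-private-key>
Address = 10.8.0.1/24
ListenPort = 51820
[Peer]
PublicKey = <home-public-key>
AllowedIPs = 0.0.0.0/0
"""

def parse_wg(text):
    """Return [(section, {key: value})]; configs may repeat [Peer] sections."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def audit(text, role):
    """role is 'home' (dials out through CGNAT) or 'vps' (holds the public IP)."""
    findings = []
    for name, opts in parse_wg(text):
        if name != "peer":
            continue
        keepalive = opts.get("persistentkeepalive", "off")
        if role == "home" and "endpoint" not in opts:
            findings.append("home peer lacks Endpoint, so it cannot dial out to the VPS")
        if role == "home" and (not keepalive.isdigit() or int(keepalive) == 0):
            findings.append("PersistentKeepalive is off: the idle NAT mapping expires and inbound forwards stall")
        nets = [ipaddress.ip_network(n.strip(), strict=False)
                for n in opts.get("allowedips", "").split(",") if n.strip()]
        if role == "vps" and any(n.prefixlen == 0 for n in nets):
            findings.append("VPS accepts any source address from the home peer; pin AllowedIPs to its tunnel /32")
    return findings
```

Adding `PersistentKeepalive = 25` to the home peer and narrowing the VPS peer to `AllowedIPs = 10.8.0.2/32` clears both findings for these sample configs.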

Fix 4: Tailscale or Cloudflare Tunnel

For users who want a simpler managed solution:

  • Tailscale builds a mesh VPN across your devices using WireGuard underneath. It uses DERP relay servers to punch through CGNAT automatically for most connections. It’s free for personal use and requires no VPS. NAT traversal works in the majority of CGNAT scenarios without any manual configuration.
  • Cloudflare Tunnel (formerly Argo Tunnel) is ideal for exposing web services or remote access tools. A lightweight daemon on your machine makes an outbound connection to Cloudflare’s network; Cloudflare routes your public domain to that tunnel. It’s free for most personal use cases.

Neither Tailscale nor Cloudflare Tunnel will directly fix a gaming console’s NAT type, since you can’t install their clients on a PS5 or Xbox. For consoles, the VPS + WireGuard route or an ISP public IP remains the best option.

Which Fix Should You Use?

Start with the easiest option: call your ISP. If that fails and you run a PC or server, Tailscale solves most remote-access needs instantly. For gaming consoles specifically, a VPS-based WireGuard tunnel provides the most complete Open NAT fix. Once you have a public IP or functioning tunnel, verify with a speed test that your connection speed hasn’t degraded — a well-configured WireGuard tunnel on a nearby VPS typically adds less than 5 ms of latency. For related issues, see our guide on fixing Double NAT and our article on reducing WiFi latency for gaming.
