How to Fix CGNAT: Get a Public IP for Gaming and Port Forwarding
Carrier-Grade NAT (CGNAT) silently breaks port forwarding, causes Strict NAT on consoles, and prevents you from hosting game servers. Here’s how to detect it and fix it.
If you’ve ever tried to set up port forwarding for a game server, host a Minecraft world, or fix a “Strict NAT” warning on your PlayStation or Xbox — only to find it simply doesn’t work — there’s a good chance your ISP is the problem. Carrier-Grade NAT (CGNAT) is increasingly common, especially on 5G home internet, mobile broadband, and budget ISPs. And it silently breaks everything that depends on inbound connections.
What Is CGNAT?
Carrier-Grade NAT (also called CGN or large-scale NAT) is a method ISPs use to share a single public IPv4 address among dozens or even hundreds of customers. The global pool of IPv4 addresses ran out years ago, so ISPs have resorted to layering an extra NAT translation step between your home network and the internet.
With a normal home router, the chain looks like this: your device → your router (private IP) → the internet (your public IP). With CGNAT, it becomes: your device → your router (private IP) → your ISP’s CGNAT infrastructure (shared public IP) → the internet. You end up with two layers of NAT, and the outermost layer is controlled entirely by your ISP.
How to Tell If You’re Behind CGNAT
The quickest method: log into your router’s admin panel and find the WAN IP address (the IP your ISP assigned to your router). Then compare it to your public IP as seen from the internet — run our speed test and note the IP shown, or search “what is my IP” in your browser.
If those two IP addresses are different, you’re behind CGNAT. Also look at the WAN IP prefix — CGNAT typically uses addresses in the 100.64.0.0/10 range (100.64.x.x through 100.127.x.x), which is the IANA-reserved “Shared Address Space” designated specifically for CGNAT. Some ISPs use 10.x.x.x addresses instead.
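The comparison described above can be scripted. This is an added example, not code from the original article. The function name, result labels and sample addresses are constructed for illustration; the sample addresses are documentation or reserved ranges.

```python
import ipaddress

# RFC 6598 Shared Address Space, the range the article cites for CGNAT.
SHARED_SPACE = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges, listed explicitly: ip_address.is_private also
# matches documentation and other special ranges, which would misclassify.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip: str, public_ip: str) -> str:
    """Classify a router's WAN address against the public IP seen from the internet."""
    wan = ipaddress.ip_address(wan_ip)
    pub = ipaddress.ip_address(public_ip)
    if wan.version != 4 or pub.version != 4:
        return "not-ipv4"            # CGNAT is an IPv4 mechanism
    if wan in SHARED_SPACE:
        return "cgnat-shared-space"  # 100.64.x.x through 100.127.x.x
    if any(wan in net for net in RFC1918):
        # Either an ISP using private space for CGNAT (e.g. 10.x.x.x) or a
        # second router/modem in front of this one (double NAT).
        return "private-wan-upstream-nat"
    if wan == pub:
        return "public-ip"           # inbound port forwarding can work
    return "mismatch-upstream-translation"


# Constructed sample pairs: (WAN IP from the router admin panel, public IP).
SAMPLES = [
    ("100.72.14.9", "203.0.113.7"),
    ("10.44.0.12", "203.0.113.7"),
    ("203.0.113.7", "203.0.113.7"),
    ("198.51.100.20", "203.0.113.7"),
]

if __name__ == "__main__":
    for wan, pub in SAMPLES:
        print(f"{wan:15} vs {pub:15} -> {classify_wan(wan, pub)}")
```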
On gaming consoles, look at your NAT Type. NAT Type 3 (PlayStation) or Strict NAT (Xbox) are the telltale signs that something upstream — almost always CGNAT — is blocking inbound connections.
Why CGNAT Breaks Gaming and Port Forwarding
Port forwarding works by telling your router: “when a connection arrives on port 25565, send it to my gaming PC at 192.168.1.50.” This only works if incoming connections actually reach your router first. Under CGNAT, incoming traffic hits your ISP’s shared infrastructure, and since hundreds of customers share that same public IP, there is no way for the CGNAT device to know which customer to forward traffic to.
Any port forwarding rules you set in your router simply do nothing. Inbound traffic never arrives. This breaks:
- Hosting game servers (Minecraft, Valheim, Palworld, CS2)
- Peer-to-peer gaming connections in older titles
- PlayStation NAT Type 2 / Xbox Open NAT requirements
- Remote desktop and self-hosted services
- VoIP and SIP phone setups
Fix 1: Request a Public IP from Your ISP (Best Option)
The cleanest solution is to opt out of CGNAT by asking your ISP for a dedicated public IPv4 address. Many ISPs offer this — sometimes free, sometimes for a small monthly fee ($5–$15 is typical). Call or chat with your ISP’s support team and ask specifically for a “static IP” or “dynamic public IP without CGNAT.”
With a true public IP on your router’s WAN interface, standard port forwarding works exactly as expected. This is the recommended approach for home game servers, Plex media servers, or anyone who needs reliable inbound connections.
Note for 5G home internet users: T-Mobile Home Internet and similar services often place all customers behind CGNAT with no public IP option. If that’s your situation, use one of the workarounds below.
Fix 2: VPN with Port Forwarding
Several commercial VPN providers offer dedicated IP addresses or port forwarding features that give you a routable public endpoint. When connected, your gaming device or server becomes reachable through the VPN provider’s infrastructure, bypassing CGNAT entirely.
Providers known to support port forwarding include Private Internet Access (PIA), PureVPN, and AirVPN. Install the VPN on your router or gaming device, then forward the required game ports through the VPN provider’s control panel. Speeds are generally sufficient for gaming, though expect a small latency increase from the VPN routing hop.
Fix 3: Tailscale or ZeroTier (NAT Traversal — Best for Multiplayer With Friends)
For multiplayer gaming with friends, Tailscale and ZeroTier create encrypted virtual LANs that work across CGNAT using NAT traversal (UDP hole-punching). Both players install the client, join the same virtual network, and each device appears to be on the same local network — no port forwarding required.
Tailscale is the easier option: install the app on all devices, sign in with a Google or Microsoft account, and you’re connected. It uses WireGuard under the hood for low-overhead encryption. ZeroTier is a similar alternative that gives advanced users the option of a self-hosted control plane. Both work well for Minecraft, Valheim, and any game with LAN play support.
Fix 4: Reverse Tunnel via VPS
For technically inclined users running persistent game servers, renting a cheap VPS (Virtual Private Server) and setting up a reverse tunnel is a powerful long-term option. Tools like frp (fast reverse proxy) or a site-to-site WireGuard tunnel let you route public traffic from the VPS’s real public IP down to your home server. Your home server initiates the outbound tunnel (which CGNAT allows), and all incoming game traffic arrives at the VPS then forwards through the tunnel.
A basic VPS from providers like Vultr or Hetzner costs around $4–$6 per month, making this an affordable solution for dedicated game server hosting.
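The toy model below is an added example, not part of the original article. It shows both why unsolicited inbound traffic dies at the CGNAT and why a tunnel the home server opens toward a VPS still gets its replies. The class, addresses and port numbers are constructed, and the model assumes the strictest filtering: replies are accepted only from the endpoint the subscriber contacted.

```python
class CarrierNat:
    """Toy CGNAT: one public IP shared by many subscribers."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000
        self.table = {}  # public port -> (subscriber endpoint, remote endpoint)

    def outbound(self, src, dst):
        """Subscriber opens a flow; the NAT allocates (or reuses) a public port."""
        for port, flow in self.table.items():
            if flow == (src, dst):
                return (self.public_ip, port)
        port = self.next_port
        self.next_port += 1
        self.table[port] = (src, dst)
        return (self.public_ip, port)

    def inbound(self, remote, public_port):
        """Return the subscriber endpoint for an arriving packet, or None if dropped."""
        flow = self.table.get(public_port)
        if flow is None:
            return None  # no state: the NAT cannot tell which subscriber is meant
        src, dst = flow
        if dst != remote:
            return None  # state exists, but for a different remote peer
        return src


def demo():
    nat = CarrierNat("198.51.100.10")   # shared public IP (constructed)
    home = ("100.64.3.20", 51820)       # home router WAN side (constructed)
    vps = ("203.0.113.50", 51820)       # VPS public endpoint (constructed)
    player = ("192.0.2.77", 50000)      # a player on the internet (constructed)
    results = {}
    # A player connects straight to the shared IP on the game port.
    results["direct"] = nat.inbound(player, 25565)
    # The home server initiates the tunnel, which creates NAT state.
    results["mapped"] = nat.outbound(home, vps)
    # Traffic from the VPS now flows back down the tunnel.
    results["tunnel_reply"] = nat.inbound(vps, results["mapped"][1])
    # Anyone else hitting that mapped port is still dropped.
    results["stranger"] = nat.inbound(player, results["mapped"][1])
    return results
```

Players connect to the VPS address, and only the VPS ever talks to the mapped port, which is why the home server stays reachable without any rule on the ISP side.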
Fix 5: Enable IPv6
CGNAT only applies to IPv4. If your ISP supports IPv6 (many modern ones do), each device on your network gets a globally routable IPv6 address with no NAT at all. Games and services that support IPv6 connect directly, bypassing CGNAT entirely.
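Check your router’s WAN settings for IPv6 or DHCPv6 prefix delegation options. Because these addresses are reachable with no NAT in front of them, your router’s IPv6 firewall decides which inbound connections get through, so open only the ports your game or server needs. Not every game or server supports IPv6 yet, but this is increasingly a clean long-term path as IPv6 adoption continues to grow.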
Which Fix Is Right for You?
- Ask your ISP for a public IP — solves everything cleanly, no ongoing complexity.
- Use Tailscale or ZeroTier if you only need multiplayer with friends and don’t need a public server.
- Use a VPN with port forwarding if your ISP won’t budge and you need to be publicly reachable.
- Use a VPS reverse tunnel for persistent dedicated servers where you want maximum control.
For related networking tips, see our guides on fixing Double NAT and setting up a VPN on your router.