
How to Fix CGNAT: What to Do When Your ISP Uses a Shared Public IP Address

CGNAT silently breaks port forwarding, self-hosting, and some gaming features. Here’s how to detect it, what it actually affects, and the five proven workarounds — from asking your ISP for a public IP to free VPN tunnels that bypass it entirely.


You set up port forwarding, double-checked the rules, and your router shows the port as open — but connections from the internet still fail. Or your gaming console reports “Strict NAT” no matter what you try. The culprit is often something happening outside your home entirely: Carrier-Grade NAT, or CGNAT. This guide explains exactly what CGNAT is, how to confirm you’re behind it, what it actually breaks, and the five practical methods to work around it.

What Is CGNAT?

Carrier-Grade NAT (also called CGN, Large-Scale NAT, or LSN) is a technique ISPs use to stretch the dwindling supply of IPv4 addresses. Instead of giving each subscriber a unique public IP address, the ISP assigns your router's WAN port an address from 100.64.0.0/10, the shared address space IANA set aside for exactly this purpose (RFC 6598; a few ISPs use ordinary RFC 1918 private space instead), and shares a small pool of real public IPs across hundreds or thousands of customers simultaneously.

The result is two layers of NAT: one inside your home router, and a second inside the ISP’s own infrastructure. Your home devices → home router NAT → ISP CGNAT box → the internet. Outbound traffic (browsing, streaming, gaming as a client, video calls) passes through both layers invisibly. Inbound connections — which require the ISP to know which specific customer behind a shared public IP should receive the traffic — simply cannot reach you.

How to Tell If You’re Behind CGNAT

The fastest check is to compare the IP address your router sees on its WAN port to the IP address the internet sees from your connection.

  1. Log into your router’s admin interface (typically 192.168.1.1 or 192.168.0.1) and find the WAN or Internet Status page. Note the IP address listed there.
  2. In a browser on any device at home, search “what is my IP” and note the public IP the site reports.
  3. If the two addresses match, you have a real public IP and CGNAT is not the issue. If they differ and the WAN address is in 100.64.0.0/10 (first octet 100, second octet 64 through 127), you are behind CGNAT. If the WAN address is RFC 1918 private space instead (10.x.x.x, 172.16.x.x through 172.31.x.x, or 192.168.x.x), the ISP may be running CGNAT with private addresses, but more often an ISP-supplied modem/gateway in front of your router is doing its own NAT (double NAT at home); log into that gateway and check its WAN address before blaming the ISP.

A WAN address in the 100.64.0.0/10 range (100.64.x.x through 100.127.x.x) is the definitive fingerprint of CGNAT: that range is IANA-reserved specifically for ISP shared-address space and will never appear as a genuine public IP. A traceroute from any home device to an internet host gives the same signal without router access: a hop with a 100.64.0.0/10 address right after your router is almost certainly the ISP's CGNAT gateway.
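The comparison above, as an added POSIX shell example (not part of the original article): it classifies the router's WAN address, then turns the WAN/external pair into a verdict that also covers the double-NAT and VPN/proxy cases that a plain "do they differ?" check gets wrong. The addresses in the demo are constructed (203.0.113.0/24 is documentation space), and api.ipify.org in the network helper is just one of many "what is my IP" services, chosen here as an assumption.

```shell
#!/bin/sh
# Added example: classify a router's WAN address and compare it with what the internet sees.
# Pure POSIX sh, no network needed; WAN_IP comes from the router's status page,
# EXTERNAL_IP from any "what is my IP" service.

# Print one of: cgnat-shared | rfc1918-private | public | invalid
ip4_class() {
    ip=$1
    case $ip in ''|*[!0-9.]*|.*|*.|*..*) printf 'invalid\n'; return 0 ;; esac
    set -- $(printf '%s\n' "$ip" | tr '.' ' ')      # split into octets (default IFS)
    [ $# -eq 4 ] || { printf 'invalid\n'; return 0; }
    for o in "$@"; do
        [ "$o" -le 255 ] || { printf 'invalid\n'; return 0; }
    done
    if [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then
        printf 'cgnat-shared\n'                      # 100.64.0.0/10, RFC 6598 shared address space
    elif [ "$1" -eq 10 ] || { [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; } \
         || { [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; }; then
        printf 'rfc1918-private\n'                   # ordinary private space, RFC 1918
    else
        printf 'public\n'
    fi
}

# Verdict from the two observations. Prints one of:
#   public-ip              WAN address is public and identical to the outside view: no CGNAT
#   cgnat                  WAN address is in 100.64.0.0/10: CGNAT, definitively
#   private-wan            WAN address is RFC 1918: CGNAT using private space, or another NAT box
#                          (ISP gateway in router mode) in front of this router; check that box's WAN
#   public-but-translated  WAN address is public but the outside sees a different one: NAT upstream
#                          using public-looking space, or the lookup went through a VPN/proxy
#   invalid-input
nat_verdict() {
    wan=$1; ext=$2
    wc=$(ip4_class "$wan"); ec=$(ip4_class "$ext")
    if [ "$wc" = invalid ] || [ "$ec" = invalid ]; then printf 'invalid-input\n'; return 0; fi
    if [ "$wan" = "$ext" ] && [ "$wc" = public ]; then printf 'public-ip\n'
    elif [ "$wc" = cgnat-shared ]; then printf 'cgnat\n'
    elif [ "$wc" = rfc1918-private ]; then printf 'private-wan\n'
    else printf 'public-but-translated\n'
    fi
}

# Network helper for the second observation (not called here; api.ipify.org is an assumption,
# any "what is my IP" service works). -4 forces IPv4 so an IPv6-capable host does not skew the check.
external_ip() { curl -4 -fsS https://api.ipify.org; }

# Demo with constructed addresses
nat_verdict 100.70.3.4 203.0.113.7      # cgnat
nat_verdict 192.168.100.2 203.0.113.7   # private-wan
nat_verdict 203.0.113.7 203.0.113.7     # public-ip
```

Run it as `nat_verdict "$WAN_IP" "$(external_ip)"` after filling in the WAN address from the router's status page. The `private-wan` verdict is deliberately not called CGNAT: with an ISP gateway in router mode in front of your own router, the same two-address mismatch appears and the fix is to bridge the gateway, not to call the ISP.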

What CGNAT Actually Breaks (and What It Doesn’t)

CGNAT is invisible to the vast majority of internet activity. If your household mainly browses the web, streams video, plays games as a client, or makes video calls, CGNAT causes zero problems. The affected use cases are specifically those that require inbound connections:

  • Port forwarding: Entirely non-functional behind CGNAT. Rules on your home router have no effect because the ISP’s CGNAT box does not know to forward incoming traffic to you.
  • Self-hosting: Running a web server, game server, Plex media server with remote access, or any service that outside users need to reach by IP or domain will not work without a workaround.
  • Gaming NAT type: Console NAT tests (Xbox Open/Moderate/Strict, PlayStation Type 1/2/3, Nintendo Type A through D) measure whether other players can reach you directly. Peer-to-peer games set up sessions by UDP hole punching, and a second NAT layer that you cannot configure usually defeats it, so CGNAT typically forces "Strict" or "Type D," which prevents hosting and shrinks matchmaking pools. Pure client-to-server games (most modern online games) are unaffected.
  • Remote desktop and VPN servers: Services like RDP, WireGuard server, and OpenVPN server at home require inbound connections and will fail behind CGNAT.
  • IP-based security cameras with direct remote access: Cameras that rely on direct port forwarding to a DVR or NVR will not connect remotely. Cloud-relay cameras (Ring, Arlo, Nest) are unaffected since they use outbound tunnels to their cloud.

Fix 1: Ask Your ISP for a Public IP

The cleanest solution is to simply opt out of CGNAT by requesting a dedicated public IP address from your ISP. Many providers offer this as a business or static-IP add-on:

  • Cost: Typically $5–$30 per month on residential plans, sometimes free for business tiers.
  • What you get: A real, routable public IPv4 address on your WAN port. Port forwarding, self-hosting, and gaming NAT all work normally.
  • Availability: Not all ISPs offer this. Mobile broadband providers (T-Mobile Home Internet, Verizon 5G Home) and some budget ISPs have no public-IP option for residential subscribers.

Call or chat with your ISP and ask specifically for a "dedicated public IP" or "static IP." If they say it's not available on your plan, ask whether upgrading to a business plan includes it; often the cost difference is modest. Once you have a public IP, your router is directly reachable from the whole internet, so make sure remote administration of the router itself is disabled on the WAN side and forward only the ports you actually need.

Fix 2: Use IPv6 (If Your ISP Offers It)

IPv6 addresses are globally unique by design — there is no NAT at the ISP level, so every device in your home can have a fully routable public IPv6 address. Many ISPs that use CGNAT for IPv4 nonetheless provide native IPv6 alongside it.

To check: run ipconfig /all on Windows, ifconfig on macOS, or ip -6 addr on Linux and look for a global address (one starting with a hex digit 2 or 3, i.e. in 2000::/3), not a link-local fe80:: address and not a unique-local address (fc00::/7, in practice starting with fd), which ip(8) also labels "scope global" but which never leaves your network. Better yet, visit a site like test-ipv6.com to confirm full IPv6 connectivity. If your ISP delivers IPv6, services that support it, including many modern games and VPN protocols, bypass CGNAT entirely on the IPv6 path. Two caveats: your router's IPv6 firewall drops unsolicited inbound traffic by default (there is no NAT, but there is still a stateful firewall), so you must add an explicit allow rule, sometimes called a pinhole, for the host and port you are exposing; and most ISPs hand out a dynamic prefix, so publish the address through a dynamic DNS AAAA record rather than hard-coding it.

The limitation: IPv6 adoption is incomplete. If you need to host a service accessible from networks that don’t have IPv6 connectivity, you still need one of the tunnel-based workarounds below.
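The address check and the firewall pinhole from the previous paragraphs, as an added shell example (not part of the original article): it picks the stable global address out of `ip -6 addr` output, skipping privacy addresses and unique-local addresses that ip(8) also reports as "scope global", and builds the nftables rule a Linux router would need to let inbound traffic reach that host. The interface output is constructed sample data (2001:db8::/32 is documentation space), and the `inet filter` table with a drop-policy `forward` chain is an assumption about the router's ruleset.

```shell
#!/bin/sh
# Added example: find a Linux host's globally routable IPv6 address and emit the firewall
# pinhole that hosting over IPv6 needs. Sample `ip -6 addr show` output below is constructed.

# Print: global | link-local | unique-local | loopback | other
ipv6_class() {
    a=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case $a in
        fe[89ab]?:*) printf 'link-local\n' ;;     # fe80::/10: never leaves the LAN segment
        f[cd]??:*)   printf 'unique-local\n' ;;   # fc00::/7: IPv6's RFC 1918, not routed on the internet
        ::1)         printf 'loopback\n' ;;
        [23]???:*)   printf 'global\n' ;;         # 2000::/3: the only range routed globally today
        *)           printf 'other\n' ;;
    esac
}

# Read `ip -6 addr show` on stdin; print stable global addresses, one per line, without prefix length.
# "temporary" (privacy) addresses rotate, so DNS must not point at them. Unique-local addresses are
# listed as "scope global" by ip(8) too, so the scope word alone is not a usable filter.
stable_global_ipv6() {
    while read -r line; do
        case $line in "inet6 "*) ;; *) continue ;; esac
        case " $line " in *" temporary "*) continue ;; esac
        set -- $line
        addr=${2%/*}
        if [ "$(ipv6_class "$addr")" = global ]; then printf '%s\n' "$addr"; fi
    done
    return 0
}

# Print the nft command that opens one inbound port to one host through a router's forward chain.
# Assumes an `inet filter` table with a `forward` chain whose policy is drop (common on Linux
# router builds; consumer routers expose the same thing as an "IPv6 firewall" or "pinhole" page).
# Refuses non-global addresses: a pinhole for a ULA or link-local address can never match real traffic.
ipv6_pinhole_rule() {   # ipv6_pinhole_rule ADDR tcp|udp PORT
    [ "$(ipv6_class "$1")" = global ] || { printf 'not a global address: %s\n' "$1" >&2; return 1; }
    case $2 in tcp|udp) ;; *) printf 'bad protocol: %s\n' "$2" >&2; return 1 ;; esac
    case $3 in ''|*[!0-9]*) printf 'bad port: %s\n' "$3" >&2; return 1 ;; esac
    printf 'add rule inet filter forward ip6 daddr %s %s dport %s ct state new accept\n' "$1" "$2" "$3"
}

# Constructed sample: one stable global address, one privacy address, one ULA, one link-local
sample_ip6='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:4d0:1:7c3a:ff:fe12:3456/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86395sec preferred_lft 14395sec
    inet6 2001:db8:4d0:1:a1b2:c3d4:e5f6:789/64 scope global temporary dynamic
       valid_lft 86395sec preferred_lft 14395sec
    inet6 fd12:3456:789a:1::10/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::7c3a:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever'

host=$(printf '%s\n' "$sample_ip6" | stable_global_ipv6)
printf 'stable global address: %s\n' "$host"     # 2001:db8:4d0:1:7c3a:ff:fe12:3456
ipv6_pinhole_rule "$host" tcp 443                 # feed to: nft -f -
```

On a real host replace the sample with `ip -6 addr show dev eth0 | stable_global_ipv6`, and apply the rule on the router with `ipv6_pinhole_rule "$host" tcp 443 | nft -f -`. Because the prefix can change, rerun both steps from the same script that updates your AAAA record, or the pinhole will silently stop matching after the next prefix rotation.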

Fix 3: Cloudflare Tunnel (Free, HTTPS Services Only)

Cloudflare Tunnel is a free service that creates an outbound encrypted connection from a device on your network to Cloudflare’s edge. Traffic arrives at Cloudflare’s global network and is forwarded through the tunnel to your local server — no inbound connection required, so CGNAT is bypassed entirely.

Setup involves installing the cloudflared daemon on the machine you want to expose, authenticating it with a free Cloudflare account, and assigning a subdomain of your domain (or a free trycloudflare.com subdomain) to the tunnel. The result is a publicly accessible HTTPS URL that points to a service running at home.

The key limitation: Cloudflare Tunnel is built for HTTP and HTTPS web services. Raw TCP or UDP ports (game servers, custom VPN servers, RDP) cannot be published to anonymous clients through it; cloudflared can carry SSH, RDP and arbitrary TCP, but only to clients that themselves run cloudflared or the WARP client and authenticate through Cloudflare Zero Trust (formerly Cloudflare Teams; free for up to 50 users). For pure web hosting, Cloudflare Tunnel is the best free option available. Two things to keep in mind: the origin now sees every request arriving from the local cloudflared process, so make sure the service is reachable only through the tunnel before trusting the Cf-Connecting-IP header for logging or rate limiting, and put a Cloudflare Access policy in front of anything with an admin login rather than leaving it open to the whole internet.
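The setup described above, as an added shell example (not part of the original article and not Cloudflare's own tooling): it generates the cloudflared `config.yml` for a named tunnel and lists the one-time provisioning commands. The tunnel name "home", the hostnames under example.com, the local origins, and the /etc/cloudflared path are assumptions; the tunnel UUID comes from `cloudflared tunnel create` and is a placeholder here.

```shell
#!/bin/sh
# Added example: build a cloudflared config.yml and document the provisioning steps.
# Assumed: tunnel "home", hostnames under example.com, config in /etc/cloudflared.

# cloudflared_config TUNNEL_UUID CREDENTIALS_FILE hostname=service [hostname=service ...]
# The closing catch-all rule is mandatory: cloudflared refuses to start without one. Make it an
# error response rather than a default origin, otherwise any hostname pointed at the tunnel
# (including ones you did not intend) lands on that origin.
cloudflared_config() {
    uuid=$1; cred=$2; shift 2
    [ $# -ge 1 ] || { printf 'need at least one hostname=service rule\n' >&2; return 1; }
    printf 'tunnel: %s\ncredentials-file: %s\ningress:\n' "$uuid" "$cred"
    for rule in "$@"; do
        host=${rule%%=*}; svc=${rule#*=}
        case $svc in
            http://*|https://*) ;;           # web origins: reachable by any browser
            ssh://*|rdp://*|tcp://*) ;;      # non-HTTP origins: clients need cloudflared/WARP plus Access
            *) printf 'unsupported service: %s\n' "$svc" >&2; return 1 ;;
        esac
        printf '  - hostname: %s\n    service: %s\n' "$host" "$svc"
    done
    printf '  - service: http_status:404\n'
}

# Run once, interactively, on the home machine (needs network and a Cloudflare account; not run here).
provision_tunnel() {   # provision_tunnel NAME HOSTNAME
    cloudflared tunnel login                 # browser login; writes ~/.cloudflared/cert.pem
    cloudflared tunnel create "$1"           # prints the tunnel UUID and writes ~/.cloudflared/<UUID>.json
    cloudflared tunnel route dns "$1" "$2"   # CNAME <hostname> -> <UUID>.cfargotunnel.com
}

# Demo with a placeholder UUID (use the one printed by `cloudflared tunnel create home`)
cloudflared_config TUNNEL-UUID-FROM-CREATE /etc/cloudflared/TUNNEL-UUID-FROM-CREATE.json \
    home.example.com=http://localhost:8080 \
    ssh.example.com=ssh://localhost:22
```

Write the output to /etc/cloudflared/config.yml, check it with `cloudflared tunnel --config /etc/cloudflared/config.yml ingress validate`, then start it with `cloudflared tunnel run home` (or `cloudflared service install` for a systemd unit). The `ssh://` entry only works for clients that connect through cloudflared themselves, for example with `ProxyCommand cloudflared access ssh --hostname ssh.example.com` in their SSH config, which is the point: nothing on the home machine is listening to the internet, and the SSH hostname should additionally be gated by an Access policy.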

Fix 4: WireGuard Reverse Tunnel via a VPS

If you need arbitrary TCP/UDP port access — a game server, custom VPN, NAS with remote access — the most flexible DIY approach is a WireGuard reverse tunnel through a cheap cloud VPS. A $4–$6/month VPS from providers like Hetzner, Linode, or DigitalOcean gives you a public IP. You configure WireGuard so that your home server creates an outbound connection to the VPS, and the VPS forwards specific inbound ports back through that tunnel to your home network.

The technical flow: internet user → VPS public IP:port → WireGuard tunnel → your home server. Since the tunnel is initiated outbound from your home, CGNAT cannot block it. A typical setup takes 20–30 minutes with a basic Linux VPS and the WireGuard documentation. Our guide on setting up WireGuard on your home router covers the fundamentals of WireGuard configuration.
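The reverse tunnel above, as an added shell example (not part of the original article): two functions emit the wg-quick configs for the VPS and the home server, with the iptables rules that make the VPS forward chosen ports down the tunnel. The tunnel subnet 10.200.0.0/24, the VPS interface name eth0, UDP port 51820 and the placeholder keys are assumptions; generate real keys with `wg genkey | tee private.key | wg pubkey > public.key` on each side. The design point that the article's flow description leaves implicit is return traffic: after the DNAT the home server would answer the internet client through its own ISP uplink, so the VPS also MASQUERADEs forwarded traffic into the tunnel, which forces replies back through wg0 at the cost of the home service seeing 10.200.0.1 instead of the real client address.

```shell
#!/bin/sh
# Added example: generate WireGuard configs for a VPS-to-home reverse tunnel.
# Assumptions: tunnel subnet 10.200.0.0/24, VPS = 10.200.0.1, home server = 10.200.0.2,
# VPS public interface eth0, WireGuard on UDP 51820. Keys are passed in, never generated here.

WG_NET=10.200.0.0/24
VPS_WG_IP=10.200.0.1
HOME_WG_IP=10.200.0.2
WG_PORT=51820
VPS_IF=eth0

# Emit the PostUp/PostDown iptables pairs for one "proto:port" spec, e.g. tcp:25565
forward_rules() {
    spec=$1
    proto=${spec%%:*}; port=${spec#*:}
    case $proto in tcp|udp) ;; *) printf 'bad protocol in %s\n' "$spec" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) printf 'bad port in %s\n' "$spec" >&2; return 1 ;; esac
    for act in A D; do
        if [ "$act" = A ]; then hook=PostUp; else hook=PostDown; fi
        # Rewrite the destination of packets arriving on the public port to the home server's tunnel IP
        printf '%s = iptables -t nat -%s PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s\n' \
            "$hook" "$act" "$VPS_IF" "$proto" "$port" "$HOME_WG_IP"
        # ...and let those packets through the forward chain into wg0
        printf '%s = iptables -%s FORWARD -i %s -o wg0 -p %s -d %s --dport %s -j ACCEPT\n' \
            "$hook" "$act" "$VPS_IF" "$proto" "$HOME_WG_IP" "$port"
    done
}

# vps_wg_conf VPS_PRIVATE_KEY HOME_PUBLIC_KEY proto:port [proto:port ...]  -> /etc/wireguard/wg0.conf on the VPS
vps_wg_conf() {
    vps_priv=$1; home_pub=$2; shift 2
    [ $# -ge 1 ] || { printf 'need at least one proto:port to forward\n' >&2; return 1; }
    printf '[Interface]\nAddress = %s/24\nListenPort = %s\nPrivateKey = %s\n' "$VPS_WG_IP" "$WG_PORT" "$vps_priv"
    printf 'PostUp = sysctl -q -w net.ipv4.ip_forward=1\n'
    for act in A D; do
        if [ "$act" = A ]; then hook=PostUp; else hook=PostDown; fi
        # Replies coming back up the tunnel are part of an established flow: let them out to the internet
        printf '%s = iptables -%s FORWARD -i wg0 -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
            "$hook" "$act" "$VPS_IF"
        # MASQUERADE into the tunnel so the home server replies via wg0, not via its CGNAT uplink.
        # Cost: the home service sees 10.200.0.1 as the client address instead of the real one.
        printf '%s = iptables -t nat -%s POSTROUTING -o wg0 -j MASQUERADE\n' "$hook" "$act"
    done
    for spec in "$@"; do forward_rules "$spec" || return 1; done
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$home_pub" "$HOME_WG_IP"
}

# home_wg_conf HOME_PRIVATE_KEY VPS_PUBLIC_KEY VPS_PUBLIC_IP  -> /etc/wireguard/wg0.conf at home
home_wg_conf() {
    printf '[Interface]\nAddress = %s/24\nPrivateKey = %s\n' "$HOME_WG_IP" "$1"
    # No ListenPort: the home side only dials out. AllowedIPs is the tunnel subnet only, so the
    # home server's default route stays on its ISP uplink. PersistentKeepalive refreshes the CGNAT
    # mapping every 25 s so the VPS can still push packets down the tunnel after idle periods.
    printf '\n[Peer]\nPublicKey = %s\nEndpoint = %s:%s\nAllowedIPs = %s\nPersistentKeepalive = 25\n' \
        "$2" "$3" "$WG_PORT" "$WG_NET"
}

# Demo with placeholder keys and a documentation-range VPS address
vps_wg_conf VPS_PRIVATE_KEY_HERE HOME_PUBLIC_KEY_HERE tcp:25565 udp:25565
echo '# ---- home side ----'
home_wg_conf HOME_PRIVATE_KEY_HERE VPS_PUBLIC_KEY_HERE 203.0.113.10
```

Save each output as /etc/wireguard/wg0.conf (mode 600, it holds a private key) on the respective machine and bring the tunnel up with `wg-quick up wg0`; `wg show` on the VPS should report a recent handshake from the home peer within a minute. If the service that needs exposing runs on a different LAN host than the WireGuard endpoint, point the DNAT at that host's LAN address and add a route for it on the VPS peer's AllowedIPs, or run the tunnel on the router itself.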

Fix 5: Tailscale or ZeroTier (Peer-to-Peer Mesh VPN)

Tailscale and ZeroTier are mesh VPN services that create an encrypted peer-to-peer network between your devices using NAT traversal techniques. Both use STUN/ICE-style UDP hole punching to establish direct encrypted connections between nodes behind NAT, including CGNAT, without requiring any inbound port access, and both fall back to relaying through the provider's servers (Tailscale's DERP relays, ZeroTier's root servers) when hole punching fails, so connectivity survives at the cost of some added latency.

  • Tailscale: Free for personal use (up to 100 devices). Install the Tailscale client on your home server and on the remote device you want to connect from. They appear on the same virtual network, with direct encrypted tunnels automatically negotiated — CGNAT is invisible. Best for personal remote access, home lab management, and team access to home resources.
  • ZeroTier: Similar approach, free up to 25 devices. Slightly more technical setup but fully self-hostable for the controller node.

The tradeoff: these tools give invited peers access to your home network, not the general public. If you need to run a publicly accessible web server or game server that anyone can reach, Cloudflare Tunnel or the WireGuard VPS approach are more appropriate (Tailscale's Funnel feature can publish an HTTPS service to the public internet, but not raw TCP/UDP). Two notes for anyone sharing the network with others: the default access policy lets every device reach every other device on every port, so write an ACL that limits shared peers to the specific hosts and ports they need; and a subnet router that advertises your whole LAN exposes every device on it, not just the server.

Which Fix Is Right for You?

Match the solution to your actual use case:

  • General self-hosting / web service: Cloudflare Tunnel (free) or ISP static IP ($5–$30/month).
  • Game server or raw TCP/UDP: WireGuard VPS tunnel ($4–$6/month VPS) or ISP static IP.
  • Personal remote access to home network: Tailscale (free for personal use) — easiest setup, no VPS needed.
  • Gaming NAT type fix: ISP public IP is the most reliable; Tailscale can help for specific peer-to-peer games; IPv6 fixes it for games with native IPv6 support.
  • Nothing above matters to you: CGNAT is not your problem. Run a speed test to find the actual source of any slowness.

For most households that only experience outbound-traffic issues, the real culprit is WiFi signal quality, not CGNAT. Check your WiFi signal strength vs. speed before assuming CGNAT is to blame. And if you’re on T-Mobile Home Internet or a similar 5G home broadband service, see our dedicated guide on fixing CGNAT for gaming consoles for platform-specific steps.
