How to Fix CGNAT on Your Home Internet: What Carrier-Grade NAT Is, How to Detect It, and How to Request a Public IP From Your ISP

Most home internet subscribers don’t realize they might be sharing a single public IP address with dozens of other households — and that’s exactly what Carrier-Grade NAT (CGNAT) does. If port forwarding consistently fails, your gaming console shows a Strict NAT type, or you can’t host any inbound connection despite correct router settings, CGNAT is often the culprit. This guide explains what CGNAT is, how to confirm you’re behind it, and every practical fix available in 2026. Run a speed test first to rule out general connection issues before investigating NAT.

What Is CGNAT?

Network address translation (NAT) is normally a function your home router performs: it maps all your private devices (192.168.x.x) to a single public IP address assigned by your ISP. Carrier-Grade NAT adds a second layer of translation at the ISP level, between your home router’s WAN interface and the public internet. Instead of your router receiving a true public IP, it gets an address in the RFC 6598 range — 100.64.0.0 through 100.127.255.255 — which is then NATted again by ISP equipment you cannot control.

The result: dozens or even hundreds of customers share a single real public IPv4 address. ISPs deploy CGNAT because IPv4 addresses ran out years ago, and CGNAT lets them extend their existing address pool without fully migrating to IPv6. It is especially prevalent on T-Mobile Home Internet, AT&T Fixed Wireless Access, and many newer cable deployments.

Why CGNAT Causes Problems

Outbound connections — web browsing, streaming, video calls — work perfectly fine through CGNAT. The problems arise with any service that requires another device to initiate a connection inbound to you:

• Gaming (Strict NAT type): Xbox and PlayStation report NAT Type 3 or Strict, blocking peer-to-peer lobbies and voice chat for games that require direct player-to-player connections. PC game launchers report similar restrictions.
• Port forwarding doesn’t work: You can forward a port on your router correctly, but CGNAT intercepts inbound traffic before it reaches your router. The port is open on your equipment and closed to the internet.
• Hosting servers: Running a Minecraft server, Home Assistant, a web server, or any publicly reachable service is impossible without a workaround.
• Self-hosted VPN and remote desktop: WireGuard and OpenVPN servers require inbound access that CGNAT blocks entirely.
• Torrenting: Peer-to-peer uploads require inbound connections from peers; CGNAT severely limits seeding ratios and download speeds from private trackers that require a decent ratio.

How to Detect CGNAT

Method 1: Check Your Router’s WAN IP

Log into your router’s admin page (typically 192.168.1.1 or 192.168.0.1) and find the WAN IP address — often labeled “Internet IP” or “External IP.” If it starts with any value between 100.64 and 100.127, you are behind CGNAT. That range (100.64.0.0/10) is reserved exclusively for carrier-grade NAT by RFC 6598 and has no other valid use on a home connection. This is a 100% confirmation.

Method 2: Compare WAN IP to Your Public IP

Visit a site like WhatIsMyIP.com or browserleaks.com/ip from your browser, then compare the address shown to your router’s WAN IP. If they don’t match, your ISP is running an additional layer of NAT between your router and the internet. If both match and the address is a normal public IP (not in the 100.64.0.0/10 range), you are not behind CGNAT.

Method 3: Traceroute

Run tracert google.com on Windows or traceroute google.com on Mac and Linux. Inspect the first several hops. If you see any address in the 100.64.0.0–100.127.255.255 range appearing before the traffic reaches your ISP’s public backbone, CGNAT is confirmed. An early hop showing something like 100.76.x.x is a reliable indicator.

How to Fix CGNAT

Fix 1: Request a Public IP From Your ISP

This is the cleanest and most permanent fix. Call or chat with your ISP and ask for a dedicated public IPv4 address, or ask to be “removed from CGNAT.” Many traditional cable and fiber ISPs will enable this for free because they have sufficient address space for their subscriber base. Others charge a monthly fee: T-Mobile Fiber charges $10/month as of mid-2026; AT&T charges $15–$25/month depending on plan tier. The conversation is quick. A few ISPs — particularly wireless home internet providers — may decline entirely, in which case the options below apply.

Fix 2: Use IPv6

IPv6 completely sidesteps CGNAT. Every IPv6 address is globally unique, so there is no shared NAT between your device and the internet. If your ISP provides IPv6 (most do in 2026), your devices already have true public IPv6 addresses — confirm by searching “what is my IPv6 address” from a browser. Xbox Live and PlayStation Network fully support IPv6; NAT type issues on modern consoles often resolve themselves without any hardware or ISP changes once IPv6 is active. Port forwarding for IPv6 works exactly as expected, and CGNAT never touches IPv6 traffic.

Fix 3: Use Tailscale or a Mesh VPN

Tailscale is a free peer-to-peer VPN built on WireGuard that uses relay servers to pierce CGNAT for direct device-to-device connections. Install Tailscale on the device you want to reach remotely — a home server, NAS, or desktop PC — and on your remote device. Even behind CGNAT, Tailscale establishes a direct encrypted tunnel using UDP hole-punching. It is free for personal use on up to 100 devices. ZeroTier and NetBird are comparable alternatives. See our guide on setting up WireGuard on your home router for context on how self-hosted tunnels compare to managed mesh VPN services.

Fix 4: VPN With Dedicated IP or Port Forwarding

Commercial VPN providers such as PureVPN and Private Internet Access offer dedicated IP addresses or port-forwarding add-ons that let you receive inbound connections through a stable public address, completely bypassing your ISP’s CGNAT. Costs range from $5–$12/month on top of the base VPN subscription. This approach works for game servers, torrenting, and self-hosted services, but all traffic routes through the VPN provider’s servers — which adds latency and introduces a third-party dependency.

Fix 5: Cloudflare Tunnels for Web Services

If you need to expose a web application or Home Assistant dashboard from behind CGNAT, Cloudflare Tunnel (cloudflared) is a free solution. The cloudflared daemon on your home server makes an outbound connection to Cloudflare, which routes inbound HTTPS traffic back through that tunnel — no port forwarding or public IP required. It is not suitable for game servers (UDP-based) but handles HTTPS web services reliably and at no cost.

Which Fix Should You Use?

• Request a public IP first. It is free or low-cost at most ISPs and resolves every CGNAT limitation permanently.
• Check IPv6 next. If your ISP provides it — and most do — gaming NAT issues often resolve immediately at no cost.
• Use Tailscale for remote access. The best free option for reaching a home server or desktop from outside the network.
• Use paid VPN port forwarding for game hosting or torrenting when neither of the above is available.
• Use Cloudflare Tunnels for HTTPS services only. Free and reliable, but limited to web traffic.

Run a speed test after any network configuration change to confirm your baseline throughput is unchanged, and check our strict NAT type fix guide for additional console-specific steps once CGNAT is resolved.