I have spent some time planning my perfect home web server setup. I have researched load balancers, designed network segmentation, planned my security policies, and even picked out the hardware. There's just one problem - my ISP might have quietly killed my entire project without telling me.
Enter CGNAT: the silent dream crusher of home server enthusiasts everywhere.
What Exactly Is CGNAT?
Carrier-Grade Network Address Translation (CGNAT) is essentially NAT on steroids, deployed by Internet Service Providers to deal with the harsh reality that we've run out of IPv4 addresses. While my home router already performs NAT to share one public IP among all my devices, CGNAT takes this one step further up the chain.
With CGNAT, my ISP shares a single public IP address among multiple customers - sometimes up to nine different households. Instead of getting a real public IP address, my router receives a private IP from a special CGNAT range (100.64.0.0 to 100.127.255.255), and the ISP's equipment handles the translation to actual public addresses.
Think of it like living in an apartment building where everyone shares the same street address, but the mailroom sorts everything out. Except in this case, the mailroom refuses to deliver anything unless someone from my apartment ordered it first.
Why CGNAT Destroys “Home Lab” Dreams
The fundamental problem is simple: CGNAT breaks inbound connections. When someone on the internet tries to connect to my web server, they can't reach me directly because:
- My router's "public" IP isn't actually public - it's a private CGNAT address that can't be reached from the internet
- Port forwarding becomes impossible - even if I set up perfect port forwarding on my router, the ISP's CGNAT equipment doesn't know where to send incoming connections
- I'm sharing an IP with strangers - that public IP address that shows up on whatismyip.com is also being used by multiple other customers
As one frustrated BT customer put it: "I cannot forward any ports, even in a DMZ. Trying to get anyone in BT to get me off CGNAT and get a unique IP address back again has been a nightmare. I still can't use my FTP server, or remote desktop connection."
How to Check for CGNAT?
Before I panic and abandon my server dreams, I need to determine if I'm actually affected. The diagnosis is straightforward:
Method 1: The IP Comparison Test
- Check my router's WAN IP: I log into my router's admin interface (usually 192.168.1.1 or 192.168.0.1) and find the WAN/Internet IP address
- Check my public IP: I visit whatismyip.com or browserleaks.com/ip to see what the internet thinks my IP is
- Compare them: If these two addresses match, I'm in the clear. If they're different, I'm behind CGNAT
In this particular example, my WAN address and my public address match, meaning I'm not behind CGNAT.
Method 2: The CGNAT Range Check
If my router's WAN IP falls between 100.64.0.0 and 100.127.255.255, I'm definitely behind CGNAT. This is the reserved address space specifically for carrier-grade NAT implementations.
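Methods 1 and 2 can be combined into one check. The following is an added example, not code from the original article: `classify_wan` and its result labels are hypothetical names, the sample addresses are constructed, and the RFC 1918 branch goes slightly beyond the two methods above by flagging a private WAN address as a separate upstream-NAT case.

```python
import ipaddress

# The CGNAT range quoted above, 100.64.0.0 to 100.127.255.255, as a prefix.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges (assumption: reported as a separate upstream-NAT case).
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip: str, public_ip: str) -> str:
    """Apply Method 2 (range check), then Method 1 (comparison)."""
    wan = ipaddress.ip_address(wan_ip.strip())
    public = ipaddress.ip_address(public_ip.strip())
    if wan.version != 4 or public.version != 4:
        raise ValueError("compare IPv4 addresses only")

    # Method 2: a WAN address inside 100.64.0.0/10 is conclusive on its own.
    if wan in CGNAT_NET:
        return "cgnat"
    # A private WAN address can never be the public one: the ISP, or a
    # second router in front of this one, is translating upstream.
    if any(wan in net for net in RFC1918_NETS):
        return "private-upstream-nat"
    # Method 1: matching addresses mean the router holds the public IP.
    if wan == public:
        return "public"
    # Method 1 mismatch outside the reserved ranges: still translated upstream.
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample pairs (reserved and documentation ranges, not real hosts).
    samples = [
        ("100.72.14.9", "203.0.113.25"),
        ("192.168.100.2", "203.0.113.25"),
        ("203.0.113.25", "203.0.113.25"),
        ("198.51.100.7", "203.0.113.25"),
    ]
    for wan, public in samples:
        print(f"WAN {wan:<15} public {public:<15} -> {classify_wan(wan, public)}")
```

Only the `public` result means port forwarding on the router can work; every other result means another translator sits between the router and the internet.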
Method 3: The Port Test
I can try setting up port forwarding for any port and test it with an online port checker. If ports appear closed even with proper forwarding rules and DMZ configuration, CGNAT is likely the culprit.
Who's Using CGNAT?
The bad news is that CGNAT adoption is spreading rapidly. To find out whether a particular ISP uses it, you can either run the checks above or ask your ISP directly.
The pattern is clear: as IPv4 addresses become more expensive (costs have increased 300-400% recently), more ISPs are turning to CGNAT as a cost-saving measure.
Reality of CGNAT
What makes CGNAT particularly frustrating is that it breaks the fundamental principle of the internet - end-to-end connectivity. Applications that expect to be reachable from the internet simply do not function as they should.
Yet for most users, CGNAT is invisible. Web browsing, streaming, and general internet usage work perfectly because these are all outbound connections that the CGNAT equipment can track and route properly.