What Is CGNAT (Carrier-Grade NAT)? Why You Share a Public IP

Q: How do I know if I am behind CGNAT?

Compare the WAN or internet IP shown in your router admin page with the public IP a lookup tool reports. On a normal connection they match; under CGNAT they differ because the carrier rewrites your address. A strong sign is a router WAN address inside the 100.64.0.0/10 shared range reserved in RFC 6598 for carrier-grade NAT.

Q: Can you port forward with CGNAT?

Generally no. Because the public IP belongs to the carrier and is shared across customers, inbound connections reach the provider NAT rather than your router, so a port forwarding rule on your own router has nothing public to map. Workarounds include asking the ISP for a public IP, using IPv6, or routing inbound traffic through an external relay or tunnel you control.

Q: Why is my public IP shared with other people?

The internet ran low on IPv4 addresses, so many providers place customers behind carrier-grade NAT and let one public IPv4 serve many subscribers at once. Your traffic is translated as it leaves the carrier network, which is why several households can appear to the outside world under the same public address.

Q: How do I get a real public IP address from my ISP?

Ask your provider for a dedicated public or static IPv4 address, which is often a paid add-on or a business-plan feature. Alternatively use IPv6 if your ISP offers it, since carrier-grade NAT only applies to IPv4 and IPv6 gives each device its own routable address. A VPN with port forwarding or a reverse tunnel can also provide a public endpoint you control.

Q: Does CGNAT affect gaming, hosting, or running a server?

It can. Carrier-grade NAT does not slow ordinary browsing, but it breaks anything that needs the internet to reach you directly: self-hosting a website or game server, peer-to-peer connections, remote access to your home, and some VPN setups. Features that rely on inbound port forwarding are the ones most likely to stop working.

~/sheets/what-is-cgnat.md

When Your Public IP Is Not Really Yours
CGNAT (Carrier-Grade NAT, also called Large-Scale NAT or LSN) is network address translation performed by your internet provider instead of just your home router. It lets one public IPv4 address be shared across many subscribers at once, which is how ISPs cope with the global shortage of IPv4 addresses. The catch is that the public IP the internet sees is not assigned to you alone, and you do not control it.
You can spot CGNAT in seconds: compare the WAN address in your router with the public IP our IP Lookup reports. If they differ, your provider is translating your traffic.
The 100.64.0.0/10 Shared Address Space
CGNAT links between your router and the carrier are numbered from a special block reserved in RFC 6598: 100.64.0.0/10, which spans 100.64.0.0 to 100.127.255.255 and contains 4,194,304 (2 to the power of 22) addresses. This block is deliberately separate from the ordinary private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) so it does not clash with your home network, and like those ranges it is not routable on the public internet. If your router's WAN address sits inside 100.64.0.0/10, you are almost certainly behind carrier-grade NAT.
How to Tell If You Are Behind CGNAT
The simplest test does not need any special software. Open your router's admin page and note the WAN or internet IP it shows, then visit HackMyIP or run an IP Lookup to see the public IP the outside world sees. On a normal connection these match. Under CGNAT they differ, because the carrier rewrites your address as it leaves their network, and the router's WAN IP is often a 100.64.0.0/10 or private-looking address rather than a globally unique one.
Why Hosting and Port Forwarding Break
Because the public IP belongs to the carrier and is shared, inbound connections from the internet arrive at the provider's NAT, not at your router. A port forwarding rule on your own router has no public-facing port to map, so it silently fails. This is why CGNAT commonly breaks self-hosting a website or game server, peer-to-peer transfers, remote access back to home, and some VPN configurations. It does not slow down normal browsing, but anything that needs the outside world to reach you directly tends to stop working.
How to Get a Real Public IP
There are a few vendor-neutral options. You can ask your ISP for a dedicated public or static IPv4 address, which is often available as a paid add-on or on a business plan. You can use IPv6 if your provider offers it, since CGNAT only affects IPv4 and IPv6 gives each device its own routable address. Or you can route inbound traffic through an external relay, such as a VPN that supports port forwarding or a reverse tunnel, so the public endpoint lives somewhere you do control.
Frequently Asked Questions
How do I know if I am behind CGNAT?
Compare the WAN or internet IP shown in your router's admin page with the public IP a lookup tool reports. On a normal connection they match; under CGNAT they differ because the carrier rewrites your address. A strong sign is a router WAN address inside the 100.64.0.0/10 shared range reserved in RFC 6598 for carrier-grade NAT.
Can you port forward with CGNAT?
Generally no. Because the public IP belongs to the carrier and is shared across customers, inbound connections reach the provider's NAT rather than your router, so a port forwarding rule on your own router has nothing public to map. Workarounds include asking the ISP for a public IP, using IPv6, or routing inbound traffic through an external relay or tunnel you control.
Why is my public IP shared with other people?
The internet ran low on IPv4 addresses, so many providers place customers behind carrier-grade NAT and let one public IPv4 serve many subscribers at once. Your traffic is translated as it leaves the carrier network, which is why several households can appear to the outside world under the same public address.
How do I get a real public IP address from my ISP?
Ask your provider for a dedicated public or static IPv4 address, which is often a paid add-on or a business-plan feature. Alternatively use IPv6 if your ISP offers it, since carrier-grade NAT only applies to IPv4 and IPv6 gives each device its own routable address. A VPN with port forwarding or a reverse tunnel can also provide a public endpoint you control.
Does CGNAT affect gaming, hosting, or running a server?
It can. Carrier-grade NAT does not slow ordinary browsing, but it breaks anything that needs the internet to reach you directly: self-hosting a website or game server, peer-to-peer connections, remote access to your home, and some VPN setups. Features that rely on inbound port forwarding are the ones most likely to stop working.
Last updated: April 2026