What Is CGNAT? The Hidden Reason Your Port Forwarding Does Not Work
Carrier-Grade NAT (CGNAT) is when your ISP puts your connection behind a shared public IP address before traffic even reaches your home router. It means port forwarding will not work, hosting game servers is impossible, and you may see higher latency and stricter NAT types no matter what you change in your router settings. Here is how to detect CGNAT, which ISPs use it, and what you can actually do about it.
You followed every guide. You set up port forwarding on your router. You enabled UPnP. You even tried DMZ. And your NAT type is still strict. Matchmaking still fails. Your self-hosted game server is still unreachable from the outside.
The problem is not your router. The problem is that your ISP has placed your entire connection behind Carrier-Grade NAT (CGNAT) — a second layer of NAT that sits between your home network and the public internet. No amount of router configuration can fix something that is happening upstream at your ISP's infrastructure level.
CGNAT is increasingly common as ISPs run out of IPv4 addresses. If you are on T-Mobile Home Internet, Starlink, many 5G fixed wireless services, or certain budget broadband plans, you are almost certainly behind CGNAT. Here is what it does, how to detect it, and your options for working around it.
What Is CGNAT and How Does It Work?
Under normal circumstances, your ISP assigns your home connection a public IP address — a unique address that is routable on the internet. Your router then uses NAT (Network Address Translation) to share that single public IP among all your devices. This is the NAT you configure in your router settings, and it is the NAT that determines whether your NAT type shows as Open, Moderate, or Strict.
With CGNAT, your ISP adds a second layer of NAT before your connection ever reaches the public internet. Instead of giving you a public IP, they give your router a private IP from a special range (usually 100.64.0.0/10). Hundreds or even thousands of customers share a single public IP address. Your home NAT translates your devices to your router's IP. Then the ISP's CGNAT translates your router's IP to a shared public IP. That is two translations between you and the internet.
Why Do ISPs Use CGNAT?
The reason is simple: IPv4 addresses ran out. There are only about 4.3 billion IPv4 addresses in existence, and every device on the internet needs one (or shares one). The global pool was exhausted years ago. New ISPs and expanding services cannot just buy more — they are scarce and expensive.
CGNAT lets an ISP serve thousands of customers with a fraction of the IPv4 addresses they would otherwise need. Instead of one public IP per household, they can share one public IP among 50, 100, or more customers. The long-term solution is IPv6, which has enough addresses for every grain of sand on Earth, but the transition has been painfully slow.
- Mobile and fixed wireless ISPs almost always use CGNAT because their customer growth far outpaced their IPv4 allocations
- Satellite ISPs like Starlink use CGNAT because assigning public IPs to tens of millions of terminals is not feasible with remaining IPv4 stock
- Budget broadband plans sometimes use CGNAT to reduce infrastructure costs, while premium tiers get dedicated IPs
- Some major ISPs like Comcast, BT, Airtel, Telstra, and Vodafone use CGNAT in parts of their network, particularly for newer deployments
How CGNAT Affects Gaming, Hosting, and Remote Access
Gaming: Strict NAT and Failed Matchmaking
CGNAT forces a strict NAT type on your connection regardless of your router settings. Since the ISP's NAT does not know how to forward inbound game traffic to your specific connection behind the shared IP, peer-to-peer connections fail. The result: you cannot join certain lobbies, voice chat does not work, and matchmaking takes longer or fails entirely. Games like Call of Duty, Destiny 2, and Halo are particularly affected because they rely heavily on peer-to-peer connections.
Hosting: Game Servers, Plex, and Remote Access Are Broken
Port forwarding is completely non-functional behind CGNAT. Even if you forward port 25565 on your router for a Minecraft server, incoming connections from the internet hit the ISP's CGNAT first — which has no forwarding rule for your traffic. Your Plex server, security cameras, self-hosted websites, home VPN, and remote desktop are all unreachable from outside your network.
Latency: A Small but Measurable Penalty
Every packet has to pass through an additional translation step at the ISP's CGNAT device. On well-maintained infrastructure, this adds 1–5 ms of latency. On overloaded CGNAT boxes, it can add 10–30 ms and introduce jitter. For competitive gaming where every millisecond matters, this is a real disadvantage.
IP Reputation: Someone Else's Bad Behavior Affects You
Because you share a public IP with other customers, their online behavior affects you. If someone on your shared IP sends spam, gets flagged for abuse, or triggers rate limits, you may see more CAPTCHAs, get blocked from certain websites, or experience degraded service on platforms that use IP-based rate limiting.
| Feature | Public IP (No CGNAT) | Behind CGNAT |
|---|---|---|
| Port forwarding | Works normally | Does not work |
| NAT type (gaming) | Can be set to Open | Stuck on Strict |
| Hosting servers | Fully supported | Not possible |
| Remote access (VPN, RDP) | Works with forwarding | Blocked |
| Latency penalty | None | 1–30 ms added |
| IP reputation | Only yours | Shared with strangers |
| Peer-to-peer apps | Full speed | May be restricted |
How to Check If You Are Behind CGNAT
There are three reliable ways to detect CGNAT. You only need one to confirm, but checking multiple gives you certainty.
Method 1: Compare Your Router's WAN IP to Your Public IP
This is the fastest test. Log into your router's admin panel (usually at 192.168.1.1 or 192.168.0.1) and find the WAN IP address — this is the IP your ISP assigned to your connection. Then visit a site like pong.com/whatsmyip to see your public IP address — this is what the rest of the internet sees. If the two IPs are different, you are behind CGNAT.
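Method 1 as a script, added here as an example (not code from the original article): it classifies the WAN address your router shows against the public address a lookup site reports. The function name, verdict labels and sample addresses are assumptions for illustration; the RFC 1918 and IP-version cases go beyond the single comparison described above.

```python
import ipaddress

# RFC 6598 shared address space: the range the article says CGNAT usually uses.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here means some NAT sits upstream,
# but it can be a modem/router in front of yours rather than the ISP.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip: str, public_ip: str) -> str:
    """Verdict for Method 1 from the router's WAN IP and the observed public IP."""
    wan = ipaddress.ip_address(wan_ip.strip())
    pub = ipaddress.ip_address(public_ip.strip())
    if wan.version != pub.version:
        return "incomparable"   # e.g. IPv4 WAN vs. an IPv6 lookup result
    if wan == pub:
        return "public"         # router holds the public address: no CGNAT
    if wan.version == 4 and wan in CGNAT_NET:
        return "cgnat"          # ISP assigned shared address space
    if wan.version == 4 and any(wan in net for net in RFC1918_NETS):
        return "upstream-nat"   # ISP NAT on private space, or a second local router
    return "mismatch"           # public-looking WAN that differs (VPN/proxy in use?)


if __name__ == "__main__":
    # Constructed sample pairs using documentation address ranges.
    samples = [("100.72.14.3", "203.0.113.7"),
               ("203.0.113.7", "203.0.113.7"),
               ("192.168.1.2", "203.0.113.7")]
    for wan, pub in samples:
        print(f"WAN {wan:<15} public {pub:<15} -> {classify_wan(wan, pub)}")
```

Run the public-IP lookup with any VPN disconnected, otherwise the comparison reports the VPN exit address instead of your ISP's.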
Method 2: Traceroute to Your Public IP
Open a terminal or command prompt and run tracert (Windows) or traceroute (Mac/Linux) to your public IP address. If the output shows only one hop (your router), you have a public IP. If it shows two or more hops before reaching the public IP, there is a CGNAT device in the path between your router and the internet.
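To read the traceroute result without counting hops by eye, the following added example (not part of the original article) parses saved `traceroute` or `tracert` output, reports the hop at which your public IP answers, and lists any hops inside 100.64.0.0/10. The function name, verdict labels and both sample traces are constructed for illustration.

```python
import ipaddress
import re

SHARED_SPACE = ipaddress.ip_network("100.64.0.0/10")  # CGNAT range named in the article
HOP_LINE = re.compile(r"^\s*(\d+)\s+(.+)$")            # "<hop number> <rest of line>"
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

# Constructed sample output (documentation addresses), Linux and Windows layouts.
CGNAT_TRACE = """traceroute to 203.0.113.7 (203.0.113.7), 30 hops max
 1  192.168.1.1  0.612 ms  0.540 ms  0.498 ms
 2  100.72.0.1  8.412 ms  8.101 ms  7.950 ms
 3  * * *
 4  203.0.113.7  9.874 ms  9.660 ms  9.512 ms"""
DIRECT_TRACE = """Tracing route to 203.0.113.7 over a maximum of 30 hops
  1     1 ms     1 ms     1 ms  203.0.113.7
Trace complete."""


def trace_verdict(output: str, public_ip: str) -> dict:
    """Find the hop at which public_ip answers and any hops in 100.64.0.0/10."""
    target = ipaddress.ip_address(public_ip)
    reached_at, shared_hops = None, []
    for line in output.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue                          # header, blank or footer line
        found = IPV4.findall(m.group(2))
        if not found:
            continue                          # "* * *": hop did not answer
        hop_no, hop_ip = int(m.group(1)), ipaddress.ip_address(found[0])
        if hop_ip in SHARED_SPACE:
            shared_hops.append(hop_no)
        if hop_ip == target:
            reached_at = hop_no
            break
    if reached_at is None:
        verdict = "inconclusive"              # target never answered
    elif reached_at == 1:
        verdict = "public-ip-on-router"       # one hop, as the article describes
    else:
        verdict = "nat-in-path"               # two or more hops before the public IP
    return {"hops": reached_at, "shared_space_hops": shared_hops, "verdict": verdict}


if __name__ == "__main__":
    print(trace_verdict(CGNAT_TRACE, "203.0.113.7"))
    print(trace_verdict(DIRECT_TRACE, "203.0.113.7"))
```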
Method 3: Try Port Forwarding
Set up a port forward on your router for any port (say, 8080). Then use an online port checker tool to test if that port is open from the internet. If the port shows as closed despite correct router configuration, CGNAT is blocking inbound connections. This method is less conclusive on its own since firewalls can also block ports, but combined with Method 1 it confirms CGNAT.
Which ISPs Use CGNAT?
CGNAT is most common on mobile, satellite, and fixed wireless connections, but some traditional broadband ISPs use it too. Here is the current landscape:
| ISP / Service | CGNAT Status | Public IP Available? |
|---|---|---|
| T-Mobile Home Internet | Always CGNAT | No (use IPv6 instead) |
| Starlink | Always CGNAT | Can purchase static IP add-on |
| Verizon 5G Home | Typically CGNAT | Not on fixed wireless plans |
| Comcast Xfinity (fiber/cable) | Some markets | Usually available on request |
| AT&T Fiber | Usually public IP | Yes, by default on most plans |
| Google Fiber | Public IP | Yes |
| Spectrum | Usually public IP | Yes, most plans |
| Cox | Some markets | Available by request |
| CenturyLink / Lumen | Varies by market | Usually on fiber plans |
| Most MVNOs / resellers | Almost always CGNAT | Rarely available |
How to Get Around CGNAT: Your Options
Option 1: Ask Your ISP for a Public IP
The simplest fix — and the one most people do not try — is to call your ISP and request a dedicated public IPv4 address. Many ISPs will provide one for free if you ask, especially traditional cable and fiber providers. Some charge a small monthly fee ($5–15). Fixed wireless and satellite providers are less likely to offer this option, but it is always worth asking. The exact phrasing that works best: "Can I be taken off carrier-grade NAT and assigned a dedicated public IPv4 address?"
Option 2: Use IPv6 Instead
If your ISP provides IPv6 (and most do now), your devices already have globally routable IPv6 addresses that bypass CGNAT entirely. The catch: the service you are connecting to also needs to support IPv6, and not all games and applications do yet. However, major platforms like Xbox Live, PlayStation Network, and many PC games increasingly support IPv6. Check your ISP's IPv6 status and enable it in your router settings if it is not already on.
Option 3: Use a VPN with Port Forwarding
Some VPN providers (like AirVPN and Mullvad) offer port forwarding as a feature. You connect to the VPN, get assigned forwarded ports on the VPN server's public IP, and incoming connections reach you through the VPN tunnel — bypassing your ISP's CGNAT entirely. This works for hosting game servers and remote access but adds latency from the VPN hop, so it is not ideal for competitive gaming.
Option 4: Set Up a Reverse Tunnel (Cloudflare, Tailscale, Ngrok)
Reverse tunnels create an outbound connection from your network to a relay server, then route incoming traffic back through that tunnel. Cloudflare Tunnel (free) works for web-based services. Tailscale and ZeroTier create mesh VPN networks that let your devices connect to each other regardless of NAT. Ngrok provides temporary public URLs for development. These solutions work well for remote access and hosting but are not practical for real-time gaming due to added latency.
Option 5: Switch ISPs
If CGNAT is a dealbreaker and your ISP will not provide a public IP, switching to an ISP that assigns public IPs by default may be your best option. Fiber providers like AT&T Fiber and Google Fiber generally do not use CGNAT. Cable providers like Spectrum and Xfinity usually assign public IPs on standard residential plans. Check before you sign up — ask specifically about CGNAT and public IP availability.
| Solution | Cost | Gaming Latency Impact | Hosting Support | Ease of Setup |
|---|---|---|---|---|
| Request public IP from ISP | Free – $15/mo | None | Full | Easy (one call) |
| Enable IPv6 | Free | None | Partial (IPv6-only) | Easy |
| VPN with port forwarding | $5–12/mo | +10–40 ms | Limited ports | Moderate |
| Reverse tunnel (Cloudflare, Tailscale) | Free – $5/mo | +5–20 ms | Web/app only | Moderate |
| Switch ISPs | Varies | None | Full | Hard (contract, availability) |
CGNAT vs Regular NAT: What Is the Difference?
Your router's NAT and your ISP's CGNAT serve the same basic function — translating private IP addresses to a shared IP — but they operate at completely different levels and have different implications for your connection.
| | Router NAT | CGNAT |
|---|---|---|
| Controlled by | You | Your ISP |
| Where it runs | Your home router | ISP's data center |
| Port forwarding | You can configure it | Not possible |
| NAT type (gaming) | Can be changed to Open | Cannot be changed |
| Number of users | Your household | Hundreds to thousands |
| UPnP support | Usually available | Not available |
| Can be disabled | Yes (bridge mode) | Only by ISP |
The key takeaway: if you have already followed a guide to fix your NAT type and nothing works, the issue is almost certainly CGNAT, not your router settings. No router-level change — port forwarding, UPnP, DMZ, or bridge mode — can solve a CGNAT problem because the restriction happens upstream at your ISP.
Frequently Asked Questions
Does CGNAT increase my ping?
Can I port forward behind CGNAT?
Will a gaming router fix CGNAT problems?
Does CGNAT affect download and upload speeds?
Is CGNAT the same as double NAT?
How do I know if my WAN IP is a CGNAT address?
Bottom Line
CGNAT is the invisible wall between your router and the internet that no amount of router configuration can break through. It is why your port forwarding does not work, why your NAT type is permanently strict, and why you cannot host anything from home. As ISPs continue to stretch a shrinking pool of IPv4 addresses, CGNAT will only become more common.
- Check first: Compare your router's WAN IP to your public IP at pong.com/whatsmyip — if they differ, you are behind CGNAT
- Easiest fix: Call your ISP and ask to be taken off CGNAT and given a public IPv4 address
- Free alternative: Enable IPv6 if your ISP supports it — it bypasses CGNAT entirely for IPv6-capable services
- For hosting: Use Cloudflare Tunnel or Tailscale as a reverse tunnel workaround
- For gaming: Request a public IP or switch to an ISP that assigns them by default
- Do not waste money on a gaming router thinking it will fix a CGNAT problem — it will not
Run a speed test on pong.com to check your current latency, then use our What Is My IP tool to see your public IP. Comparing that to your router's WAN IP takes 30 seconds and tells you definitively whether CGNAT is affecting your connection.