CGNAT Explained: Why Your IP Is Shared With Strangers


If your "public" IP shows up at multiple addresses or appears flagged as a hosting provider on our IP lookup, there's a good chance your ISP has stuffed you behind carrier-grade NAT. Dozens — sometimes hundreds — of subscribers share the same outgoing IP. It's saving the IPv4 address pool from exhaustion, and it's quietly breaking things for end users.

What CGNAT actually is

Carrier-grade NAT, also called LSN (Large-Scale NAT) or NAT444, is a translator that sits between your home network and the public internet. Without it, your home router does one layer of NAT: many devices on your LAN share one public IP. With CGNAT, the ISP does a second layer: many homes share one public IP. From the outside, you can't be told apart from your neighbours.

Inside the ISP's network, you get an IP in the 100.64.0.0/10 range — the "shared address space" reserved for exactly this purpose. From your home router's perspective, that looks like a normal public IP. It isn't.

Why ISPs use it

IPv4 ran out of new addresses globally years ago. There are roughly 4.3 billion possible IPv4 addresses and far more devices that want one. CGNAT lets one IPv4 address serve many subscribers, which is far cheaper than acquiring more IPv4 space on the secondary market (where /24 blocks now sell for $50+ per address) and easier than fully migrating everything to IPv6.

Mobile carriers were first to adopt CGNAT, then cable ISPs, and now even some fiber providers. In some countries (Brazil, India, parts of Eastern Europe), CGNAT is the default for residential connections; in the US and Western Europe it's more common with budget ISPs and mobile data.

How to detect CGNAT

The quick test

Log into your router's admin panel and look at the "WAN IP" or "Internet IP" — the address the router shows on its public-facing interface. Now check your IP using our what-is-my-IP tool. If the two don't match, you're behind CGNAT — the IP your router sees isn't the one the rest of the internet sees.

Specific signal

If your router's WAN IP is in the 100.64.0.0–100.127.255.255 range, that's the textbook CGNAT range, and you are definitely behind one.
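The two checks above can be combined in a short script. This is an added example, not code from the original article; it goes slightly beyond the quick test by reporting an RFC 1918 WAN address separately, since that means another NAT device sits upstream and it may be a modem/router in your own home rather than the carrier. The function name, result labels and sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 6598 shared address space, the range the article names for CGNAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here means another NAT device
# sits upstream, which may be a modem/router on your own premises.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip: str, observed_ip: str) -> str:
    """Classify a connection from the router's WAN IP and the address a
    what-is-my-IP service reports. Both arguments are IPv4 strings;
    anything else raises ValueError."""
    wan = ipaddress.IPv4Address(wan_ip.strip())
    observed = ipaddress.IPv4Address(observed_ip.strip())

    if wan in CGNAT_NET:
        return "cgnat-shared-space"    # the specific signal: 100.64.0.0/10
    if any(wan in net for net in RFC1918_NETS):
        return "upstream-nat-private"  # double NAT; carrier or local device
    if wan == observed:
        return "direct-public"         # router holds the public IP itself
    return "translated-mismatch"       # the quick test: the two differ


# Constructed sample pairs (documentation-range addresses, not real users).
SAMPLES = [
    ("100.72.13.5", "203.0.113.40"),      # inside the shared space
    ("100.127.255.255", "203.0.113.40"),  # last address of the /10
    ("100.128.0.1", "100.128.0.1"),       # just outside the /10
    ("192.168.1.2", "198.51.100.7"),      # router behind another router
    ("198.51.100.7", "198.51.100.7"),     # no translation upstream
    ("198.51.100.7", "203.0.113.40"),     # public-looking WAN, still translated
]

if __name__ == "__main__":
    for wan, seen in SAMPLES:
        print(f"{wan:>16} vs {seen:<15} -> {classify_wan(wan, seen)}")
```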

Indirect signals

  • Port forwarding for game servers or self-hosted services silently doesn't work.
  • CAPTCHAs everywhere, because the same shared IP gets flagged by anti-abuse systems when one neighbour misbehaves.
  • IP geolocation shows a city that isn't yours (the CGNAT exit is geolocated, not your home).

What CGNAT breaks

  • Inbound connections. Self-hosting a website, mail server, game server, or SSH server is essentially impossible. There's no way to forward a port from a public IP you don't control.
  • Some P2P traffic. Peer-to-peer protocols that rely on NAT traversal (BitTorrent, some game matchmaking, peer-to-peer video calls) work less reliably because the double NAT confuses hole-punching.
  • IP-based reputation. Your IP picks up whatever reputation hits your neighbours get. Spam blacklists may block the entire shared exit. Streaming services may flag the IP as datacenter or proxy traffic.
  • Logging accountability. If something illegal happens from the shared IP, the ISP needs to consult internal NAT translation logs to identify the actual user. Most do keep these logs.

Workarounds

1. Pay for a static IP from your ISP if they offer the option. Often $5–$15/month residential. You get a real public IP that's only yours.

2. Use IPv6 if available. Most CGNAT deployments also hand out a proper IPv6 prefix, often a /56 or /64. IPv6 isn't NAT'd — every device gets a real routable address. Inbound IPv6 connections work natively.

3. Tunnel out. A cheap VPS plus a tool like Cloudflare Tunnel, Tailscale Funnel, or a self-hosted WireGuard endpoint with port forwarding gives you a stable public address that maps back to your home network — completely bypassing CGNAT.

4. Use a VPN with port forwarding. A few VPN providers offer dedicated ports forwarded to your tunnel. This is enough for self-hosted services that don't need a stable DNS hostname.

Privacy implications

CGNAT is a mild privacy net positive — observers can't tell you apart from the other subscribers on the same exit. It's a small net negative for your IP reputation, because one bad neighbour can flag the entire shared IP. The bigger truth is that CGNAT doesn't meaningfully change the deeper picture: your ISP still knows exactly which subscriber made which connection via their internal translation logs.
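The translation-log lookup mentioned here and under "Logging accountability" can be sketched as follows. This is an added example, not from the original article: the log format, the per-subscriber port blocks and all addresses are constructed, and real CGNAT platforms log in their own formats.

```python
from datetime import datetime

# Constructed translation-log records in a hypothetical format:
# (lease start, lease end, internal address, public IP, first port, last port)
NAT_LOG = [
    ("2024-05-01T10:00:00", "2024-05-01T10:30:00",
     "100.64.10.21", "203.0.113.40", 1024, 2047),
    ("2024-05-01T10:00:00", "2024-05-01T10:30:00",
     "100.64.10.22", "203.0.113.40", 2048, 3071),
    ("2024-05-01T10:30:00", "2024-05-01T11:00:00",
     "100.64.11.90", "203.0.113.40", 1024, 2047),
]


def candidates(public_ip, when, src_port=None):
    """Return the internal addresses that could have produced a connection
    seen from public_ip at time `when` (ISO 8601 string). Passing the
    source port narrows the result to the subscriber holding that port."""
    t = datetime.fromisoformat(when)
    hits = []
    for start, end, internal, pub, lo, hi in NAT_LOG:
        if pub != public_ip:
            continue
        # A lease covers [start, end): the same ports are reused afterwards.
        if not (datetime.fromisoformat(start) <= t < datetime.fromisoformat(end)):
            continue
        if src_port is not None and not (lo <= src_port <= hi):
            continue
        hits.append(internal)
    return hits


if __name__ == "__main__":
    # IP and time alone leave two subscribers; the source port picks one.
    print(candidates("203.0.113.40", "2024-05-01T10:15:00"))
    print(candidates("203.0.113.40", "2024-05-01T10:15:00", 1500))
    # Same IP and port half an hour later belongs to someone else.
    print(candidates("203.0.113.40", "2024-05-01T10:45:00", 1500))
```

For anyone running a service, the practical consequence is that an access log recording only the client IP cannot be matched to one subscriber behind CGNAT; the source port and an accurate timestamp are what make the lookup unique.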

Frequently asked questions

How do I know if my ISP uses CGNAT?
Compare your router's WAN IP to the IP that what-is-my-IP shows. If they differ, you're behind CGNAT. If your router's WAN IP is in 100.64.0.0/10, it's specifically a CGNAT range. You can also ask your ISP's support line — they will know.

Can I still use a VPN behind CGNAT?
Yes, completely fine. VPNs make outbound connections from your home to the VPN server, and outbound traffic works perfectly through CGNAT. In fact, a VPN is often a useful workaround for the reputation problems CGNAT causes.

Does CGNAT make my connection slower?
Negligibly. The translator adds a tiny amount of latency (typically under 1 ms) and can become a bottleneck during major outages, but for everyday browsing it's not detectable. Real slowness behind CGNAT is usually from upstream congestion at the shared exit, not from the NAT itself.

Can CGNAT be detected by websites?
Sometimes. Sites with sophisticated anti-fraud systems can see that an IP is shared by many users at once and treat it more cautiously — extra CAPTCHAs, more aggressive rate limits. Streaming services may also recognize big residential CGNAT pools and apply VPN-style restrictions.