CGNAT: Why Gamers Hate It and What You Can Do

You set up port forwarding correctly. You've done it before. But this time nothing works — incoming connections never arrive, NAT type is Strict, and your gaming experience suffers for it. The likely culprit is Carrier-Grade NAT: your ISP is translating your traffic through a second NAT layer that you have no control over.

What CGNAT Is

Carrier-Grade NAT (also called Large Scale NAT) is NAT performed by the ISP itself, before traffic even reaches your router. Instead of assigning you a real public IP address, the ISP assigns you a private IP from the 100.64.0.0/10 range (the 'Shared Address Space' defined in RFC 6598), then NATs all their customers through a shared pool of real public IPs.

You end up behind two NAT layers: your ISP's NAT and your router's NAT. Your router gets a private IP (not a public one) from your ISP. When you configure port forwarding on your router, you're opening ports in your router's NAT table — but the connection still hits your ISP's NAT layer first, which has no matching rule, and drops it.

Why ISPs Use It

IPv4 addresses are exhausted. ISPs can't get new public IPv4 addresses, so they stretch their existing pool by having many customers share each address. A single public IP might serve 50 to 100 residential customers simultaneously through CGNAT. It's cheap for the ISP and creates real problems for the customers.

How to Tell If You're Behind CGNAT

Check the WAN IP shown in your router's admin interface. If it's in the 100.64.0.0 to 100.127.255.255 range, you're behind CGNAT. If it's a private range like 10.x.x.x or 172.16-31.x.x, same conclusion. If it matches the public IP shown on an IP lookup site, you have a real public IP — no CGNAT.

Wait — this matters. Even 192.168.x.x on your router's WAN interface can indicate CGNAT if your ISP uses that range for their customer-facing IPs, though that's less common.

What You Can Actually Do

The most reliable fix is requesting a static public IP from your ISP. Many offer this for business accounts, and some offer it as a paid add-on for residential customers. Failing that, a VPN with port forwarding capabilities (like Mullvad or ProtonVPN's port forwarding options) creates an accessible endpoint through the VPN server, bypassing your CGNAT entirely. For gaming specifically, some platforms use NAT traversal techniques that can work even through CGNAT, with varying success.