CGNAT (carrier-grade NAT) is a second layer of network address translation run by your ISP. Instead of giving each customer a unique public IPv4 address, the ISP shares one public address among many customers to conserve scarce IPv4 space. Your home router has its own NAT, and the ISP adds a second NAT on top, which is why it is called carrier-grade or large-scale NAT.

What is CGNAT (carrier-grade NAT), and how to tell

Q: How do I know if I'm behind CGNAT?

Compare the WAN or Internet IP shown on your router's admin page to the IP returned by curl ipconfig.io. If the two differ, your ISP is translating your traffic and you are behind CGNAT. A strong tell is a router WAN IP in the 100.64.0.0/10 range, which RFC 6598 reserves specifically for carrier-grade NAT, or an IP in a private range like 10.0.0.0/8.

Q: Does CGNAT break port forwarding?

Yes. Because you do not own a unique public IPv4 address under CGNAT, inbound port forwarding does not work, since the public IP and its ports are shared with other customers. This makes self-hosting servers, remote access, and some peer-to-peer or gaming setups harder. The usual fixes are to ask your ISP for a public or static IP, often for a fee, or to use a tunnel or relay service.

CGNAT (carrier-grade NAT) is a second layer of NAT that your ISP runs to share one public IPv4 address among many customers, conserving the dwindling supply of IPv4 addresses. Your home router already performs NAT for the devices on your LAN; under CGNAT the ISP adds another NAT in front of it, so the public IP the internet sees is not yours alone. The fastest way to tell if you are behind one is to compare your router's WAN IP to the result of curl ipconfig.io.

Maintained by the ipconfig.io team · Reviewed 17 June 2026

What is CGNAT?

CGNAT, also called carrier-grade NAT or large-scale NAT, is network address translation performed by your ISP on top of the NAT your own router already does. Ordinary home NAT lets many devices on your LAN share one public IP. Carrier-grade NAT extends the same idea one level up: many customers share one public IPv4 address.

The reason is simple arithmetic. IPv4 has a fixed, exhausted pool of addresses, and there are far more devices than addresses. Rather than assign a scarce public IPv4 to every subscriber, ISPs hand out an address from a shared internal range and translate everyone onto a smaller set of real public IPs at the network edge.

The practical effect: the IP the wider internet associates with your connection is shared, not dedicated. You are one of many behind it.

How do I know if I'm behind CGNAT?

Compare two numbers: the WAN IP your router reports, and the public IP the internet actually sees. If they differ, you are behind CGNAT. Here is the check, in two steps:

Find your public IP — the address the internet sees. Run:
sh
```
curl ipconfig.io
```
The bare / endpoint returns your public IP as plain text, exactly as seen from outside your network.
Find your router's WAN IP — the address your ISP handed your router. Open your router's admin page (often 192.168.0.1 or 192.168.1.1) and look for a field labelled WAN IP, Internet IP, or Status.

Now compare:

They match → you have a normal public IP. No CGNAT.
They differ → something between your router and the internet is translating your traffic. That something is your ISP's carrier-grade NAT.

A second, stronger tell is what the router's WAN IP looks like. A public address that you own appears verbatim on ipconfig.io. An address from a reserved internal range never can — those addresses are not routable on the public internet, so seeing one on your WAN interface is a direct sign of CGNAT.

What does my router's WAN IP tell me?

Match the WAN IP on your router's status page against the ranges below. The shared CGNAT range is the clearest signal.

Router WAN IP looks like	Range / source	What it means
`100.64.0.0` – `100.127.255.255`	`100.64.0.0/10` (RFC 6598)	Carrier-grade NAT. This range is reserved specifically for CGNAT.
`10.x.x.x`	`10.0.0.0/8` (RFC 1918)	A private range. Your ISP is almost certainly running CGNAT.
`172.16.x.x` – `172.31.x.x`	`172.16.0.0/12` (RFC 1918)	A private range — same conclusion as above.
`192.168.x.x`	`192.168.0.0/16` (RFC 1918)	A private range. Note: this is also normal inside your LAN, so confirm you are reading the WAN field, not a LAN address.
A normal public address that matches `curl ipconfig.io`	Public IPv4	No CGNAT. You have a public IP, though it may still be dynamic.

The RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are private and never appear on the public internet. The 100.64.0.0/10 block from RFC 6598 was set aside precisely so ISPs could run CGNAT without colliding with customers' own private networks — so a WAN IP in that range is the most unambiguous evidence of all.

What does CGNAT break?

CGNAT breaks anything that depends on owning a unique, reachable public IP — most visibly, inbound connections. Because your public address and its ports are shared with other customers, traffic arriving from the internet has no unambiguous way to reach your router. Specifically:

No inbound port forwarding. You cannot open a port to your network from the outside, because the port lives on a shared public IP you do not control.
Harder self-hosting and remote access. Running a web server, game server, NAS, or remote-desktop endpoint at home becomes difficult, since none of them can be reached directly.
Some P2P and gaming friction. Peer-to-peer apps and certain multiplayer games rely on inbound connectivity or predictable port mapping, both of which CGNAT can disrupt.

Outbound browsing, streaming, and most everyday use are unaffected — CGNAT only complicates connections initiated toward you.

What can I do about CGNAT?

You have two practical options, both neutral trade-offs rather than fixes for everyone:

Ask your ISP for a public or static IP. Many providers offer a dedicated public IPv4 address, sometimes a static one, often for an extra monthly fee or on a business plan. This removes the carrier NAT entirely and restores normal inbound connectivity.
Use a tunnel or relay. A reverse tunnel or relay service exposes a service running on your network through a host that does have a reachable public IP. Your traffic reaches the relay outbound, and the relay accepts inbound connections on your behalf — sidestepping CGNAT without changing your ISP plan.

Which one fits depends on what you are trying to reach and how much control you want. If you only need to confirm whether the problem is CGNAT in the first place, the two-command check above settles it.

Frequently asked questions

What is CGNAT? A second layer of NAT run by your ISP that shares one public IPv4 address among many customers to conserve scarce IPv4 space. Your router does NAT for your LAN; the ISP adds another NAT on top.

How do I know if I'm behind CGNAT? Compare your router's WAN IP to curl ipconfig.io. If they differ, you're behind CGNAT. A WAN IP in 100.64.0.0/10 (RFC 6598) or an RFC 1918 private range confirms it.

Does CGNAT break port forwarding? Yes. You don't own a unique public IP, so inbound port forwarding doesn't work and self-hosting or remote access becomes harder. Ask your ISP for a public IP or use a tunnel.

Next steps

Run the check now — see how to find your public IP from the terminal for the curl ipconfig.io side of the comparison, learn what your IP address actually reveals, or browse the API reference for every endpoint and field.

What is CGNAT (carrier-grade NAT), and how to tell ​

What is CGNAT? ​

How do I know if I'm behind CGNAT? ​

What does my router's WAN IP tell me? ​

What does CGNAT break? ​

What can I do about CGNAT? ​

Frequently asked questions ​

Next steps ​