ipdetecto.com
Mar 30, 2026

CGNAT Explained: Why Your Home Internet Might Share One IP With a Thousand Strangers

Your ISP may never give you a real public IP address. Here's what CGNAT actually is, why it breaks port forwarding and gaming, and what you can do about it.

You Probably Don't Have a Real Public IP Address

Most people assume their internet connection comes with its own public IP. It doesn't — not always. Millions of home connections sit behind something called Carrier-Grade NAT (CGNAT), where a single public IP address is shared across hundreds or thousands of households at once.

Your ISP ran out of IPv4 addresses. CGNAT is how they're stretching what's left. The problem is that it quietly breaks things you care about: port forwarding, game servers, remote access to your home network, self-hosted services, and VoIP calls.

This guide explains what CGNAT actually is, how to check if you're behind it, what breaks because of it, and how to work around it.

Why This Exists: IPv4 Ran Out

There are only about 4.3 billion IPv4 addresses in the world. That sounds like a lot until you account for billions of phones, laptops, smart TVs, routers, cameras, and servers all needing addresses simultaneously.

The organization that hands out IP blocks globally (IANA) ran dry in 2011. Regional registries followed. ISPs were stuck: new customers kept signing up, but there were no new IPs to give them.

The real fix is IPv6, which has practically unlimited addresses. But most of the internet still runs on IPv4. So while that transition drags on, ISPs invented CGNAT as a stopgap.

Instead of giving each customer their own public IP, the ISP assigns them a private address and handles the translation to a shared public IP at their own network level. One public IP can serve thousands of homes this way.

What Actually Happens to Your Traffic

On a normal home connection, your router is the only NAT layer. Your devices get private addresses like 192.168.1.x, and your router translates those to your single public IP when packets leave your home.

With CGNAT, there's a second translation happening at your ISP's equipment:

  1. Your devices get private IPs from your router (192.168.1.x) — same as usual
  2. Your router's WAN port gets an IP in the 100.64.0.0/10 range — this looks like a public IP but it's not. It's a special range reserved just for CGNAT (defined in RFC 6598)
  3. The ISP's CGNAT device translates that 100.x.x.x address to one shared public IP that it also gives to potentially thousands of other customers

Your traffic goes through two NAT layers before hitting the internet. That's why it's called Double NAT.

From a website's perspective, your request looks identical to a thousand other people on the same ISP. They all share the same public IP.

How to Check If You're Behind CGNAT

Open your router's admin panel (usually at 192.168.1.1 or 192.168.0.1) and find the WAN status page. Look at the IP address your router received from your ISP.

Then check your actual public IP using a tool like this one.

If those two IPs are different — you're behind CGNAT. Your router has a private IP from your ISP, not a real public address.

If your router's WAN IP starts with 100.64 through 100.127, that's the RFC 6598 CGNAT range. That's the clearest sign.

You can also run a traceroute (traceroute google.com on Mac/Linux, tracert google.com on Windows). If you see two or more private IP hops before the first public IP, you have multiple NAT layers — one of them is CGNAT.
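The three checks above (WAN address range, WAN versus public IP, private hops in a traceroute) can be scripted. This is an added example, not code from the original page; the function names and the sample addresses are constructed for illustration. It also separates out a WAN address in an RFC 1918 range, which indicates an upstream NAT that may be the ISP's or your own modem's, and it assumes ordinary unicast IPv4 addresses as input.

```python
import ipaddress

# RFC 6598 shared address space: the 100.64.0.0/10 range named in the article.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges, listed explicitly so results do not depend on
# how a given Python version defines is_private / is_global.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def address_kind(ip):
    """Return 'cgnat', 'private' or 'public' for an IPv4 address string."""
    addr = ipaddress.IPv4Address(ip)
    if addr in CGNAT_NET:
        return "cgnat"
    if any(addr in net for net in RFC1918_NETS):
        return "private"
    return "public"


def classify_wan(wan_ip, public_ip):
    """Compare the router's WAN address with the externally observed address."""
    kind = address_kind(wan_ip)
    if kind == "cgnat":
        return "cgnat"            # WAN address is in the RFC 6598 range
    if kind == "private":
        return "upstream-nat"     # RFC 1918 on the WAN side: ISP NAT or a modem doing NAT
    if ipaddress.IPv4Address(wan_ip) == ipaddress.IPv4Address(public_ip):
        return "public"           # router holds the public address itself
    return "mismatch"             # public-looking WAN address that differs from observed IP


def nat_hops_before_public(hops):
    """Count private or CGNAT hops before the first public hop of a traceroute."""
    count = 0
    for hop in hops:
        if hop == "*":            # hop did not answer; it tells us nothing
            continue
        if address_kind(hop) == "public":
            break
        count += 1
    return count


if __name__ == "__main__":
    # Constructed sample values; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
    print(classify_wan("100.72.14.9", "203.0.113.50"))
    print(classify_wan("192.168.100.2", "203.0.113.50"))
    print(nat_hops_before_public(["192.168.1.1", "*", "100.64.0.1", "198.51.100.1"]))
```
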

What CGNAT Actually Breaks

Port Forwarding

This is the biggest one. Port forwarding lets you expose something on your home network to the internet — a game server, a NAS, a camera, a home automation system. It works by telling your router: if someone connects on port 25565, send that traffic to this device.

With CGNAT, the problem is that your router never even sees the incoming connection. The ISP's CGNAT device receives it and has no idea which of its thousands of customers should get it. It drops the packet. Your perfect port forwarding rule is completely ignored.

This isn't something you can fix by configuring your router differently. The block happens upstream.

Gaming NAT Type

Gaming consoles and PCs report a NAT type based on how well they can connect to peers:

  • Open / Type 1 — direct connection, best experience
  • Moderate / Type 2 — one NAT layer, works fine
  • Strict / Type 3 — multiple NAT layers, limited connectivity

CGNAT almost always forces Strict / Type 3. That means you can't host lobbies, voice chat degrades, and you can only connect to players on Open NAT. For casual gaming it's annoying. For competitive play it's a real problem.

Self-Hosting and Remote Access

Running a home server, Plex instance, Home Assistant, or any service you want to reach from outside your house? CGNAT makes that impossible without workarounds. Same issue as port forwarding — there's no way for incoming traffic to find you specifically.

VoIP Calls

VoIP and SIP-based phone systems need to negotiate media ports with the other end of the call. CGNAT breaks those negotiations in ways that cause one-way audio or dropped calls. Business VoIP adapters are especially prone to this.

Shared Reputation

If anyone sharing your public IP sends spam, runs a botnet, or does something that gets the address blacklisted — you get caught in it. Your emails end up in spam folders, websites show you CAPTCHAs constantly, and some services might block you entirely. None of it is your fault.

CGNAT vs Regular NAT

Feature                  | Normal Home NAT    | CGNAT
Who owns the public IP   | You (your router)  | Your ISP — shared with thousands
Port forwarding          | Works              | Broken
Hosting a server         | Possible           | Requires a workaround
Gaming NAT type          | Open or Moderate   | Strict
Incoming connections     | Configurable       | Blocked at ISP level
IP reputation            | Your own           | Shared with strangers
Traceroute private hops  | 1                  | 2 or more

How to Fix It

Ask Your ISP for a Static Public IP

The cleanest fix. Call your ISP and ask for a static IP or a real public IP address. Most cable and fiber ISPs charge a small fee — usually $5 to $15 per month. Some include it for free on certain plans.

Just confirm you're getting a genuinely public, routable IP — not just a static assignment within their CGNAT pool. Ask them directly: "Will this IP be reachable from the public internet?"

Use Cloudflare Tunnel (Free)

Cloudflare Tunnel lets you expose a local service to the internet without any incoming connections. You run a small agent on your home machine that connects outward to Cloudflare's network. From there, Cloudflare handles all incoming traffic and passes it through the tunnel.

Since the connection starts from your side, CGNAT doesn't block it. This works for websites, home dashboards, and any HTTP service. It's free and takes about 10 minutes to set up.
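Why an unsolicited inbound connection is dropped (the Port Forwarding section) while an outbound-initiated tunnel works (this section) comes down to the carrier's mapping table. The toy model below is an added example, not code from the original page; the class name, port numbers and addresses are constructed, and real CGNAT devices also track remote endpoints and expire idle mappings.

```python
class CarrierNat:
    """Toy model of a CGNAT device: one shared public IP, per-flow port mappings."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (customer_ip, customer_port) -> public_port
        self.in_map = {}    # public_port -> (customer_ip, customer_port)

    def outbound(self, customer_ip, customer_port):
        """A customer opens a flow; allocate (or reuse) a public port for it."""
        key = (customer_ip, customer_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.out_map[key])

    def inbound(self, public_port):
        """A packet arrives from the internet; deliver only if a mapping exists."""
        return self.in_map.get(public_port)  # None means the packet is dropped


def demo():
    nat = CarrierNat("203.0.113.50")  # constructed documentation address
    # Unsolicited connection to port 25565: no customer ever created that mapping,
    # so a forwarding rule on the home router is never consulted.
    unsolicited = nat.inbound(25565)
    # Two customers dial out (for example, a tunnel agent connecting to its relay).
    a = nat.outbound("100.64.0.10", 51000)
    b = nat.outbound("100.64.0.11", 51000)
    # Replies on the allocated public ports are translated back to each customer.
    return unsolicited, a, b, nat.inbound(a[1]), nat.inbound(b[1])


if __name__ == "__main__":
    print(demo())
```
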

VPN with Port Forwarding

Some VPN providers let you forward ports through their servers to your home connection. Traffic hits their public IP on a specific port, gets forwarded through the VPN tunnel to your machine. AirVPN and Mullvad have historically offered this. Useful for game servers, torrenting, or remote access without paying your ISP for a static IP.

A VPS as a Relay

Rent a cheap cloud server (Hetzner, Vultr, DigitalOcean — as low as $3–5/month), set up a WireGuard tunnel between the VPS and your home machine, then forward specific ports on the VPS to your home through the tunnel. Full control, very fast, and works for anything.

Use IPv6 If Your ISP Supports It

IPv6 doesn't need NAT at all. Every device gets a real globally routable address. If your ISP offers dual-stack (IPv4 + IPv6), your devices can use IPv6 to accept incoming connections without any of the CGNAT problems. Ask your ISP if they support it — many do, but it's often not enabled by default.

Who Gets Hit by CGNAT the Most

CGNAT isn't evenly distributed. Some groups of people run into its problems constantly while others never notice it at all.

Gamers notice it immediately because consoles report NAT type on every connection. Strict NAT isn't subtle — matchmaking takes longer, lobbies fail, and some co-op modes flat out don't work.

Remote workers who self-host hit the wall when they try to reach their home server from the office. VPN tunnels that rely on incoming connections at home simply won't establish.

Home lab enthusiasts running Proxmox, Home Assistant, Nextcloud, or their own VPN server quickly realize that nothing is reachable from outside. Every tutorial assumes you have a real public IP — because most were written before CGNAT became this widespread.

Small business owners using a residential ISP for a branch office sometimes get CGNAT without realizing it. SIP phones stop working. Remote desktop connections fail. Security camera systems can't be monitored off-site.

If you mostly browse the web, stream video, and scroll social media, CGNAT is completely invisible. The trouble starts the moment you need traffic to come to you, not just from you.

A Quick Note on Privacy

There's one accidental upside to CGNAT: it makes it harder to trace a specific internet activity back to your household. If ten thousand people share the same public IP and someone does something questionable, investigators need the ISP's internal NAT logs to figure out which customer it was. Some ISPs don't keep those logs long, or keep them in ways that are hard to access.

This isn't a privacy feature — it's a side effect. And it works against you too. If the police get a court order for logs about a shared IP, they may pull records for thousands of innocent customers along with the one they're actually looking for.

Don't rely on CGNAT for anonymity. Use a proper privacy tool if that's what you need. The privacy benefit is accidental, inconsistent, and something your ISP can undo the moment someone asks them to look.

Common Misunderstandings

  • Restarting your router won't help. Whether you're behind CGNAT depends on your ISP's infrastructure, not your router's state.
  • Paying for faster internet doesn't change it. CGNAT is a network architecture decision, not a speed tier thing. You can be on a gigabit plan and still be behind CGNAT.
  • It's not just mobile networks. Many fixed-line DSL and cable providers use CGNAT, especially in regions where IPv4 addresses are scarce.
  • Your neighbor might be sending spam under your IP. And you'd never know until a service starts blocking you.

The Bottom Line

CGNAT keeps the internet running while IPv4 exhaustion drags on. For basic browsing it's invisible. But the moment you try to host something, forward ports, or get Open NAT for gaming, it becomes a real obstacle.

The good news is there are solid workarounds. Cloudflare Tunnel is free and takes minutes to set up. A static IP from your ISP costs a few dollars a month. A VPS relay is cheap and gives you full control. You're not stuck.

Check your IP address now and see if your public IP matches your router's WAN address.

Frequently Asked Questions

Q. How do I know if I'm behind CGNAT?

Compare your router's WAN IP (found in your router admin panel) with your public IP from a lookup tool. If they're different, you're behind CGNAT. A WAN IP in the 100.64.0.0 to 100.127.255.255 range is the clearest sign.

Q. Can I fix port forwarding if I'm behind CGNAT?

Not through normal router settings. The block happens at the ISP level. Your options are: get a static public IP from your ISP, use Cloudflare Tunnel, use a VPN with port forwarding support, or set up a cheap VPS as a relay.

Q. Why does CGNAT give me Strict NAT on my gaming console?

Gaming platforms check if you can accept incoming peer connections. CGNAT blocks all unsolicited incoming traffic, which forces the strictest NAT classification. Getting a real public IP or using a VPN with port forwarding are the main fixes.

Q. What is the 100.64.0.0/10 IP range?

It is the IP range reserved specifically for CGNAT, defined in RFC 6598. If your router's WAN IP falls between 100.64.0.0 and 100.127.255.255, you are behind Carrier-Grade NAT.

Q. Does IPv6 solve CGNAT?

Yes, for IPv6 traffic. IPv6 gives every device a real globally routable address with no NAT involved. If your ISP supports dual-stack and you enable IPv6, those connections bypass CGNAT entirely.

Q. Can I host a website from home behind CGNAT?

Yes, using Cloudflare Tunnel. It creates an outbound connection from your server to Cloudflare's edge, which handles all incoming traffic. No port forwarding needed, and it is free for personal use.

Q. Do ISPs disclose that they use CGNAT?

Usually not. It is rarely mentioned in plan documents. You have to check yourself by comparing your router WAN IP to your actual public IP, or ask your ISP support team directly.