CGNAT: Why Your ISP Won't Let You Access Your Home Network Remotely
If you've ever tried to access a security camera, home server, or any service at your home from outside your network and couldn't, you're probably behind CGNAT. Let's understand what this means and why ISPs do this.
The Problem: IPv4 Ran Out
When the internet was created, the IPv4 protocol was designed with 32-bit addresses, allowing approximately 4.3 billion unique addresses. At the time, it seemed more than enough.
Understanding IPv4 Addresses
A quick overview of IPv4 (Internet Protocol version 4), the version everyone knows. IPv6 also exists and comes up later in this post as the long-term fix, but it isn't covered in depth here.
An IPv4 address is composed of 4 octets separated by dots:
192.168.1.1 is 192 (1st octet) . 168 (2nd octet) . 1 (3rd octet) . 1 (4th octet)
Why "octet"? Because each number represents 8 bits (1 byte). And 8 bits can only represent values from 0 to 255:
```
8 bits = 2^8 = 256 possible combinations (0 to 255)

Binary: 00000000 = 0
        11111111 = 255
        10101000 = 168
```
Complete example:
```
192.168.1.1 in binary:
11000000.10101000.00000001.00000001
```
Binary representation itself isn't covered here; if you work in IT it's assumed knowledge.
Total possible addresses:
```
4 octets × 8 bits = 32 bits
2^32 = 4,294,967,296 addresses (approximately 4.3 billion)
```
Reserved IP Blocks
Not all 4.3 billion addresses are available for public use. Several blocks were reserved for specific purposes:
| Range | CIDR | Use | Quantity |
|---|---|---|---|
| 0.0.0.0 - 0.255.255.255 | 0.0.0.0/8 | "This network" / unspecified source (a host that has no address yet) | 16,777,216 |
| 10.0.0.0 - 10.255.255.255 | 10.0.0.0/8 | Private networks (RFC 1918): companies and data centers | 16,777,216 |
| 100.64.0.0 - 100.127.255.255 | 100.64.0.0/10 | Shared address space for ISP CGNAT (RFC 6598) | 4,194,304 |
| 127.0.0.0 - 127.255.255.255 | 127.0.0.0/8 | Loopback - always the machine itself | 16,777,216 |
| 169.254.0.0 - 169.254.255.255 | 169.254.0.0/16 | Link-local, self-assigned when DHCP fails (APIPA) | 65,536 |
| 172.16.0.0 - 172.31.255.255 | 172.16.0.0/12 | Private networks (RFC 1918): medium corporate networks | 1,048,576 |
| 192.0.0.0 - 192.0.0.255 | 192.0.0.0/24 | IETF protocol assignments | 256 |
| 192.0.2.0 - 192.0.2.255 | 192.0.2.0/24 | Documentation examples (TEST-NET-1) | 256 |
| 192.88.99.0 - 192.88.99.255 | 192.88.99.0/24 | IPv6 transition (6to4 relay anycast) - deprecated | 256 |
| 192.168.0.0 - 192.168.255.255 | 192.168.0.0/16 | Private networks (RFC 1918): home networks (your home Wi-Fi) | 65,536 |
| 198.18.0.0 - 198.19.255.255 | 198.18.0.0/15 | Network device benchmarking | 131,072 |
| 198.51.100.0 - 198.51.100.255 | 198.51.100.0/24 | Documentation examples (TEST-NET-2) | 256 |
| 203.0.113.0 - 203.0.113.255 | 203.0.113.0/24 | Documentation examples (TEST-NET-3) | 256 |
| 224.0.0.0 - 239.255.255.255 | 224.0.0.0/4 | Multicast - one sender, many receivers (IPTV) | 268,435,456 |
| 240.0.0.0 - 255.255.255.254 | 240.0.0.0/4 | Reserved for "future use" (never released) | 268,435,455 |
| 255.255.255.255 | 255.255.255.255/32 | Limited broadcast - everyone on the local link | 1 |
The broadcast address 255.255.255.255 is technically the last address of 240.0.0.0/4; it's listed on its own because it has its own role, and the /4 count above excludes it so nothing is counted twice.
CIDR Notation: What Does /8, /16, /24 Mean?
You may have noticed the /8, /16, /24 notation in the ranges above. This is CIDR notation (Classless Inter-Domain Routing): the number after the slash is how many leading bits of the address are fixed as the network prefix; the remaining bits vary from host to host.
/8 = first 8 bits fixed = 1st octet fixed
/16 = first 16 bits fixed = 1st and 2nd octets fixed
/24 = first 24 bits fixed = 1st, 2nd, and 3rd octets fixed
/32 = all 32 bits fixed = a single IP
Practical example:
```
192.168.1.0/24 means:

192.168.1.XXX
└───┬───┘ └┬┘
fixed (24 bits)   variable (8 bits)

Range: 192.168.1.0 to 192.168.1.255
Total: 2^8 = 256 addresses
```
```
10.0.0.0/8 means:

10.XXX.XXX.XXX
└┬┘ └────┬────┘
fixed     variable (24 bits)
(8 bits)

Range: 10.0.0.0 to 10.255.255.255
Total: 2^24 = 16,777,216 addresses
```
Quick reference table:
| CIDR | Mask | Addresses in block | Example Use |
|---|---|---|---|
| /8 | 255.0.0.0 | 16,777,216 | Large corporations |
| /16 | 255.255.0.0 | 65,536 | Medium companies |
| /24 | 255.255.255.0 | 256 | Typical home network |
| /28 | 255.255.255.240 | 16 | Small offices |
| /30 | 255.255.255.252 | 4 | Point-to-point links |
| /32 | 255.255.255.255 | 1 | A single host |
To know how many addresses are in a block: 2^(32 - CIDR)
- /24 = 2^(32-24) = 2^8 = 256 addresses
- /16 = 2^(32-16) = 2^16 = 65,536 addresses
- /8 = 2^(32-8) = 2^24 = 16,777,216 addresses
Two of those addresses are not assignable to hosts in a normal subnet: the first (the network address) and the last (the subnet broadcast). So a /24 gives 254 usable hosts and a /30 gives 2, which is why /30 is the classic point-to-point size.
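The arithmetic above as a small calculator, an example added here rather than code from the original post. It implements the mask, network, broadcast and 2^(32 - CIDR) formulas with plain integer operations (no `ipaddress` module) so each step stays visible; the function names `ip_to_int`, `cidr_info` and `contains` are mine.

```python
# Added example (not from the original post): the /prefix arithmetic above as code.
# Pure integer math so each step of the formula is visible; no ipaddress module.

ALL_ONES = 0xFFFFFFFF


def ip_to_int(ip: str) -> int:
    """'192.168.1.1' -> 0xC0A80101: each octet is one byte of the 32-bit value."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {ip!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {ip!r}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int: 0xC0A80101 -> '192.168.1.1'."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_cidr(cidr: str):
    """'10.0.0.0/8' -> (network as int, mask as int, prefix length)."""
    ip, sep, plen = cidr.partition("/")
    prefix = int(plen) if sep else 32            # a bare address is a /32
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range in {cidr!r}")
    mask = (ALL_ONES << (32 - prefix)) & ALL_ONES  # /24 -> 0xFFFFFF00 = 255.255.255.0
    return ip_to_int(ip) & mask, mask, prefix


def cidr_info(cidr: str) -> dict:
    """Everything the quick-reference table lists for one block, plus the usable host count."""
    network, mask, prefix = parse_cidr(cidr)
    total = 1 << (32 - prefix)                   # 2^(32 - CIDR)
    return {
        "network": int_to_ip(network),
        "mask": int_to_ip(mask),
        "broadcast": int_to_ip(network | (~mask & ALL_ONES)),
        "total": total,
        # Network and broadcast addresses are not assignable to hosts in /30 and larger
        # blocks; /31 point-to-point links (RFC 3021) and /32 use every address.
        "usable_hosts": total - 2 if prefix <= 30 else total,
    }


def contains(cidr: str, ip: str) -> bool:
    """True when ip falls inside cidr, i.e. the bits under the mask are identical."""
    network, mask, _ = parse_cidr(cidr)
    return (ip_to_int(ip) & mask) == network


if __name__ == "__main__":
    for block in ("192.168.1.0/24", "10.0.0.0/8", "100.64.0.0/10", "203.0.113.0/30"):
        print(block, cidr_info(block))
    print(contains("100.64.0.0/10", "100.127.255.255"))  # last CGNAT address: inside
    print(contains("100.64.0.0/10", "100.128.0.0"))      # one past the block: outside
```

`contains` is the same test a router performs on every packet, and the same one you can use on a WAN address to see whether it sits in the 100.64.0.0/10 CGNAT block discussed later.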
What Matters to You?
Of the blocks in the table, three are the ones you encounter daily, the private ranges defined in RFC 1918:
| Range | Capacity | Where You Find It |
|---|---|---|
| 10.X.X.X | 16 million IPs | Companies, data centers, corporate VPNs |
| 172.16.X.X | 1 million IPs | Medium corporate environments |
| 192.168.X.X | 65 thousand IPs | Home networks, small offices |
Why is 192.168.X.X the default on network equipment?
Routers, modems, and access points sold to the public come factory-configured with 192.168.0.x or 192.168.1.x because:
- 65 thousand IPs is far more than any home needs
- Consumer equipment is built around a single /24 (254 usable hosts), which is already more devices than it handles comfortably
- It's an industry convention that simplifies configuration and technical support
- ISP modems and most consumer network devices ship with this default
If you open your router or modem interface now, you'll probably see 192.168.0.1 or 192.168.1.1 as the default gateway. Switching to another block such as 10.X.X.X/8 is perfectly possible (see the note on ISP CGNAT ranges further down before you do).
How Many IPs Are Really Public?
Let's calculate, roughly, what's left after the reserved blocks.
```
Total IPv4:                                4,294,967,296

Subtracting reserved:
- 0.0.0.0/8 (this network):                  -16,777,216
- 10.0.0.0/8 (private):                      -16,777,216
- 100.64.0.0/10 (CGNAT):                      -4,194,304
- 127.0.0.0/8 (loopback):                    -16,777,216
- 169.254.0.0/16 (link-local):                   -65,536
- 172.16.0.0/12 (private):                    -1,048,576
- 192.0.0.0/24 (IETF):                              -256
- 192.0.2.0/24 (TEST-NET-1):                        -256
- 192.88.99.0/24 (6to4):                            -256
- 192.168.0.0/16 (private):                      -65,536
- 198.18.0.0/15 (benchmark):                    -131,072
- 198.51.100.0/24 (TEST-NET-2):                     -256
- 203.0.113.0/24 (TEST-NET-3):                      -256
- 224.0.0.0/4 (multicast):                  -268,435,456
- 240.0.0.0/4 (reserved, minus broadcast):  -268,435,455
- 255.255.255.255 (broadcast):                        -1
                                           -------------
Total reserved:                              592,708,864

Available public IPs:                      3,702,258,432
(approximately 3.7 billion)
```
Beyond the blocks above, there are IPs allocated to organizations that never used them, DoD (US Department of Defense) blocks that aren't publicly routed, and fragmented IPs that can't be efficiently aggregated. The real number of usable public IPs is even smaller.
In practice, far fewer than 4 billion usable public IPs remain. And with billions of connected devices, there's not enough for everyone.
The problem is that nobody predicted we would have:
- Billions of smartphones
- Computers in every home
- Smart TVs, refrigerators, smart bulbs
- Security cameras, IoT sensors
- Servers, data centers, cloud computing
IPv4 has officially run out. IANA (Internet Assigned Numbers Authority) handed its last free /8 blocks to the regional registries in 2011, and the regional registries have since exhausted their own free pools (RIPE NCC, which serves Europe, ran dry in 2019).
NAT: The First Solution
Even before IPv4 ran out, it was already clear there wouldn't be a public IP for everyone. The solution was NAT (Network Address Translation).
The network gateway (usually the router) is the device that performs the NAT function. It's responsible for translating the private IP addresses of your internal network to the public IP address you received from the ISP, and vice versa. That's why the router sits "between" your local network and the internet.
How Home NAT Works
Your modem/router at home uses NAT. You have one public IP from the ISP (in this example, 189.10.20.30) and several private IPs internally.
How it works: imagine three devices accessing websites at the same time (all on port 443 - HTTPS):
| Device | Internal IP | Local Port | Destination | Destination Port |
|---|---|---|---|---|
| PC | 192.168.0.10 | 52431 | google.com | 443 |
| Phone | 192.168.0.11 | 48712 | youtube.com | 443 |
| Smart TV | 192.168.0.12 | 61204 | netflix.com | 443 |
The router creates a NAT table to track each connection (the router's public IP here is 189.10.20.30):
| External Port | Internal IP:Port | Destination |
|---|---|---|
| 50001 | 192.168.0.10:52431 | google.com:443 |
| 50002 | 192.168.0.11:48712 | youtube.com:443 |
| 50003 | 192.168.0.12:61204 | netflix.com:443 |
What happens:
- PC accesses google.com:443 → Router rewrites the source to 189.10.20.30:50001 and records the mapping
- Google responds to 189.10.20.30:50001 → Router checks the table → Forwards to 192.168.0.10:52431
- Same process for the phone (port 50002) and the TV (port 50003)
All devices share the same public IP, but each connection uses a different external port. This is how dozens of devices browse simultaneously with just one IP.
To do this NAT at home, we use the private IPs mentioned earlier (192.168.X.X, 172.16.X.X, or 10.X.X.X).
NAT with Modem and Private Router
Many people prefer to use their own router instead of the ISP's equipment, whether for more features, better Wi-Fi, or greater control over the network. In this case, there are two possible configurations:
Scenario 1: Double NAT
If you simply connect your router to the LAN port of the ISP's modem, you'll have two devices doing NAT - which can cause problems:
Double NAT Problems:
- Port forwarding needs to be configured on both devices
- Some services don't work well (VoIP, games, VPN)
- More complexity for troubleshooting
- Slightly higher latency
Scenario 2: Modem in Bridge Mode (ideal)
The best solution is to put the ISP's modem in bridge mode. In this mode, the modem doesn't do NAT - it just converts the signal (fiber/coaxial to Ethernet) and passes the connection through. Your router receives the public IP directly:
Advantages of Bridge Mode:
- Single NAT - your router receives the public IP directly
- Port forwarding configured only on your router
- Better performance for games and VoIP
- Total control of your network
Not all ISP modems allow bridge mode. Some block this option or require you to call the support center to request it.
Services that may stop working in bridge mode:
- VoIP Phone - The ISP's landline phone usually uses the modem to work. In bridge mode, voice service stops working
- Pay TV (IPTV) - TV services that use the same internet connection (IPTV) depend on the modem to receive the multicast signal
- Modem Wi-Fi - The modem's integrated Wi-Fi is disabled in bridge mode
If you use a landline phone or TV from the ISP through the same equipment, bridge mode may not be viable. In this case, use DMZ as an alternative.
Scenario 3: DMZ (Alternative to Bridge)
When bridge mode isn't available or causes loss of services, an alternative is to configure your personal router's IP as DMZ on the modem. However, it's important to understand: DMZ doesn't eliminate the modem's NAT.
It's the same scenario as Double NAT.
What DMZ does:
The modem still does NAT, but automatically forwards ALL incoming traffic (all ports) to the device configured as DMZ. It's like "automatic port forwarding for all ports".
| Aspect | Bridge Mode | DMZ |
|---|---|---|
| NAT on modem | No | Yes |
| Your router receives | Public IP | Private IP (192.168.x.x) |
| Number of NATs | 1 (only your router) | 2 (double NAT) |
| Port forwarding works | Yes, only on your router | Yes, only on your router |
| Performance | Better | Slightly worse |
DMZ is a good alternative when:
- Bridge mode isn't available on the modem
- You don't want to manually configure port forwarding on the modem
- You need a quick solution that "just works"
Summary: Bridge is ideal (single NAT), DMZ is an acceptable workaround (still double NAT, but with automatic forwarding). One security point about DMZ: the modem now delivers every unsolicited packet from the internet to your router's WAN interface, so make sure the router's own administration page, SSH, UPnP and anything else listening on that interface are not reachable from the WAN side, and keep only the inbound rules you actually need.
CGNAT: NAT on Top of NAT
With IPv4 exhausted, ISPs needed to connect more customers than available public IPs. The solution was to apply NAT again, now in their infrastructure.
CGNAT = Carrier-Grade NAT (ISP-level NAT).
Three different configurations, same problem:
| Location | Configuration | Internal NATs | IP received from ISP |
|---|---|---|---|
| Home 1 | Modem only | 1 (modem) | 100.64.1.10 (CGNAT) |
| Office | Bridge modem + router | 1 (router) | 100.64.1.11 (CGNAT) |
| Home 2 | DMZ modem + router | 2 (modem + router) | 100.64.1.12 (CGNAT) |
Regardless of internal configuration, all homes receive an IP from the CGNAT range (100.64.x.x) and share the same public IP (189.10.20.30) on the internet.
What happens:
- Your home receives an address from 100.64.0.0/10 (shared address space reserved for CGNAT), which is not routable on the public internet
- Several homes (sometimes hundreds) share the same public IP
- The ISP does NAT again before going out to the internet
Since hundreds of users share the same public IP, if any of them does something that results in IP blocking, everyone is affected.
Common scenarios:
- A neighbor participates in a DDoS attack (even unknowingly, with an infected machine)
- Someone sends spam or does aggressive scraping
- Mass login attempts (brute force)
- Suspicious activities that trigger security systems
Result: You, working from home, suddenly can't access:
- Service APIs (Google, GitHub, AWS)
- Sites with anti-bot protection (Cloudflare, reCAPTCHA)
- Streaming services that block suspicious IPs
- Remote work platforms
And the worst part: you did nothing wrong, but you're "paying" for the behavior of another user who shares the same IP.
Reserved Range for CGNAT (RFC 6598)
100.64.0.0 - 100.127.255.255 (/10)
Total: 4,194,304 addresses (about 4 million) for internal ISP use
If your router shows a WAN IP anywhere between 100.64.x.x and 100.127.x.x, you're behind CGNAT.
The 100.64.0.0/10 range is officially designated for CGNAT, but not mandatory. Some ISPs use other private ranges:
- 10.0.0.0/8 - Common in smaller or older ISPs
- 172.16.0.0/12 - Less common, but happens
Problem: If the ISP uses 10.x.x.x for CGNAT and you use 10.x.x.x on your internal network, there may be address conflicts and routing problems.
Tip: If you use your own router, prefer to use 192.168.X.X internally to avoid conflicts with possible ISP CGNAT ranges.
How to Know if You're Behind CGNAT
Method 1: Check the IP Range
If your router's WAN IP is in one of these ranges, it's CGNAT:
- 100.64.0.0 - 100.127.255.255 (the official CGNAT range)
- 10.x.x.x (some ISPs use it; see the caveat below)
Access your modem/router interface and check the WAN IP (also labelled external or public IP). If it starts with one of these, you're behind CGNAT. One caveat: if your own router is connected behind the ISP's modem (double NAT), its WAN IP is a private address handed out by the modem, usually 192.168.x.x, which says nothing about CGNAT; look at the WAN IP on the ISP's device instead.
Method 2: Compare WAN IP with Public IP
Compare the IP your router shows as WAN with the IP the internet sees:
```bash
# Check your public IP via internet
curl ifconfig.me
```
If the router's WAN IP differs from the IP returned by the command, something at the ISP is translating your traffic: you're behind CGNAT. Run the comparison against the WAN IP of the ISP's device; if your own router sits behind the ISP's modem (double NAT), its WAN IP is just the private address the modem handed out.
Method 3: Traceroute
```bash
traceroute 8.8.8.8
```
If a hop after your own router (hop 1) shows an address in 100.64.x.x - 100.127.x.x, that's the ISP's CGNAT box. A 10.x.x.x hop on its own is weaker evidence: some ISPs number internal links with private addresses even when they give you a public IP, so confirm with Method 2.
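The three checks as one script, added as an example and not part of the original post. It uses only the standard library (`ipaddress`, `re`); the traceroute text is constructed to look like Linux `traceroute` output rather than captured from a real link, and function names such as `wan_verdict` and `diagnose` are mine. Hop 1 is skipped because that is your own router, and a 10.x.x.x hop is reported as "private" rather than as proof of CGNAT, for the reason given above.

```python
# Added example (not from the original post): the three checks from this section as code.
# Standard library only. The traceroute output below is constructed, not captured.
import ipaddress
import re

SHARED = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598: exists only for CGNAT
RFC1918 = tuple(ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def wan_verdict(addr: str) -> str:
    """Method 1: what an address on the ISP-facing interface says by itself."""
    ip = ipaddress.ip_address(addr)
    if ip in SHARED:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"   # CGNAT on 10/8, or simply double NAT behind an ISP modem
    return "public"


def behind_cgnat(wan_ip: str, public_ip: str) -> bool:
    """Method 2: the ISP gave you one address, the internet sees another."""
    return ipaddress.ip_address(wan_ip) != ipaddress.ip_address(public_ip)


# Hop number, then the first dotted quad on the line; '* * *' lines carry no address.
HOP_RE = re.compile(r"^\s*(\d+)\s+.*?(\d{1,3}(?:\.\d{1,3}){3})")


def suspicious_hops(traceroute_output: str) -> list:
    """Method 3: hops beyond your own router that sit in shared or private space."""
    found = []
    for line in traceroute_output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, addr = int(m.group(1)), m.group(2)
        if hop == 1:
            continue       # hop 1 is your own router; a private address there is normal
        verdict = wan_verdict(addr)
        if verdict != "public":
            found.append((hop, addr, verdict))
    return found


def diagnose(wan_ip: str, public_ip: str, traceroute_output: str = "") -> list:
    """Combine the methods; an empty list means no sign of CGNAT."""
    reasons = []
    verdict = wan_verdict(wan_ip)
    if verdict == "cgnat":
        reasons.append(f"WAN address {wan_ip} is in 100.64.0.0/10 (RFC 6598)")
    elif verdict == "private":
        reasons.append(f"WAN address {wan_ip} is RFC 1918: CGNAT on 10/8, or double NAT; "
                       "check the ISP's device")
    if behind_cgnat(wan_ip, public_ip):
        reasons.append(f"WAN address {wan_ip} differs from public address {public_ip}")
    hops = suspicious_hops(traceroute_output)
    if hops:
        reasons.append("non-public hops after your router: "
                       + ", ".join(f"{h}:{a} ({v})" for h, a, v in hops))
    return reasons


# Constructed sample, not real output; addresses follow the post's own examples.
SAMPLE_TRACEROUTE = """\
 1  _gateway (192.168.0.1)  0.512 ms  0.498 ms  0.470 ms
 2  100.64.0.1 (100.64.0.1)  8.103 ms  8.066 ms  8.041 ms
 3  * * *
 4  189.10.20.1 (189.10.20.1)  12.334 ms  12.301 ms  12.270 ms
 5  dns.google (8.8.8.8)  14.902 ms  14.871 ms  14.840 ms
"""

if __name__ == "__main__":
    for reason in diagnose("100.64.1.10", "189.10.20.30", SAMPLE_TRACEROUTE):
        print("-", reason)
    print(diagnose("189.10.20.30", "189.10.20.30"))   # public IP, no CGNAT: []
```

In practice you feed `diagnose` the WAN address from the ISP device's status page, the output of `curl ifconfig.me`, and the output of `traceroute 8.8.8.8`; three reasons means every method agrees, an empty list means you have a public IP.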
The Problem for Those Who Want to Expose Services
With CGNAT, you cannot receive unsolicited incoming connections: the ISP's NAT has no table entry for them, so they are dropped before they ever reach your router. This directly affects:
Without CGNAT (works):
Internet → Your Public IP → Router → Camera
With CGNAT (doesn't work):
Internet → Shared IP → ??? → How to reach YOU?
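To make the two tables concrete, here is the home NAT table from earlier with the ISP's CGNAT stacked on top of it as a toy simulation, added as an example and not code from the original post. `Nat`, `Packet` and `scenario` are my names; 203.0.113.5 (TEST-NET-3) stands in for google.com and 198.51.100.7 for a stranger on the internet. It shows the reply path working back through both tables, and an unsolicited connection to a forwarded port being dropped at the ISP, which no port forward on your own router can fix.

```python
# Added example, not code from the original post: a toy NAPT table, then two of them in
# series (home router + ISP CGNAT), to show why replies get back in but unsolicited
# connections never do. 203.0.113.5 (TEST-NET-3) stands in for google.com.
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")


class Nat:
    """One NAPT device: traffic leaving gets the outside address and a fresh external port."""

    def __init__(self, name, outside_ip, first_port=50001):
        self.name = name
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.table = {}     # external port -> the flow as seen on the inside
        self.by_flow = {}   # inside flow -> external port (a live flow keeps its mapping)
        self.forwards = {}  # external port -> (inside ip, port): port forwarding / DMZ

    def forward_port(self, external_port, inside_ip, inside_port):
        self.forwards[external_port] = (inside_ip, inside_port)

    def outbound(self, pkt):
        """Inside -> outside: rewrite the source and remember how to undo it."""
        port = self.by_flow.get(pkt)
        if port is None:
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[port] = pkt
            self.by_flow[pkt] = port
        return pkt._replace(src_ip=self.outside_ip, src_port=port)

    def inbound(self, pkt):
        """Outside -> inside: only a reply to a known flow or a configured forward gets through."""
        flow = self.table.get(pkt.dst_port)
        if flow and (flow.dst_ip, flow.dst_port) == (pkt.src_ip, pkt.src_port):
            return pkt._replace(dst_ip=flow.src_ip, dst_port=flow.src_port)
        if pkt.dst_port in self.forwards:
            inside_ip, inside_port = self.forwards[pkt.dst_port]
            return pkt._replace(dst_ip=inside_ip, dst_port=inside_port)
        return None  # no entry: dropped. This is the whole CGNAT problem.


def send_out(nats, pkt):
    """Inside-out through every NAT in order (home router first, then the ISP's CGNAT)."""
    for nat in nats:
        pkt = nat.outbound(pkt)
    return pkt


def send_in(nats, pkt):
    """Outside-in; the first NAT without a matching entry drops the packet."""
    for nat in reversed(nats):
        pkt = nat.inbound(pkt)
        if pkt is None:
            return None
    return pkt


def scenario():
    home = Nat("home-router", outside_ip="100.64.1.10")  # WAN side sits in CGNAT space
    carrier = Nat("isp-cgnat", outside_ip="189.10.20.30", first_port=20000)
    home.forward_port(8080, "192.168.0.20", 80)          # the camera behind the router
    chain = [home, carrier]

    # The PC opens google.com:443; each NAT rewrites the source in turn.
    on_wire = send_out(chain, Packet("192.168.0.10", 52431, "203.0.113.5", 443))
    # The reply targets the ISP's public IP and walks back through both tables.
    reply = send_in(chain, Packet("203.0.113.5", 443, on_wire.src_ip, on_wire.src_port))
    # A stranger (198.51.100.7) tries the camera's forwarded port on the shared public IP.
    knock = Packet("198.51.100.7", 40000, "189.10.20.30", 8080)
    # Same router, but with the public IP on its own WAN port (no CGNAT in front of it).
    direct = Nat("home-router", outside_ip="189.10.20.30")
    direct.forward_port(8080, "192.168.0.20", 80)
    camera = send_in([direct], knock)
    return {
        "on_wire": (on_wire.src_ip, on_wire.src_port),
        "reply_delivered_to": (reply.dst_ip, reply.dst_port),
        "camera_with_cgnat": send_in(chain, knock),          # None: dropped at the ISP
        "camera_without_cgnat": (camera.dst_ip, camera.dst_port),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The `inbound` check also requires the packet to come from the same remote endpoint the flow was opened to, which is how most home routers behave; that detail is what makes "hole punching" tricks for P2P games fragile, and it is one reason the table lists NAT type problems for them.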
Specific Problems
| Service | Problem with CGNAT |
|---|---|
| Port forwarding | Doesn't work - the port is at the ISP, not with you |
| DDNS | Useless - the public IP isn't yours |
| VPN server | Impossible to receive connections |
| IP Cameras | External access blocked |
| P2P Games | NAT type 3 (restricted), lag, disconnections |
| Torrent | Low speed, few peers |
Solutions
1. Request Public IP from ISP
The first option is to call the ISP and request a public IP. Responses vary:
| ISP Response | What It Means |
|---|---|
| Dynamic public IP | You exit CGNAT and receive a public IP that changes periodically. Solves the problem - use DDNS to maintain access |
| Static public IP | Rare for residential plans, usually only in business plans or with additional fee |
| Port opening on CGNAT | The ISP configures port forwarding on their CGNAT server for your connection. Works, but limited to specific ports |
| We don't offer | Some ISPs simply don't have this option |
Call the ISP and ask to "exit CGNAT" or request a "valid public IP". Arguments that usually work:
- "I need it for security cameras"
- "I use it for remote work / home office"
- "I need to access my network remotely"
If they refuse the public IP, ask if they can open specific ports on the CGNAT.
When the ISP "opens a port" for you on CGNAT, they're configuring port forwarding on the CGNAT server that redirects traffic from that port to your connection.
It's better than nothing, but having your own public IP is still the ideal solution.
If your ISP doesn't offer a public IP, research other options in your area. When contracting a new service:
- Confirm in writing (chat, email, or recording) that the plan includes a public IP
- Keep the evidence - service protocols and conversations
- Demand what was promised - if they don't comply, you have grounds for a complaint with regulatory agencies.
2. Use IPv6
IPv6 has far more addresses than there are grains of sand on the planet:
```
IPv6: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
Format: 128 bits
Total: 2^128 = 340 undecillion (3.4 × 10^38)
```
If your ISP offers native IPv6:
```bash
# Check if you have IPv6
curl -6 ifconfig.me
```
Problem: not every place you want to connect from has IPv6. And no NAT does not mean no firewall: home routers block unsolicited inbound IPv6 by default, so you still need an allow rule for the device and port you want to expose.
3. Tunnels and Relay Services
The most elegant solution for CGNAT is to use reverse tunnels. The concept is simple: since you can't receive incoming connections, you initiate an outgoing connection to an external server that acts as an intermediary, and that server receives connections on your behalf.
Cloudflare Tunnel (free)
Cloudflare Tunnel allows you to expose HTTP/HTTPS services without opening ports on the router. The `cloudflared` agent on your server opens an outbound connection to Cloudflare's edge; visitors reach your hostname at Cloudflare, and Cloudflare relays each request back through that connection.
Why it works with CGNAT?
- The tunnel is created via an outgoing connection (your server connects to Cloudflare)
- Outgoing connections work normally, even behind CGNAT
- The `cloudflared` agent needs to be running continuously on your server
- Users access through the domain configured on Cloudflare
Tailscale / ZeroTier (VPN mesh)
Creates a virtual private network between your own devices, regardless of where they are:
All devices with Tailscale/ZeroTier installed see each other as if they were on the same local network.
Tailscale and ZeroTier don't expose services to the public internet. Third parties would need to install the client and be part of your network to access.
When to use each solution:
| Need | Solution |
|---|---|
| Access your home from your phone/laptop | Tailscale / ZeroTier |
| Allow anyone to access a service | Cloudflare Tunnel |
| Share with specific friends/family | Tailscale (adding to network) |
Tailscale has a feature called Tailscale Funnel that allows public service exposure, but it's a separate feature from the basic VPN mesh.
4. VPS as a Bridge
If you have a VPS (virtual server) with a public IP, you can create a reverse SSH tunnel. Your home server connects to the VPS, and the VPS redirects traffic back through the tunnel.
It's a more technical solution, but works well for those who already have their own infrastructure.
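The mechanism that Cloudflare Tunnel, a reverse SSH tunnel and a VPS bridge all rely on, stripped to its essentials as an added example; this is not Cloudflare's or OpenSSH's code and not from the original post. The `Relay` class plays the VPS, `run_agent` the machine behind CGNAT and `home_service` the camera or web server; all three run on 127.0.0.1 with ephemeral ports so the script works offline, and the "one spare tunnel per visitor" scheme is a simplification of how real agents multiplex many connections over one. Note that this relay trusts whoever connects to its control port; a real deployment authenticates the agent (SSH keys for `ssh -R`, the tunnel token for `cloudflared`).

```python
# Added example, not from the original post nor Cloudflare's or OpenSSH's code: the principle
# behind Cloudflare Tunnel and "ssh -R" in stdlib Python. The home side never accepts a
# connection; it dials OUT to the relay (the VPS) and keeps one idle tunnel ready.
import queue
import socket
import threading

def serve_forever(srv, on_conn):
    """Hand each accepted connection to on_conn in its own thread until the listener closes."""
    while True:
        try:
            conn = srv.accept()[0]
        except OSError:
            return
        threading.Thread(target=on_conn, args=(conn,), daemon=True).start()

def listen(on_conn):
    """Loopback listener on an ephemeral port, served in the background; returns the port."""
    srv = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=serve_forever, args=(srv, on_conn), daemon=True).start()
    return srv.getsockname()[1]

def pipe(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the other direction can finish."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def bridge(a, b):
    """Relay bytes both ways between two connected sockets, then close both."""
    t = threading.Thread(target=pipe, args=(a, b), daemon=True)
    t.start()
    pipe(b, a)
    t.join()
    a.close()
    b.close()

class Relay:
    """The VPS: the home agent dials control_port; visitors on the internet dial public_port."""
    def __init__(self):
        self.spares = queue.Queue()  # idle tunnels the home agent has opened towards us
        self.control_port = listen(self.spares.put)
        self.public_port = listen(self.serve)

    def serve(self, visitor):
        try:
            tunnel = self.spares.get(timeout=5)  # no agent online: nothing to forward to
        except queue.Empty:
            return visitor.close()
        bridge(visitor, tunnel)  # the visitor's bytes go DOWN a tunnel the agent opened

def run_agent(relay_host, control_port, service_host, service_port):
    """Home side (behind CGNAT): keep one outbound spare tunnel; when the relay pushes a
    visitor's first bytes down it, connect to the local service, bridge, open the next spare."""
    while True:
        try:
            spare = socket.create_connection((relay_host, control_port))
            first = spare.recv(4096)  # blocks until a visitor shows up or the relay closes
        except OSError:
            return  # relay unreachable; a real agent would sleep and retry
        if not first:
            spare.close()
            continue

        def serve(tunnel=spare, head=first):
            local = socket.create_connection((service_host, service_port))
            local.sendall(head)
            bridge(tunnel, local)
        threading.Thread(target=serve, daemon=True).start()

def home_service(conn):
    """Stand-in for the camera or web server at home: answer one request, then close."""
    with conn:
        conn.sendall(b"home-server says: got " + conn.recv(4096))

def visit(host, port, message):
    """Someone on the internet: connect to the VPS's public port and read the reply to EOF."""
    with socket.create_connection((host, port)) as s:
        s.sendall(message)
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)

def demo(messages=(b"ping", b"pong")):
    """Wire relay, agent and home service together on localhost; return each visitor's reply."""
    relay = Relay()
    home_port = listen(home_service)
    args = ("127.0.0.1", relay.control_port, "127.0.0.1", home_port)
    threading.Thread(target=run_agent, args=args, daemon=True).start()
    return [visit("127.0.0.1", relay.public_port, m) for m in messages]
```

`demo()` returns the replies two "internet visitors" got from the home service even though nothing at home ever listened for them: every connection the agent makes is outbound, which is exactly what CGNAT still allows. Worker threads are daemons, so the demo simply ends with the process. With `ssh -R` the VPS's sshd plays `Relay` and the SSH client plays `run_agent`; with Cloudflare Tunnel, Cloudflare's edge and `cloudflared` take those roles.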
Why Do ISPs Use CGNAT?
Economic Reasons
- IPv4 is expensive: Blocks of public IPs are sold on the secondary market for increasingly higher prices
- Economies of scale: 1 public IP for hundreds of customers = massive savings in IPs
Technical Reasons
- IPv4 ran out: There are no more IPs to distribute
- IPv6 didn't catch on: Slow adoption, many sites still don't support it
- Works for 95% of users: Netflix, YouTube, social networks work normally
IPv6: The Definitive Solution
IPv6 solves the problem permanently:
IPv4: 4 billion addresses (ran out)
IPv6: 340,000,000,000,000,000,000,000,000,000,000,000,000 addresses
With IPv6, each device can have its own public IP. No NAT needed.
Why haven't we migrated yet?
- Legacy equipment without support
- Infrastructure update cost
- "It works like this, why change?"
- Lack of market pressure
Summary
| Situation | Can receive connections? | Solution |
|---|---|---|
| Public IP (no NAT) | Yes | Ideal |
| Simple NAT (public IP on router) | Yes, with port forward | Configure router |
| CGNAT | No | Request public IP, tunnels, VPN mesh |
| Native IPv6 | Yes, once the router's firewall allows the inbound port | Use if available |
If you need to access home services remotely, the first thing to do is check if you're behind CGNAT. If you are, the options are:
- Request a public IP from the ISP (best option if available)
- Use tunnels like Cloudflare Tunnel or Tailscale (they work from behind any NAT, because the connection is outbound)
- Wait for IPv6 to become universal (may take years)
The good news is that solutions exist. The bad news is that CGNAT is here to stay until the world migrates to IPv6.