Chuck Carroll


How to Tell If You're Behind a CGNAT

Published 2024-12-21

Carrier-Grade Network Address Translation (or CGNAT) is a form of NAT used by ISPs to manage the IPv4 addresses they're assigned. Essentially, it allows the ISP to assign a single IPv4 address to multiple customers.

There are a few reasons why some ISPs do this, but it's primarily due to the limited availability of IPv4 addresses. There are only 4.3 billion possible unique IPv4 addresses, so CGNAT helps alleviate the shortage while IPv4 is phased out in favor of IPv6, which has 340 trillion trillion possible addresses. It's also more cost effective for ISPs, since it means they can acquire fewer addresses from the Regional Internet Registry (RIR).

Although this method of IPv4 addressing is understandable from a network management perspective, there are several drawbacks to CGNAT from a user perspective. For someone like myself who runs a home lab, it creates challenges when trying to access resources on my home network remotely. For example, it would be impossible to set up a WireGuard VPN to access my home network if my ISP was using CGNAT (luckily for me, they're not). It can also disrupt peer-to-peer connections, such as gaming, due to the way it handles connections and port mappings.

CGNAT is mostly used in wireless carrier networks (4G, 5G, etc.) but can also be found on fixed broadband networks like Comcast and even smaller ISPs.

You can usually tell you're behind a CGNAT if your IP address is in a private IPv4 address range such as 10.X.X.X, 172.16-31.X.X, or 192.168.X.X (the RFC 1918 ranges). Also, in 2012 IANA allocated 100.64-127.X.X for ISPs to use in CGNAT scenarios (RFC 6598). Check your IP address here.

Another method is to run traceroute against your public-facing IP address, for example, traceroute 204.212.83.101. If there's more than one hop, then you're likely behind a CGNAT. However, if there's only a single hop to your router/gateway, then you have a public IP address.
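Both checks above can be scripted. The following is an added example, not code from the original post: it assumes the address you test is the WAN-side address your router reports, and the function names and the sample traceroute output are constructed for illustration.

```python
import ipaddress
import re

# Ranges named in the article: RFC 1918 private space and RFC 6598 shared space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC6598 = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample: traceroute to the article's example address.
SAMPLE_TRACE = """traceroute to 204.212.83.101 (204.212.83.101), 30 hops max
 1  192.168.1.1  0.412 ms  0.380 ms  0.351 ms
 2  100.72.0.1  8.914 ms  9.102 ms  8.877 ms
 3  204.212.83.101  9.530 ms  9.411 ms  9.620 ms
"""


def classify_wan(addr):
    """Return 'rfc6598', 'rfc1918' or 'public' for a WAN-side IPv4 address."""
    ip = ipaddress.IPv4Address(addr)
    if ip in RFC6598:
        return "rfc6598"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "public"


def count_hops(traceroute_output):
    """Count numbered hop lines; the header line and blank lines are skipped."""
    return sum(1 for line in traceroute_output.splitlines()
               if re.match(r"\s*\d+\s", line))


def cgnat_signals(wan_addr, traceroute_output=None):
    """Return the list of CGNAT indicators found; an empty list means none."""
    signals = []
    kind = classify_wan(wan_addr)
    if kind == "rfc6598":
        signals.append("WAN address is in 100.64.0.0/10 (RFC 6598)")
    elif kind == "rfc1918":
        signals.append("WAN address is in a private range (RFC 1918)")
    if traceroute_output is not None and count_hops(traceroute_output) > 1:
        signals.append("more than one hop to the public-facing address")
    return signals


if __name__ == "__main__":
    print(cgnat_signals("100.72.14.9", SAMPLE_TRACE))
```

An RFC 1918 result can also come from a second router of your own sitting upstream, which is why the article says "usually"; an address in 100.64.0.0/10 is the more specific indicator.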

If you're unfortunate enough to be behind a CGNAT, you can sometimes request a static IP from your ISP (usually at a cost). However, there are options to access resources on your home network, such as using a Cloudflare Tunnel.

Thanks for reading. Feel free to send comments, questions, or recommendations to hey@chuck.is.