CGNAT Detection
Detect whether your ISP has placed you behind Carrier-Grade NAT. Critical for self-hosting and port forwarding.
What is CGNAT and why should you care?
Carrier-Grade NAT (also called Large-Scale NAT or NAT444) is when your ISP shares one public IPv4 address across many customers. Instead of giving you a real public IP, they put you behind a giant NAT box, similar to what your home router does for your devices β but at the ISP scale.
The IPv4 range 100.64.0.0/10 (RFC 6598) is reserved specifically for ISPs to use for CGNAT. If your "public" IP starts with 100.64 through 100.127, you're behind CGNAT.
Symptoms of being behind CGNAT
- Port forwarding doesn't work β you don't have a unique public IP, so there's nothing to forward from. Self-hosting (game servers, home security cameras, NAS access, VPN servers) is broken.
- VoIP/SIP issues β NAT traversal can fail or be unreliable.
- Some games have issues β peer-to-peer matchmaking, console NAT type warnings.
- Remote desktop / SSH from outside β won't work directly without a tunnel.
- You appear to share an IP with hundreds of others β captchas, IP-based rate limiting, getting blocked from services for someone else's behavior.
What to do if you're behind CGNAT
- Ask your ISP for a real public IP. Usually free if you call; sometimes a small extra fee. Some ISPs require business-class service.
- Use IPv6. CGNAT only applies to IPv4. If your ISP offers IPv6 (most do now), services that support IPv6 work normally.
- Tunnel out. Services like Tailscale, ZeroTier, Cloudflare Tunnel, or a VPS+WireGuard let you reach your home network without needing a public IP on your end.
- Switch ISPs. Not every ISP uses CGNAT. Smaller fiber providers usually give real public IPs.
If you tether to your phone or use a cellular hotspot, you're almost certainly behind CGNAT. T-Mobile, Verizon, AT&T, and basically every mobile carrier uses CGNAT for cellular data. Don't try to self-host over a phone hotspot.