Living with CGNAT

Published on March 16, 2022 at 3:08 am by LEW


I was recently exposed to something called Carrier Grade Network Address translation (CGNAT or just CGN for short). I have sort of heard about/known what it was in the back of my mind. However I recently ran up against it with my new Internet Service Provider (ISP). And of course I could find no reference to this on their web site (to many advertisements I guess).

In this post I do not want to engage in sour grapes about deceptive advertising most ISPs engage in, so I will be focusing on what CGNAT is and why it may be a problem (depending on what you are doing on line). To be fair to the IPS, CGNAT will probably not make much of a difference to ninety plus percent of their subscribers. However if you want to run a server of some sort, it can be a deal breaker.

CGNAT Defined

The below diagram should provide some idea about what CGNAT is. Note this example is strictly fictional, and is solely for expounding on the concept of CGNAT. Also note that CGNAT is a IP4 service. If you are using IP6, you can probably ignore this

Double NAT or CGNAT

In the above example, we have a private LAN using class C private IP addresses in the range of 192.168.10.X. Our gateway router performs local NAT functions, and has an IP address of Without CGNAT, our modem would have a public IP address. In our example, our ISP has instituted CGNAT, and instead of a public IP address, we get a class A private IP address, in this example All ISP subscribers will be in the same class A private address range, and an ISP router will NAT our data to a public IP address.

Why Do This

The reason touted for doing this are generally two fold; conservation of public IP4 addresses, and also another level of security. I would wonder if there is an economic factor, in that the ISP would need less public IP addresses?

Like our local NAT, the ISP NAT is basically transparent to the end user. And for normal usage, there will be no notable differences, with the possible addition of a small amount of delay being added. The issue arises when you want to run a server of some sort.

Not without Problems

In the case of a server that needsĀ  to be accessible publicly, you would normally setup port forwarding on your router. However you have zero ability to setup port forwarding on the ISP router you are behind in CGNAT.

If you have properly setup a DDNS service (a standard method of dealing with a dynamic IP address), you would find packets still being dropped at the ISP CGNAT level and never making it to your LAN.


So I am experiencing server issues due to CGNAT. From now on this will be a question I plan to ask any perspective ISP. Although I suspect it will take digging though several levels of Help before being able to actually talk with someone technical enough to answer my questions.

My first step to resolve my server issue will be to work though my ISP service department. There are work around protocols that they may be using. If that does not work, then I will nee to investigate tunneling with a VPN.

Either way, stay tuned, and I will pot a update on my progress.

Add New Comment

Your email address will not be published. Required fields are marked *