New Project: CGNAT – Reorganization

Published on April 11, 2023 at 9:49 am by LEW


I have embarked on a new project that I thought would be fairly simple, getting around Carrier Grade Network Address Translation (CGNAT). At least the method I am testing out should have been simple. Alas things are not always as we would like them to be.

Here in the States I do not have a problem with CGNAT on the land line. I get a publicly facing dynamic IP address. A situation I have dealt with in the past using a Dynamic Domain Name Service (DDNS), specifically FreeDNS (which I recommend because they have a free account, their prices on the paid accounts are reasonable, and it is fairly straightforward to use).

The problem will arise when I go back to the Philippines. Pretty much every Internet Service Provider (ISP) there is using CGNAT, and they are very slow about adopting IPv6.

To be fair, the majority of customers there really don’t have a need for public facing IP addresses. You need to be running a public facing service of some sort to need a public IP address.

Getting Around CGNAT

There are several methods for bypassing CGNAT, some more practical than others.

Probably the best method (if available) is to ask your ISP for either a static or dynamic IP address. Generally speaking they are not averse to doing this, but it will usually have some sort of monthly fee attached.

In extreme cases, like my current provider, Converge ICT, to get a public facing IP address of any sort requires a business account, with a whole order of magnitude cost increase. If they did not have better customer service (seriously better) than their competitors, I would probably look into switching. Or if they would adopt IPv6 the problem would go away.

The other method involves creating a VPN and tunneling past the CGNAT. This works because your server maintains a connection from its end to a server on the internet. CGNAT blocks any new inbound requests. But if the traffic is in response to an internal customer request, it will pass through with no problem.

So basically you create a secure communications conduit originating within your network and connecting to a server on the internet. You set it up so any query made to the public server will be forwarded through the private VPN (initiated by you) to your server behind the CGNAT.
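The forwarding idea described above, reduced to a loopback sketch; this is an added example, not code from the original post. The function names and the one-request flow are assumptions made for illustration, and it is a plain TCP relay with none of the encryption or authentication a real VPN or tunnel service adds.

```python
import socket
import threading

def listener():
    """Bind a loopback listener on an OS-chosen free port."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen()
    return s

def origin(srv):
    """Private service behind the CGNAT: answers one request."""
    conn, _ = srv.accept()
    with conn:
        conn.sendall(b"origin saw: " + conn.recv(1024))

def agent(relay_addr, origin_addr):
    """Runs inside the private network and dials OUT, which the CGNAT allows."""
    with socket.create_connection(relay_addr) as tunnel:
        request = tunnel.recv(1024)  # arrives as a reply on our own connection
        # Forward only to the single pinned origin, so nothing else is exposed.
        with socket.create_connection(origin_addr) as local:
            local.sendall(request)
            tunnel.sendall(local.recv(1024))

def relay(ctrl, public):
    """Public server: pairs the agent's tunnel with one inbound client."""
    tunnel, _ = ctrl.accept()    # connection initiated from behind the CGNAT
    client, _ = public.accept()  # unsolicited request from the internet
    with tunnel, client:
        tunnel.sendall(client.recv(1024))
        client.sendall(tunnel.recv(1024))

def demo(message=b"hello"):
    """Send one request to the relay's public port and return the reply."""
    org, ctrl, public = listener(), listener(), listener()
    threads = [
        threading.Thread(target=origin, args=(org,)),
        threading.Thread(target=relay, args=(ctrl, public)),
        threading.Thread(target=agent, args=(ctrl.getsockname(), org.getsockname())),
    ]
    for t in threads:
        t.start()
    with socket.create_connection(public.getsockname()) as client:
        client.sendall(message)
        reply = client.recv(1024)
    for t in threads:
        t.join()
    for s in (org, ctrl, public):
        s.close()
    return reply

if __name__ == "__main__":
    print(demo())
```

The origin never accepts a connection from outside; the only path to it is the connection the agent opened, which is why whatever sits at the public end of the tunnel decides who can reach your server.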

I have done this a few times through Express VPN. But the setup is somewhat long and it can get complicated.

My Methodology

What I have settled on testing this time around is the Cloudflare tunneling protocol. This is actually a free service, and from my initial review seems much simpler than setting up Express VPN for this service.

However there are going to be some problems. The main one will be the lack of a GUI on my server, meaning no browser (that makes more sense when you get into the actual procedure).

Seeing as I will be revisiting some older posts, I figure this is a great opportunity to both update and correct.


This is basically an outline of my plans for the foreseeable future. So expect to see a lot of older post updates showing up.

I would also like to follow up with videos once I have updated a specific series of posts.

We shall see how that all works out, best laid plans and all…

