Cloudflared vs CGNAT Part 3 CGNAT Greed

Published on April 18, 2023 at 7:04 am by LEW


A few Internet Service Providers (ISP) have valid technical reason for how they do Carrier Grade Network Address Translation (CGNAT). For the majority, to quote the bard (Jimmy Buffett) “it’s a matter of simple greed”. Let me explain.

I have discussed CGNAT here and here. So I don’t want to spend a lot of space repeating myself in this post. Instead I want to focus on why CGNAT is a bad thing, and why perfectly valid ISP solutions and workarounds are not implemented.

Quick Look CGNAT

However for those who do not want to look at old posts, here is a quick short summery repeat.

CGNAT Example

Your ISP uses routers, just like you do. To deal with the exhaustion of IPv4 addresses, An ISP implements NAT on their routers. This is CGNAT plain and simple.

The major problem is that while you have physical and network control of your router allowing you to forward ports to the Internet, you have neither with your ISP router and no ability to forward ports to the internet. we discussed port forwarding in the previous post about NAT.

Disadvantages of CGNAT

To be fair, the disadvantages of CGNAT can to a large extent be mitigated by the ISP, provided they are willing to do so. And in some cases there are good reasons the ISP does not use certain mitigations. But unfortunate there are also business reasons that many mitigations are not implemented. And most  business reasons can be distilled down to greed, plain and simple.

CGNAT Workarounds

IPV6: The biggest workaround for CGNAT is to go to IPv6. An argument can be made for CGNAT still being needed as long as there are IPv4 users that would need translations across a IPv6 network. However industrial Ipv6 equipment is expensive, and requires expensive infrastructure changes. Financially, especially for a small ISP, the cost is a major consideration in the business model.

Selling Static Public IPv4 addressees: While this is a reasonable method, because not everyone will require or want a static IPv4 address, this is one placed where an ISP can get greedy. I do not, in principle,  object for charging more of a serviced like this as long as the charges are reasonable. However when an ISP wants you to have a business account and then charge additional on top of that for a static IPv4 address, that is greed. Instead of adding maybe 5% to your bill, you are suddenly paying ten or more times as much.

Port Control Protocol (PCP): A suit of protocols that would let end users control some ports, minimizing this particular disadvantage. PCP is rarely implemented. To a certain extent many vendors do not natively support PCP on their equipment. However this is only a partial excuse as it can also be implemented in the ISP software separate from vendor equipment. The associated costs are not prohibitive either. However doing this would limit the market for static IP addresses. There are long term business advantages in markets where every ISP uses CGNAT to increase your customer base, but since it is long term it probably rarely comes up in the corporate board room.

VPN Tunneling: The one option that is really under user control, and the subject of the final post in this series. However setting up a VPN can be somewhat complicated and not for the faint of heart. Most VPN providers offer the service as part of their package.


We have discussed the problems with CGNAT, and some possible workarounds in this post.

I have personally tried using the ExpressVPN method for tunneling past my ISP CGNAT. However it was complicated to setup. Not particularity hard, but complicated as it requires a a lot of steps. It

In the last post I will specifically touch on the Cloudflare solution. I have also set this one up and it is much simpler.

Cloudflared vs CGNAT Part 1 Packets

Cloudflared vs CGNAT Part 2 NAT Router

Cloudflared vs CGNAT Part 3 CGNAT Greed

Cloudflared vs CGNAT Part 4 Using Cloudflare




Add New Comment

Your email address will not be published. Required fields are marked *