CGNAT: when you don't even have your own public address
Carrier-Grade Network Address Translation (CGNAT) is when an internet provider shares a single public address across many customers, applying Network Address Translation at their level rather than yours. You no longer hold a public address of your own, so inbound connections cannot reach you and port forwarding has nothing to bind to.
At a glance
What it stands for: Carrier-Grade Network Address Translation
What it does: Shares one public address across many of the provider's customers
Why it bites: You hold no public address, so port forwarding cannot work
The way around it: Reach out to a tunnel or relay instead of waiting to be reached
Comparison: Ordinary NAT versus CGNAT

                                  Ordinary NAT                        CGNAT
Who shares the public address     Your own devices                    You and many other customers
Public address you control        One, yours                          None of your own
Can port forwarding help?         Yes, you forward on your address    No, nothing of yours to forward
What is CGNAT and why does it exist?
Ordinary Network Address Translation (NAT) happens in your own router: your
devices share the one public address your provider gave you. Carrier-Grade Network
Address Translation (CGNAT) moves that same trick up a level. Public addresses are
scarce, so the provider shares a single one across many customers and applies the
translation in their own network, above your router. You get internet access, but
you do not get a public address of your own. The one on your router’s status page
is itself private, translated again before it ever reaches the open internet.
For browsing this is invisible and harmless. Everything you start reaches out
fine. The trouble only shows up the moment you want something to reach in.
Why does it break home hosting?
Port forwarding works by mapping an inbound port on your public address to a
machine inside. Under CGNAT you have no public address to map, so there is nothing
to forward from and inbound connections simply never arrive. People hit this when
a self-hosted service works on the local network and is unreachable from outside
for no obvious reason. Often the provider will hand out a real public address on
request, sometimes for a fee. When they will not, the fix is to stop waiting to be
reached: an overlay network or a tunnel has the home machine connect outward to a
meeting point, and a small rented public box can serve as the reachable front door
while the real work stays at home.
Check it yourself
curl -s ifconfig.me
If the address this prints does not match the one shown on your own router's status page, your provider is translating it again above you, the signature of CGNAT.
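The comparison described above, carried a step further as an added example (not part of the original page): it classifies the address on the router's status page and compares it with the one the internet sees. It also checks for the 100.64.0.0/10 range, which RFC 6598 reserves for provider-side translation, so an address in that range is a CGNAT signal on its own. The sample addresses are constructed; the fetch helper that queries ifconfig.me is optional and is not used by the offline checks.

```python
import ipaddress
import urllib.request

# Ranges that never appear on the open internet.
RFC1918_PRIVATE = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Shared address space that RFC 6598 reserves for CGNAT deployments.
RFC6598_SHARED = ipaddress.ip_network("100.64.0.0/10")


def classify(addr: str) -> str:
    """Label an IPv4 address by the kind of range it falls in."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return "ipv6"
    if ip in RFC6598_SHARED:
        return "shared"          # reserved for provider-side NAT
    if any(ip in net for net in RFC1918_PRIVATE):
        return "private"         # ordinary home-network space
    if ip.is_loopback or ip.is_link_local:
        return "special"
    return "public"


def diagnose(router_wan: str, internet_sees: str) -> str:
    """Compare the router's WAN address with the address a reflector reports.

    Returns "direct-public" when they match and are routable (port forwarding
    can work), "cgnat" when the WAN address sits in shared address space, and
    "cgnat-likely" when the provider is visibly translating again above the
    router. A VPN or proxy on the path can also cause a mismatch, so treat
    "cgnat-likely" as a prompt to ask the provider, not a verdict.
    """
    wan_kind = classify(router_wan)
    if wan_kind == "shared":
        return "cgnat"
    if wan_kind == "public" and router_wan == internet_sees:
        return "direct-public"
    return "cgnat-likely"


def fetch_external(url: str = "https://ifconfig.me/ip") -> str:
    """Ask a public reflector which address it sees (needs network access)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode().strip()


if __name__ == "__main__":
    # Constructed sample: shared-space WAN address behind a public provider address.
    print(diagnose("100.72.3.9", "203.0.113.7"))   # prints cgnat
```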
Behind CGNAT you can still
Browse and reach out to the internet normally
Reach home services through an overlay network
Use a tunnel or relay that connects outward to a meeting point
Rent a small public box to be your reachable front door
Behind CGNAT you cannot
Forward a port; you hold no public address to forward from
Accept a direct inbound connection to a machine at home
Run a peer-to-peer link without a relay to broker it
Assume the address on your router is the one the internet sees