Skip to main content
Available 24/7 for Emergency Support
(727) 230-8000
Geeks in Sneaks
How to Deal with CG-NAT (Carrier-Grade NAT) from Your ISP
Router & WiFiAdvanced30-45 minutes

How to Deal with CG-NAT (Carrier-Grade NAT) from Your ISP

Difficulty
Advanced
Time
30-45 minutes
Category
Router & WiFi

CG-NAT prevents port forwarding and remote access - here are your options for working around this ISP limitation.

💡What's Happening

You've set up port forwarding perfectly, but it doesn't work. You check your router's WAN IP and it starts with 100.64.x.x or 10.x.x.x instead of a real public IP address. Your ISP is using CG-NAT (Carrier-Grade NAT), which means you're sharing an IP address with other customers. This breaks port forwarding, remote access, and hosting anything from home. It's frustrating, but there are workarounds.

Quick Checks (Do These First)

  • Confirm you have CG-NAT. Check your router's WAN/Internet IP. Then visit whatismyip.com. If they don't match, and the router shows 100.64.x, 10.x, or 172.16-31.x, you have CG-NAT.
  • Check if your ISP offers public IP. Call or check their website. Many ISPs provide a public IP for free or $5-15/month if you ask.
  • Determine what you need. Gaming? Remote desktop? Hosting a server? Different needs have different solutions.
  • Consider if you really need port forwarding. Modern alternatives like VPNs and cloud services can work around CG-NAT.

🔧Step-by-Step Fixes

Fix 1: Request a Public IP Address from Your ISP

The simplest solution is often just asking for a real IP.

  1. Call your ISP's technical support
  2. Ask: "I need a public IPv4 address. I'm currently behind CG-NAT and need to run services from home."
  3. They may offer it free (T-Mobile Home Internet sometimes does if you ask)
  4. Or they may charge $5-15/month for a "business" or "static IP" add-on
  5. If approved, they'll provision it - may take 24-48 hours
  6. Restart your modem/router after the change
  7. Check your WAN IP - it should now match whatismyip.com

Fix 2: Use a VPN with Port Forwarding

Some VPN providers offer port forwarding that works through CG-NAT.

  1. Sign up for a VPN that offers port forwarding (PIA, AirVPN, Windscribe)
  2. Install their VPN client on the device you want to access remotely
  3. Connect to their VPN
  4. In the VPN app, enable port forwarding
  5. Note the port number they assign you (it's usually random)
  6. Configure your service to use that port
  7. Access your service using the VPN IP address and assigned port
  8. Note: This only works for that specific device, and the VPN must stay connected

Fix 3: Use a Tunneling Service

Services like ngrok or Cloudflare Tunnel create a secure tunnel through CG-NAT.

  1. For simple web services, sign up for ngrok.com (free tier available)
  2. Download and install ngrok on your computer/server
  3. Run: ngrok http 80 (or whatever port your service uses)
  4. Ngrok gives you a public URL like https://abc123.ngrok.io
  5. Anyone can access your service at that URL, even through CG-NAT
  6. For permanent solutions, upgrade to a paid plan for custom domains
  7. For non-web services, use ngrok's TCP tunneling feature

Fix 4: Set Up Tailscale or ZeroTier (Mesh VPN)

Create a private network that works regardless of CG-NAT.

  1. Sign up for Tailscale (tailscale.com) - free for personal use
  2. Install Tailscale on every device you want to connect
  3. Log in with the same account on all devices
  4. Devices automatically connect to each other via encrypted tunnel
  5. Access your home computer from anywhere using its Tailscale IP (100.x.x.x)
  6. Works for Remote Desktop, file sharing, SSH, everything
  7. No port forwarding needed - works through CG-NAT, firewalls, everything

Fix 5: Use IPv6 If Available

CG-NAT is an IPv4 problem - IPv6 doesn't have this issue.

  1. Check if your ISP provides IPv6: visit test-ipv6.com
  2. If you have IPv6, enable it on your router
  3. Your devices will get public IPv6 addresses
  4. Configure your service to listen on IPv6
  5. Use DDNS that supports IPv6 (like Hurricane Electric's free DDNS)
  6. Access your service via IPv6 address or DDNS name
  7. Note: The connecting device also needs IPv6 (most modern networks have it)

⚠️If Nothing Worked

If your ISP absolutely won't provide a public IP and you need real server hosting, consider a cheap VPS (Virtual Private Server) from providers like Digital Ocean or Linode ($5-10/month). You can run a VPN server on the VPS and route traffic to your home network, or just host your service on the VPS directly.

📞When to Call a Pro

CG-NAT workarounds can get complex, especially if you need multiple services accessible, or you're running a small business from home. Professional network consultants can set up proper VPN infrastructure, configure tunneling services, or help you negotiate with ISPs for business-grade connections with real IPs.

Need Professional Help?

If you're in the Tampa Bay area, Geeks in Sneaks provides friendly, on-site tech support in Clearwater, Clearwater Beach, and Dunedin. We can help you work around CG-NAT or upgrade to proper internet service for your needs.

Schedule a Visit

Related Topics

routercg-natport-forwardingispremote-accessadvanced

Need Professional Help?

If you're still having trouble, our expert technicians can help.

Learn about our network repair service