Troubleshooting

CGNAT Guide

Carrier-Grade NAT means your ISP is sharing public IPv4 space across many customers. In that situation, your router can be configured perfectly and port forwarding can still fail because the public inbound path is controlled upstream by the carrier network, not by your home router alone.

Expanded troubleshooting review - May 7, 2026

Quick context

CGNAT is different from ordinary home Double NAT. With Double NAT, you can often still fix the problem by changing your own devices. With CGNAT, the real bottleneck is in the ISP network. If you do not receive a routable public IPv4 address, classic inbound hosting, direct NAS access, game server hosting, and many camera or remote desktop flows will never work the way a normal port forwarding guide assumes.

30-second path

Use this order before you start changing settings.

What to know first

What it meansThe ISP controls the shared public IPv4 layer
Typical signYour public IP does not match a directly usable WAN path
Common indicator100.64.0.0/10 or ISP-managed shared address space
Who controls itISP or carrier network, not just your home router
Best direct fixAsk for a real public IPv4 address if available
Fallback alternativesVPN, relay, tunnel, DDNS plus public IP plan

Step-by-step

  1. Check your public IP on the web and compare it with the WAN IP reported by your router. If the path still does not behave like a normal public IPv4 setup, do not assume the router is the only problem.
  2. Look for shared-address clues such as 100.64.0.0/10 or ISP language that says the line uses shared IPv4, private WAN, mobile carrier NAT, or carrier-grade NAT.
  3. Rule out ordinary Double NAT first. If you still control two devices at home, that may be a separate fixable issue. CGNAT becomes the stronger suspect when the public IPv4 path itself is not directly assigned to your connection.
  4. Contact the ISP and ask a direct question: does this line receive a real public IPv4 address for inbound connections, and if not, is there a public IPv4 option, static IP option, bridge mode path, or business plan that provides one?
  5. If the ISP can provide a public IPv4 address, confirm any extra cost, whether the change is dynamic or static, and whether any modem or gateway restart is required after the change.
  6. If the ISP cannot provide a usable public IPv4 path, stop spending time on repeated port forwarding edits. At that point the classic router rule is not the real blocker anymore.
  7. Move to practical alternatives instead: relay-based remote access, VPN products, tunnel services, vendor cloud relay, or an architecture that does not depend on direct inbound IPv4.
  8. If you still need a hostname, combine the chosen alternative with DDNS or the vendor's connection method. The hostname alone does not solve CGNAT if the inbound address is not truly yours.
  9. Document the ISP response and the chosen workaround. This saves time later and prevents repeating the same failed port forwarding steps on the same line.

Checks and notes

  • CGNAT and double NAT can look similar from the outside, but CGNAT is ISP-side and cannot be fixed inside your home router alone.
  • Some services still work through vendor cloud relay even when classic inbound forwarding does not.
  • Mobile broadband, some budget residential lines, and certain shared ISP deployments are more likely to use CGNAT.
  • If the ISP says inbound servers are unsupported on the current plan, that is often a strong sign that a normal public IPv4 path is not being provided.

Warnings

  • A perfectly configured router cannot overcome the lack of a routable public IPv4 address on its own.
  • Do not confuse DDNS with a CGNAT solution. DDNS only tracks an address; it does not make a shared carrier address become your own inbound endpoint.
  • Do not keep opening more ports just to guess your way past CGNAT. If the ISP path is shared, the router is not the real bottleneck.

FAQ

How is CGNAT different from Double NAT?

Double NAT usually happens because two routing devices are active in or near your home, such as an ISP gateway and your own router. CGNAT usually means the shared NAT layer exists in the ISP network itself. With Double NAT, you often still have a local fix. With CGNAT, the carrier network owns the public path, so the home router alone cannot solve inbound IPv4 hosting.

What is the biggest practical sign of CGNAT?

One of the biggest signs is that your connection never behaves like a truly direct public IPv4 path, even when your home router rules are clean. Shared address ranges such as 100.64.0.0/10, ISP confirmation of shared IPv4, or repeated inbound failures across otherwise correct configurations are all strong clues.

Can port forwarding work at all under CGNAT?

Usually not in the classic direct-inbound sense unless the ISP gives you a real public IPv4 address or a special inbound hosting option. That is why users can spend hours changing router rules and still see closed ports: the real inbound endpoint is shared upstream and not individually owned by the home line.

Does DDNS solve CGNAT?

No. DDNS only helps you track a changing address with a hostname. It does not remove the carrier NAT layer or give you exclusive control of the inbound public IPv4 path. DDNS is useful only after you already have a usable public-facing route.

What should I ask my ISP specifically?

Ask whether your line receives a real public IPv4 address for inbound access. If not, ask whether there is a public IPv4 option, static IP option, bridge mode path, or business plan that supports direct inbound connections. Being explicit is better than asking vaguely whether port forwarding should work.

If the ISP says no public IPv4 is available, what should I do next?

Move to an alternative that does not depend on direct inbound IPv4. That may mean vendor cloud relay, VPN-based access, tunnel products, reverse proxy tunnels, or remote access platforms that work through outbound connections. At that point, further tweaking the same router port rule is usually wasted effort.

What should Korean users watch for specifically?

If you use an ISP line where the WAN path is managed tightly and inbound hosting is unclear, do not assume the router alone is at fault. Confirm whether the plan actually provides a usable public IPv4 path. If it does not, focus on the ISP option or on a tunnel or relay architecture rather than repeatedly redoing local port forwarding.

Recommended references

Use these after the RouterWiz guide confirms that the real bottleneck may be upstream at the ISP. These sources help you verify what CGNAT means and when you should stop retrying classic port forwarding.

How to use these references

The RouterWiz page should still be your main decision flow. External references are best used to confirm ISP terminology and to understand when a tunnel, relay, or public IPv4 upgrade is a more realistic next step.

Official and provider confirmations

Use these when you need proof that CGNAT is an ISP-side limitation, not just a router menu problem.

OfficialEnglish resourceLast checked: 2026-05-07

Can I set up a port forward using Carrier Grade Network Address Translation (CGNAT) IP?

SpinTel Support

An ISP FAQ that directly states classic port forwarding is not possible while the line remains behind CGNAT, and that a public IP option is required.

Why RouterWiz recommends it

This is the clearest kind of provider-side confirmation users often need before they stop blaming the home router alone.

ISP supportPublic IPv4 optionPort forwarding limit
Open source
OfficialEnglish resourceLast checked: 2026-05-07

What is CGNAT?

SpinTel Support

A provider explanation of why CGNAT exists, how it affects public reachability, and why some plans need a paid public IP add-on.

Why RouterWiz recommends it

Useful when users need to understand that the restriction may be tied to the service plan, not just to local configuration.

ISP explanationPlan limitationPublic IP upgrade
Open source

Alternatives when public IPv4 is unavailable

Use these when you have already confirmed the router is not the only issue and you need an access model that does not rely on classic inbound port forwarding.

OfficialEnglish resourceLast checked: 2026-05-07

Deploy internal apps anywhere, without changing firewall settings

Tailscale Docs

Tailscale explains an outbound-connection model that avoids opening ports on the public internet and still gives remote reachability.

Why RouterWiz recommends it

This is a strong example of the kind of architecture RouterWiz should recommend when a public IPv4 path is not realistically available.

Alternative architectureNo open portsRemote access
Open source
OfficialEnglish resourceLast checked: 2026-05-07

Connection types

Tailscale Docs

Tailscale's connection-type reference explains how direct, relayed, and hard-NAT scenarios affect reachability and performance.

Why RouterWiz recommends it

Useful for understanding why some networks cannot achieve direct connectivity and why relay-based fallbacks still matter.

Hard NATRelay fallbackNAT traversal
Open source