🦆 IP Ducky

Everyday Internet & Troubleshooting

What Is Carrier-Grade NAT (CGNAT)?

You might not even have your own public IP address. Many ISPs now share a single public address among many customers using carrier-grade NAT.

NAT, but bigger

You already know home routers use NAT to share one public IP among many devices. Carrier-Grade NAT (CGNAT) takes the same idea and applies it at the ISP level: the provider shares one public IP among many customers. Your home network sits behind your router's NAT, which in turn sits behind the ISP's NAT — two layers deep.

Why ISPs do it

The reason is the IPv4 address shortage. There simply aren't enough IPv4 addresses to give every customer a unique one, so providers stretch their limited supply by sharing addresses across users. CGNAT is a pragmatic stopgap while the internet slowly migrates to IPv6.

How to tell if you're behind CGNAT

Compare two things: the public IP address a tool like IP Ducky reports, and the "WAN" IP shown in your router's status page. If your router's WAN address is a private-looking address (often in the 100.64.0.0/10 range reserved for CGNAT) while IP Ducky shows a different public address, you're behind carrier-grade NAT.

What it affects

Working around it

If CGNAT blocks something you need, options include asking your ISP for a dedicated public IP (sometimes available for a fee), using IPv6 if your ISP offers it (which sidesteps the IPv4 shortage entirely), or using relay/tunneling services that don't require inbound ports. For ordinary browsing, though, CGNAT is invisible and nothing to worry about.

🦆 Check your own IP address