Everyday Internet & Troubleshooting
What Is Carrier-Grade NAT (CGNAT)?
You might not even have your own public IP address. Many ISPs now share a single public address among many customers using carrier-grade NAT.
NAT, but bigger
You already know home routers use NAT to share one public IP among many devices. Carrier-Grade NAT (CGNAT) takes the same idea and applies it at the ISP level: the provider shares one public IP among many customers. Your home network sits behind your router's NAT, which in turn sits behind the ISP's NAT — two layers deep.
Why ISPs do it
The reason is the IPv4 address shortage. There simply aren't enough IPv4 addresses to give every customer a unique one, so providers stretch their limited supply by sharing addresses across users. CGNAT is a pragmatic stopgap while the internet slowly migrates to IPv6.
How to tell if you're behind CGNAT
Compare two things: the public IP address a tool like IP Ducky reports, and the "WAN" IP shown in your router's status page. If your router's WAN address is a private-looking address (often in the 100.64.0.0/10 range reserved for CGNAT) while IP Ducky shows a different public address, you're behind carrier-grade NAT.
What it affects
- Port forwarding doesn't work — you don't control the shared public IP, so you can't host servers or accept inbound connections the usual way.
- Some peer-to-peer apps and games struggle to establish direct connections.
- Remote access to home devices becomes harder.
Working around it
If CGNAT blocks something you need, options include asking your ISP for a dedicated public IP (sometimes available for a fee), using IPv6 if your ISP offers it (which sidesteps the IPv4 shortage entirely), or using relay/tunneling services that don't require inbound ports. For ordinary browsing, though, CGNAT is invisible and nothing to worry about.