CGNAT Explained: Why You Cannot Open Ports on Fiber and Mobile

The IPv4 address pool ran out years ago. To keep adding subscribers, ISPs adopted CGNAT (Carrier-Grade NAT). If you are on a mobile network, Starlink, or many modern Fiber connections, you likely don't have a public IP address.

1. What is CGNAT?

In a traditional setup, your router gets a unique Public IP. In CGNAT (Double NAT), your router gets a private IP from the ISP (usually in the 100.64.0.0/10 range). The ISP then shares one Public IP among hundreds of customers.

2. How to Detect CGNAT

Compare your router's WAN IP with what you see on myipaddress.app.

• Router WAN IP: 100.72.x.x (Private/Carrier range)
• Public IP (Site): 185.22.x.x

If these don't match, or if your WAN IP starts with 100.x.x.x, you are behind CGNAT.

3. The Solution: Bypassing CGNAT

A. IPv6 (The Native Way)

IPv6 has no NAT. Every device gets a global address. Enable IPv6 on your router.

B. Cloudflare Tunnel

Use cloudflared daemon to create an outbound connection to Cloudflare's edge.

cloudflared tunnel run my-server

C. Tailscale / ZeroTier

Create a mesh VPN overlay using UDP Hole Punching techniques.