What is CGNAT?
CGNAT stands for Carrier-Grade NAT (also called CGN or Large-Scale NAT). It is a technique ISPs use to share a single public IPv4 address among multiple customers.
Normally, your home router gets a public IP address from your ISP. That public IP is yours alone. Anyone on the internet can reach it, and your router uses NAT (Network Address Translation) to forward incoming traffic to the right device on your local network. This is what makes port forwarding work.
With CGNAT, your router no longer gets a public IP. Instead, it gets a private IP address assigned by the ISP — and the ISP's own equipment performs an additional layer of NAT before traffic reaches the internet. Your home network is effectively behind two NAT layers: your router's NAT, and your ISP's NAT.
[Diagram: without CGNAT, the router holds a public IP (82.35.x.x); with CGNAT, the router holds a private IP (100.64.x.x) behind a public IP shared among hundreds of customers.]
The consequence is straightforward: no one on the internet can initiate a connection to your home network. Port forwarding, dynamic DNS, UPnP — none of them help because the bottleneck is not your router. It is a piece of ISP infrastructure you have no control over.
Why do ISPs use CGNAT?
The reason is simple: IPv4 addresses have run out. There are roughly 4.3 billion IPv4 addresses in existence, and they were all allocated years ago. ISPs adding new customers — or expanding mobile and fibre networks — literally do not have enough public IPs to give one to every household.
CGNAT solves this by letting hundreds or even thousands of customers share a single public IP. From the ISP's perspective, it is an elegant solution: outbound internet access works perfectly for browsing, streaming, and downloading. Most customers never notice.
The people who notice are those trying to run anything that requires inbound connections: self-hosted services, game servers, security cameras, remote access to Home Assistant, NAS access, or any other scenario where something outside your network needs to connect in.
As IPv4 exhaustion gets worse and ISPs expand fibre and 5G home internet, CGNAT deployment is increasing worldwide. Many newer ISPs use CGNAT by default. If you have recently switched to a fibre or 5G home internet provider, there is a strong chance you are behind CGNAT.
How to detect if you are behind CGNAT
There are several reliable ways to check. You do not need to be technical to do any of them.
Method 1: Compare your router's WAN IP with your public IP
This is the most reliable test:
- Log in to your router's admin panel (usually 192.168.1.1 or 192.168.0.1) and find the WAN / Internet IP address it reports.
- Go to a site like whatismyipaddress.com and note the IP it shows.
- If the two IPs match, you have a public IP — no CGNAT.
- If the two IPs are different, your ISP is placing something between you and the internet. That is almost certainly CGNAT.
Method 2: Check your WAN IP range
If your router's WAN IP falls in one of these ranges, you are behind CGNAT:
100.64.0.0 – 100.127.255.255 (RFC 6598 — the official CGNAT range)
10.0.0.0 – 10.255.255.255 (RFC 1918 — sometimes used by ISPs for CGNAT)
172.16.0.0 – 172.31.255.255 (RFC 1918 — less common for CGNAT but possible)
The 100.64.x.x range is a dead giveaway — it was specifically reserved for carrier-grade NAT and has no other use.
Method 3: Traceroute
Run a traceroute to any external server. On macOS or Linux, open a terminal and run:
traceroute -n 1.1.1.1
On Windows:
tracert 1.1.1.1
If the first few hops show private IP addresses (especially in the 100.64.x.x range) before reaching a public IP, you are behind CGNAT. Without CGNAT, the first hop is your router and the second hop is typically your ISP's public-facing equipment.
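The three checks above can be combined in a short script. This is an added example, not code from the original article: the function names, verdict labels and sample traceroute output are constructed for illustration, 203.0.113.x (a documentation range) stands in for public addresses, and the parser assumes the `traceroute -n` line format.

```python
import ipaddress
import re

# Ranges from Method 2; 192.168.0.0/16 is the third RFC 1918 block (added here).
SHARED = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(addr):
    ip = ipaddress.ip_address(addr)
    if ip in SHARED:
        return "rfc6598"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "public"  # simplification: anything outside the ranges above

def wan_verdict(wan_ip, seen_ip):
    """Methods 1 and 2: router WAN address vs. the address a website sees."""
    kind = classify(wan_ip)
    if kind != "public":
        return "cgnat-range" if kind == "rfc6598" else "private-wan"
    same = ipaddress.ip_address(wan_ip) == ipaddress.ip_address(seen_ip)
    return "public" if same else "mismatch"

# One hop line of `traceroute -n`: hop number, then the responder's IPv4.
HOP = re.compile(r"^[ \t]*(\d+)[ \t]+(\d{1,3}(?:\.\d{1,3}){3})\b", re.M)

def upstream_private_hops(output):
    """Method 3: non-public hops after the router, before the first public hop."""
    hits = []
    for hop, addr in HOP.findall(output):
        kind = classify(addr)
        if int(hop) == 1:
            continue  # hop 1 is the home router
        if kind == "public":
            break
        hits.append((int(hop), addr, kind))
    return hits

# Constructed sample output (not captured from a real network).
SAMPLE = """\
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  192.168.1.1  0.612 ms  0.570 ms  0.544 ms
 2  100.64.0.1  8.411 ms  8.302 ms  8.950 ms
 3  * * *
 4  203.0.113.9  11.870 ms  11.902 ms  12.144 ms
 5  1.1.1.1  12.310 ms  12.287 ms  12.401 ms
"""

if __name__ == "__main__":
    print(wan_verdict("100.64.12.5", "203.0.113.7"))
    print(upstream_private_hops(SAMPLE))
```

Hops that do not answer (`* * *`) carry no address and are skipped, so a silent carrier hop does not hide the 100.64.x.x hop next to it.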
Your options if you are behind CGNAT
Once you have confirmed CGNAT, you have several options. They range from "ask nicely" to "work around it entirely."
Option 1: Ask your ISP for a public IP
Some ISPs will assign you a dedicated public IPv4 address if you ask. This may be free, or it may cost a small monthly fee (typically €2–5/month). It is worth trying — a simple phone call or support ticket can solve the problem entirely.
However: many ISPs, especially mobile/5G home internet providers and budget fibre operators, simply do not offer this option. They may not have spare IPv4 addresses to give out, or it may not be part of their infrastructure.
Option 2: Upgrade to a business plan
Business-tier internet plans almost always include a static public IP. This solves CGNAT but comes with a significantly higher price tag — often 2–3× the cost of a residential plan for similar speeds.
Option 3: Use IPv6
If your ISP supports IPv6 (many now do), your devices may already have globally reachable IPv6 addresses. CGNAT only affects IPv4. The problem is that not all clients connecting to your services will have IPv6, so this is not a complete solution for most people.
Option 4: Use a tunnel service
This is the most reliable and widely applicable solution. A tunnel service establishes an outbound connection from your device to a relay server, which works even behind CGNAT because CGNAT does not block outbound connections. External clients then connect to the relay server, which forwards traffic through the tunnel to your device.
Because the tunnel is initiated from inside your network, CGNAT is irrelevant. Your device reached out to the relay — and the relay can now send traffic back through that established connection.
[Diagram: a client (from anywhere) connects to your-name.pluggie.net; the device reaches the relay over an outbound tunnel (works through CGNAT).]
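The relay pattern described above can be shown on loopback with three small roles. This is an added example, not code from the original article or from any of the services named here; the function names are hypothetical, everything runs on 127.0.0.1, and there is no TLS, so it shows only the direction of the connections, not the encryption a real service adds.

```python
import socket
import threading

TIMEOUT = 5  # seconds; keeps the demo from hanging if a step fails

def relay(dev_srv, pub_srv):
    """Relay server: accepts the device's tunnel first, then one client."""
    dev, _ = dev_srv.accept()   # connection the home device dialed OUT
    cli, _ = pub_srv.accept()   # connection from the external client
    with dev, cli:
        dev.settimeout(TIMEOUT)
        cli.settimeout(TIMEOUT)
        dev.sendall(cli.recv(4096))   # request rides the existing tunnel
        cli.sendall(dev.recv(4096))   # reply returns the same way

def home_device(relay_addr):
    """Device behind CGNAT: it never listens, it only connects outward."""
    with socket.create_connection(relay_addr, timeout=TIMEOUT) as tunnel:
        request = tunnel.recv(4096)
        tunnel.sendall(b"reply from home to: " + request)

def demo():
    """Run relay, device and client on loopback; return what the client got."""
    dev_srv = socket.create_server(("127.0.0.1", 0))  # relay's tunnel port
    pub_srv = socket.create_server(("127.0.0.1", 0))  # relay's public port
    for srv in (dev_srv, pub_srv):
        srv.settimeout(TIMEOUT)
    workers = [
        threading.Thread(target=relay, args=(dev_srv, pub_srv)),
        threading.Thread(target=home_device, args=(dev_srv.getsockname(),)),
    ]
    for w in workers:
        w.start()
    with socket.create_connection(pub_srv.getsockname(), timeout=TIMEOUT) as c:
        c.sendall(b"GET /status")
        reply = c.recv(4096)
    for w in workers:
        w.join()
    dev_srv.close()
    pub_srv.close()
    return reply

if __name__ == "__main__":
    print(demo())
```

The only listening sockets belong to the relay; the home device opens none, which is why no inbound path through the ISP's NAT is needed.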
There are several tunnel services available. They differ in their privacy models, pricing, and ease of setup:
| Service | Bypasses CGNAT | No Port Forwarding | End-to-End Encrypted | Web Access (no client app) | Free Tier |
|---|---|---|---|---|---|
| Pluggie | ✓ | ✓ | ✓ | ✓ | ✓ |
| Cloudflare Tunnel | ✓ | ✓ | ✗ (TLS terminated at edge) | ✓ | ✓ |
| Nabu Casa | ✓ | ✓ | ✓ | ✓ | ✗ (31-day trial only) |
| Tailscale | ✓ | ✓ | ✓ | ✗ (requires client app) | ✓ |
| Homeway | ✓ | ✓ | ✗ (no E2E encryption) | ✓ | ✓ (data-limited) |
Option 5: Self-host a VPN on a VPS
You can rent a cheap VPS (from providers like Hetzner, Oracle Cloud, or DigitalOcean), install WireGuard on it, and create a tunnel from your home device to the VPS. Then point your domain at the VPS. This gives you full control but requires significant networking knowledge and ongoing maintenance.
What does NOT work behind CGNAT
A few approaches that people commonly try — and that will not help:
- Port forwarding on your router — Your router can forward ports all day, but the traffic never reaches your router in the first place. The ISP's NAT drops it.
- Dynamic DNS (DDNS) — DDNS keeps your domain pointed at your current IP. But with CGNAT, your "IP" is shared with hundreds of other customers. Pointing a domain at it does nothing useful.
- UPnP / NAT-PMP — These protocols let devices on your network automatically configure port forwarding on your router. Same problem: port forwarding on your router is useless when CGNAT sits in front of it.
- DMZ mode — Putting a device in your router's DMZ exposes it to all traffic that reaches your router. But with CGNAT, no external traffic reaches your router.
"I set up port forwarding and DDNS, but it still doesn't work." — If you are behind CGNAT, no amount of router configuration will solve the problem. The block is upstream, at the ISP level. You need to either get a public IP or use a tunnel that establishes outbound connections.
CGNAT and IPv6: the long-term picture
IPv6 is the real solution to the address exhaustion that created CGNAT in the first place. With IPv6, there are enough addresses to give a unique one to every grain of sand on Earth — address scarcity simply does not exist.
The problem is that IPv6 adoption is incomplete. As of 2026, roughly 45–50% of internet traffic globally is over IPv6, but the number varies wildly by country and ISP. Until IPv6 is universal, you cannot rely on it for services that need to be reachable by everyone.
In the meantime, CGNAT is the reality for a growing number of households, and tunnel services are the most practical workaround.
How Pluggie solves this
Pluggie was built specifically for people in this situation. You install the Pluggie app on your Home Assistant, or run the Pluggie Docker container alongside any web-enabled service. The app establishes an outbound connection to Pluggie's relay infrastructure — which works regardless of CGNAT or double NAT.
Once the tunnel is up, your service is accessible at your assigned pluggie.net subdomain from any browser, anywhere in the world. No port forwarding. No router configuration. No VPN clients on remote devices.
TLS certificates are generated on your device, so Pluggie's relay servers never see your unencrypted traffic. You get both the convenience of bypassing CGNAT and the privacy of end-to-end encryption.
Pluggie's outbound tunnel architecture means it works in typical home and mobile network configurations — including 5G home internet and ISPs with strict CGNAT. Pluggie requires outbound HTTPS access on port 443. Some restrictive networks (hotel Wi-Fi, corporate, healthcare, and government networks) may block or filter this traffic — improved connectivity through restrictive firewalls is planned for a future update.
The free tier includes one tunnel with a randomly generated pluggie.net subdomain, so you can test whether it solves your CGNAT problem without paying anything — no email or credit card required. Setup takes under five minutes.
If you are unsure whether CGNAT is causing your remote access issues, or if you want help setting up Pluggie, reach out at support@pluggie.net. We are happy to help diagnose your setup.