What is Carrier Grade NAT (CGNAT)? - Proxidize

Carrier Grade NAT, or CGNAT for short, is a technique used by internet providers to conserve IPv4 addresses by allowing an ISP to assign multiple subscribers a shared public IP address. At its simplest, CGNAT could be described as a scaled-up version of NAT.

While we covered carrier grade NAT in our NAT article briefly, this article will go more in depth about what CGNAT is, how it works, and how you can check if your ISP is running CGNAT.

What is CGNAT?

Carrier Grade Network Address Translation or CGNAT for short is a technique used by internet service providers (ISPs) to allow multiple customers to share a single public IPv4 address. It was created due to a shortage of IPv4 addresses — caused by IPv4 exhaustion on the one hand and the fact some countries have access to far fewer IPv4 ranges compared to countries that adopted the internet earlier on the other hand. No one could have predicted the meteoric rise of technology over the last twenty years, causing this drought of IPv4s. While IPv6 helps with the lack of IPv4s, it did not remove the need for IPv4.

CGNAT occurs at the ISP level rather than just within the home or business network. Carrier grade NAT is used for residential IP addresses in much of Eastern Europe, South America, the Middle East, and parts of Asia, and used in mobile networks worldwide. It’s more common in these areas because ISPs have relatively fewer IPs allocated to them.

Difference Between NAT and CGNAT

Our earlier description that “CGNAT is a larger-scale version of NAT” is an oversimplification. NAT and CGNAT differ in ways that become apparent once you look at the specifics.

For starters, NAT is used on home or office routers to let every device on that network share a single, unique public-facing IP address. NAT is used on a smaller scale to support tens to hundreds of people.

By comparison, carrier grade NAT functions to assign thousands to millions of subscribers a public IP from the IP addresses the ISP has at its disposal, which leads us conveniently into our next topic.

How Does CGNAT Work?

CGNAT solutions are designed for far larger environments: they sustain throughput of hundreds of gigabytes per second and process hundreds of thousands of new translations each second. Three architectures exist for different network contexts:

  • NAT44: The most common architecture, mainly used for translating IPv4 to IPv4 at a carrier scale.
  • NAT64: It enables IPv6-only clients to reach IPv4 servers by converting protocols and addresses.
  • DS-Lite: Short for Dual-Stack Lite, this architecture encapsulates IPv4 traffic over an IPv6 backbone before translating. This allows operators to migrate their cores to IPv6 while still supporting IPv4.

Let us illustrate how CGNAT works with an example. A group of three different customers whose ISP does CGNAT each operate their own IPv4 networks and have their own customer premises equipment (CPE) at home. If there were no CGNAT involved, their routers would assign them unique public IPs. In this case, their router instead assigns them an IP address from private ranges or Shared Address Space that the ISP then maps to a shared pool of public IPs.

In the private network, each customer’s router is assigned a unique port number. This port assignment is how an ISP can distinguish between different users who share the same public IP, making sure traffic is routed to the correct subscriber.

Afterward, the router forwards the outgoing traffic to the ISP’s network, which is where the carrier grade NAT server is. The ISP’s CGNAT in turn replaces the private source IP and port of the outgoing traffic with a public IP and port from its own pool.

Carrier Grade NAT Pros and Cons

Carrier Grade NAT has a few more advantages than just handling IPv4’s limited capacity such as handling high volumes of traffic. However, CGNAT’s disadvantages often make people concerned about it being used. We will explore both sides in this section.

Advantages of CGNAT

One of its strongest advantages is that, by conserving IPv4 addresses, it gives millions of users internet access that would otherwise not be possible. Carrier Grade NAT is optimized for handling high volumes of user traffic, which provides scalability for larger networks. It offers higher throughput rates and is optimized for scale when compared to the standard NAT. CGNAT also offers load balancing features, traffic shaping, and quality of service.

For the ISP, CGNAT makes network management easier because it can handle the translation of customers’ private addresses to a smaller public IP pool. It centralizes managing address assignments and reduces any complexities in managing individual public IPs for each customer.

Having shared public IPs that change frequently also largely ended the ability to precisely geotarget internet users based on their IP.

Disadvantages of CGNAT

While carrier grade NAT has its upsides for the ISPs, it does have some disadvantages, unfortunately, for the customers.

Carrier Grade NAT can disrupt end-to-end communications. The shared environment aspect of CGNAT means that multiple users and devices use the same public IP for internet communications. This becomes especially apparent when trying to port forward or engage in other IP-based activities, like hosting a video game server on your own device.

Carrier Grade NAT restricts a customer’s ability to access their home network from external sources since it adds a new intermediary layer that affects any direct internet connections. Customers under CGNAT usually do not have the autonomy to perform tasks like port forwarding or peer-to-peer connections. Their CPE is a managed virtual router under the operator’s control. Without port forwarding and peer-to-peer, they will have difficulties setting up home-based servers like web hosting, online gaming, video streaming, and VoIP services.

How to Check If I Have CGNAT?

If you are unsure if your ISP is utilizing carrier grade NAT and want to find a reason as to why you might be facing problems with your gaming or web hosting, here are some things you can try to determine that.

If your router’s WAN IP is in the range of 100.64.0.0/10, then you are likely behind CGNAT. To check this, log into your home router’s interface by entering the router’s IP in your web browser. Once you have logged in, check around the router’s status page and find the WAN IP.

You can also use any of the free public IP lookup websites like Whatismyip to check your public IP. If the address is different from the one on your router’s WAN interface, then you are behind CGNAT. If it does match, then your issue is not carrier grade NAT based.

If you want to triple check, you can run a traceroute to your public IP. Traceroute is a network utility built into all operating systems. It can be used to see the path that your traffic takes to reach its destination. If it shows two or more hops, with private IPs repeated on the way to your public IP, then you are most likely behind CGNAT.
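The three checks above, combined into one script as an added example (not code from the original article). The function names are hypothetical, the addresses and traceroute output are constructed samples, and the RFC 1918 ranges are included as an assumption about what counts as a private hop.

```python
import ipaddress
import re

# Shared Address Space (the range the article names) plus the RFC 1918 private ranges.
SHARED = ipaddress.ip_network("100.64.0.0/10")
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def is_internal(addr):
    """True for addresses that are not routable on the public internet."""
    ip = ipaddress.ip_address(addr)
    return ip in SHARED or any(ip in net for net in PRIVATE)

def traceroute_hops(output):
    """Return the first IPv4 address on each numbered hop line."""
    hops = []
    for line in output.splitlines():
        if not re.match(r"\s*\d+\s", line):
            continue                      # banner line, not a hop
        found = IPV4.search(line)
        if found:                         # timed-out hops ("* * *") have none
            hops.append(found.group(0))
    return hops

def check_cgnat(wan_ip, public_ip, trace_output=""):
    """Apply the article's three checks; an empty list means no sign of CGNAT."""
    findings = []
    wan = ipaddress.ip_address(wan_ip)
    if wan in SHARED:
        findings.append("WAN address is inside 100.64.0.0/10")
    if wan != ipaddress.ip_address(public_ip):
        findings.append("WAN address differs from the public address")
    hops = traceroute_hops(trace_output)
    if len(hops) >= 2:
        inner = [h for h in hops if is_internal(h)]
        findings.append(f"{len(hops)} hops to own public address, internal: {inner}")
    return findings

# Constructed sample: traceroute to the subscriber's own public address.
SAMPLE_TRACE = """\
traceroute to 203.0.113.45 (203.0.113.45), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.123 ms  1.001 ms  0.987 ms
 2  100.72.0.1 (100.72.0.1)  8.412 ms  8.377 ms  8.295 ms
 3  * * *
 4  203.0.113.45 (203.0.113.45)  9.120 ms  9.004 ms  8.951 ms
"""

if __name__ == "__main__":
    for finding in check_cgnat("100.72.13.7", "203.0.113.45", SAMPLE_TRACE):
        print(finding)
```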

Carrier Grade NAT Workarounds

If, for one reason or another, you do not want to utilize carrier grade NAT, whether you are an ISP or a customer, here are a few things you can do. 

If you are an ISP and do not want to use CGNAT for your framework, stick to IPv6. There is no rule stating you must use IPv4 addresses. If you are able to, use only IPv6 addresses. This way, you will eliminate the need to use NAT and CGNAT entirely.

If you are a customer, you can use a static IP, which will give you direct access to the internet but needs some configuration. You can also use a VPN, which will encrypt and route traffic through a remote server, but make sure you use a reliable VPN provider. You shouldn’t use a free VPN.

Similarly, you can take advantage of a SOCKS5 proxy which is easy to set up and can be used for specific applications. If your main use case is for hosting services, then your best bet would be using a dynamic DNS which updates DNS records to reflect changing IPs and works around some of the limitations of carrier grade NAT.

Conclusion

Carrier Grade NAT works by having many users share a single public IPv4 address. Your router will get a private IP, and when you go online, the ISP’s CGNAT will know how to route data arriving at the public IP it has assigned to you from its pool to the internal private IP it has assigned you. This makes you appear as a part of a big group online, which helps with browsing but could cause complications when it comes to hosting servers that need direct incoming connections.

Key takeaways:

  • CGNAT facilitates access to the internet for many millions of people worldwide.
  • While similar on the surface, routers don’t perform NAT in the traditional sense if there is CGNAT present.
  • Instead of assigning unique public IPs, CGNAT assigns subscribers a non-unique IP address from the ISP’s public IP pool.
  • Carrier grade NAT disrupts the end-to-end communication, complicating some aspects of internet use like online gaming and video streaming.
  • You can check if you have CGNAT by seeing if your WAN IP matches your public IP or if your WAN IP is within the range of 100.64.0.0/10.

Because multiple subscribers will be assigned the same public IP, your ISP differentiates you by giving each connection an individual port number. For each session, the system will assign a dedicated port or a defined range of ports and record these associations in the NAT table. Since a single ISP can manage millions of data flows, the table can become large and must deliver high-speed lookups and continuous updates without delay.
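The port-based mapping described here and in the “How Does CGNAT Work?” section, as an added example (not code from the original article or from any CGNAT product): a toy NAT44 table that gives each subscriber a fixed block of ports on one shared public IP. The class name, the block size of 1000 ports and the 100.64.0.x and 203.0.113.10 addresses are assumptions made for illustration, and sessions never expire in this sketch.

```python
class Cgnat44:
    """Toy NAT44 table: every subscriber gets a fixed block of ports on a shared public IP."""

    def __init__(self, public_pool, block_size=1000, first_port=1024):
        self.pool = list(public_pool)
        self.block_size = block_size
        self.first_port = first_port
        self.blocks_per_ip = (65536 - first_port) // block_size
        self.blocks = {}     # private IP -> (public IP, first port of its block)
        self.next_free = {}  # private IP -> next unused port inside its block
        self.sessions = {}   # (public IP, public port) -> (private IP, private port)

    def _block_for(self, private_ip):
        if private_ip not in self.blocks:
            index = len(self.blocks)
            if index >= len(self.pool) * self.blocks_per_ip:
                raise RuntimeError("public pool exhausted")
            public_ip = self.pool[index // self.blocks_per_ip]
            start = self.first_port + (index % self.blocks_per_ip) * self.block_size
            self.blocks[private_ip] = (public_ip, start)
            self.next_free[private_ip] = start
        return self.blocks[private_ip]

    def translate_out(self, private_ip, private_port):
        """Outbound flow: map (private IP, port) to (public IP, port) and record it."""
        public_ip, start = self._block_for(private_ip)
        port = self.next_free[private_ip]
        if port >= start + self.block_size:
            raise RuntimeError(f"port block exhausted for {private_ip}")
        self.next_free[private_ip] = port + 1
        self.sessions[(public_ip, port)] = (private_ip, private_port)
        return public_ip, port

    def translate_in(self, public_ip, public_port):
        """Return traffic: None when no subscriber opened that mapping first."""
        return self.sessions.get((public_ip, public_port))

    def subscriber_for(self, public_ip, public_port):
        """Attribute a logged (public IP, source port) pair to one subscriber."""
        for private_ip, (pub, start) in self.blocks.items():
            if pub == public_ip and start <= public_port < start + self.block_size:
                return private_ip
        return None

if __name__ == "__main__":
    nat = Cgnat44(["203.0.113.10"])            # constructed one-address public pool
    for cpe in ("100.64.0.2", "100.64.0.3", "100.64.0.4"):  # three constructed customers
        print(cpe, "->", nat.translate_out(cpe, 51000))
    print(nat.translate_in("203.0.113.10", 8080))   # unsolicited inbound: None
```

All three subscribers appear to the outside as 203.0.113.10, so a server log needs the source port alongside the address before an event can be tied to one customer. The `None` returned for port 8080 is the reason inbound port forwarding does not work behind CGNAT.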

Until IPv4 addresses are no longer needed for online interactions and connectivity and IPv6 officially takes over as the definitive internet protocol, more ISPs will begin adopting CGNAT.


Frequently Asked Questions

Is CGNAT slower?

Yes, carrier grade NAT can slow down your internet by introducing latency, causing connection issues, and breaking port forwarding due to extra processing hops and shared IPs.

Does CGNAT affect VPN?

Yes, CGNAT can affect VPNs by blocking incoming connections and making it harder to host services. However, most standard client use for browsing or streaming will not be affected. The issue happens when hosting your own server or when protocols need port forwarding.

How secure is CGNAT?

It hides your home network behind your ISP’s shared public IP. It increases your anonymity but does not inherently make you more (or less) secure.

What is the difference between NAT and CGNAT?

NAT works on the home router level while CGNAT tackles the translation at the ISP level for up to millions of customers.
