Understanding CGNAT (Carrier-Grade NAT / NAT444)

Continuing from our discussion on why you shouldn’t use public IPs in DHCP networks, let’s dive deeper into what Internet Service Providers (ISPs) do when they run out of public IPv4 addresses. The answer lies in a system called Carrier-Grade NAT (CGNAT) — also known as NAT444.

🌐 Why CGNAT Exists

The Internet runs primarily on IPv4, which uses 32-bit addresses — a maximum of about 4.3 billion unique IPs. When the internet started, that number seemed huge. But as the number of devices, mobile users, and ISPs exploded, the available IPv4 pool began to dry up.

ISPs faced a dilemma: assign each customer a unique public IP and eventually run out, or find a way to share a smaller number of IPs among thousands of users. That’s where CGNAT comes in.

CGNAT allows multiple subscribers to share a single public IP address by performing network address translation at the ISP’s infrastructure level.

🔍 What is CGNAT?

CGNAT, short for Carrier-Grade Network Address Translation, is essentially a large-scale version of the NAT used in home routers. Your router still translates private addresses like 192.168.x.x to the address the ISP assigned to your WAN port, but with CGNAT the ISP’s network then performs a second layer of translation on top of that.

This means that both your home router and your ISP are doing NAT — hence the term NAT444, where each “4” stands for one of three IPv4 address realms:

  • First layer: Your local network (LAN) using 192.168.x.x or 10.x.x.x
  • Second layer: ISP’s private shared address space 100.64.0.0/10 (per RFC 6598)
  • Third layer: The global public internet

⚙️ How CGNAT Works

  1. Your device gets a private IP (for example, 192.168.1.2).
  2. Your router performs NAT to send traffic through your WAN IP (for example, 100.70.52.18).
  3. Your ISP’s CGNAT gateway translates that again to a public IP (for example, 203.160.210.80).
  4. From the internet’s perspective, thousands of users appear as if they are using the same public IP.

🔎 How to Check If You’re Behind CGNAT

  1. Compare your IPs: Log into your router’s admin page and check the WAN IP. Then visit whatismyipaddress.com. If the IPs don’t match, your ISP is performing NAT.
  2. Check the IP range: If your WAN IP falls within 100.64.0.0 to 100.127.255.255, that’s the shared CGNAT range defined by RFC 6598.
  3. Traceroute method: Run tracert 8.8.8.8 (Windows) or traceroute 8.8.8.8 (Linux/macOS). If early hops show private IPs (like 10.x.x.x or 100.64.x.x), you’re behind CGNAT.
  4. WHOIS test: Perform a WHOIS lookup on your router’s WAN IP. If the result doesn’t match your ISP’s registered block, it’s from their shared internal pool.
  5. Speedtest anomaly: Some users under CGNAT notice Speedtest selecting servers in different cities or countries, since the shared IP may be routed differently.
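To make the two NAT layers from “How CGNAT Works” and the address-range check above concrete, here is a small Python model of a NAT444 chain. It is an added example, not code from the original post; the second subscriber address 100.70.52.19 and the port numbering are constructed, and the 100.70.52.18 / 203.160.210.80 addresses are the ones used in the post. The reverse() lookup shows the defender’s side of the story: behind CGNAT only the external port (plus a timestamp) identifies which subscriber a flow belonged to.

```python
import ipaddress

SHARED_CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space

def classify(addr: str) -> str:
    """Label an IPv4 address by the NAT444 layer it belongs to (check 2 above)."""
    ip = ipaddress.ip_address(addr)
    if ip in SHARED_CGNAT:
        return "cgnat-shared"   # a WAN IP here means the ISP is doing CGNAT
    if ip.is_private:
        return "lan-private"    # RFC 1918 space used on the home LAN
    if ip.is_global:
        return "public"
    return "other"

class Nat:
    """Many-to-one NAT: maps (src_ip, src_port) to (ext_ip, fresh external port)."""
    def __init__(self, ext_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.ext_ip = ext_ip
        self._free = iter(range(first_port, last_port + 1))
        self.table = {}  # (src_ip, src_port) -> (ext_ip, ext_port)

    def translate(self, src_ip: str, src_port: int):
        key = (src_ip, src_port)
        if key not in self.table:
            port = next(self._free, None)
            if port is None:  # the shared port pool is used up: new flows fail
                raise RuntimeError(f"port pool exhausted on {self.ext_ip}")
            self.table[key] = (self.ext_ip, port)
        return self.table[key]

    def reverse(self, ext_port: int):
        """Which inner (ip, port) owned this external port? Only the port tells
        subscribers apart behind one public IP, so abuse reports need port+time."""
        for inner, (_, port) in self.table.items():
            if port == ext_port:
                return inner
        return None

def nat444_path(lan_ip: str, lan_port: int, home_nat: Nat, cgnat: Nat):
    """Return the three (ip, port) pairs a flow carries through NAT444."""
    wan = home_nat.translate(lan_ip, lan_port)  # step 2: home router NAT
    public = cgnat.translate(*wan)              # step 3: ISP CGNAT gateway
    return [(lan_ip, lan_port), wan, public]

if __name__ == "__main__":
    home = Nat("100.70.52.18")          # WAN IP from the post, inside 100.64.0.0/10
    isp = Nat("203.160.210.80")         # public IP from the post
    print(nat444_path("192.168.1.2", 40000, home, isp))
    print([classify(ip) for ip in ("192.168.1.2", "100.70.52.18", "203.160.210.80")])
```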

💡 Benefits for ISPs

  • It allows thousands of customers to share limited IPv4 resources.
  • It reduces the cost of acquiring scarce public IPs.
  • It simplifies address management and reduces misuse of public blocks.

⚠️ Drawbacks for Users

  • Port forwarding doesn’t work — remote access to your home network becomes impossible.
  • Hosting web servers, CCTV, or game servers fails without a public IP.
  • Peer-to-peer apps (e.g., BitTorrent, VoIP, multiplayer games) may perform poorly.
  • VPNs and DDNS setups may not connect correctly.
  • Some online services may detect your shared IP as “suspicious” due to multiple users.

🔧 What You Can Do

  • Request a public static IP from your ISP — many offer it as an add-on for a small monthly fee.
  • Use a VPN or tunnel service that gives you a public endpoint (e.g., Tailscale, Cloudflare Tunnel, or ZeroTier).
  • Switch to IPv6 if your ISP supports it — every device gets a unique public address, no NAT needed.

📘 References & RFC Standards
