Donate
Donate
13 min read|January 17, 2026

CGNAT IP Range: 100.64.0.0/10 Explained (RFC 6598)

This guide covers: CGNAT IP Range: 100.64.0.0/10 Explained (RFC 6598).

The CGNAT IP address range is 100.64.0.0/10 (100.64.0.0 - 100.127.255.255), defined by RFC 6598 as shared address space for internet providers. CGNAT (Carrier-Grade NAT) uses this special IPv4 range to let many customers share a smaller pool of public IPv4 space. Knowing that block matters because it explains why some connections cannot port forward, why a router WAN IP does not match the internet IP shown by websites, and why a perfectly normal ISP setup can still feel confusing when you try to self-host or game online.

CGNAT network diagram showing a home device routing through a router with WAN IP 100.64.x.x, then through ISP carrier-grade NAT, to a shared public IP on the internet

TL;DR: CGNAT range, RFC 6598, and port forwarding

  • The CGNAT range is 100.64.0.0/10, also written as 100.64.0.0 - 100.127.255.255.
  • RFC 6598 defines this as shared address space for internet providers that need carrier-grade NAT.
  • Carrier-grade NAT lets an ISP place many customers behind shared public IPv4 exits while each customer router receives a non-public WAN address.
  • Port forwarding is usually not possible for customers behind CGNAT because inbound traffic stops at the ISP NAT layer before it reaches the home router.
  • To confirm CGNAT, compare your router WAN IP with the public IP shown by the IP address checker. If the router WAN IP is in 100.64.0.0/10 and the visible public IP is different, you are behind CGNAT.

Want a quick answer? Try the interactive CGNAT Test - it auto-detects your public IP and ASN, then classifies your router WAN IP to tell you whether you are behind carrier-grade NAT.

Fast answer: what is a CGNAT IP?

A CGNAT IP is the address your ISP gives your router inside the provider's shared translation network. If that router WAN address is in 100.64.0.0/10, it is in the dedicated carrier-grade NAT range. Websites still see a different public IP because the ISP translates many customers onto shared public exits.

What is the CGNAT IP address range?

The CGNAT range is defined in RFC 6598 and sits between private addresses and public internet space. It is not the same as RFC1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). Instead, it is a dedicated shared space reserved for ISPs to perform large-scale network address translation.

In other words, CGNAT is the provider version of the same address conservation idea your home router already uses internally. Your devices sit behind one NAT layer on the LAN, and the ISP adds another NAT layer before traffic reaches the public internet. RFC 6598 defines the block specifically for that shared provider-side role.

CGNAT address space (100.64.0.0/10)

The CGNAT address space spans 100.64.0.0 through 100.127.255.255. If your router WAN IP falls inside that range, your connection is almost certainly behind carrier NAT.

That block contains 4,194,304 IPv4 addresses, but the point is not to hand every customer a globally routable public address. The point is to let providers share scarce public IPv4 capacity while still delivering normal legacy internet access.

What does "CGNAT space" mean?

"CGNAT space" is simply shorthand for the same reserved shared range (100.64.0.0/10) used by internet providers for carrier-grade NAT. If you see someone say "my WAN is in CGNAT space," they usually mean the router got an address from that block rather than a true public IPv4.

Why ISPs use CGNAT

  • IPv4 addresses are limited and expensive
  • CGNAT lets an ISP share one public IP across many customers
  • It reduces costs while keeping legacy IPv4 services working

This is especially common on mobile networks, budget residential plans, and access providers serving large customer bases where giving every line a clean public IPv4 would be expensive or impossible. The result is operationally normal for the ISP even if it is inconvenient for power users.

How CGNAT works: two layers of NAT

With CGNAT, there are usually two NAT layers: your home router performs NAT for your devices, and the ISP performs NAT again before traffic reaches the public internet. That means your router's WAN IP is not globally reachable, and unsolicited inbound connections cannot reach you directly in the normal way.

  1. Your device uses a private LAN address such as 192.168.1.10.
  2. The router translates that traffic to its WAN address, which may be a CGNAT address like 100.73.5.22.
  3. The ISP translates many customer flows again onto one or more public IPv4 addresses.
  4. Websites see the ISP's public exit IP, not the router WAN IP and not your device's private LAN IP.

Simple diagram (CGNAT flow)

Device (192.168.1.10)
   -> NAT (home router)
Router WAN: 100.64.12.34
   -> NAT (ISP CGNAT)
Public IP: 203.0.113.55
   -> Internet

Real-world examples

  • Example 1: Router WAN IP = 100.73.5.22, public IP shown by websites = 84.54.12.9. This strongly indicates CGNAT.
  • Example 2: Router WAN IP = 192.168.100.2 because there is a second modem-router upstream. This is not CGNAT by itself. It is local double NAT.
  • Example 3: Router WAN IP = 10.15.2.8, public IP differs. This could still be carrier NAT, because some ISPs use RFC1918 space internally rather than the dedicated RFC 6598 block.

The last example is important because "not in 100.64.0.0/10" does not always mean "not carrier NAT." The dedicated CGNAT block is the cleanest indicator, but troubleshooting should still compare the router WAN IP with the public IP seen by external services.

Quick checklist: are you behind CGNAT?

  • Your router WAN IP is inside 100.64.0.0/10
  • Your public IP (what websites see) is different from the router WAN IP
  • Port forwarding does not work even with correct settings
  • Your ISP or mobile carrier says public IPv4 costs extra

How to tell if you are behind CGNAT

If your router's WAN or Internet IP is in 100.64.0.0/10, you are almost certainly behind carrier NAT. Your devices still use private IPs internally, but your router itself is also behind another NAT layer at the ISP.

A practical workflow looks like this:

  1. Open the router admin page and note the WAN or Internet IP.
  2. Check the externally visible IP with the IP Address Lookup.
  3. If the two values differ, your connection is being translated somewhere upstream.
  4. If the router WAN address falls inside 100.64.0.0/10, CGNAT is the most likely explanation.

Related terms: CGNAT, ASN, and NAT.

How to check if your ISP uses CGNAT

The reliable check is to compare the address on your router's WAN or Internet page with the public IP shown by an outside website. If the router WAN IP is private, shared, or different from the external public IP, the ISP is translating you upstream. If the router WAN IP is inside 100.64.0.0/10, the evidence is especially strong.

  1. Log in to your router and find the WAN, Internet, or IPv4 address.
  2. Open the IP address checker and record the public IP shown there.
  3. If the router WAN IP and public IP are identical, you probably have a public IPv4 address.
  4. If they differ, check whether the router WAN IP is in 100.64.0.0/10, 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.
  5. If port forwarding still fails after correct router rules, read the CGNAT port forwarding guide and ask the ISP whether public IPv4 is available.

Confirm CGNAT vs public IP with one workflow

The cleanest CGNAT check is not a speed test, traceroute, or geolocation lookup. It is a direct comparison between the router WAN address and the public address that websites see. A true public IPv4 setup usually has the same address in both places. A CGNAT setup usually shows a private or shared WAN address on the router and a different public exit address on the web.

Router WAN IPPublic IP checkerMost likely result
100.72.18.4203.0.113.88CGNAT, because WAN is inside 100.64.0.0/10
10.44.5.9198.51.100.20Carrier NAT or ISP private routing, even if not RFC 6598
198.51.100.20198.51.100.20Likely public IPv4, assuming no upstream firewall blocks it

After that comparison, use an ASN lookup to confirm the network operator behind the visible public route. Then use CIDR notation and the reserved IP ranges guide to understand whether the router address is public, private, or shared.

CGNAT vs public IP

The practical difference is inbound reachability. With a public IPv4, the address on your router is globally routable, so port forwarding can send incoming traffic to a device on your LAN. With CGNAT, your router is behind the ISP's translation layer, so unsolicited inbound traffic stops before it reaches your router.

  • Public IP: router WAN IP matches the external public IP, and inbound connections can work if firewall and port forwarding rules allow them.
  • CGNAT: router WAN IP is private/shared or differs from the external public IP, and ordinary router port forwarding cannot expose services directly.

CGNAT range vs RFC1918 private ranges

This distinction confuses many users because both look non-public. RFC1918 ranges are private address blocks used inside homes, offices, and private networks:

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16

CGNAT space is different. It is not meant for your LAN. It is reserved specifically for shared provider-side NAT between the customer edge and the public internet. That is why a router WAN address in 100.64.0.0/10 is such a strong hint that the ISP is translating upstream.

Where CGNAT matters in practice

  • Game hosting: inbound player connections often fail without a true public IPv4 or an alternate tunnel solution
  • Remote access: home-lab, CCTV, and NAS access become harder unless you use IPv6 or a relay/tunnel approach
  • Reputation-sensitive sites: other users on the same public exit can influence abuse scores and rate limits
  • Support confusion: users compare router and website IPs and assume something is broken when it is simply provider NAT
  • VPN testing: a CGNAT base path can complicate how public IP changes look across different checks

Common problems with CGNAT

  • Port forwarding often does not work
  • Self-hosted servers and game hosting can be blocked
  • Some services detect shared IPs as higher risk
  • IP reputation can be affected by other users

The biggest practical problem is inbound reachability. If you are trying to host a game server, expose a NAS, run a camera system, or receive direct unsolicited connections from the public internet, the ISP-side NAT layer breaks the simple "forward a port on the router" model. Your router is no longer the last translation point.

Does CGNAT affect geolocation or abuse reports?

It can. A shared public IP means multiple customers appear as the same address. Abuse, rate-limits, or geolocation decisions can be influenced by other users behind the same CGNAT gateway. This is one reason shared exits sometimes feel unfair in fraud and reputation systems.

ISP-specific CGNAT cases users often search for

CGNAT is not limited to one country or one access type. It is common on mobile networks, fixed wireless, budget fiber plans, and providers with large IPv4 pressure. The provider name in search results matters less than the same evidence pattern: a router WAN IP in shared/private space, a different public IP on the web, and inbound port forwarding that never reaches the customer router.

Singtel Singapore and Simba Singapore CGNAT checks

Searches for Singtel Singapore CGNAT, Simba Singapore CGNAT, or Simba port forwarding issues usually describe the same problem: the customer wants inbound access, but the access network may place the connection behind shared IPv4 infrastructure. Do not assume every plan behaves the same. Check the router WAN IP first, compare it with the public IP checker, and then ask support for a public IPv4, static IP, bridge-mode option, IPv6 availability, or a business plan if direct inbound access is required.

Comnet Uzbekistan and regional ISP CGNAT

Comnet Uzbekistan CGNAT searches often mention 100.64.0.0/10 because that block is the strongest visible sign of RFC 6598 shared address space. If a router WAN address lands in that range, the practical answer is the same: ordinary home router port forwarding cannot publish a server to the internet unless the provider gives the line a reachable public address or you use IPv6, a tunnel, or a relay.

China Mobile, China Unicom, and China Telecom shared exits

Large Chinese networks can surface confusing public IP and geolocation clues because traffic may leave through carrier gateways far from the subscriber. A public IP such as a China Mobile, China Unicom, or China Telecom gateway can identify the operator and approximate region, but it does not prove a customer-level endpoint. For CGNAT diagnosis, treat the public IP as the shared exit and focus on the router WAN IP, ASN, and whether inbound traffic can reach the customer router.

Reverse DNS and PTR clues for CGNAT ranges

Reverse DNS can help explain a suspicious public IP, but it does not prove CGNAT by itself. A PTR record may contain words like broadband, mobile, pool, dynamic, cgnat, nat, customer, or a city code. Those names are provider-controlled labels, not a guarantee. Some shared exits have clear PTR records; others have generic names or no reverse DNS at all.

Use the Reverse DNS Lookup on the visible public IP, not on the router's private or CGNAT WAN IP. Addresses inside 100.64.0.0/10 are not globally routed, so public reverse DNS for that internal address often tells you little. The public exit IP, ASN, WHOIS/RDAP owner, and router WAN comparison together form the useful evidence set.

If you want the deeper naming model, read the PTR record guide. PTR records are helpful for context, but the CGNAT decision still comes from address comparison and inbound reachability.

How to bypass CGNAT safely

You do not really "bypass" CGNAT from your router alone. You either get a reachable address, use IPv6, or place a relay/tunnel outside the ISP NAT layer. The right option depends on whether you need gaming NAT improvement, remote desktop, a self-hosted service, or a NAS reachable from outside the home.

  • Ask the ISP for a public IPv4, static IPv4, or business plan with public addressing.
  • Use IPv6 if your ISP and target service support it, then secure the firewall rules carefully.
  • Use a managed tunnel such as Cloudflare Tunnel, Tailscale, ZeroTier, or a VPS reverse tunnel for private remote access.
  • Use a VPN provider with port forwarding only when the use case fits and the provider supports it in your required region.

What can you do if you need a public IP?

  • Ask your ISP for a static public IPv4 (often paid)
  • Ask for a dynamic public IPv4 (sometimes available on request)
  • Use IPv6 if your ISP supports it
  • Use a VPN with port forwarding if allowed

IPv6 is often the cleanest technical answer if your service and router support it, but not every use case can rely on it yet. For gaming, home-lab access, or older software that assumes IPv4 inbound access, the practical answer may still be "request a public IPv4 from the ISP" or "use a tunnel or relay system designed for this job."

Common pitfalls and edge cases

  • Confusing CGNAT with double NAT at home. A second router can also cause mismatch and forwarding failures.
  • Assuming 100.64.0.0/10 is a normal LAN range. It is shared provider space, not a standard home subnet block.
  • Ignoring IPv6 availability. Some users have no clean public IPv4 but do have usable global IPv6.
  • Forgetting mobile carriers use CGNAT heavily. Mobile broadband often behaves this way by default.
  • Assuming every WAN mismatch means a bug. Often it is simply the normal design of the ISP network.

Useful IP Trackers tools for CGNAT checks

  • IP Address Lookup shows the public IP websites see from the outside.
  • IP Location helps you compare geolocation and provider context for the visible exit IP.
  • ASN Lookup shows which network operator is announcing the public route.
  • Reverse DNS can show PTR hostnames that hint at mobile, broadband, or hosted exits.
  • Port Forwarding Not Working explains the most common symptom in more detail.

Frequently asked questions

Is CGNAT the same as private IP ranges? No. CGNAT uses the special shared space 100.64.0.0/10. Private IP ranges are RFC1918 blocks such as 10.x, 172.16-31.x, and 192.168.x.

Can I host a game server behind CGNAT? Usually not in the normal direct way. You often need a public IP, IPv6, or a relay or tunnel solution.

Does CGNAT slow the internet? Not automatically. The biggest issues are inbound reachability and shared-exit side effects, not raw speed alone.

Is 100.64.x.x a public IP? No. It is reserved shared provider space and is not globally routable like a normal public IPv4.

Why does my router WAN IP differ from my public IP? Because the ISP is translating your traffic upstream before it reaches the wider internet.

Can CGNAT affect abuse or reputation? Yes. Multiple customers share the same public exit, so one user's behavior can affect the reputation of the visible IP.

Can reverse DNS prove CGNAT? Not alone. PTR records can hint at mobile, broadband, pool, dynamic, or NAT infrastructure, but the real CGNAT test is still the router WAN IP compared with the public IP seen from the internet.

Do Singtel, Simba, Comnet, or China Mobile always use CGNAT? Not necessarily on every plan. Large providers may use different access models by product, region, and account type. Check your router WAN IP, public IP, ASN, and ISP support options before assuming the answer.

IPv6 and CGNAT

CGNAT only exists because IPv4 addresses are scarce. If your ISP offers IPv6, you may get a globally routable address without NAT, which makes hosting and inbound access easier with the right firewall rules. It is not universal, but it is often a better long-term answer than fighting for one more public IPv4. For a full breakdown of how the two protocols differ, see IPv4 vs IPv6.

Conclusion

The CGNAT range (100.64.0.0/10) is normal for many ISPs today. It helps keep IPv4 running, but it can limit inbound connections and port forwarding. If you need a true public IP, talk to your ISP or use IPv6, a relay, or a VPN option that fits your setup.

Next: read ASN in networking explained, review reserved IP address blocks, or continue with why port forwarding fails under CGNAT.

Theodore Uzun
By
Founder and Senior Software Engineer, IP Trackers
Published Updated Editorially reviewed

Keep exploring

Reverse DNS (PTR) LookupDNS Lookup ToolIP & DNS Glossary
PreviousReserved IP Address Blocks ExplainedNextWhat Is a Proxy Server? Privacy, Security, and Use Cases

Related reading

Reserved IP Address Blocks Explained8 min read - June 3, 2026CGNAT Port Forwarding Not Working? Fix It in 20269 min read - June 3, 2026What Is a Metropolitan Area Network (MAN)?9 min read - April 4, 2026What Is a Computer Network? Types, Components, and How They Work12 min read - April 4, 2026What Is a Local Area Network (LAN)? How LANs Work10 min read - April 4, 2026What Is WiFi? How Wireless Networks Work Explained11 min read - April 4, 2026

Editorial standards: Editorial Policy and Methodology.