Does CGNAT block port forwarding?

Usually yes. CGNAT adds ISP-level NAT that prevents inbound connections unless you have a true public IP setup.

How can I check if I am behind CGNAT?

Compare your router WAN IP with your public IP. If they differ, or WAN is in 100.64.0.0/10, CGNAT is likely.

What are alternatives if ISP will not provide a public IPv4?

Use IPv6 where available, request static/public IP plans, or use secure tunneling approaches for remote access.

Port Forwarding Not Working? CGNAT Checks and Fixes

If port forwarding is not working, CGNAT is one of the most common causes. You can configure your router perfectly and still fail inbound traffic if your ISP places your connection behind carrier-grade NAT.

The key issue is reachability from the internet. Port forwarding only works when inbound traffic can arrive at a public address that your router actually controls, and CGNAT breaks that assumption before the packets ever reach your network.

How to tell if CGNAT is blocking your port forwarding

Check your router WAN IP address.
Compare it with your public IP shown on the homepage lookup.
If they do not match, or WAN IP is in 100.64.0.0/10, CGNAT is likely.

Other reasons port forwarding fails

Even if CGNAT is not present, port forwarding can still fail because of local firewall rules, addressing mistakes, or multiple NAT layers. That is why you should confirm both the public-IP path and the service setup on the destination device.

Double NAT (ISP modem/router + your own router)
Wrong local destination IP (DHCP changed device address)
Host firewall blocking inbound connections
ISP policy blocks specific ports
Service not listening on expected port/protocol

Practical fixes

The right fix depends on whether you need permanent inbound access or just occasional remote connectivity. In some cases a public IP upgrade is the cleanest answer; in others, an overlay VPN or tunnel is more practical than fighting ISP network policy.

Ask ISP for a public IPv4 or static IP plan.
Use bridge mode to remove double NAT where possible.
Use IPv6 inbound rules if your ISP supports native IPv6.
For remote access, consider VPN/tunnel alternatives if public IP is unavailable.

What to check before opening support tickets

A short set of documented facts will make ISP support much more useful. If you can show WAN IP, public IP, timestamps, and protocol details, you are far more likely to get a clear answer on whether the line is behind CGNAT or subject to port restrictions.

Verify provider/ASN via ASN Lookup and ISP Directory.
Save WAN IP, public IP, and test timestamps.
Document whether issue is TCP, UDP, or both across test services.

Keep exploring

Reverse DNS (PTR) Lookup IP & DNS Glossary