What does "CGNAT port forwarding" mean?

It describes a setup where your router forwarding rules are correct, but ISP-level carrier NAT still blocks inbound internet traffic.

Does CGNAT block port forwarding?

Usually yes. CGNAT adds ISP-level NAT that prevents inbound connections unless you have a true public IP setup.

Why does carrier-grade NAT prevent inbound connections?

Carrier-grade NAT places an ISP translation layer before your router. Your router can only forward packets it receives, so inbound traffic stops at the ISP unless you have public IPv4, IPv6 reachability, or a tunnel/relay.

How can I check if I am behind CGNAT?

Compare your router WAN IP with your public IP. If they differ, or WAN is in 100.64.0.0/10, CGNAT is likely.

What are alternatives if ISP will not provide a public IPv4?

Use IPv6 where available, request static/public IP plans, or use secure tunneling approaches for remote access.

Why is carrier-grade NAT preventing inbound connections for customers?

Carrier-grade NAT places an ISP-side translation layer in front of every subscriber. Because the public IPv4 edge belongs to the ISP, not the home router, customer-side port forwarding rules never see the incoming packet. This is normal ISP design under IPv4 exhaustion and applies equally to home, mobile, and fiber subscribers behind CGNAT.

Does Singtel or Simba broadband use CGNAT in Singapore?

Yes. Both Singtel mobile and Simba (TPG) home broadband commonly issue CGNAT addresses in the 100.64.0.0/10 range, which is why port forwarding fails for customers even after correct router rules. To confirm, compare the router WAN IP with the public IP shown by an IP checker; if they differ, you are behind CGNAT and need to ask the ISP for public IPv4 or use a reverse tunnel.

How do I get around CGNAT for self-hosting?

Three options work without ISP cooperation: (1) Cloudflare Tunnel publishes a local service through Cloudflare's edge with no inbound ports; (2) Tailscale Funnel or a WireGuard relay creates an outbound tunnel from the host that listeners use as a reachable address; (3) native IPv6 publishing if your ISP and target clients support it.

Why does port forwarding typically fail under carrier-grade NAT?

It fails because the inbound packet stops at the ISP translation layer before it ever reaches your router. The router can only forward what it receives, and CGNAT does not forward arbitrary inbound ports to individual subscribers. Without a real public IPv4, a special ISP forwarding feature, or IPv6, classic home port forwarding is not possible.

Can I fix CGNAT just by changing my router or modem?

No. CGNAT is an ISP-side translation, not a local router setting. Changing routers, enabling bridge mode, or buying a higher-end modem will not remove the upstream NAT. The fix has to come from the ISP (public IPv4 or IPv6) or by bypassing the inbound path with a reverse tunnel.

CGNAT Port Forwarding Not Working? Fix It in 2026

This guide covers: CGNAT Port Forwarding Not Working? Fix It in 2026.

CGNAT port forwarding is not working because your ISP, not your router, controls the public IPv4 edge. Carrier-grade NAT breaks inbound reachability before traffic ever reaches your local forwarding rule, so the router rule is correct but the packet never arrives. The four working fixes are: ask the ISP for a public IPv4 address, switch the service to native IPv6, use a reverse tunnel like Cloudflare Tunnel or Tailscale, or move to a different ISP plan that does not use CGNAT. This guide shows how to confirm CGNAT in under a minute, then pick the right fix for your use case.

Isometric diagram of CGNAT blocking inbound port forwarding at the ISP gateway, with a tunnel bypass reaching a home server

Confirm it first: the interactive CGNAT Test auto-detects your public IP and ASN, then classifies your router WAN IP so you know whether CGNAT is actually the reason port forwarding fails.

Fast answer: why CGNAT prevents inbound connections

Carrier-grade NAT prevents inbound connections because the ISP, not your home router, controls the public IPv4 edge. Your router port forwarding rule can only forward traffic that reaches the router. Under CGNAT, the incoming packet stops at the ISP translation layer first, so normal customer-side port forwarding is not possible unless the ISP gives you a public IPv4 address, native IPv6 reachability, or a special inbound forwarding service.

Why port forwarding fails under CGNAT

Normal home port forwarding assumes your router controls the public internet-facing address for the connection. An outside client reaches that public IP, the router receives the packet, and your forwarding rule sends it to the correct internal device and port. CGNAT breaks that model because the ISP adds another NAT layer upstream of your router.

In other words, the internet is not talking directly to your router's public address because your router may not have one in the usual sense. The ISP is translating many subscribers behind a shared address pool. Your local rule still exists, but the traffic never arrives there from the outside world unless the ISP also forwards it, which consumer CGNAT normally does not.

How to tell whether CGNAT is the problem

Check the router's WAN or internet-facing IP in the admin interface.
Compare it with the public IP shown on the homepage lookup.
If they do not match, there is an upstream translation layer between your router and the public internet.
If the WAN IP is inside 100.64.0.0/10, CGNAT is strongly indicated.

That single comparison answers a huge amount. If the router thinks its WAN IP is 100.72.x.x but the public checker shows a totally different address, then your router is not the public edge. Any inbound forwarding expectation needs to account for that.

Useful commands while troubleshooting

On a local machine, these checks help separate routing from service issues:

ipconfig
netstat -ano
tracert 1.1.1.1

ipconfig helps confirm the internal destination IP and gateway. netstat -ano helps verify whether your service is actually listening on the expected port. Traceroute is not a direct CGNAT detector, but it helps you understand whether the path is behaving strangely or going through additional layers.

The key point is this: before blaming CGNAT alone, confirm the local service is running and listening on the intended port and protocol. A closed local port and a CGNAT problem can look similar from the outside.

Other reasons port forwarding can fail even without CGNAT

Double NAT. An ISP modem/router and your own router may both be translating traffic.
Wrong destination IP. DHCP may have changed the local device address since you created the rule.
Host firewall blocks the traffic. The router can forward correctly while the server itself still rejects the connection.
Wrong protocol. Forwarding TCP when the app expects UDP, or vice versa, is common.
ISP-level port filtering. Some providers block inbound traffic on specific ports regardless of your local rule.
The service is not bound to the right interface. Applications can listen only on localhost or the wrong internal IP.

Where this matters in practice

Game hosting. Friends cannot join a self-hosted game server even though the local firewall and router rule look correct.
Remote desktop and SSH. Home-lab access fails from outside because the line is not directly reachable.
Self-hosted dashboards and media servers. Services work internally but not from mobile data or another outside network.
Cameras and NVRs. Legacy "port forward to view remotely" advice often breaks completely under CGNAT.
Home automation. Webhooks or outside callbacks cannot reach the internal service directly.
Peer-to-peer applications. NAT traversal can degrade or fail when multiple translation layers exist.

Practical fixes that actually help

Ask the ISP for a real public IPv4 address. Some providers offer this on request or on a business/static-IP plan.
Use bridge mode if double NAT is also present. This will not solve CGNAT by itself, but it removes one local complication.
Use native IPv6 if the service and clients support it. IPv6 often avoids the same inbound IPv4 constraints.
Use an overlay VPN or reverse tunnel. For remote access, this is often more practical than fighting ISP policy.
Use a cloud relay or public edge service. Some apps are better published through a managed reverse proxy than through raw home forwarding.

Testing from inside the house can give a false sense of success

One of the most common debugging mistakes is testing the forwarded service from the same LAN and assuming that result reflects the public internet. Some routers support NAT loopback or hairpin NAT, which lets internal clients reach the service using the public address even though the outside world still cannot. Other routers fail that exact test even when the public path works, which is the opposite kind of confusion.

The reliable test is from a truly external network such as mobile data, a different household connection, or a trusted outside monitoring path. That is the only way to know whether the internet can actually reach the forwarded service.

How to talk to ISP support without wasting time

Support calls go better when you bring specific facts. The useful evidence is: the router WAN IP, the public IP seen on the web, the fact that they differ, and whether the WAN IP is in the CGNAT range. Also note whether you need inbound TCP, UDP, or both.

That moves the conversation away from "my router is broken" and toward the real question: does this line have a customer-usable public IP or not? Once support confirms the connection sits behind CGNAT, you can ask whether the provider offers public IPv4, static IP, bridge mode, business plans, or IPv6 alternatives.

Reverse tunnels and overlay VPNs are often the practical answer

If the ISP will not provide a public IPv4 address, the best solution is often to stop thinking in terms of classic home port forwarding. Overlay VPNs, reverse tunnels, and cloud-published edges let the internal device initiate the outbound connection first and then maintain a reachable path through that established session.

This is why many modern self-hosting guides recommend Tailscale, Cloudflare Tunnel, WireGuard-based relays, or managed reverse proxies instead of telling users to fight consumer CGNAT indefinitely. The goal is reachability, not loyalty to one old troubleshooting model.

Why CGNAT and double NAT are easy to confuse

Both create reachability problems, but they are not the same. Double NAT means you have two local translation layers you may still control or partly control, such as an ISP gateway plus your own router. CGNAT means the ISP is performing translation upstream in infrastructure you do not control. You can often fix double NAT locally; you usually cannot remove CGNAT without ISP help or a different connectivity model.

Which ISPs use CGNAT (real examples by region)

CGNAT deployment varies by ISP, plan tier, and country. The pattern below is what subscribers actually report, but check your own router WAN IP before assuming it applies to your line.

Singapore: Singtel mobile and Simba (TPG) home broadband both commonly issue CGNAT addresses in the 100.64.0.0/10 range. StarHub residential plans usually give a public IPv4 by default.
United States:T-Mobile Home Internet, Verizon 5G Home, and most mobile carrier plans use CGNAT. Comcast/Xfinity and AT&T fiber residential plans typically give public IPv4. Cox and Spectrum vary by market.
United Kingdom: Three UK mobile and BT mobile use CGNAT. Sky Broadband, Virgin Media, and BT fixed-line broadband generally provide public IPv4 on request or by default.
India: Reliance Jio and Airtel mobile broadband almost always use CGNAT. ACT Fibernet and Excitel fixed-line plans usually give public IPv4.
Europe: Vodafone Italy mobile, Orange mobile in most EU countries, and many fixed-wireless ISPs use CGNAT. Most incumbent fibre operators (Deutsche Telekom, Telefónica, KPN, Orange fibre) provide public IPv4 by default.
Mobile broadband globally: If your connection is delivered over 4G/5G with a USB modem, MiFi, or phone tether, assume CGNAT unless the carrier explicitly sells a static-IP add-on.

How CGNAT translates port numbers

CGNAT does not give every subscriber the entire 65,535-port range of the shared public IPv4 address. Instead, the ISP allocates a port pool per subscriber, typically 256 to 4,096 ports out of the public-side IPv4 address. Outbound connections work because the subscriber initiates them and the ISP records the source-port mapping for the return traffic.

Inbound port forwarding fails because there is no static rule that says "port 25565 on the public IP belongs to subscriber X". Even if the ISP wanted to expose port 25565 to your line, dozens of other subscribers behind the same public IPv4 also want port 25565 for their own Minecraft servers. The conflict cannot be resolved with a single shared address, which is why CGNAT operators do not offer port-mapping on a per-subscriber basis at consumer scale.

A small minority of ISPs run "port-restricted CGNAT" deployments where each subscriber is given a fixed, advertised port range that the customer can use for inbound traffic on a specific port. This is rare and only useful for self-hosted services that can bind to a non-standard port.

Reverse tunnel comparison: Cloudflare Tunnel vs Tailscale vs WireGuard relay

The three most common ways to bypass CGNAT for self-hosting all share the same model — the internal device opens an outbound connection that the outside world rides on the way back in — but they trade off differently:

Cloudflare Tunnel (cloudflared):publishes a local HTTP/HTTPS service through Cloudflare's edge with a public hostname. Free for personal use. Best for web apps, dashboards, and APIs. Not designed for arbitrary TCP/UDP (game servers, RDP, SSH require additional Cloudflare Access setup).
Tailscale (or Tailscale Funnel): mesh VPN that lets your trusted devices reach the CGNAT-bound machine over a private overlay. Tailscale Funnel exposes a service publicly. Free for personal use up to 3 users / 100 devices. Best for SSH, file shares, RDP, and home-lab access where the user controls both endpoints.
WireGuard reverse tunnel via a $5 VPS: rent a cheap VPS with a public IP, install WireGuard on the VPS and the home device, and forward inbound traffic from the VPS to the home device through the tunnel. Maximum control, no third-party dependency, works for arbitrary TCP/UDP. Requires manual setup and the VPS subscription.

For most users behind CGNAT, Cloudflare Tunnel for web services and Tailscale for personal-device access cover the majority of cases. The WireGuard-on-VPS path is the right choice when you need protocol flexibility or vendor independence.

Gaming behind CGNAT: strict NAT and what you can fix

CGNAT shows up as "Strict NAT" (Xbox), "Type 3" (PlayStation), or "Moderate"/"Strict" in most game-console diagnostics. The visible symptoms: cannot host games, cannot join friends who are also behind strict NAT, voice chat breaks in party calls, and matchmaking takes longer because the platform falls back to a relay server instead of a direct peer-to-peer connection.

UPnP and NAT-PMP cannot fix CGNAT. Those protocols only negotiate port mappings with the local router; they have no influence on the upstream ISP translation layer. Console troubleshooting guides that recommend "enable UPnP on your router" assume your router is the public edge, which is not true under CGNAT.

Realistic fixes for gamers behind CGNAT: ask the ISP for public IPv4 (often offered as a static-IP add-on for a few dollars per month), switch to an ISP plan tier that does not use CGNAT, or use a gaming-focused VPN that handles NAT translation on its exit node (paid VPNs like NordVPN, ExpressVPN, and Surfshark advertise this explicitly). For Xbox specifically, the Xbox Live relay (Teredo on Windows, equivalent on console) can sometimes upgrade Strict NAT to Moderate, but it is not reliable.

Common mistakes and edge cases

Testing from inside the same LAN. Hairpin NAT and local loopback behavior can make a failing external setup seem to work internally.
Using the wrong internal host IP. The device changed address after a reboot or DHCP renewal.
Forgetting protocol differences. A game may need UDP, but the test was done only with TCP.
Assuming every ISP supports public inbound IPv4 equally. Many consumer and mobile plans intentionally do not.
Ignoring IPv6. Some users fight broken IPv4 exposure when the cleaner solution is publishing the service over IPv6 with proper firewall rules.
Blaming CGNAT before checking the service listener. If nothing is listening locally, fixing upstream reachability will not help.

Useful IP Trackers tools for CGNAT diagnosis

IP Address Lookup gives the public address seen by the outside world.
ASN Lookup identifies the network operator behind the public-facing address.
ISP Directory helps you compare provider context and likely access models.
WHOIS / RDAP Lookup adds ownership context if the visible public address is unfamiliar.
Reverse DNS Lookup can provide provider or infrastructure naming hints around the public-facing IP.

Frequently asked questions

Can port forwarding work behind CGNAT? Not in the usual direct way unless the ISP gives you a real public IP or provides a special forwarding feature.

How do I know if I am behind CGNAT?Compare the router's WAN IP with the public IP shown on the web, and watch for the100.64.0.0/10 range on the WAN side.

Is double NAT the same as CGNAT? No. Double NAT is a local multi-router problem; CGNAT is an ISP-side shared translation layer.

Will bridge mode solve CGNAT?Not by itself. It can fix local double NAT, but it does not remove the ISP's upstream CGNAT.

Is IPv6 a workaround? Often yes, if your ISP and client side support native IPv6 and you configure firewall rules properly.

What if I only need remote access, not a public game server? A VPN overlay, reverse tunnel, or managed relay service is often the simplest answer.

By Theodore Uzun

Founder and Senior Software Engineer, IP Trackers

Published June 3, 2026Editorially reviewed

Keep exploring

DNS Lookup Tool Reverse DNS (PTR) Lookup IP & DNS Glossary