CGNAT Checker: How to Test if You Are Behind Carrier-Grade NAT
Use a practical CGNAT test workflow: compare public IPv4 and router WAN IP, check shared address ranges, and rule out double NAT.
Carrier-Grade NAT, usually shortened to CGNAT, is one of the most common reasons port forwarding appears to do nothing. Your router may let you create a forwarding rule, your game server may be running, and your local firewall may look correct, but people outside your home still cannot connect. The missing piece is often simple: your home router may not actually own a public IPv4 address.
This guide shows a practical way to check CGNAT without guessing. The goal is not to label every strict NAT result as CGNAT. NAT type tests describe connection behavior. CGNAT is an upstream address-sharing design used by an ISP. To identify it, compare your public IPv4 address with your router WAN address, check the address range, and then rule out ordinary double NAT inside your home.
CGNAT Checker Workflow
No browser tool can automatically read every router WAN address, so a reliable CGNAT checker is a short comparison workflow. Use the outside public IPv4, the router WAN IPv4, and the WAN address range together.
1Record your public IPv4
Run the NAT check on this site or any public IP checker from the same network. This is the address remote services see.
2Compare it with router WAN IP
Log in to the router and find WAN IP, Internet IP, or IPv4 address. If it matches the public IPv4, you probably are not behind CGNAT.
3Check for shared or private ranges
A WAN IP in 100.64.0.0/10 is a strong CGNAT signal. A WAN IP in 10/8, 172.16/12, or 192.168/16 means there is another NAT layer upstream.
4Treat closed ports as supporting evidence
A closed port alone does not prove CGNAT. First confirm the service is running, the firewall allows it, and the forwarding rule points to the right device.
Quick Answer
If your router WAN IPv4 address is the same as the public IPv4 address shown by an outside checker, you probably have a real public IPv4 on the router.
If your router WAN address is in 100.64.0.0/10, that is a strong CGNAT signal. RFC 6598 reserves this shared address space for service provider NAT deployments.
If your router WAN address is in 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16, there is an upstream NAT. It may be your ISP gateway, your modem/router, or another home router.
If the WAN address and the public address are different, something upstream is translating traffic. Check your home topology before calling it CGNAT.
Why NAT Type Alone Cannot Prove CGNAT
A NAT type test observes how your current network behaves when a connection is made. It can show open internet, full cone, restricted, port restricted, symmetric, timeout, or blocked behavior depending on the test method. That is useful for gaming and peer-to-peer applications, but it does not reveal who owns the public IPv4 address. A symmetric NAT result may happen on a router with public IPv4, and a home with CGNAT may still allow some outbound sessions to work normally.
CGNAT is different. It means the ISP places many subscribers behind a shared NAT layer so multiple customers can use a smaller pool of public IPv4 addresses. RFC 6888 describes CGN as a multi-subscriber NAT. RFC 6269 explains why address sharing can break assumptions made by applications, logging, abuse handling, and inbound connectivity. The practical symptom for home users is that unsolicited inbound traffic cannot reach your router, even when your local port forwarding rule is correct.
How to Check for CGNAT
1Find your public IPv4 address
Run a public IP checker from a device on the same network, or run the NAT test on this site and copy the IPv4 value. This is the address that websites and remote services see. Write it down exactly, because you will compare it with the router WAN address in the next step.
2Find the WAN or Internet IPv4 address on your router
Log in to your router admin page and look for a field named WAN IP, Internet IP, IPv4 address, or gateway status. Do not use your phone or PC local address such as 192.168.1.23. You need the address assigned to the router's internet-facing interface.
3Check the WAN address range
If the router WAN address is 100.64.0.0 through 100.127.255.255, it is in the shared address space defined by RFC 6598 and listed by IANA as not globally reachable. If it is 10.x.x.x, 172.16-31.x.x, or 192.168.x.x, it is private address space. Either case means the router is not directly holding a normal globally reachable IPv4 address.
4Rule out double NAT at home
Many homes have two routing devices: an ISP modem/router and a separate Wi-Fi router. If both are routing, your own router receives a private WAN address even though the ISP line may still have a public IPv4 on the first device. Put the ISP device in bridge mode or set your own router to access point mode, then check again.
5Use port forwarding as supporting evidence
Port forwarding failure is not enough to prove CGNAT, but it is useful after you verify that a service is listening and the firewall is open. If the WAN address is shared or private and outside port checks always fail, CGNAT or another upstream NAT is likely blocking inbound access.
6Use traceroute only as an advanced signal
Cloudflare describes a technique that looks for 100.64.0.0/10 hops between the client network and the observed public address. This can help technical users confirm a CGN path, but it is not the first step for most people because ISP routing and filtering can hide or change hop visibility.
Address Ranges That Matter
| Range | What it means |
|---|---|
| 100.64.0.0/10 | Shared Address Space for service provider NAT. A router WAN address here is a strong CGNAT indicator. |
| 10/8, 172.16/12, 192.168/16 | Private-use address space. Your router is behind another NAT device, which may be your ISP gateway or another local router. |
| Other normal IPv4 ranges | If the router WAN address matches your public IPv4 checker result, port forwarding can usually work if the local service and firewall are configured correctly. |
CGNAT vs Double NAT
CGNAT and double NAT look similar because both place your device behind more than one translation layer. The difference is control. You can often fix double NAT by changing your own equipment mode. You usually cannot remove ISP CGNAT from your home router settings.
CGNAT
The ISP shares public IPv4 addresses across many subscribers. Your router receives a shared or private upstream address, so unsolicited inbound IPv4 traffic stops before it reaches your router.
Double NAT
Two devices in your home are both routing, often an ISP gateway plus your own router. Bridge mode, access point mode, or removing one routing layer can usually fix it.
Common False Signals
Do not diagnose CGNAT from a closed port result alone. A closed port only says the outside check did not reach an accepting service. Several local problems can produce the same result.
- The operating system firewall or router firewall blocks the port even though the forwarding rule exists.
- The game server, camera, NAS, or remote desktop service is not actually listening on that port.
- The forwarding rule uses TCP when the application needs UDP, or the outside checker tests the wrong protocol.
- A VPN, security suite, or proxy changes the observed public IP address and makes comparison results misleading.
What You Can Do
Fix local double NAT first
If you control both routing devices, bridge the ISP gateway or set the second router to access point mode. Then compare WAN IP and public IP again.
Ask your ISP for public IPv4
Some providers offer a public IPv4 address, a static IPv4 add-on, or a plan without CGNAT. The name and price vary by region.
Use IPv6 when the remote side supports it
IPv6 can avoid IPv4 CGNAT, but your router firewall still controls inbound reachability. Test IPv6 availability and external reachability separately.
Use a relay, VPS, tunnel, or hosted server
If the ISP will not provide public IPv4, use a relay-based game mode, a VPS tunnel, a reverse proxy, or a hosted server that has a reachable public address.
Check Your NAT Behavior First
Run the NAT test on the same network before changing router settings. The result helps separate NAT behavior from ISP address sharing and local firewall problems.
Check NAT Type Now →Sources
- RFC 6598: IANA-Reserved IPv4 Prefix for Shared Address Space
- IANA IPv4 Special-Purpose Address Registry
- RFC 6888: Common Requirements for Carrier-Grade NATs
- RFC 6269: Issues with IP Address Sharing
- Cloudflare: Detecting Carrier-Grade NAT
- TP-Link: Port forwarding troubleshooting
- TP-Link: DDNS and private WAN IP troubleshooting
- Cisco: Carrier-Grade NAT overview