Carrier-Grade NAT (CGNAT), also known as Large Scale NAT (LSN), is a network technology used by Internet Service Providers (ISPs) to extend the usability of the limited IPv4 address space by sharing a small pool of public IPv4 addresses among many customers.
Why CGNAT Exists
- The IPv4 address space is limited to roughly 4.3 billion addresses, and the rapid growth of internet-connected devices has led to public IPv4 address exhaustion.
- NAT/NPAT on the end-user network has helped to multiplex private address space onto public address space, but it is not enough on its own.
- Deploying IPv6 is the long-term solution, but not all networks and services fully support IPv6. The result is a dual-stack situation in which ISPs must support IPv4 and IPv6 simultaneously.
- ISPs use CGNAT to provide continued IPv4 internet access without needing a unique public IP for each customer.
How CGNAT Works

1. Customer Network (LAN NAT/NPAT)
   - At home or in a business, your router assigns private IP addresses (e.g., 192.168.1.x).
   - When your device accesses the Internet, your router performs NAT, translating the private IP to an intermediate IP in a special range (usually 100.64.0.0/10).
2. ISP Core Network (CGNAT)
   - The ISP receives traffic with these intermediate addresses.
   - The CGNAT gateway maps these to a shared public IPv4 address with a unique port number.
   - This is NAT44 (double NAT): Private IP → Intermediate (100.64.x.x) → Public IP with port mapping.
3. Connection to the Internet
   - From the outside, multiple customers appear to share the same public IP but are distinguished by different source port numbers.
   - The CGNAT device keeps a translation table to track each flow.
4. Response Handling
   - Responses from external servers go back to the public IP and port.
   - CGNAT uses its table to route the reply to the correct customer.
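The two-stage translation described above (home router NAT followed by the ISP's CGNAT), the per-flow translation table, the mapping log an ISP has to retain, and the reason unsolicited inbound connections are dropped can all be shown in one small simulation. This is an added example written for this article, not code from any CGNAT product; the addresses (192.168.1.10, 100.64.0.5, 95.100.25.8) and the port pool sizes are constructed, and the `Flow`/`Napt` classes and the `double_nat`, `reply_path` and `demo` helpers are hypothetical names chosen for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

# RFC 6598 shared address space: sits between the customer router and the ISP's CGNAT.
CGNAT_POOL = ipaddress.ip_network("100.64.0.0/10")


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Napt:
    """One NAPT stage: rewrites (src_ip, src_port) to (ext_ip, ext_port).

    Mappings are keyed on the full 5-tuple, which models the symmetric NAT
    behaviour the article mentions: the same internal socket talking to a
    different destination receives a new external port. Every new mapping is
    appended to `log`, the record an ISP must keep to attribute a public
    ip:port (plus timestamp) back to one customer.
    """

    def __init__(self, name, ext_ip, port_range=(1024, 65535)):
        self.name = name
        self.ext_ip = ext_ip
        self.next_port, self.max_port = port_range
        self.out = {}   # 5-tuple -> ext_port
        self.back = {}  # (ext_port, dst_ip, dst_port, proto) -> (src_ip, src_port)
        self.log = []

    def translate_out(self, f):
        key = (f.src_ip, f.src_port, f.dst_ip, f.dst_port, f.proto)
        if key not in self.out:
            if self.next_port > self.max_port:
                raise RuntimeError(f"{self.name}: port pool exhausted")
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(port, f.dst_ip, f.dst_port, f.proto)] = (f.src_ip, f.src_port)
            self.log.append({
                "ts": datetime.now(timezone.utc).isoformat(),
                "nat": self.name,
                "internal": f"{f.src_ip}:{f.src_port}",
                "external": f"{self.ext_ip}:{port}",
                "dst": f"{f.dst_ip}:{f.dst_port}",
                "proto": f.proto,
            })
        return Flow(self.ext_ip, self.out[key], f.dst_ip, f.dst_port, f.proto)

    def translate_in(self, reply):
        """Map a reply (server -> ext_ip:ext_port) back to the internal socket.

        A packet with no matching outbound mapping returns None and is dropped,
        which is why unsolicited inbound connections fail behind CGNAT.
        """
        inner = self.back.get((reply.dst_port, reply.src_ip, reply.src_port, reply.proto))
        if inner is None:
            return None
        return Flow(reply.src_ip, reply.src_port, inner[0], inner[1], reply.proto)


def double_nat(home, cgnat, flow):
    """NAT44: private -> 100.64.x.x at the home router, then -> public at the CGNAT."""
    if ipaddress.ip_address(home.ext_ip) not in CGNAT_POOL:
        raise ValueError("home router WAN address is expected to be in 100.64.0.0/10")
    return cgnat.translate_out(home.translate_out(flow))


def reply_path(home, cgnat, server_reply):
    """Reverse both stages for a packet addressed to the shared public ip:port."""
    at_cgnat = cgnat.translate_in(server_reply)
    return None if at_cgnat is None else home.translate_in(at_cgnat)


def demo():
    # Constructed addresses: LAN host, router WAN address in 100.64/10, shared public IP.
    home = Napt("home-router", "100.64.0.5")
    cgnat = Napt("isp-cgnat", "95.100.25.8", port_range=(40000, 40001))  # tiny pool on purpose
    lan_flow = Flow("192.168.1.10", 51234, "142.250.190.78", 443)
    public_flow = double_nat(home, cgnat, lan_flow)
    # The server's reply targets the public ip:port and is demapped through both tables.
    reply = Flow("142.250.190.78", 443, public_flow.src_ip, public_flow.src_port)
    demapped = reply_path(home, cgnat, reply)
    # An inbound SYN to a port nobody mapped has no table entry and is dropped.
    unsolicited = Flow("198.51.100.7", 5555, "95.100.25.8", 8080)
    dropped = reply_path(home, cgnat, unsolicited)
    # A second flow takes the last free CGNAT port; a third exhausts the pool.
    double_nat(home, cgnat, Flow("192.168.1.10", 51235, "142.250.190.78", 443))
    try:
        double_nat(home, cgnat, Flow("192.168.1.11", 40000, "198.51.100.7", 80))
        exhausted = False
    except RuntimeError:
        exhausted = True
    return public_flow, demapped, dropped, exhausted, cgnat.log


if __name__ == "__main__":
    public_flow, demapped, dropped, exhausted, log = demo()
    print("outbound on the public side:", public_flow)
    print("reply demapped to:", demapped)
    print("unsolicited inbound:", dropped)
    print("CGNAT port pool exhausted:", exhausted)
    for entry in log:
        print(entry)
```

Running `demo()` shows the LAN flow leaving as `95.100.25.8:40000`, the reply landing back on `192.168.1.10:51234`, the unsolicited packet returning `None`, and the deliberately tiny CGNAT port pool running out on the third flow. Real deployments hand each customer a block of ports rather than a single global counter, and the `log` entries are the minimum an ISP needs (timestamp, internal and external ip:port, destination) to answer "which customer was behind this public ip:port at this time".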
Technical Characteristics
- IP Range Used: 100.64.0.0/10 (reserved for CGNAT per RFC 6598)
- Translation Table: Maps internal addresses and ports to public IP and port combinations
- NAT Type: Often results in symmetric NAT, which limits some peer-to-peer applications
Challenges/Problems with CGNAT
- Inbound Connections Blocked: Hosting services (e.g., web or game servers) is difficult without special workarounds like port forwarding (which is not usually allowed in CGNAT).
- Breaks Some Applications: VoIP, P2P, VPNs, and gaming apps may fail or require NAT traversal techniques (e.g., STUN, TURN, UPnP).
- Logging Requirements: ISPs must log every NAT mapping for law enforcement traceability (often per connection and timestamp).
- Security Implications: Adds complexity to network monitoring and incident response.
Alternatives to CGNAT
So how does one avoid the issues with CGNAT? Answers:
- Full IPv6 deployment (preferred long-term solution)
- Public IPv4 address leasing (expensive and limited)
- Tunneling technologies (VPNs, IPv6-over-IPv4)
CGNAT Packet Capture – What You’ll See
You can capture CGNAT behavior in packet traces, but you’ll only see parts of the process depending on where you capture traffic.
Here’s what to expect and how to do it:
1. Inside the Customer LAN
- Source IP: Private (e.g., 192.168.1.10)
- Destination IP: Public Internet IP
- Seen in tools like Wireshark or tcpdump. You'll see traffic going out with private IPs before NAT:
Src: 192.168.1.10 → Dst: 142.250.190.78 (e.g., google.com)
2. At the Router WAN Interface (Pre-CGNAT)
- Source IP: CGNAT-reserved (e.g., 100.64.0.5)
- Destination IP: Public Internet IP
This reflects NAT done by your home router before the traffic enters the ISP's network.
3. At the CGNAT Gateway (ISP Level)
- Source IP: Public shared IP (e.g., 95.100.25.8)
- Destination IP: Public Internet IP
- Source Port Modified: the source port number is rewritten (NAPT/PAT, port address translation). Example packet:
Src: 95.100.25.8:40000 → Dst: 142.250.190.78:443
How to Capture CGNAT Packet Behavior
Location | Tool | What You'll See |
---|---|---|
Client PC | Wireshark | Private IP src (e.g. 192.168.x.x) |
Home Router | Packet capture at WAN port | CGNAT address (e.g. 100.64.x.x) |
ISP Edge (not user-accessible) | ISP's logs or NetFlow | Public IP with source port translation |
CGNAT Signature in a Packet Capture
You'll not directly "see CGNAT" as a protocol; it's not a header field. Instead, it's inferred by:
- Multiple flows from 95.x.x.x with different source ports
- Mismatch between LAN address and public IP in outbound traffic
- Traceroute showing a 100.64.0.0/10 address hop
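The capture table and the signature list above both come down to the same check: classify the addresses you see by RFC range and look at how source ports and hops behave. The script below is an added example written for this article (not tooling from the article's author): it parses default one-line `tcpdump -n` output and Linux `traceroute -n` output, labels each source as RFC 1918 private, RFC 6598 shared (CGNAT) or public, guesses which of the three vantage points the capture was taken from, and lists traceroute hops that fall in 100.64.0.0/10. All capture and traceroute lines are constructed, and the helper names (`classify`, `analyse`, `capture_point`, `cgnat_hops`) are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 1918 private ranges (customer LAN) and RFC 6598 shared address space (CGNAT).
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SHARED = ipaddress.ip_network("100.64.0.0/10")

# Default one-line tcpdump output for IPv4 TCP/UDP looks like "IP a.b.c.d.port > e.f.g.h.port:".
TCPDUMP_RE = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")
IPV4_RE = re.compile(r"\b(\d+\.\d+\.\d+\.\d+)\b")

# Constructed capture lines (not real traffic) for the three vantage points in the article.
LAN_CAPTURE = [
    "12:00:01.000001 IP 192.168.1.10.51234 > 142.250.190.78.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000002 IP 192.168.1.10.51235 > 142.250.190.78.443: Flags [S], seq 2, win 64240, length 0",
]
WAN_CAPTURE = [
    "12:00:01.000101 IP 100.64.0.5.1024 > 142.250.190.78.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000102 IP 100.64.0.5.1025 > 142.250.190.78.443: Flags [S], seq 2, win 64240, length 0",
]
PUBLIC_SIDE_CAPTURE = [
    "12:00:01.000201 IP 95.100.25.8.40000 > 142.250.190.78.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000202 IP 95.100.25.8.40001 > 142.250.190.78.443: Flags [S], seq 2, win 64240, length 0",
    "12:00:01.000203 IP 95.100.25.8.40002 > 151.101.1.69.443: Flags [S], seq 3, win 65535, length 0",
]
# Constructed traceroute -n output with a shared-address hop inside the ISP.
TRACEROUTE = [
    " 1  192.168.1.1  1.2 ms  1.1 ms  1.0 ms",
    " 2  100.64.0.1  8.3 ms  8.1 ms  8.0 ms",
    " 3  95.100.25.1  9.9 ms  9.7 ms  9.8 ms",
]


def classify(ip):
    """Label an IPv4 address by the role it plays in the CGNAT picture."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in PRIVATE):
        return "private"   # LAN side, before any NAT
    if addr in SHARED:
        return "cgnat"     # between the customer router and the ISP's CGNAT
    if addr.is_global:
        return "public"    # shared public IP or an Internet host
    return "other"


def parse_tcpdump(line):
    """Return (src_ip, src_port, dst_ip, dst_port) or None for non-matching lines."""
    m = TCPDUMP_RE.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def analyse(lines):
    """Per source IP: address class, distinct source ports and distinct destinations."""
    ports, dsts = defaultdict(set), defaultdict(set)
    for line in lines:
        flow = parse_tcpdump(line)
        if flow:
            src, sport, dst, dport = flow
            ports[src].add(sport)
            dsts[src].add((dst, dport))
    return {src: {"class": classify(src), "src_ports": len(p), "destinations": len(dsts[src])}
            for src, p in ports.items()}


def capture_point(report):
    """Guess the vantage point from the address classes of the sources seen."""
    classes = {entry["class"] for entry in report.values()}
    if "private" in classes:
        return "inside customer LAN (pre-NAT)"
    if "cgnat" in classes:
        return "router WAN side (pre-CGNAT)"
    return "beyond the CGNAT (public side)"


def cgnat_hops(traceroute_lines):
    """Return (hop_number, ip) for every traceroute hop inside 100.64.0.0/10."""
    hops = []
    for line in traceroute_lines:
        hop = re.match(r"\s*(\d+)\s+", line)
        ip = IPV4_RE.search(line)
        if hop and ip and classify(ip.group(1)) == "cgnat":
            hops.append((int(hop.group(1)), ip.group(1)))
    return hops


if __name__ == "__main__":
    for name, lines in (("LAN", LAN_CAPTURE), ("WAN", WAN_CAPTURE), ("public side", PUBLIC_SIDE_CAPTURE)):
        report = analyse(lines)
        print(f"{name}: {capture_point(report)} -> {report}")
    print("CGNAT hops in traceroute:", cgnat_hops(TRACEROUTE))
```

The 100.64.0.0/10 address class and the traceroute hop are the reliable indicators; "many source ports from one public IP" on its own is weak, because a single busy host also opens many flows. The practical consequence for anyone reading logs or firewall data is that a public IP classified as `public` may still be a CGNAT address shared by many customers, so blocking or attributing activity by IP alone can hit or implicate the wrong people; pair the IP with the source port and timestamp, which is exactly what the ISP's mapping log is keyed on.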
I hope this helps you understand CGNAT.