What is Carrier Grade NAT (CGNAT)?

By Michael Spalter
March 2022

About the author

Michael Spalter

Michael Spalter has been a networking technician for over 30 years and has been the CEO of DrayTek in the UK since the company’s formation in 1997. He has written and lectured extensively on networking topics. If you’ve an idea for a blog or a topic you’d like explored, please get in touch with us.

The entire IPv4 address space of the Internet provides approximately 4 billion unique IP addresses. That was more than anyone ever conceived would be needed when the Internet started. Every device on the early Internet had its own unique public IP address. Some organisations were allocated a whole Class A subnet (that's 16 million addresses!) and other large blocks (around 300 million addresses) are reserved for special purposes, so they can't be used for public endpoints. Today, due to the scarcity, public IP subnets have become very valuable. A single address can cost $60, up from around $6 in 2014.

ISPs too were allocated their own blocks. Every one of the ISP's customers would be allocated one of those IP addresses, but as most homes and offices were using dialup Internet, you only needed that IP address for the length of your call. After you hung up, that address could be used by another customer. Today, almost everyone uses an always-on connection, so a permanent IP address is required.

In those early days, early adopters (home and office users of the Internet) would typically have a dialup modem connected to one PC. Even if there was a LAN in the office, it wouldn't carry the Internet to other PCs. Early office LANs commonly used protocols like NetBIOS or IPX and didn't use TCP/IP. Networking was not built into the OS (DOS, Windows etc.). When your PC connected to the Internet, you'd load a TCP/IP stack before your modem dialled out.

Every device on your LAN has its own IPv4 address (e.g. 192.168.1.55). Your router, most likely, uses NAT to share your single public IPv4 address on its WAN interface between all of the devices inside your network. This is known as a "one to many" NAT configuration. Without NAT you'd need as many public routable IP addresses as you have devices - there are tens of billions of IP devices in the world, so one-to-many NAT enables sharing. It's your router's job to translate between the single public address and the multiple internal private addresses. Your router maintains a 'NAT table' to keep track of which device sent out each request to the WAN, so that the replies are sent back to the right client (you can see an animation in my 2006 video here).

As time has gone on, IPv4 addresses have become even more scarce as the number of Internet connections has increased. IPv6 was introduced many years ago in order to solve the problem of IPv4 address shortage. IPv6 provides 340 trillion trillion trillion addresses* (2^128), so by now IPv6 should be universal and IPv4 history. That's what I optimistically predicted in my 2012 book, but IPv4 is still very much alive and in operation on almost every LAN and still being provided by every ISP - more on 'why' later.

*If I was any other writer, I'd now give you some silly comparative for that number - something about grains of sand on the beach, stars in our solar system, so many double decker buses, football pitches, Olympic-size swimming pools, how long it would take to count that high in relation to the age of the universe etc., but I'm not going to do that. You're my smart readers - you can read '340 trillion trillion trillion' or 2^128 without needing me to quantify it further or be given some patronising analogy.

Introducing Carrier Grade NAT (CGNAT)

Today there are more WAN connections than there are IPv4 addresses or, to put it another way - most ISPs have more customers than IP addresses, which is a problem given that every customer needs an IP address. What is this wizardry, you ask!

Although many ISPs will still issue your router's WAN interface with a routable public IP address (and most fixed line ISPs still do), it is increasingly common that the apparent 'public' IP address you're getting is actually running through Carrier Grade NAT (CGNAT). CGNAT is sometimes called Large Scale NAT (LSN).

Like the NAT you're used to on your own LAN, CGNAT does the same thing but one step further up the Internet chain. With regular NAT, a single public IP address is shared by multiple devices behind your router. With CGNAT, a single public IP address is shared between multiple customers' routers. The IP address that your router's WAN interface is allocated is taken from a reserved CGNAT IP range. When your data actually gets to the Internet, CGNAT replaces your CGNAT private IP address with a real routable IP address. Hundreds of other customers will be sharing that same public address. Your ISP's CGNAT routers maintain a table keeping track of every connection so that when data is received back, they can determine which customer the data is intended for and forward it appropriately.

As CGNAT is used by most mobile (cellular) networks, you're probably already using CGNAT. If your Internet connectivity has been fine on your mobile device, you can see that CGNAT can work well for many applications.

In regular NAT - which you use on your own LAN - there are reserved IP ranges for private networks. These are 192.168.0.0/16, 10.0.0.0/8 and 172.16.0.0/12. That first one is the most widely used and is why most routers have a default IP address of 192.168.1.1. If you want to be radical and cool, use one of the other subnets. Just like setting your command prompt window to green text on a black background, it shows that you're a proper IT pro.

Recognising CGNAT Address Ranges

CGNAT has its own reserved IP range between 100.64.0.0 and 100.127.255.255 (100.64.0.0/10). If you check your phone's current IP address (if you're on mobile data and not WiFi) and you have an address in that range, you're, most likely, using CGNAT. ISPs do sometimes do their own thing; as I write this, my own phone has an address from my mobile provider of 192.0.0.4. That is a reserved range and it will work, but it's not a reserved range for CGNAT. I'd guess that means either that their engineers don't understand best practice, don't care, or there is some technical reason necessitating the deviation.

CGNAT Topology

The diagram below shows how an ISP will traditionally allocate IPv4 addresses. This could be fixed wire or cellular. You can see that each router (your router and your neighbour's) gets its own routable public IP address. In this case, yours is 200.100.5.1. That is "your" unique IP address on the Internet for the duration of your connection. Any other user or device on the Internet can reach you at that address:

Carrier Grade NAT

This next diagram shows the same scenario but this time, CGNAT has been applied by your ISP. Now, the CGNAT device gets a WAN-side unique routable public IP address, but your own router and your neighbour's router now get a private CGNAT non-routable address. Yours is 100.64.1.3 - it exists only between your router's WAN (Internet side) interface and the CGNAT device and cannot be reached from elsewhere on the Internet. Anyone elsewhere on the Internet cannot send to 100.64.1.3 - the packets will be dropped by their ISP (as a non-routable address). On the Internet, your packets will appear to come from 200.100.5.1, as will your neighbour's (or other mobile devices in the area). The CGNAT device figures out who incoming data is for, but only when it's a reply to an outgoing request:

Carrier Grade NAT
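To make the topology above concrete, here is an added example (not from the original post) that models the CGNAT device's translation table: two customers behind one public address, a reply finding its way back to the right customer, and an unsolicited inbound connection being dropped because no table entry exists. The class, port policy, and all addresses and ports are constructed for illustration.

```python
# Added example: a toy model of a CGNAT device's translation table.
# The CGNAT class, its port allocation policy and all addresses/ports below
# are constructed for illustration, not taken from any real deployment.
import ipaddress
from dataclasses import dataclass, field

# 100.64.0.0/10 is the shared address space reserved for CGNAT (RFC 6598).
SHARED_SPACE = ipaddress.ip_network("100.64.0.0/10")


@dataclass
class CGNAT:
    public_ip: str                 # the one routable address shared by all customers
    next_port: int = 20000         # next free public-side source port (constructed policy)
    # (public_port, (remote_ip, remote_port)) -> (customer_ip, customer_port)
    table: dict = field(default_factory=dict)

    def outbound(self, customer_ip, customer_port, remote):
        """Translate a customer's outgoing packet; returns (public_ip, public_port)."""
        if ipaddress.ip_address(customer_ip) not in SHARED_SPACE:
            raise ValueError(f"{customer_ip} is not a CGNAT-side customer address")
        # Reuse the existing mapping for the same flow so the customer keeps its port.
        for (pport, rem), (cip, cport) in self.table.items():
            if rem == remote and (cip, cport) == (customer_ip, customer_port):
                return self.public_ip, pport
        pport = self.next_port
        self.next_port += 1
        self.table[(pport, remote)] = (customer_ip, customer_port)
        return self.public_ip, pport

    def inbound(self, public_port, remote):
        """Deliver a packet arriving at the public address; None means it is dropped."""
        return self.table.get((public_port, remote))


def demo():
    nat = CGNAT(public_ip="200.100.5.1")
    web = ("203.0.113.10", 443)            # constructed remote web server
    # Two customers behind the same public address, both using source port 51000.
    you = nat.outbound("100.64.1.3", 51000, web)
    neighbour = nat.outbound("100.64.1.7", 51000, web)
    # The server's reply to your public port is mapped back to you.
    reply_to_you = nat.inbound(you[1], web)
    # Someone on the Internet tries to reach "your" public IP on port 3389 unsolicited:
    # there is no matching entry, so the CGNAT device cannot know who it is for.
    unsolicited = nat.inbound(3389, ("198.51.100.9", 40000))
    return you, neighbour, reply_to_you, unsolicited
```

Running `demo()` shows both customers leaving with the same public IP but different public ports, the reply resolving to 100.64.1.3, and the unsolicited packet returning None.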

Problems with Carrier Grade NAT

CGNAT is most widely used on mobile phone networks. As mobile devices are generally used for a limited range of functions, it has generally gone unnoticed and works well in most situations. However, as CGNAT spreads into fixed connectivity (fibre, cable, DSL etc.) and as cellular connectivity is increasingly being used for a wider range of applications, the shortcomings (side effects) of CGNAT can become apparent:

  1. You no longer have a unique public IP address reachable from the Internet. The IP address that your traffic hits the Internet with is shared with hundreds of other customers of your ISP. This means if you want to host a service, for example accessing your office PC with remote desktop, connecting to your office mailserver or running a site-to-site VPN, you can't. The remote end cannot connect to your office IP address because it's in the ISP's private address range, and it can't connect to your public IP address because that's shared with many other clients - the ISP's CGNAT router would ignore any incoming connections as it wouldn't know which customer they're intended for.

  2. Dynamic DNS (DDNS) services won't help you. Even though the DDNS server will ascertain your public IP address, it still won't be reachable, for the same reason as above.

  3. You may have sometimes found yourself blocked from a particular web site because your current IP address has been reported as being a source of abuse. If another customer within the ISP's same CGNAT cluster misbehaves, they and every other customer on that cluster could be blocked.

  4. CGNAT breaks the end-to-end principle of Internet routing. Regular NAT did that too, but that was a necessary compromise and, if required, you can mitigate many issues with port forwarding or redirection rules on your router. With CGNAT, you cannot set up rules on your ISP's router.

  5. CGNAT breaks certain protocols, or at least prevents them from operating reliably, notably applications such as VoIP (especially if you're running a server) and gaming servers.

There are technical solutions, of varying effectiveness, to some of these problems, for example the use of UPnP, PCP (RFC6887) and STUN (RFC3489). Each of these introduces other issues, such as security concerns with UPnP, or STUN requiring an intermediate server.

When choosing a new ISP or cellular/mobile provider, if you will be hosting services or running any applications which might be sensitive to CGNAT, or you just like to have a proper public IP address, ask before you sign - though I'm not optimistic that most sales people will have that information, or that it will be easy to find on their web site.

VPN Matcher

Another solution for being able to dial into a VPN host which is behind CGNAT is to use a service/facility such as VPN Matcher from DrayTek*. This is a service where each end of the VPN (a DrayTek VPN-capable router or computer with DrayTek's SmartVPN Client) connects to the VPN Matcher service. Both ends of the VPN connection log into the VPN Matcher server and the server determines their actual public IP addresses and port numbers and provides that to the other router (similarly to how a STUN server works).

The instigating end (calling router or teleworker) can then use that information to connect to the receiving (host) end. Because both routers have instigated a connection with matching ports, the ISP's CGNAT router will forward the incoming VPN connection to the right customer, since the intended recipient can be determined and recognised from the information exchanged by the VPN Matcher service.

As CGNAT is very commonly used for cellular connectivity, and cellular services (4G/5G) are increasingly being used either as backup to fixed lines or as a complete replacement, being able to dial in VPN connections is important. As cellular services are often used for IoT and remote monitoring of unmanned sites, being able to overcome CGNAT is important.

*As you'll know, although these blogs appear on the DrayTek web site, they are vendor agnostic and I don't promote any vendor-specific agenda - the information I provide should be relevant regardless of which vendor you are using. I've unusually mentioned DrayTek here but do so only because they do have a system which is particularly relevant to this topic. It may be that other vendors have an equivalent feature which is just as effective (and I'll be happy to add them if anyone lets me know).

Why do we still use IPv4?

Whilst IPv6 is now widely supported, many web sites, many LANs and their infrastructure still use IPv4 only; sometimes just because the owner hasn't enabled IPv6 - there are few ISPs, modern routers or PCs which don't support IPv6 now and all modern Operating Systems support it. However, as IPv6 is not universal yet, IPv4 is going to be needed for some time.

Nearly all cellular (mobile) carriers use IPv6 for their networks and in most countries they provide an IPv6 native connection to all phones, but IPv4 persists and is still provided so that people can access services and servers which are still IPv4 only.

There are other reasons that we still use IPv4, even where IPv6 is available:

  1. IPv4 is arguably "easier" to manage, and many users have IPv4 in their muscle memory and are reluctant to learn something new when they can get away with the system they know inside out.

  2. With IPv4, addresses are short enough to enter by hand and short enough to remember. For example I know my NAS is on 192.168.1.254 and I can type that easily, whereas I'm never going to have the patience to type 2a00:24e1:645d:cd02:587d:7ebb:4cb0:1883 even if I could somehow remember it. Yes, you can use hostnames but that requires a local name server (or HOSTS files - remember those?).

  3. For site-to-site or teleworker VPNs, IPv4 is easy to set up and everyone's used to it. For routing between small private subnets, IPv6 would offer little advantage, and many routers don't support VPN for IPv6 yet (a somewhat chicken-and-egg situation).

  4. Many people use commercial VPN services, not for site-to-site or teleworker links but for place-shifting (geo-bypass) or supposedly increasing their online security and privacy, if you believe the hype (see my previous blog here). These VPN services are almost exclusively IPv4 only.

Other benefits of NAT

NAT doesn't just share a single public IP address amongst multiple LAN-side hosts, it provides address obfuscation. As data leaves your network, your device's local IP address is unknown to the outside world. The devices on your LAN cannot be addressed individually by users elsewhere on the Internet, because all of your LAN endpoints are sharing the same public IP address. An incoming packet to your router will be dropped, unless it's a reciprocal packet (reply) to an outgoing request. This provides some level of security. I say 'some level' just to pre-empt people who want to argue that NAT is not a security method but the stateful nature of NAT does provide some security.

If you do want an internal IPv4 device on your LAN to be reachable from users in the outside world, you can set up a 'port forward' - a rule on your router that routes any unsolicited incoming packets to that internal device, but services on specific ports only. Except for public web services, port forwarding is not recommended these days - VPNs should be used to keep servers and services accessible only to the right people.

NAT on IPv6

IPv6 purists baulk at the mere mention of applying any type of NAT to IPv6. "It defeats the whole purpose!!" they bemoan. NAT in IPv6 is called NAT66, but as there's no shortage of IPv6 addresses, there's rarely any need to use it unless you want to obfuscate your devices' IP identity. NAT66, like regular NAT, adds processing overhead and latency. It is rarely used. The more useful equivalent of NAT in IPv6 is NPTv6 (Network Prefix Translation, RFC8296). An IPv6 address is 128 bits long. It's written as 8 groups of 16-bit hexadecimal numbers, separated by colons, e.g. 2a00:db8:1111:2222:3d3:4c44:5b55:6a66. Depending on the allocated subnet, the first 4 groups will be the prefix and subnet ID and the last 4 are the individual host address (I've simplified that somewhat). In NPT, your router replaces just the prefix. The host address stays the same, so the router automatically knows which internal device an incoming packet is for - it doesn't have to keep and run a NAT table, so there's no NAT processing overhead. With NPTv6, there's still end-to-end reachability and 1:1 address mapping.

The benefits of NPTv6

As you've hopefully seen above, we don't need NPTv6 on IPv6 to share IP addresses; there is no shortage of IPv6 addresses, but there are useful benefits of using NPTv6:

  1. Address Independence. You can retain the same internal numbering scheme for your LAN endpoints (devices) regardless of which WAN connection you're connecting via. This is important if you're load balancing multiple connections or have failover WAN connections, as the router makes the routing decisions so it has to be able to communicate with the device on a single IP address; i.e. each WAN connection has its own prefix and subnet, but the device (PC) won't know which IP address to use.

  2. If your ISP changes your external prefix or you switch ISPs, your existing IPv6 network plan and configuration doesn't need changing.

  3. As you change location, which can happen often on ships, planes, trains and buses, your device(s) can retain the same IP addresses.

  4. You can operate your LAN entirely on ULA** (Unique Local Addresses) - the equivalent of the private address ranges on IPv4.

Note that unlike IPv4 NAT (aka NAT44) and NAT66, with NPTv6, only the prefix changes - the Interface ID (the endpoint address) stays the same so it doesn't provide any device identity privacy.

**ULAs are not to be confused with IPv6 Link-Local addresses: Link Local addresses are never routed outside of the LAN and are what your LAN will use internally if there's no external (ISP) IPv6 connection providing a proper IPv6 subnet.
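The prefix-only translation described in the NPTv6 section, and the address-independence benefit of a LAN on a stable ULA prefix behind two WANs, as an added example that is not part of the original post. The router class, the ULA prefix and the 2001:db8::/32 documentation prefixes are constructed; the example implements the simplified "swap the prefix, keep the interface ID" form the text describes, not the standard's checksum-neutral adjustment.

```python
# Added example: simplified NPTv6 as described above - the router replaces only
# the prefix bits and leaves the interface ID untouched, so no per-flow table
# is needed in either direction.  All prefixes and addresses are constructed.
# (The standardised algorithm additionally adjusts a 16-bit word in the subnet
# field to keep TCP/UDP checksums valid; that refinement is omitted here.)
import ipaddress


def translate_prefix(addr, from_prefix, to_prefix):
    """Replace the bits covered by `from_prefix` with those of `to_prefix`."""
    addr = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NPTv6 maps between prefixes of equal length")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    host_mask = (1 << (128 - src.prefixlen)) - 1
    # Low (host/interface) bits come from the original address,
    # high (prefix) bits come from the new prefix.
    new_bits = (int(dst.network_address) & ~host_mask) | (int(addr) & host_mask)
    return ipaddress.IPv6Address(new_bits)


class NPTv6Router:
    """LAN numbered from one stable ULA prefix; each WAN has its own provider prefix."""

    def __init__(self, lan_prefix, wan_prefixes):
        self.lan = lan_prefix          # e.g. "fd12:3456:789a::/48" (constructed ULA)
        self.wans = wan_prefixes       # e.g. {"wan1": "2001:db8:1::/48", ...}

    def outbound(self, lan_addr, wan):
        """Packet leaving via `wan`: rewrite the LAN prefix to that WAN's prefix."""
        return str(translate_prefix(lan_addr, self.lan, self.wans[wan]))

    def inbound(self, ext_addr, wan):
        """Packet arriving on `wan`: the interface ID already identifies the host."""
        return str(translate_prefix(ext_addr, self.wans[wan], self.lan))


def demo():
    r = NPTv6Router("fd12:3456:789a::/48",
                    {"wan1": "2001:db8:1::/48", "wan2": "2001:db8:2::/48"})
    pc = "fd12:3456:789a:1:587d:7ebb:4cb0:1883"   # constructed LAN host address
    via_wan1 = r.outbound(pc, "wan1")             # same host seen through WAN 1
    via_wan2 = r.outbound(pc, "wan2")             # same host seen through WAN 2
    back = r.inbound(via_wan1, "wan1")            # reply mapped back, statelessly
    return via_wan1, via_wan2, back
```

The interface ID 587d:7ebb:4cb0:1883 survives both translations unchanged, which is exactly why NPTv6 offers address independence but no device identity privacy.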
