Am I Behind CGNAT
Carrier-grade NAT (CGNAT)
Looks for 100.64.0.0/10 addresses in WebRTC and public IP data. Port forwarding from the internet may still fail on CGNAT.
How to use
- Open the page — Likely yes, Likely no, or Uncertain appears after IP and WebRTC scans.
- Read public IP, local WebRTC IPs, and the signal bullets in Details.
- Click Refresh on the network you want to test (home broadband vs mobile hotspot).
FAQ
Am I behind CGNAT?
You may be behind carrier-grade NAT if WebRTC reports a local address in 100.64.0.0/10 (RFC 6598 shared address space) or your visible public IP sits in that range. Many home users have 192.168.x.x on their LAN and a normal public IPv4 address on the internet, with no CGNAT on the customer side.
What is CGNAT?
Carrier-Grade NAT lets an ISP share one public IPv4 among many customers by adding another NAT layer. Inbound connections from the internet to your home server often fail even with router port forwarding.
Why can’t I host a server at home?
CGNAT blocks unsolicited inbound traffic because the ISP's NAT has no public port mapping that leads to your router. You may need IPv6, a VPN tunnel, a relay service, or a business ISP plan with a dedicated public IP.
What is 100.64.0.0/10?
A reserved IPv4 range for shared address space between ISP equipment and customer routers — not routable on the public internet. Seeing it in WebRTC is a CGNAT clue.
How is this different from 192.168.x.x?
192.168.x.x is a private LAN range inside your home. 100.64.x.x often appears on the WAN side of your router when the ISP places CGNAT between your router and the true public IP.
Does this test need WebRTC?
WebRTC host candidates help expose LAN-side and CGNAT-range addresses browsers can see. If WebRTC is blocked, results may be Uncertain.
Introduction
Am I Behind CGNAT helps explain why port forwarding, self-hosting, P2P games, or remote access from the internet may fail even when your router is configured correctly. It looks for carrier-grade NAT clues — especially addresses in 100.64.0.0/10 — from WebRTC and your reported public IP.
IPv4 addresses are scarce. ISPs increasingly put residential customers behind an extra NAT layer instead of giving each home a routable public IPv4. Your router still gets “an IP,” but it is not globally unique — inbound connections from the internet never reach you the way you expect.
CGNAT in one diagram (conceptual)
Internet → ISP CGNAT (100.64.x.x shared) → your router (192.168.x.x) → your PC
Port forward on the router cannot help if the ISP does not map a public port to your CGNAT address.
What this tool looks for
| Signal | Meaning |
|---|---|
| WebRTC local 100.64.x.x | Strong CGNAT indicator on WAN path |
| Public IP in 100.64.0.0/10 | Unusual but definitive if shown as “public” |
| Only 192.168.x.x local | Normal home LAN; does not rule out ISP CGNAT upstream |
| Uncertain | WebRTC blocked or no local candidates |
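The signals in the table above can be expressed as a small classifier. This is an added example, not the tool's own code: the function names, the mapping of "only private local addresses" to "Likely no", and the sample candidate line are assumptions constructed for illustration.

```javascript
// Added example: classify CGNAT likelihood from a public IP and ICE candidate lines.
// Function names and the verdict mapping are assumptions, not the tool's own code.

// Convert a dotted-quad IPv4 string to an unsigned 32-bit integer, or null if invalid.
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// CIDR membership test, e.g. inCidr("100.64.1.2", "100.64.0.0", 10).
function inCidr(ip, base, bits) {
  const a = ipv4ToInt(ip), b = ipv4ToInt(base);
  if (a === null || b === null) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

const isSharedSpace = (ip) => inCidr(ip, "100.64.0.0", 10); // RFC 6598 shared space

// Extract the address of each "typ host" ICE candidate line.
// mDNS-obfuscated names (xxxx.local) and IPv6 addresses carry no IPv4 signal and are skipped.
function hostIPv4s(candidateLines) {
  const out = [];
  for (const line of candidateLines) {
    const f = line.trim().split(/\s+/);
    // fields: foundation component transport priority address port "typ" type
    const isHost = f.length >= 8 && f[6] === "typ" && f[7] === "host";
    if (isHost && ipv4ToInt(f[4]) !== null) out.push(f[4]);
  }
  return out;
}

// Returns a verdict plus the signal bullets that justify it.
function classify(publicIp, candidateLines) {
  const locals = hostIPv4s(candidateLines);
  const signals = [];
  if (isSharedSpace(publicIp)) signals.push("public IP in 100.64.0.0/10");
  for (const ip of locals) if (isSharedSpace(ip)) signals.push(`WebRTC local ${ip} in 100.64.0.0/10`);
  if (signals.length) return { verdict: "Likely yes", signals };
  if (!locals.length) return { verdict: "Uncertain", signals: ["no usable WebRTC host candidates"] };
  return { verdict: "Likely no", signals: ["only non-shared local addresses; upstream CGNAT not ruled out"] };
}

// Constructed sample input (documentation addresses, not real captures).
console.log(classify("203.0.113.7", ["candidate:1 1 udp 2122260223 100.72.14.9 50000 typ host"]));
```

Tailscale, which this page suggests as a workaround, also assigns addresses from 100.64.0.0/10, so a host candidate in that range on a machine running it is not by itself evidence of ISP CGNAT.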
Common use cases
- Home lab / NAS — explain why friends cannot reach your service from outside.
- Gaming NAT type Strict — correlate with double NAT; may need IPv6 or VPN.
- Remote desktop to home — choose relay or Tailscale instead of raw port forward.
- Compare networks — test mobile hotspot vs fiber — CGNAT differs by carrier.
Best practices
- Ask your ISP for a public IPv4 or IPv6 business tier if you need inbound hosting.
- Use IPv6 or overlay VPNs (Tailscale, ZeroTier) when CGNAT blocks legacy IPv4 inbound.
- Pair with what is my public IP and what is my local IP.
- For VPN exit visibility, see am I using VPN.