One of the roadblocks that many home lab enthusiasts hit when they start self-hosting services is the specter of Carrier Grade Network Address Translation, or CGNAT. This wonderful solution to the depletion of public-facing IPv4 addresses instantly puts your computer behind a double NAT situation, making all but basic connectivity and browsing a pain.
If you've ever gotten the dreaded closed NAT message on your gaming console, or had issues with video calls to family and friends, chances are CGNAT was at least partially to blame. But it's part of the ecosystem for most ISPs, and shows no signs of disappearing. However, there are ways around it, whether you want to use tools designed for the purpose or simply pay your ISP for it not to be an issue anymore.
A quick primer on CGNAT
(And why you should hate it more)
Let's assume for a minute that your ISP doesn't use CGNAT. In this situation, your router still has to handle Network Address Translation (NAT) because of the depletion of public IP addresses. This essentially lets everything on your network use a single public IP, then the router gets packets to the individual devices that request them. One level of NAT isn't great, but it's workable.
Now imagine that your ISP has grouped a hundred houses near you into a virtual LAN, putting them behind an external IP address on the ISP's router. Now you're in a double NAT situation, as the ISP has one router, and you have one router. As the two routers don't talk to each other, at one point along the route the hardware doesn't know where to send the packets of data.
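An added check (not part of the original article) for the situation just described: it labels an IPv4 address as home-private (RFC 1918), carrier-shared (the 100.64.0.0/10 block that RFC 6598 reserves for exactly this ISP-side CGNAT use) or public, then compares the address on your router's WAN page with the address an outside host sees you from. Function names and the sample addresses are assumptions; the addresses come from documentation ranges, not real hosts.

```python
import ipaddress

# RFC 1918 ranges used on home LANs, and the RFC 6598 "shared address space"
# that carriers put subscribers in on the ISP side of a CGNAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC6598 = ipaddress.ip_network("100.64.0.0/10")


def classify(addr: str) -> str:
    """Label an address as 'private' (RFC 1918), 'shared' (RFC 6598, i.e. CGNAT) or 'public'."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return "ipv6"          # no NAT layers to worry about on the v6 side
    if any(ip in net for net in RFC1918):
        return "private"
    if ip in RFC6598:
        return "shared"
    return "public"


def nat_layers(router_wan: str, seen_from_internet: str) -> dict:
    """Work out whether a home router sits behind a second (carrier) NAT.

    router_wan:         the WAN address shown on the home router's status page
    seen_from_internet: the source address an outside host reports for your traffic
    """
    wan_kind = classify(router_wan)
    # Either the WAN side is not a public address at all, or it is public but
    # something upstream still rewrites it: in both cases a second NAT is in play.
    behind_cgnat = wan_kind in ("private", "shared") or router_wan != seen_from_internet
    return {
        "wan_kind": wan_kind,
        "behind_cgnat": behind_cgnat,
        # port forwards on your own router only help if your WAN address is the one the world sees
        "port_forward_usable": not behind_cgnat,
    }


# Constructed sample values (documentation ranges, not real hosts)
print(nat_layers("100.72.3.4", "203.0.113.9"))   # WAN in 100.64/10: behind CGNAT
print(nat_layers("203.0.113.9", "203.0.113.9"))  # WAN matches the outside view: forwarding works
```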
CGNAT was one solution to the IPv4 depletion
Every time your home network sends traffic out to the wider internet, it has to travel through three different addressing domains:
Your private network ↔ your ISP's private network ↔ the shared public IP address
It's less of an issue when traffic comes back to your network from the internet, because the routers and firewalls along the way remember that you sent those initial packets out, so they let the information you requested back in. That's why it doesn't really affect basic web browsing, or streaming media from your subscribed services.
But not every app or service you use works that way. Video calls, messaging apps, and peer-to-peer matchmaking in multiplayer games need both sides of the connection to be able to 'see' the other computer at either end of the route.
It also breaks self-hosting, because there's no direct route back to the server from outside your network. That means no individual public IP for your apps to use, no port forwarding because the carrier's routers don't know where to send things, and an impossible barrier to hosting an email server.
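To make the mechanics of the last few paragraphs concrete, here is an added toy model (not from the original article) of a home router sitting behind an ISP CGNAT box: outbound packets create a mapping at each hop, replies follow those mappings back in, and an unsolicited connection to a self-hosted service is dropped at the ISP hop even though the home router has a port forward for it. Names, addresses and port numbers are constructed.

```python
from collections import namedtuple

# A packet is just (src, dst); each side is an (ip, port) pair.
Packet = namedtuple("Packet", "src dst")

class Nat:
    """A minimal NAT: outbound traffic creates a mapping, inbound traffic needs one."""
    def __init__(self, name, external_ip, first_port, forwards=None):
        self.name = name
        self.external_ip = external_ip
        self.forwards = forwards or {}   # static port forwards: external port -> inside (ip, port)
        self._next_port = first_port
        self._out = {}                   # inside (ip, port) -> external port
        self._in = {}                    # external port -> inside (ip, port)

    def outbound(self, pkt):
        """Rewrite the source to this NAT's external address and remember the mapping."""
        port = self._out.get(pkt.src)
        if port is None:                 # first packet from this socket: create the mapping
            port, self._next_port = self._next_port, self._next_port + 1
            self._out[pkt.src] = port
            self._in[port] = pkt.src
        return Packet((self.external_ip, port), pkt.dst)

    def inbound(self, pkt):
        """Rewrite the destination back to the inside host, or return None (dropped)."""
        inside = self._in.get(pkt.dst[1]) or self.forwards.get(pkt.dst[1])
        return None if inside is None else Packet(pkt.src, inside)

def outbound_chain(nats, pkt):
    """Send a packet out through each NAT in turn; returns the packet as the internet sees it."""
    for nat in nats:
        pkt = nat.outbound(pkt)
    return pkt

def inbound_chain(nats, pkt):
    """Bring a packet back in through the NATs in reverse; returns (packet, None) or (None, dropper)."""
    for nat in reversed(nats):
        pkt = nat.inbound(pkt)
        if pkt is None:
            return None, nat.name
    return pkt, None

# Constructed topology: your router (with a port forward for a self-hosted HTTPS server)
# behind the ISP's CGNAT box. Addresses are documentation ranges, not real hosts.
home = Nat("home router", "100.72.3.4", first_port=40000, forwards={443: ("192.168.1.50", 443)})
isp = Nat("ISP CGNAT", "203.0.113.9", first_port=20000)
CHAIN = [home, isp]   # order: inside -> internet
```

Running `outbound_chain(CHAIN, ...)` and then `inbound_chain(CHAIN, reply)` delivers the reply to the original socket, while `inbound_chain(CHAIN, Packet(("198.51.100.7", 60000), ("203.0.113.9", 443)))` returns `(None, "ISP CGNAT")`: the home router's forward for port 443 is never even consulted, because the packet dies one hop upstream of it.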
Wait, but that's terrible
CGNAT was a supposedly temporary hack job to fill in the gap between IPv4 and the adoption of IPv6. Well, one of them at least, because various translation tools between IPv4 and IPv6 were also designed. Decades of network engineers, ISPs, and other business stakeholders insisting CGNAT is the way to future-proof the internet have made it very difficult to separate from the physical transport layer used to connect everything together.
These same forces also limited the ability to fix Layer 4 in future internet revisions, by restricting it to only TCP and UDP and not leaving space for other Layer 4 protocols to fix what was wrong so that everyone could adopt IPv6. With IPv6, you don't need NAT in any way, shape, or form, because the available IP address space is huge. And let's not forget that CGNAT still uses ports when addressing the shared IP space, and that's not an infinite resource.
Ways to bypass CGNAT
People smarter than me figured out how to sidestep the mess
So, we have one problem (IPv4 exhaustion), solved by creating another problem (CGNAT), which becomes another thing to solve. Coders and network admins have spent tens of thousands of hours solving this in multiple ways, from relays (TURN) and discovery servers (STUN) to NAT hole-punching tools, and even manipulating packet headers in transit.
NAT is not a firewall, or a protection for your network in any way. You still need a firewall for both IPv4 and IPv6.
Some of these fixes do make it workable for the end user, even if they do nothing about the wider problem. IPv6 fixes it completely, but worldwide adoption is slowing down, and you can't reach large chunks of the internet without IPv4. Here's what you can do in the meantime:
- Start by using IPv6 (if possible)
- Tailscale is the most approachable next-gen VPN that gets around CGNAT
- Rent a VPS and set up a remote access system chained to a reverse proxy for services inside your home network
- Pony up for a static IP (but this is better done by renting a bare metal cloud server, so the IP isn't on your home equipment)
VPNs will fix the issue assuming your provider enables port forwarding capabilities. Or you can self-host NetBird, Pangolin, Tailscale, or others to use TURN and STUN to pass packets across the internet, but this can be significantly slower and with higher latency than a direct connection.
CGNAT makes it easy for your ISP but not for you
When it comes to networking, using routing is far better and easier than using NAT. The only way to fix things is to speed the adoption of IPv6 worldwide, so that every network, server, domain, and website uses it exclusively. That means no NAT being implemented, no translation layers between IPv4 and IPv6, just IPv6 from client all the way through to the internet resource and back again. And that might not happen in our lifetime, not at this rate.
