I'm almost definitely in the minority on this, but I love my current ISP. After switching between the larger ones in Canada, I decided to try a smaller company that dealt specifically with condominiums, and they've been nothing short of fantastic: my service never dropped, speeds were as advertised, and configuration options like port forwarding were easy to set up, even though everything was controlled through their proprietary web portal. Most importantly, for self-hosting purposes, they gave me a public IPv4 address, which isn't the norm in my area.

While I'm glad to be moving to a place with more space, my current ISP doesn't service my new address, so I'm stuck choosing between the telecommunications giants whose service is expensive and (in my experience) sub-par, or trying a smaller ISP again. I'm deciding to go with the latter, and I've unfortunately found out that they use CGNAT, or Carrier-Grade NAT. Instead of getting a public IP address assigned directly to my router, my ISP now assigns me an address that's shared across many customers. This is usually a hard roadblock for many self-hosters, but I have a couple of solutions that will help me continue hosting exactly as I was before, and they involve using a VPS and Cloudflare Tunnels.

CGNAT is the bane of self-hosting

And it's because of IPv4's inherent limit

The reason CGNAT is met with such vitriol from home lab enthusiasts who self-host is that it blocks inbound connections. Normally, if you want to expose something like a game server or website to the internet, you configure a port forward on your router, which sends traffic arriving at your public IP address on that port to the right place, i.e. the self-hosted service. With CGNAT, that no longer works: the WAN address on your router is itself not public (ISPs typically hand out an address from 100.64.0.0/10, the shared address space reserved for exactly this purpose), and the real public address lives on a NAT box inside the ISP's network that you don't control. That carrier NAT keeps its own state table and only passes an inbound packet if it matches a mapping created by an earlier outbound connection. This doesn't stop things like multiplayer gaming or streaming from working, since those flows start from your side, but a brand-new connection from the internet to your machine has no matching entry and is dropped at the carrier NAT before it ever reaches your router. A quick way to confirm you're affected: compare the WAN address your router shows with the address an external "what is my IP" site reports for you. If they differ, and the WAN side sits in 100.64.0.0/10 or a private range, you're behind CGNAT.

The primary reason ISPs implement this in the first place comes down to IPv4 and its limited address space. IPv4 supports around 4.3 billion addresses, which sounds like a lot, but once you factor in reserved ranges there simply aren't enough for every internet-connected device to have one. NAT itself was invented to stretch that space by letting multiple devices sit behind one public IP. Because IPv4 addresses are now expensive to acquire (up to $40 per address in some instances), CGNAT takes this a step further by putting multiple customers behind one IP.

Cloudflare Tunnels are the easiest workaround

And probably the most practical for services only you need access to


The simplest way to bypass CGNAT is with Cloudflare Tunnels. Cloudflare provides a small client called "cloudflared" that runs on your server. Instead of opening a port on your router, the software creates a persistent outbound connection to Cloudflare's network, and once that connection is established, Cloudflare routes requests for your domain back through the tunnel to your machine. Nothing ever has to connect inbound to your home network, so the carrier NAT never gets involved.

From the outside, it looks like your service is hosted on the public internet, but in reality, your server is maintaining a secure outbound connection to Cloudflare, which handles the incoming traffic on your behalf. This approach requires zero port forwarding, integrates cleanly with Cloudflare's TLS and DNS features, and the setup process is easy. The catch is scope: a public hostname on a tunnel only proxies HTTP(S). Cloudflare can also carry arbitrary TCP (SSH, RDP and the like) through a tunnel, but only if the client side runs cloudflared or the WARP client too, which is fine for services only you use and useless for, say, a game server that strangers connect to. UDP is effectively off the table for public clients. Two more things worth knowing before you rely on it: Cloudflare terminates TLS at its edge, so it sees your traffic in plaintext, and because the tunnel punches straight through your firewall, anything you attach to a hostname is reachable by the whole internet unless you put an access policy in front of it. This is fine for my web-based stuff, but for my other services, I need another solution.
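For reference, this is what the ingress side of that setup looks like. It is an added example, not configuration from the original post or from Cloudflare's docs, and the names in it are assumptions: a tunnel called homelab, the hostname app.example.com, and a web app listening on 127.0.0.1:8080 on the home server.

```yaml
# Added example: /etc/cloudflared/config.yml on the home server.
# Assumed values (not from the original post): tunnel name "homelab",
# hostname app.example.com, origin http://127.0.0.1:8080.
tunnel: homelab
# Written by `cloudflared tunnel create` (as ~/.cloudflared/<uuid>.json);
# copy it here and keep it readable only by the user running cloudflared.
credentials-file: /etc/cloudflared/homelab.json

ingress:
  # Public hostname -> local origin. cloudflared dials out to Cloudflare,
  # so no port forward and no inbound rule on the router is needed.
  - hostname: app.example.com
    service: http://127.0.0.1:8080
    originRequest:
      # Fail fast if the origin is down instead of holding edge connections.
      connectTimeout: 10s

  # Required catch-all. Anything not matched above gets a 404 from the edge
  # rather than being proxied somewhere unintended.
  - service: http_status:404
```

After `cloudflared tunnel login` and `cloudflared tunnel create homelab`, point DNS at the tunnel with `cloudflared tunnel route dns homelab app.example.com`, then start it with `cloudflared tunnel run homelab` (or `cloudflared service install` for a systemd unit). Binding the origin to 127.0.0.1 rather than 0.0.0.0 is deliberate: the tunnel is the only intended way in, and keeping the origin off the LAN interface means a misconfigured router port forward can't expose it a second way.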

Using a VPS is another way to get around CGNAT

It's just a few bucks a month

For services that need more flexibility, the more powerful option is routing traffic through a VPS with a public IP address. In this setup, the VPS becomes a gateway between the internet and your home network, and instead of exposing your home IP address directly, your server establishes a secure tunnel to the VPS. The VPS then forwards whatever arrives on its public address, for the ports you choose, down the tunnel to your home server. From a client's point of view it's the same as if you had a public IP; the access point has just moved from your router to a machine in the cloud. One consequence to keep in mind is that the VPS is now the host exposed to the internet, so it needs its own firewall, with nothing open beyond the tunnel port and the service ports you intend to forward.

WireGuard is a good fit for this. The home server initiates the tunnel outbound, exactly as cloudflared does, so CGNAT doesn't get in the way, and a keepalive from the home side stops the carrier NAT from expiring the mapping that the VPS relies on to reach back in. The difference from a Cloudflare Tunnel is that the VPS can forward any TCP or UDP port, not just HTTP. This is what I'll be using to host my TeamSpeak server, along with any other UDP-only services I might require.
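Here is a concrete pairing of WireGuard configs for that arrangement, using a TeamSpeak server as the forwarded service. This is an added example, not the original post's setup or anything from the WireGuard or TeamSpeak projects, and everything specific in it is assumed: the tunnel network 10.8.0.0/24, the VPS public interface eth0, the hostname vps.example.com, and TeamSpeak's default ports 9987/udp (voice) and 30033/tcp (file transfer). The key placeholders come from `wg genkey` and `wg pubkey`.

```ini
# Added example (not from the original post): a TeamSpeak server behind CGNAT
# reached through a WireGuard tunnel terminated on a VPS.
# Assumed values: tunnel network 10.8.0.0/24, VPS public interface eth0,
# VPS hostname vps.example.com, TeamSpeak defaults 9987/udp and 30033/tcp.
# Replace <...> with keys from: wg genkey | tee private.key | wg pubkey

# ---- VPS: /etc/wireguard/wg0.conf ----
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <vps-private-key>
# Forward only the TeamSpeak ports from the public interface to the home peer.
PostUp = sysctl -q -w net.ipv4.ip_forward=1
PostUp = iptables -t nat -A PREROUTING -i eth0 -p udp --dport 9987 -j DNAT --to-destination 10.8.0.2
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 30033 -j DNAT --to-destination 10.8.0.2
PostUp = iptables -A FORWARD -i eth0 -o wg0 -d 10.8.0.2 -p udp --dport 9987 -j ACCEPT
PostUp = iptables -A FORWARD -i eth0 -o wg0 -d 10.8.0.2 -p tcp --dport 30033 -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Rewrite the source to the tunnel address so the home server's replies come
# back through wg0 instead of leaving via its own (CGNAT) default route.
PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -i eth0 -p udp --dport 9987 -j DNAT --to-destination 10.8.0.2
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 30033 -j DNAT --to-destination 10.8.0.2
PostDown = iptables -D FORWARD -i eth0 -o wg0 -d 10.8.0.2 -p udp --dport 9987 -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -o wg0 -d 10.8.0.2 -p tcp --dport 30033 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

[Peer]
# Home server. Only its single tunnel address is accepted from this key.
PublicKey = <home-public-key>
AllowedIPs = 10.8.0.2/32

# ---- Home server: /etc/wireguard/wg0.conf ----
[Interface]
Address = 10.8.0.2/24
PrivateKey = <home-private-key>
# No ListenPort: the home side only ever initiates, which is all CGNAT allows.

[Peer]
PublicKey = <vps-public-key>
Endpoint = vps.example.com:51820
# Only tunnel-network traffic is routed via the VPS; normal browsing still
# uses the ISP path.
AllowedIPs = 10.8.0.0/24
# Send a packet every 25 s so the carrier NAT keeps the outbound mapping open.
# Without this the VPS loses its way back in as soon as the mapping expires.
PersistentKeepalive = 25
```

Bring both sides up with `wg-quick up wg0` (home first, since it is the initiator) and point the TeamSpeak server's DNS record at the VPS's public address. The trade-off in this layout is the MASQUERADE rule: it makes the setup work without any routing changes at home, but TeamSpeak then sees every client as 10.8.0.1, so per-IP bans and connection logs lose their meaning. Keeping real client addresses means dropping that rule and policy-routing the home server's replies back through the tunnel instead, which is more work. On the firewall side, WireGuard itself stays silent to packets that don't carry a valid handshake, so 51820/udp can sit open on the VPS without advertising anything; the forwarded ports are the only real exposure and should be the only other ones allowed in.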

It adds complexity, but you don't have a lot of choices

I'm really not looking forward to moving ISPs, especially with CGNAT now playing a role in how I self-host. It's not the end of the world, though. Cloudflare Tunnels and a VPS routing my traffic can help keep my services up and running after my move. I'd still rather just port forward the traditional way, but I'm not left with many options.