IPv6 Behind CGNAT: Challenges and Solutions

Table of Contents

• Understanding CGNAT: What It Is and Why It Exists
• The IPv4 Exhaustion Crisis
• How CGNAT Works: Architecture and Implementation
• Limitations of CGNAT: The User Impact
• IPv6 as the Solution to CGNAT Problems
• Transition Mechanisms for CGNAT Environments
• DS-Lite: Dual-Stack Lite
• MAP-E: Mapping with Encapsulation
• MAP-T: Mapping with Translation
• 464XLAT: Mobile Network Solution
• Real-World ISP Implementations
• Gaming and Hosting Challenges with CGNAT
• Workarounds for CGNAT Limitations
• Testing Your CGNAT and IPv6 Configuration
• The Path Forward: IPv6-Only Networks

---

Understanding CGNAT: What It Is and Why It Exists

Carrier-Grade NAT (CGNAT), also known as Large-Scale NAT (LSN) or CGN, is a network address translation technology deployed by Internet Service Providers to extend the usability of their limited IPv4 address pools. Unlike traditional home router NAT, CGNAT operates at the ISP level, creating an additional layer of address translation between subscribers and the public Internet.

What Makes CGNAT Different

Traditional NAT (Home Router):

Private Device → Home Router NAT → Public Internet
192.168.1.10  → 203.0.113.5     → Internet Server

CGNAT Architecture (Double NAT):

Private Device → Home Router → CGNAT → Public Internet
192.168.1.10  → 100.64.0.5   → 203.0.113.5 → Internet Server
              (Private)      (Shared Public)

The key difference: with CGNAT, your home router doesn't receive a unique public IPv4 address. Instead, it receives an address from the shared address space (typically 100.64.0.0/10, defined in RFC 6598), and the ISP's CGNAT device translates this to a public IPv4 address shared among 50-200 other subscribers.

Why ISPs Deploy CGNAT

Primary reason: IPv4 address exhaustion forces ISPs to conserve scarce IPv4 addresses by sharing them among multiple customers.

Economic factors:

• IPv4 addresses cost $30-60 per address on the transfer market (as of 2025)
• Acquiring enough IPv4 addresses for all subscribers is economically prohibitive
• For a 10,000-subscriber ISP, traditional allocation would cost $300,000-$600,000
• With CGNAT (50:1 sharing ratio), cost drops to $6,000-$12,000 (98% savings)

Operational benefits for ISPs:

• Extends IPv4 service availability despite address exhaustion
• Enables growth without acquiring expensive IPv4 addresses
• Provides bridge solution during IPv6 transition
• Reduces infrastructure complexity compared to dual-stack

---

The IPv4 Exhaustion Crisis

IPv4 address exhaustion is not a future threat—it's the current reality driving CGNAT adoption worldwide.

Global IPv4 Depletion Timeline

2011: IANA (Internet Assigned Numbers Authority) allocated its last IPv4 blocks to Regional Internet Registries (RIRs)

Regional exhaustion dates:

• APNIC (Asia-Pacific): April 2011
• RIPE NCC (Europe/Middle East): September 2012
• LACNIC (Latin America): June 2014
• ARIN (North America): September 2015
• AFRINIC (Africa): Approaching depletion (2025)

The IPv4 Address Space Problem

IPv4 provides approximately 4.3 billion addresses (2^32), but:

• Global Internet-connected devices exceed 20 billion (2025)
• Growing IoT deployments require billions more addresses
• Multiple devices per person (smartphones, tablets, computers, smart home devices)
• Cloud services, virtual machines, and containers demand vast address pools

Mathematical reality: No amount of NAT optimization can solve the fundamental constraint of limited IPv4 address space. Only routed networks, particularly with IPv6, can scale effectively.

CGNAT as Temporary Mitigation

CGNAT allows ISPs to delay full IPv6 deployment while maintaining IPv4 service availability. However, it's explicitly recognized as a transitional technology—not a permanent solution. The network is not expected to become fully IPv6-based for several more years, and until then, CGNAT technology helps ISPs provide IP connectivity to their subscribers despite IPv4 scarcity.

---

How CGNAT Works: Architecture and Implementation

CGNAT performs Network Address and Port Translation (NAPT) at carrier scale, sharing public IPv4 addresses across many subscribers using port multiplexing.

Address Sharing via Port Multiplexing

A single public IPv4 address has 65,535 available ports. CGNAT divides these ports among multiple subscribers:

Port allocation example:

Public IP: 203.0.113.5

Subscriber A: ports 1024-5000   (3,977 ports)
Subscriber B: ports 5001-9000   (4,000 ports)
Subscriber C: ports 9001-13000  (4,000 ports)
...
Subscriber N: ports 61001-65535 (4,535 ports)

Typical sharing ratios:

• Residential broadband: 50-100 subscribers per public IPv4
• Mobile networks: 100-200 subscribers per public IPv4
• Conservative deployments: 20-50 subscribers per public IPv4

CGNAT Translation Process

Outbound connection (Client to Internet):

Step 1: User device initiates connection
  Source: 192.168.1.100:54321
  Destination: 93.184.216.34:80 (example.com)

Step 2: Home router NAT
  Source: 100.64.0.25:12345 (from ISP CGNAT range)
  Destination: 93.184.216.34:80

Step 3: CGNAT translation
  Source: 203.0.113.5:15678 (shared public IP:allocated port)
  Destination: 93.184.216.34:80

Step 4: Reaches Internet server
  Server sees: 203.0.113.5:15678
  (Same public IP as 50+ other subscribers)

Inbound response (Internet to Client):

Step 1: Server responds to 203.0.113.5:15678
Step 2: CGNAT looks up port mapping table
  Port 15678 → 100.64.0.25:12345
Step 3: ISP network routes to customer router
Step 4: Home router NAT translates to 192.168.1.100:54321
Step 5: Response reaches user device

The Shared Address Space: 100.64.0.0/10

RFC 6598 reserves 100.64.0.0/10 specifically for CGNAT deployments:

• Range: 100.64.0.0 to 100.127.255.255
• Total addresses: 4,194,304 addresses
• Purpose: Private addressing between customer equipment and CGNAT
• Not routable: on the public Internet (like RFC 1918 addresses)

Detecting CGNAT: If your router's WAN IP address falls in 100.64.0.0/10, you're definitely behind CGNAT.

Logging Requirements and Privacy Implications

Many jurisdictions require ISPs to log CGNAT translations for law enforcement purposes.

Required logging information:

• Source subscriber IP and port (100.64.x.x:port)
• Public IP and port assigned (203.0.113.x:port)
• Timestamp of translation creation
• Destination IP and port (for some jurisdictions)
• Session duration

Data volume challenges:

• Large ISPs generate millions of NAT translations per second
• Storage requirements: terabytes of logs per day
• Retention periods: 6-24 months depending on jurisdiction
• Privacy concerns: detailed connection records maintained by ISP

---

Limitations of CGNAT: The User Impact

CGNAT introduces significant limitations that degrade user experience and break critical network functionality.

1. Port Forwarding Impossible

Problem: Inbound connections from the Internet cannot reach devices behind CGNAT.

Why it fails: Multiple subscribers share the same public IP address. The ISP's CGNAT cannot route incoming traffic to a specific customer without pre-configured port mappings—and ISPs typically don't provide this for residential CGNAT deployments.

Affected use cases:

• Hosting web servers or game servers at home
• Remote access via SSH, RDP, or VNC
• Self-hosted applications (home automation, Plex, NAS)
• IoT devices requiring cloud connectivity
• Peer-to-peer file sharing
• Video surveillance systems with remote viewing

Example failure scenario:

User wants to host Minecraft server on port 25565

Without CGNAT:
  Internet → Public IP:25565 → Router port forward → Local server
  ✓ Works perfectly

With CGNAT:
  Internet → Public IP:25565 → CGNAT (which customer?) → ✗ FAILS
  Port forwarding on home router has no effect—the public IP is shared!

2. Gaming Problems: Strict NAT Type

Online gaming relies heavily on peer-to-peer connections and NAT traversal. CGNAT creates "Strict NAT" or "NAT Type 3" conditions that severely limit multiplayer functionality.

NAT types in gaming:

• Open NAT (Type 1): No NAT, full connectivity
• Moderate NAT (Type 2): Single router NAT, good connectivity
• Strict NAT (Type 3): Double NAT (CGNAT), limited connectivity

Impact on gaming:

• Cannot host multiplayer game sessions
• Difficulty joining games (can only connect to Open NAT hosts)
• Voice chat issues (party chat failures)
• Increased latency and packet loss
• Connection errors with certain players
• Degraded matchmaking performance

Affected games and platforms:

• PlayStation Network: NAT Type 3 warnings
• Xbox Live: Strict NAT limitations
• Nintendo Switch: NAT Type D/F problems
• PC games using P2P: CoD, Destiny, GTA Online, Minecraft

3. VPN and Remote Access Complications

Certain VPN protocols struggle or fail entirely through CGNAT due to protocol-specific NAT traversal requirements.

IPsec VPN issues:

• ESP (Protocol 50) doesn't include port information
• Multiple users behind same CGNAT IP can't establish simultaneous IPsec VPNs
• NAT-T (NAT Traversal) may fail with nested NAT

Remote desktop problems:

• RDP, VNC, SSH require port forwarding (impossible with CGNAT)
• Commercial remote access tools (TeamViewer, AnyDesk) work via relay servers (added latency)

4. Application Compatibility Issues

Protocols broken by CGNAT:

• SIP/VoIP: Signaling includes IP addresses in payload, NAT ALG required
• FTP active mode: Server initiates connection back to client (fails through CGNAT)
• Some gaming protocols: Use non-standard NAT traversal
• Peer-to-peer apps: BitTorrent, Direct Connect struggle with connectivity

Applications with degraded performance:

• Video conferencing (WebRTC NAT traversal overhead)
• P2P file sharing (cannot accept incoming connections, leech-only mode)
• Cloud storage sync (some use direct connections)

5. Multiple Devices Sharing Port Space

CGNAT port allocation algorithms may cause port exhaustion during heavy usage.

Port exhaustion scenarios:

• Many concurrent connections from single household
• P2P applications opening thousands of connections
• Multiple family members streaming, gaming simultaneously
• IoT devices maintaining persistent connections

Symptoms of port exhaustion:

• Intermittent connection failures
• "Cannot establish connection" errors
• Slow or stalling downloads
• Timeouts on new connection attempts

---

IPv6 as the Solution to CGNAT Problems

IPv6 fundamentally eliminates the address scarcity that necessitates CGNAT, providing every device with globally routable addresses and restoring end-to-end connectivity. See benefits-ipv6-over-ipv4.md for more details on why IPv6 is superior.

Massive Address Space Eliminates Sharing

IPv6 provides 340 undecillion addresses (2^128):

• IPv4: 4.3 billion addresses (exhausted)
• IPv6: 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses

Practical allocation:

• Typical home: /64 subnet = 18.4 quintillion addresses
• Enterprise: /48 prefix = 65,536 subnets of 18.4 quintillion addresses each
• Mobile device: Full /64 or even /56 prefix

For understanding address structure and types better, see ipv6-address-types.md. No address sharing required—every device gets globally unique addressing.

End-to-End Connectivity Restored

With IPv6, devices receive public, globally routable addresses by default:

IPv6 architecture (No CGNAT):

Device (2001:db8:1234::5678) → Internet
  Direct connection, no address translation
  Inbound connections work naturally (subject to firewall rules)

Benefits restored:

• Port forwarding works (configure firewall instead of NAT)
• Hosting servers from home viable again
• P2P applications function optimally
• Gaming achieves Open NAT equivalent
• VPN protocols work without NAT traversal hacks

Simplified Network Architecture

IPv6 networks eliminate CGNAT complexity:

With CGNAT (IPv4):

Device → Home NAT → ISP CGNAT → Internet
  - Double NAT complications
  - Port exhaustion risks
  - Logging requirements
  - State table maintenance

With IPv6:

Device → Internet (via firewall)
  - No address translation
  - Stateless routing
  - Simplified troubleshooting
  - Better performance

Firewall Protection Without NAT

Common misconception: "NAT provides security."

Reality: NAT provides obscurity, not security. Firewalls provide actual protection.

IPv6 routers include stateful firewalls that:

• Block unsolicited inbound connections by default
• Provide equivalent protection to NAT
• Allow explicit port forwarding when needed
• Maintain connection state without address translation

See configure-ipv6-firewall.md for detailed firewall configuration guidance. Security advantage: IPv6 firewalls make security policy explicit rather than relying on the side effects of address translation.

---

Transition Mechanisms for CGNAT Environments

ISPs deploying IPv6 in CGNAT environments use several standardized transition mechanisms to provide both IPv4 and IPv6 connectivity efficiently. These technologies enable IPv6-native infrastructure with dual-stack capability while maintaining IPv4 service availability.

Why Transition Mechanisms Matter

ISP objectives:

1. Deploy IPv6 infrastructure (future-proof network)
2. Conserve scarce IPv4 addresses (reduce costs)
3. Maintain IPv4 service (backward compatibility)
4. Simplify network operations (single protocol stack preferred)

Transition mechanisms achieve these goals by running IPv6-native networks with efficient IPv4 service layered on top.

---

DS-Lite: Dual-Stack Lite

DS-Lite (RFC 6333) enables ISPs to operate IPv6-only core networks while delivering IPv4 services through IPv4-in-IPv6 tunneling combined with centralized CGNAT. See ds-lite-explained.md for comprehensive DS-Lite information including detection methods and deployment details.

DS-Lite Architecture

Components:

1. B4 Element (Basic Bridging BroadBand): Customer equipment (CPE)

   • Receives IPv6-only WAN connectivity from ISP
   • Tunnels IPv4 traffic over IPv6 to AFTR
   • No public IPv4 address on WAN interface

2. AFTR (Address Family Transition Router): ISP network core

   • Terminates IPv4-in-IPv6 tunnels from thousands of B4 elements
   • Performs CGNAT (NAT44) for IPv4 Internet access
   • Provides shared public IPv4 addresses

Packet flow:

Customer Device (192.168.1.100)
  ↓ IPv4 packet
B4 Element (CPE)
  - Encapsulates IPv4 packet in IPv6
  - Source: [B4 IPv6 address]
  - Destination: [AFTR IPv6 address]
  ↓ IPv4-in-IPv6 tunnel
IPv6-Only ISP Network
  ↓
AFTR (ISP Core)
  - Decapsulates IPv6, extracts IPv4 packet
  - Performs CGNAT (192.168.1.100 → 203.0.113.5:port)
  ↓ IPv4 packet
IPv4 Internet

DS-Lite Advantages

For ISPs:

• IPv6-only access and core network (reduced complexity)
• 98-99% reduction in IPv4 addresses needed
• Centralized IPv4 management at AFTR
• Clear path to IPv6-only future

For users:

• Transparent to applications
• Native IPv6 performance
• Better than NAT444 (single NAT layer instead of double NAT)

DS-Lite Limitations

User impact:

• Port forwarding impossible (CGNAT limitations)
• B4-capable CPE required (firmware upgrade or new router)
• Gaming: Strict NAT type
• Hosting: Not possible without workarounds

Technical considerations:

• MTU reduction (IPv6 header adds 20 bytes overhead)
• AFTR becomes critical single point of failure
• Added latency from tunneling and CGNAT processing (5-20ms)

Real-World DS-Lite Deployments

Major ISP implementations:

• Free (France): One of first large-scale DS-Lite deployments (2010-2012), millions of subscribers
• Deutsche Telekom (Germany): DSL customers on DS-Lite by default
• Multiple European fiber ISPs: Greenfield FTTH deployments using IPv6-only with DS-Lite

---

MAP-E: Mapping with Encapsulation

MAP-E (Mapping of Address and Port with Encapsulation, RFC 7597) is an IPv6 transition mechanism that uses stateless IPv4-in-IPv6 encapsulation with deterministic port allocation, eliminating the need for carrier-grade NAT.

MAP-E Architecture

Key innovation: Pre-allocates specific port ranges to each subscriber using algorithmic mapping.

Components:

1. MAP-E CE (Customer Edge): CPE router

   • Receives IPv6 prefix and port-set allocation
   • Encapsulates IPv4 packets in IPv6
   • Uses only pre-assigned ports for IPv4 connections
   • Performs stateful NAT44 locally

2. MAP-E BR (Border Relay): ISP network edge

   • Stateless IPv4-in-IPv6 decapsulation
   • No session state maintained (scales infinitely)
   • Routes IPv4 traffic to/from Internet

Address and port mapping:

Customer receives:
  - IPv6 prefix: 2001:db8:1234:5600::/56
  - Shared IPv4: 203.0.113.5
  - Port range: 2048-4095 (2,048 ports)

All IPv4 connections must use ports 2048-4095

How MAP-E Works

Outbound connection:

Step 1: Device initiates connection (192.168.1.100:54321)
Step 2: MAP-E CE performs NAT44
  - Source: 203.0.113.5:2500 (from allocated port range)
  - Destination: 93.184.216.34:80
Step 3: MAP-E CE encapsulates in IPv6
  - IPv6 header: Source [CE IPv6], Dest [BR IPv6]
  - IPv4 payload: 203.0.113.5:2500 → 93.184.216.34:80
Step 4: IPv6-only network routes to MAP-E BR
Step 5: MAP-E BR decapsulates, forwards IPv4 packet to Internet

Inbound connection:

Step 1: Internet packet arrives at MAP-E BR
  Destination: 203.0.113.5:3000
Step 2: MAP-E BR uses algorithm to determine IPv6 destination
  Port 3000 in range 2048-4095 → maps to specific customer IPv6
Step 3: BR encapsulates in IPv6, routes to customer CE
Step 4: CE decapsulates, performs NAT44 to local device

MAP-E Advantages

Stateless operation:

• Border Relay maintains zero session state
• Unlimited scalability (no CGNAT state table)
• No logging required (deterministic port mapping)
• Simplified compliance with privacy regulations

Port forwarding possible:

• Within allocated port range, port forwarding works
• User can host services on ports 2048-4095 (in example)
• Gaming and hosting viable (with port restrictions)

Performance:

• Lower latency than stateful CGNAT
• No port exhaustion issues
• Predictable behavior

MAP-E Limitations

Reduced port availability:

• Typical allocation: 256-2048 ports per subscriber
• Port-intensive applications may struggle
• Cannot use well-known ports (80, 443, etc.) for hosting

CPE complexity:

• Requires MAP-E capable router
• More complex than DS-Lite configuration
• Firmware updates may not be available for older equipment

Port range restrictions:

• Hosting requires non-standard ports
• May complicate service configuration

MAP-E vs DS-Lite Comparison

Feature	DS-Lite	MAP-E
ISP infrastructure	Stateful AFTR (CGNAT)	Stateless BR
Scalability	Limited by AFTR capacity	Unlimited (stateless)
Port forwarding	Impossible	Possible (restricted ports)
Logging	Required (CGNAT state)	Minimal (deterministic)
Complexity	Moderate	Higher
Port availability	Full range (per session)	Fixed subset per subscriber

---

MAP-T: Mapping with Translation

MAP-T (Mapping of Address and Port with Translation, RFC 7599) uses double stateless NAT64/NAT46 translation instead of encapsulation, providing the same benefits as MAP-E with different technical implementation. See nat64-dns64-explained.md for detailed NAT64 information.

MAP-T vs MAP-E: Key Difference

MAP-E: IPv4-in-IPv6 encapsulation (original IPv4 packet wrapped in IPv6 header)

MAP-T: IPv4↔IPv6 translation (IPv4 header replaced with IPv6 header)

Translation process:

MAP-T CE: IPv4 → IPv6 (NAT46 - Stateless translation)
IPv6-only network transport
MAP-T BR: IPv6 → IPv4 (NAT64 - Stateless translation)

MAP-T Architecture

Components:

1. MAP-T CE (Customer Edge):

   • Translates IPv4 packets to IPv6 (SIIT - Stateless IP/ICMP Translation)
   • Uses algorithmic address mapping
   • Pre-assigned port range (like MAP-E)

2. MAP-T BR (Border Relay):

   • Translates IPv6 packets back to IPv4
   • Stateless operation (no session tracking)
   • Routes to IPv4 Internet

Address mapping:

Shared IPv4: 203.0.113.5, Port range: 4096-8191
IPv6 representation: 2001:db8:5:cb00:71:5000::/104
  └─ Encodes IPv4 address and port range in IPv6 bits

MAP-T vs MAP-E Trade-offs

MAP-T advantages:

• Native IPv6 translation (no encapsulation overhead)
• Slightly smaller packet size (no dual headers)
• May work better with some IPv6-aware middleboxes

MAP-T disadvantages:

• SIIT translation doesn't support IPv4 options or multicast
• Fragmentation handling more complex
• Some edge cases differ from native IPv4 behavior

MAP-E advantages:

• Preserves original IPv4 packet intact
• Better multicast support
• Simpler troubleshooting (original headers visible in trace)

MAP-E disadvantages:

• Encapsulation overhead (both IPv4 and IPv6 headers present)
• Larger packets may trigger fragmentation

Which to Choose?

MAP-E is more widely deployed due to:

• Better IPv4 protocol compatibility
• Simpler implementation
• Multicast support

MAP-T may be preferred when:

• Network middleboxes inspect IPv6 deeply
• Minimal packet overhead critical
• Pure translation architecture desired

Both achieve the same end result: stateless, scalable IPv4-over-IPv6 with port-restricted NAPT.

---

464XLAT: Mobile Network Solution

464XLAT (RFC 6877) is the dominant IPv6 transition mechanism for mobile networks, combining customer-side translation (CLAT) with provider-side NAT64 (PLAT) to enable IPv4 application compatibility on IPv6-only networks. See 464xlat-explained.md for comprehensive 464XLAT details.

Why Mobile Networks Chose 464XLAT

Mobile carriers faced unique challenges that made 464XLAT the ideal solution:

Problem 1: IPv4 literal addresses in applications

• Many mobile apps hardcode IPv4 addresses (e.g., 8.8.8.8)
• NAT64/DNS64 alone fails for non-DNS traffic
• Popular apps like Skype, WhatsApp used IPv4 literals

Problem 2: Device diversity

• Millions of existing smartphones in market
• Cannot force hardware replacement
• Need software-only solution

Solution: 464XLAT provides transparent IPv4 connectivity on IPv6-only networks without application modifications.

464XLAT Architecture

Two-stage translation:

1. CLAT (Customer-side transLATor) - On device/CPE:

   • Creates virtual IPv4 interface (typically 192.0.0.4)
   • Stateless translation: IPv4 → IPv6 (NAT46)
   • Applications bind to IPv4 normally
   • All IPv4 traffic translated to IPv6

2. PLAT (Provider-side transLATor) - In carrier network:

   • Stateful NAT64 (similar to standard NAT64/DNS64)
   • IPv6 → IPv4 translation with port multiplexing
   • Shared IPv4 addresses across many users
   • Routes to IPv4 Internet

Packet flow:

IPv4 App (8.8.8.8)
  ↓ IPv4 packet
CLAT (on device)
  - Translates to IPv6: 64:ff9b::808:808
  ↓ IPv6 packet
IPv6-Only Mobile Network
  ↓
PLAT (carrier NAT64)
  - Translates to IPv4: source CGNAT IP → dest 8.8.8.8
  ↓ IPv4 packet
IPv4 Internet

Platform Support

Android: Native support since Android 4.3 (July 2013)

• Automatically activates on IPv6-only APNs
• Zero configuration required
• Works with all applications

iOS: Support since iOS 9.2 (2015)

• Similar automatic activation
• Transparent to apps

Other platforms: Windows 11, Linux (via clatd daemon)

Major Mobile Carrier Deployments

T-Mobile US:

• First major deployment (2013)
• 93% IPv6 traffic by 2018
• 464XLAT enabled full app compatibility

Verizon Wireless:

• IPv6-only with 464XLAT
• 84% IPv6 adoption (2018)
• Reduced network complexity

Telstra (Australia):

• IPv6-only mobile launched February 2020
• Full 464XLAT deployment

Others: Deutsche Telekom, Orange Polska, SK Telecom, KDDI, China Mobile

464XLAT Advantages

Complete application compatibility:

• IPv4 literals work
• Direct socket binding works
• Non-DNS protocols work
• Zero app modifications needed

True IPv6-only network:

• No IPv4 addressing in mobile core
• Simplified routing
• Reduced operational complexity

Performance:

• Native IPv6 preferred when available
• IPv4 translation only when necessary
• Stateless at edge (CLAT) minimizes latency

464XLAT Limitations

Same CGNAT restrictions:

• Port forwarding not possible
• Hosting requires workarounds
• Gaming may show Strict NAT
• VPN protocols may require special handling

Device requirements:

• CLAT support needed (modern devices only)
• Older devices may need software updates

---

Real-World ISP Implementations

ISPs worldwide have deployed various combinations of CGNAT and IPv6 transition mechanisms based on their specific infrastructure and customer requirements.

Europe

Free (France) - DS-Lite Pioneer:

• Technology: DS-Lite
• Timeline: 2010-2012 deployment
• Scale: Millions of subscribers
• Strategy: IPv6-only infrastructure with DS-Lite for IPv4
• Customer impact: B4-capable Freebox routers provided

Deutsche Telekom (Germany) - Hybrid Approach:

• Technology: DS-Lite (default) with optional native dual-stack
• IPv4: Limited availability, request-based
• IPv6: Standard deployment
• Result: High IPv6 adoption driven by DS-Lite defaults

Stadtwerke Flensburg (Germany) - Modern Fiber:

• Technology: DS-Lite on FTTH
• Deployment: 2024 greenfield fiber builds
• Advantage: No legacy IPv4 infrastructure burden

Asia

Mobile carriers (Japan):

• NTT DoCoMo, KDDI: 464XLAT deployments
• Scale: Tens of millions of mobile subscribers
• IPv6 traffic: 70-80% of mobile traffic
• Result: World-leading IPv6 adoption rates

China Mobile, China Telecom:

• Technology: DS-Lite and 464XLAT testing
• Scale: Hundreds of millions of subscribers
• Challenge: Massive user base with limited IPv4
• Approach: Aggressive IPv6 rollout driven by necessity

North America

T-Mobile US - 464XLAT Success Story:

• Technology: 464XLAT on IPv6-only mobile network
• Timeline: 2013 launch
• Result: 93% IPv6 traffic by 2018
• Impact: Industry model for IPv6 transition

Verizon Wireless:

• Technology: 464XLAT
• Motivation: Simplify network (not just IPv4 scarcity)
• Achievement: 84% IPv6 adoption
• Benefit: Eliminated 70+ instances of overlapping private IPv4 space

Cable ISPs (Comcast, etc.):

• Technology: Dual-stack with CGNAT (NAT444 hybrid)
• Approach: Gradual IPv6 enablement
• IPv6 deployment: 70-85% (2025)

Key Success Factors

ISPs that succeeded with IPv6 transition:

1. Provided compatible equipment: Upgraded CPE or supplied new routers
2. Clear communication: Explained limitations to customers
3. Offered alternatives: Native IPv4 for users requiring full functionality
4. Gradual rollout: Tested thoroughly before mass deployment
5. Monitoring and support: Robust systems to detect and resolve issues

---

Gaming and Hosting Challenges with CGNAT

CGNAT severely impacts gaming, server hosting, and peer-to-peer applications due to inability to accept inbound connections.

Gaming: NAT Type Problems

NAT Type classification:

Open NAT (Type 1 / Type A):

• No NAT (public IP directly on console/PC)
• Can connect to all players
• Can host multiplayer sessions
• Best experience

Moderate NAT (Type 2 / Type B):

• Single NAT (home router only)
• Can connect to most players
• Can host sessions for some players
• Good experience

Strict NAT (Type 3 / Type C/D):

• Double NAT (CGNAT + home router)
• Can only connect to Open NAT players
• Cannot host sessions
• Limited matchmaking
• Poor experience

Specific Gaming Issues

Console gaming:

• PlayStation: NAT Type 3 warnings, limited party chat
• Xbox: Strict NAT notifications, multiplayer restrictions
• Nintendo Switch: NAT Type D/F, connection errors

PC gaming:

• Peer-to-peer games: Limited or broken (CoD, Destiny, GTA Online)
• Minecraft servers: Cannot host
• Steam Remote Play: Requires relay (added latency)
• Discord voice: Works but may use relay servers

Symptoms:

• "Cannot connect to other players"
• "Failed to join session"
• Frequent disconnections
• Longer matchmaking times
• Voice chat dropouts

Hosting Services at Home

Web servers: Cannot accept inbound HTTP/HTTPS (ports 80, 443 blocked)

Game servers: Minecraft, CS:GO, Valheim hosting impossible

File sharing: FTP, SFTP require port forwarding (unavailable)

Remote access: SSH, RDP from Internet blocked

Home automation: Cloud access for some smart home devices fails

Media servers: Plex, Jellyfin remote access broken (may work with relay)

Surveillance cameras: Direct remote viewing impossible

Peer-to-Peer Application Impact

BitTorrent:

• Can download (leech) from others
• Cannot accept incoming connections (seed effectively)
• Reduced swarm efficiency
• Lower download speeds

WebRTC (video conferencing):

• May require TURN relay servers
• Added latency
• Potential connection failures

Direct Connect, eDonkey: Severely degraded or broken

---

Workarounds for CGNAT Limitations

When native IPv6 isn't available or applications require IPv4 inbound connectivity, several workarounds can bypass CGNAT restrictions.

1. Request Native IPv6 or Dedicated IPv4 from ISP

IPv6 request:

• Ask ISP to enable native IPv6 (many ISPs provide it free)
• Configure router firewall to allow required inbound ports
• Use IPv6 for hosting (applications must support IPv6)

Dedicated IPv4 request:

• Some ISPs offer public IPv4 for additional fee ($5-20/month)
• Removes CGNAT limitations
• Typically called "static IP" or "business internet" upgrade

2. VPN with Port Forwarding Support

Commercial VPN providers offering port forwarding:

• PureVPN: Port forwarding add-on with dedicated IP
• AirVPN: Port forwarding included
• IVPN: Port forwarding available
• Mullvad: Previously offered, now discontinued (verify current status)

How it works:

Internet → VPN Provider Public IP:25565 → VPN Tunnel → Your Device
  Inbound traffic reaches VPN server
  VPN forwards to your device via tunnel
  You appear to have public IP

Use cases:

• Gaming: Achieve Open/Moderate NAT
• Hosting: Make services publicly accessible
• P2P: Improve connectivity

Limitations:

• Monthly subscription cost
• Added latency (VPN overhead)
• Bandwidth limits may apply
• Requires VPN running 24/7 for hosting

3. Cloud Tunnel Services

Cloudflare Tunnel (free):

• Creates secure tunnel to Cloudflare edge
• No inbound ports required
• Web traffic only (HTTP/HTTPS)
• Zero Trust security model

Setup:

cloudflared tunnel create myserver
cloudflared tunnel route dns myserver subdomain.example.com
cloudflared tunnel run myserver

Ngrok (free tier available):

• Instant public URLs for local services
• HTTP/HTTPS tunneling
• TCP tunneling (paid plans)

Setup:

ngrok http 80
# Provides: https://random-subdomain.ngrok.io → localhost:80

Use cases:

• Web server hosting
• Webhook testing
• Demo/development environments

Limitations:

• Web traffic only (unless paid plan)
• Custom domains require paid plans
• Performance depends on relay service

4. VPS with Reverse Tunnel

Setup your own relay server:

Step 1: Rent VPS with public IPv4 ($5-10/month)

• Providers: DigitalOcean, Linode, Vultr, Hetzner

Step 2: Configure reverse SSH tunnel

# From home server (behind CGNAT):
ssh -R 8080:localhost:80 user@vps-public-ip

# VPS now forwards port 8080 to your local port 80

Step 3: Configure VPS firewall/nginx to proxy traffic

Persistent solution: Use systemd service or autossh

Advantages:

• Full control over relay server
• Any protocol (not just HTTP)
• Fixed public IP
• Better performance than VPN

Disadvantages:

• Requires VPS maintenance
• Monthly cost
• Technical setup complexity

5. Mesh VPN for Device Access

ZeroTier (free for small networks):

• Creates virtual Layer 2 network
• All devices get addresses in ZeroTier subnet
• Direct peer-to-peer when possible, relay when necessary

Tailscale (free tier available):

• Built on WireGuard
• Zero-config VPN mesh
• NAT traversal via DERP relays

Use cases:

• Personal device access (not public hosting)
• Remote access to home network
• IoT device management
• Cross-site connectivity

How it works:

Device A (behind CGNAT) ←→ Tailscale Control ←→ Device B (anywhere)
  Direct P2P connection when possible
  Relay via Tailscale servers when NAT prevents P2P

Limitations:

• Only connected devices can access (not public Internet)
• Client software required on all devices
• Free tier limits (100 devices for Tailscale, 25 for ZeroTier free)

6. IPv6 as Primary Solution

When IPv6 is available:

• Configure services to listen on IPv6
• Use IPv6 address for hosting
• Enable IPv6 firewall rules

Challenges:

• Not all clients support IPv6 (estimated 40% global adoption, 2025)
• May need proxy for IPv4-only clients (Cloudflare, AWS CloudFront)

Hybrid approach:

• IPv6 for direct access (no CGNAT)
• Cloudflare as proxy for IPv4 users

---

Testing Your CGNAT and IPv6 Configuration

Understanding your current network setup is critical for troubleshooting and determining which workarounds to pursue.

Detect CGNAT

Method 1: Check router WAN IP address

Router shows:
  WAN IP: 100.64.25.100 → You are behind CGNAT (RFC 6598 address)
  WAN IP: 10.x.x.x or 192.168.x.x → Possible CGNAT (check Method 2)
  WAN IP: Public IP (not in private ranges) → Likely no CGNAT

Method 2: Compare router IP with public IP

# Check router's WAN IP (admin panel or CLI)
Router WAN IP: 100.64.25.100

# Check public IP from external service
curl ifconfig.me
# Returns: 203.0.113.5

# If different: You are behind CGNAT
# If same: No CGNAT (native public IP)

Method 3: Port forwarding test

• Configure port forward on router (e.g., port 8080 → local server)
• Check if port is accessible from external network
• If unreachable despite correct router config: CGNAT is blocking

Method 4: Traceroute analysis

traceroute 8.8.8.8

# Look for hops in 100.64.0.0/10 range early in path
# Indicates CGNAT infrastructure

Test IPv6 Connectivity

Comprehensive testing: Visit https://test-ipv6.run

The site performs:

• IPv4-only connectivity test
• IPv6-only connectivity test
• Dual-stack test (sites with both A and AAAA records)
• Latency comparison (IPv4 vs IPv6)
• Protocol preference detection
• IPv6 readiness score

What test-ipv6.run reveals:

Scenario 1: CGNAT without IPv6

• IPv4: Works (via CGNAT)
• IPv6: Fails
• Score: Low (0-3/10)
• Recommendation: Request IPv6 from ISP

Scenario 2: CGNAT with DS-Lite

• IPv4: Works (tunneled via DS-Lite)
• IPv6: Works (native)
• IPv4 latency: Slightly higher than IPv6
• Router WAN: IPv6 only
• Score: Good (7-9/10)

Scenario 3: CGNAT with 464XLAT (mobile)

• IPv4: Works (via CLAT/PLAT translation)
• IPv6: Works (native)
• IPv6 preferred for dual-stack
• Score: Good (7-9/10)

Scenario 4: Native Dual-Stack (no CGNAT)

• IPv4: Works (unique public IP)
• IPv6: Works (native)
• Similar latency for both
• Score: Excellent (10/10)

Manual IPv6 Testing

Check IPv6 address:

# Linux/macOS
ip -6 addr show  # Linux
ifconfig | grep inet6  # macOS

# Windows
ipv6config

# Look for global unicast address (2000::/3 range)
# Example: 2001:db8:1234:5678::1

Test IPv6 connectivity:

# Ping IPv6-only host
ping6 ipv6.google.com

# Test IPv6 web access
curl -6 ifconfig.me

# Returns your public IPv6 address if working

Check for DS-Lite:

# If router WAN shows only IPv6 (no IPv4):
# AND IPv4 Internet works:
# You are likely on DS-Lite

# Traceroute may show IPv6 hops even for IPv4 destinations
traceroute -4 8.8.8.8
# If you see IPv6 addresses in trace: DS-Lite indicator

Identify Your Configuration

Test Results	Likely Configuration
IPv4 works, IPv6 fails, WAN IP in 100.64.x.x	CGNAT without IPv6
IPv4 works, IPv6 works, WAN IP public IPv4 + IPv6	Native dual-stack (no CGNAT)
IPv4 works, IPv6 works, WAN IP only IPv6	DS-Lite or similar tunnel
IPv4 works, IPv6 works, Mobile network	Likely 464XLAT
IPv4 fails, IPv6 works	IPv6-only (need CLAT or DNS64/NAT64)

---

The Path Forward: IPv6-Only Networks

The ultimate solution to CGNAT's limitations is widespread IPv6 deployment, enabling true end-to-end connectivity without address translation. See setup-ipv6-only-networks.md for guidance on implementing IPv6-only network architectures.

Current Global IPv6 Adoption

As of 2025:

• Global adoption: ~40-45% of Internet users reach Google via IPv6
• Leading countries:
  • India: ~70% (mobile-driven)
  • USA: ~50%
  • Germany: ~60%
  • France: ~70%
• Major content providers: Google, Facebook, Netflix, Cloudflare >60% IPv6 traffic

Mobile networks: 70-90% IPv6 deployment (highest adoption segment)

Fixed broadband: 30-60% IPv6 deployment (varies by region)

Drivers of IPv6 Transition

Economic pressure:

• IPv4 address costs: $30-60 per address (rising)
• CGNAT operational costs: Hardware, logging, complexity
• IPv6 infrastructure: Simpler, more scalable

Technical benefits:

• End-to-end connectivity restored
• Simplified routing
• Better performance (no NAT overhead)
• Future-proof architecture

Industry momentum:

• Major cloud providers (AWS, Google Cloud, Azure) prioritizing IPv6
• Content delivery networks (Cloudflare, Akamai) >50% IPv6 traffic
• Government mandates (US federal networks required IPv6)

Challenges Remaining

Legacy systems:

• Old hardware/software IPv4-only
• Enterprise application dependencies
• Specialized industrial equipment

Knowledge gap:

• Network administrators trained on IPv4
• Limited IPv6 troubleshooting expertise
• Documentation still IPv4-centric in many areas

Chicken-and-egg problem:

• Content providers wait for user adoption
• ISPs wait for content availability
• Transition mechanisms (464XLAT, DS-Lite) bridge gap

Timeline Expectations

2025-2027:

• Continued CGNAT deployments (short-term necessity)
• Accelerating IPv6 adoption (driven by economics)
• Transition mechanisms mature (DS-Lite, 464XLAT, MAP-E standard)

2028-2035:

• IPv6 becomes dominant protocol
• IPv4 relegated to legacy support
• CGNAT capacity reduced as IPv6 traffic grows

2035+:

• Potential IPv6-only Internet for most users
• IPv4 as niche legacy protocol
• End of CGNAT necessity

What You Can Do

As a user:

1. Request IPv6 from your ISP if not available
2. Enable IPv6 on your router
3. Prefer IPv6-capable applications
4. Test your connectivity at test-ipv6.run

As a developer:

1. Ensure applications support IPv6
2. Test on IPv6-only networks
3. Avoid hardcoded IPv4 addresses
4. Use dual-stack APIs (getaddrinfo, not gethostbyname)

As a network administrator:

1. Deploy dual-stack (IPv4 + IPv6) networks
2. Monitor IPv6 traffic growth
3. Plan IPv4 sunset timeline
4. Train staff on IPv6 operations

---

Conclusion

CGNAT emerged as a necessary response to IPv4 address exhaustion, enabling ISPs to extend IPv4 service availability by sharing scarce addresses across multiple subscribers. However, CGNAT introduces significant limitations—broken port forwarding, strict NAT types in gaming, and hosting impossibilities—that fundamentally degrade the Internet's end-to-end connectivity model.

IPv6 eliminates the need for CGNAT by providing an effectively infinite address pool, restoring direct connectivity and enabling the Internet to function as originally designed. Transition mechanisms like DS-Lite, MAP-E, MAP-T, and 464XLAT enable ISPs to deploy IPv6-native infrastructure while maintaining IPv4 service compatibility, bridging the gap during this critical transition period.

Key takeaways:

• CGNAT is a symptom of IPv4 exhaustion, not a long-term solution
• IPv6 solves the root cause by eliminating address scarcity
• Transition mechanisms (DS-Lite, 464XLAT, MAP-E) enable practical IPv6 deployment today
• User impact ranges from inconvenient (gaming) to prohibitive (hosting)
• Workarounds exist (VPN, tunnels, IPv6) but IPv6 adoption is the ultimate fix

As the Internet continues its inevitable transition to IPv6, CGNAT will gradually fade into obsolescence—but until that day arrives, understanding CGNAT's limitations and available workarounds is critical for anyone navigating today's transitional Internet landscape.

Test your network's IPv6 readiness and check if you're behind CGNAT: Visit test-ipv6.run for comprehensive, browser-based testing of your IPv4 and IPv6 connectivity. The tool provides real-time results, latency measurements, and an IPv6 readiness score—helping you understand exactly how your connection works.

---

Additional Resources

• RFC 6598: IANA-Reserved IPv4 Prefix for Shared Address Space - CGNAT address range specification
• RFC 6333: Dual-Stack Lite Broadband Deployments - DS-Lite standard
• RFC 7597: Mapping of Address and Port with Encapsulation (MAP-E) - MAP-E specification
• RFC 7599: Mapping of Address and Port using Translation (MAP-T) - MAP-T specification
• RFC 6877: 464XLAT: Combination of Stateful and Stateless Translation - 464XLAT standard
• RFC 9313: Pros and Cons of IPv6 Transition Technologies for IPv4aaS - Comprehensive comparison
• APNIC: About Carrier Grade NAT - ISP perspective
• Test your connectivity - IPv4/IPv6 testing and readiness scoring

---

Last updated: 2025-10-26