What Is CGNAT (Carrier-Grade NAT)?
CGNAT (Carrier-Grade NAT), also called large-scale NAT (LSN), is a technique ISPs use in IPv4 networks to share a small pool of public IPv4 addresses across hundreds of subscribers, extending the life of the IPv4 address space (Wikipedia (Carrier-grade NAT), 2025). One public IP can serve hundreds of customers at once. This pooling is invisible to end users but creates real consequences for any system that relies on IP addresses to identify, geolocate, or rate-limit individuals.
How CGNAT Works
IETF RFC 6598 reserved the 100.64.0.0/10 block (100.64.0.0 to 100.127.255.255) as dedicated Shared Address Space for the link between CGN devices and customer premises equipment, keeping it separate from RFC 1918 private ranges (IETF RFC 6598, 2012). When a subscriber sends a request, the carrier's CGN device rewrites the source address from the 100.64.0.0/10 range to a shared public IP and logs the translation. Responses return through the same device and are reverse-translated to reach the correct subscriber.
This creates a double-NAT arrangement: one NAT inside the home router and a second at the carrier level. Port numbers distinguish sessions across the many users sharing the same public IP.
How CGNAT Affects IP-Based Systems
Because hundreds of users share one public IP, any system that blocks or scores by IP address treats all of them as one entity. A block aimed at one bad actor catches every other subscriber in the same pool. Geolocation accuracy also drops: the public IP maps to the carrier's infrastructure location, not the subscriber's actual city or neighborhood.
IP reputation works the same way. One spammer in a CGNAT pool can degrade scores for hundreds of unrelated users. Mobile operators are the heaviest CGNAT users, with most 4G and 5G networks placing handsets behind it. Real devices in residential and mobile proxy networks reflect this CGNAT behavior, which is why their traffic patterns differ from datacenter IPs that hold dedicated public addresses.
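The collateral-damage problem described above, as an added example (not code from the original page): a Python sketch that checks addresses against the RFC 6598 and RFC 1918 ranges and picks a per-IP action from constructed events. The event tuples, action labels and the `shared_threshold` heuristic are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# RFC 6598 Shared Address Space (from this page) and the RFC 1918 private ranges.
CGN_SHARED = ipaddress.ip_network("100.64.0.0/10")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(addr):
    """Label an IPv4/IPv6 address string: 'cgn-shared', 'rfc1918' or 'other'."""
    ip = ipaddress.ip_address(addr)
    if ip in CGN_SHARED:
        return "cgn-shared"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "other"

# Constructed sample events: (source IP, account id, flagged as abusive).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
EVENTS = [
    ("203.0.113.7", "acct-a", False),
    ("203.0.113.7", "acct-b", True),
    ("203.0.113.7", "acct-c", False),
    ("203.0.113.7", "acct-d", False),
    ("198.51.100.20", "acct-x", True),
    ("198.51.100.20", "acct-x", True),
    ("100.64.12.9", "acct-y", True),   # carrier-internal address, e.g. from a bad header
]

def decide(events, shared_threshold=3):
    """Choose one action per source IP that produced abusive events.

    shared_threshold (assumed tuning value): at least this many distinct
    accounts on one IP, some of them clean, is treated as a shared address.
    """
    accounts, abusive = defaultdict(set), defaultdict(set)
    for ip, account, bad in events:
        accounts[ip].add(account)
        if bad:
            abusive[ip].add(account)
    actions = {}
    for ip, bad_accounts in abusive.items():
        clean = accounts[ip] - bad_accounts
        if classify(ip) != "other":
            actions[ip] = "ignore-ip-restrict-accounts"   # not a public address
        elif len(accounts[ip]) >= shared_threshold and clean:
            actions[ip] = "restrict-accounts"             # likely shared pool
        else:
            actions[ip] = "block-ip"
    return actions
```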
Use Cases
- Mobile network analysis. CGNAT explains why mobile IP geolocation is approximate and why many sessions share a single public address.
- Proxy and IP sourcing. Residential proxy networks like Massive source IPs from real consumer devices, many of which sit behind CGNAT. Their egress traffic closely matches normal subscriber behavior rather than datacenter egress.
- Fraud and abuse detection. Security teams account for CGNAT before bulk-blocking a shared IP, reducing collateral impact on legitimate users in the same pool.
- IPv6 planning. CGNAT is a stopgap while carriers deploy IPv6. IPv6 assigns each device a unique public address, removing the shared-IP problem entirely.
Frequently Asked Questions
CGNAT masks your private address behind a shared public IP, but it is not anonymity. Your ISP logs translation state and can tie any session back to your account. Many ISPs are legally required to retain those records.
External services see the carrier's public IP, not your device address. Geolocation databases map that IP to the carrier's infrastructure location, which may be far from where you actually are.
If one subscriber behind a CGNAT pool triggers abuse rules, the shared public IP gets flagged. Other users on that same IP inherit the poor reputation and may face false-positive blocks or CAPTCHAs.
A home router NATs between your local devices and your ISP-assigned address. CGNAT is a second layer at the carrier, translating your ISP-assigned address in the 100.64.0.0/10 range to a public IP. The result is two consecutive NAT translations before your traffic reaches its destination.