Updated 31 May 2026

What is NAT (and why CGNAT blocks you)?

A short reference on Network Address Translation — why it exists, how the translation table is built from outbound connections, why unsolicited inbound traffic is dropped, and how carrier-grade NAT takes away your public IP entirely.

The one-sentence definition

NAT — Network Address Translation — lets many devices on a private network share one public IP address, by having the router rewrite the addresses on packets as they pass through and remember the mapping so replies find their way back.

Why NAT exists

There are only about 4.3 billion IPv4 addresses, and we ran out of fresh ones years ago. NAT is the workaround that let the internet keep growing: instead of every device needing its own public address, a whole household or office sits behind a single public IP, using private addresses internally. Those private ranges are reserved by RFC 1918:

| Range | Size | Typical use |
|---|---|---|
| 10.0.0.0/8 | 16.7M addresses | large networks, clouds |
| 172.16.0.0/12 | 1M addresses | mid-size networks |
| 192.168.0.0/16 | 65K addresses | home routers |

These addresses are not routable on the public internet — they only mean something inside your own network. (If CIDR notation like /8 is unfamiliar, that short reference explains it.)

How the translation actually works

The common home flavour is PAT (Port Address Translation, often just called "NAT" or "masquerade"). When a device inside sends a packet out, the router rewrites the packet's source from the private address to the router's public address, picks a spare source port, and records the mapping in a table:

```mermaid
flowchart LR
    A["Laptop<br/>192.168.1.50:51002"] -->|"outbound"| R["Router<br/>(NAT table)"]
    R -->|"rewritten as<br/>203.0.113.10:48211"| NET["Internet"]
    NET -->|"reply to<br/>203.0.113.10:48211"| R
    R -->|"looked up →<br/>192.168.1.50:51002"| A
```

The router rewrites outbound packets and remembers the mapping, so replies are translated back to the right internal device.

The crucial detail: that table is built from outbound connections. A reply to a connection your device started has a matching entry, so the router knows where to send it. But a packet arriving unsolicited from the internet has no entry — the router has no idea which of your dozen internal devices it is for, so it drops it. From outside, your devices are invisible. There is no address that points at them.

Why this blocks self-hosting

If you run a service at home and want the internet to reach it, NAT is working directly against you: inbound connections have nowhere to go. The classic workaround is port-forwarding — manually telling the router "anything on port 443, send to 192.168.1.50." That punches a permanent hole through NAT, but it also publishes your home IP and exposes a path into your LAN, which is why the "Expose your homelab to the internet" track argues against it and uses an outbound WireGuard tunnel instead — outbound is the direction NAT allows.

CGNAT: when you have no public IP at all

Carrier-grade NAT (CGNAT, RFC 6598) is NAT run a second time, by your ISP, across many customers. Instead of giving each household a real public IP, the ISP puts hundreds of customers behind a shared pool, using the dedicated range 100.64.0.0/10. It is increasingly common on mobile, fibre, and budget broadband because public IPv4 is scarce and expensive.

Under CGNAT the "public" IP your router sees is itself private — it belongs to the ISP's network, not the internet. You cannot port-forward to an address you do not control, and even a perfect router config cannot help: the ISP's CGNAT layer drops the inbound packet just as your own router would.

ℹ️ How to tell. If the IP your router reports on its WAN interface does not match what a "what is my IP" site shows, you are almost certainly behind CGNAT. An address in 100.64.0.0/10 is a strong tell. Some ISPs hand out a real public IP on request (sometimes for a fee); many will not.
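The translation table described above, the dropping of unsolicited inbound packets, and the CGNAT double-NAT case, as an added Python model that is not from the original article. It assumes a toy router class `Pat`, constructed addresses (remote server 198.51.100.7, CGNAT WAN address 100.64.3.17), and a lookup on destination port alone; a real router also matches the remote endpoint and ages entries out.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")

class Pat:
    """Toy PAT router (assumed model): one public IP, a table keyed by the chosen public port."""
    def __init__(self, public_ip, first_port=48211):
        self.public_ip, self.next_port = public_ip, first_port
        self.table = {}     # public port -> (private ip, private port); filled by outbound only
        self.reverse = {}   # (private ip, private port) -> public port
        self.forwards = {}  # static port-forward rules: public port -> (private ip, port)

    def outbound(self, pkt):
        """Rewrite the source to the public address and remember the mapping."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.reverse:
            self.reverse[key] = self.next_port
            self.table[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.reverse[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate back via the table or a forward rule; None means the router dropped it."""
        entry = self.table.get(pkt.dst_port) or self.forwards.get(pkt.dst_port)
        if entry is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])

def is_cgnat(addr):
    """True when addr sits in the RFC 6598 shared space an ISP's CGNAT hands out."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network("100.64.0.0/10")

# Constructed scenario: laptop 192.168.1.50 behind home router 203.0.113.10,
# talking to a constructed remote server 198.51.100.7.
def reply_reaches_laptop():
    home = Pat("203.0.113.10")
    out = home.outbound(Packet("192.168.1.50", 51002, "198.51.100.7", 443))
    return home.inbound(Packet("198.51.100.7", 443, out.src_ip, out.src_port))

def unsolicited_is_dropped():
    return Pat("203.0.113.10").inbound(Packet("198.51.100.7", 40000, "203.0.113.10", 443))

def cgnat_defeats_port_forward():
    isp = Pat("203.0.113.10")    # the ISP's CGNAT box owns the real public IP
    home = Pat("100.64.3.17")    # home router's WAN address is CGNAT space, not public
    home.forwards[443] = ("192.168.1.50", 443)
    hop = isp.inbound(Packet("198.51.100.7", 40000, "203.0.113.10", 443))
    return None if hop is None else home.inbound(hop)
```

The third scenario shows the point of the CGNAT section: the home router's port-forward rule is never consulted, because the ISP's table has no entry and drops the packet one hop earlier.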

The short version

NAT lets many devices share one public IP by translating addresses, but it only knows how to route replies to connections that started inside. Unsolicited inbound traffic has nowhere to go — and under CGNAT you do not even have a public IP to forward. That is the entire reason exposing a home service usually means reaching out to a VPS over a tunnel rather than opening a port at home.