CGNAT (Carrier-Grade NAT) places hundreds of subscribers behind a single public IP, creating a double-NAT that causes "Strict NAT" (Type 3). Port forwarding cannot bypass the ISP's CGNAT gateway — request a dedicated public IP from your ISP to resolve it.
CGNAT Explained for SA Fibre: Why You Have Strict NAT
You have the fastest fibre line in your street, a high-end gaming router, and a wired ethernet connection, yet every time you launch Call of Duty or Elden Ring, you are greeted by the same frustrating message: NAT Type: Strict. You’ve tried opening ports and enabling UPnP, but nothing changes. In the modern South African internet landscape, the culprit is rarely your hardware—it is a network-level configuration called CGNAT. Within the framework of Competitive Security, Edge Config & Continuity, understanding how CGNAT affects your "Edge Layer" is essential for any gamer looking to host lobbies or achieve a Moderate or Open NAT status.
As IPv4 addresses become increasingly scarce, more South African ISPs (Internet Service Providers) and FNOs (Fibre Network Operators) are turning to this technology to manage their limited resources. While it works perfectly for browsing the web or streaming Netflix, it presents a significant hurdle for the real-time, peer-to-peer demands of competitive gaming.
The Root Cause: IPv4 Address Exhaustion
To understand CGNAT, you first have to understand the "address shortage" of the internet. Every device on the web needs a unique Public IP address to send and receive data. The original system, IPv4, was designed with roughly 4.3 billion addresses. In the early days of the internet, this seemed like plenty, but with the explosion of smartphones, smart home devices, and always-on fibre connections, the world officially ran out of unallocated IPv4 addresses years ago.
How do ISPs handle the shortage of IP addresses? Instead of giving every customer their own unique public IP address, ISPs use Carrier-Grade Network Address Translation (CGNAT). This allows the provider to "bundle" hundreds or even thousands of customers behind a single public IP address. While your home router still thinks it has a public connection, it is actually sitting behind a massive "ISP-level" router that handles the final translation to the public internet.
Think of a standard connection like a standalone house with its own street address. Data knows exactly where to go. CGNAT is like a massive apartment building with one street address and 500 units. If someone sends mail to the building without a specific unit number, the mailman (the ISP router) doesn't know where to deliver it and often just discards it.
Why CGNAT Breaks Gaming (The NAT Type 3 Problem)
Online games—especially those using peer-to-peer (P2P) architecture—rely on "incoming" connections. When you try to host a lobby or join a friend’s party, their console or PC attempts to "talk" directly to yours.
Why does CGNAT cause Strict NAT in games? In a CGNAT environment, your router does not have a unique identity on the public web. When another player’s data arrives at the ISP’s shared public IP, the ISP-level router doesn't know which of its thousands of customers that data is meant for. Because it cannot "route" that incoming request to your specific home, it blocks the connection. This results in the "Strict NAT" (or Type 3) status that prevents you from hosting matches or hearing friends in voice chat.
This creates a "Double NAT" or even "NAT444" scenario, where your data is being translated once by your home router and a second time by the ISP's infrastructure. In this setup, traditional methods like Safe Port Forwarding will fail completely, because you only have control over the "first door" (your router), not the "second door" (the ISP's gateway).
How to Check if You Are Behind CGNAT
If you suspect you are being hindered by a shared IP, there is a simple technical test you can perform in under two minutes:
Find your Public IP: Visit a site like "WhatIsMyIP" and write down the number you see.
Check your WAN IP: Log into your router’s admin panel and look for the "WAN Status" or "Internet" section. Look for the IP address assigned by your ISP.
Compare the two: If the IP address in your router is different from the one on the website, you are likely behind CGNAT.
The CGNAT Range: If your router’s WAN IP starts with 100.64.x.x through 100.127.x.x, you are definitely on CGNAT. This specific range (RFC 6598) is reserved globally for large-scale NAT deployments.
The Three Solutions for Competitive Gamers
If you find yourself stuck behind a shared IP, you have three primary paths to achieving an Open or Moderate NAT status.
1. Request a Static Public IP (The Gold Standard)
Most gaming-first Providers allow you to opt-out of CGNAT by purchasing a Static IP. This assigns your home a dedicated, unique public IP address that bypasses the shared gateway entirely. Once you have a static IP, your NAT will typically shift to "Moderate" immediately, and you can use port forwarding to reach "Open" status. You can find more information on how to add this to your connection in our FAQ: Static IP. For a deeper look at the pros and cons, see Static IP vs. Dynamic IP.
2. Leverage IPv6 (The Future)
IPv6 was designed to solve the address shortage permanently by providing 340 undecillion addresses—enough for every device on Earth to have millions of its own. If your ISP and game support IPv6, NAT becomes obsolete because every device has its own globally unique address. While IPv6 adoption in South Africa is growing, not all FNOs support it natively yet.
3. Use a GPN or VPN (The Workaround)
If your ISP doesn't offer static IPs, a Gaming Private Network (GPN) like ExitLag or a high-performance VPN can sometimes act as a "tunnel" through the CGNAT. By connecting to a VPN node, you are effectively using their public IP instead of your shared one. This can often resolve NAT-related matchmaking errors in P2P titles. For a technical breakdown of how these services affect your routing, see Gaming VPNs (ExitLag, WTFast).
Shared Reputation: The Hidden Risk of CGNAT
Beyond NAT issues, CGNAT carries a hidden risk: IP Reputation. Because you share an IP with hundreds of others, if one person on that shared address is caught cheating in a game or sending spam, the entire IP address can be blacklisted by security services.
This can lead to:
Being "shadowbanned" in certain titles without reason.
Constantly being asked to solve CAPTCHAs on websites.
Inability to access certain mail or web servers that have blocked the shared IP.
Summary: Taking Control of Your Identity
CGNAT is a necessary tool for the modern internet to keep functioning despite IPv4 exhaustion, but for a competitive gamer, it is a significant bottleneck. It prevents the seamless, "Open" connectivity required for elite performance and leaves your digital reputation at the mercy of your neighbours.
If you are tired of matchmaking errors and "Type 3" NAT warnings, the most effective fix is moving to a dedicated public address. By securing your own "street address" on the internet, you ensure that your Firewall Settings for Gamers can finally do their job without being bypassed by ISP-level translations.
Take the time to test your connection today. If you're seeing that 100.64.x.x range in your router logs, it’s time to look at a static IP solution.