Skip to content

Shortcomings of CGNAT and Potential Workarounds

This article will mostly focus on the cons of deploying CGNAT and how it ultimately affects the end-user and what are some of the methods that we can use to improve it.

A quick recap on CGNAT, CGNAT is just a fancy name for NAT whereby an ISP will NAT or map multiple internal IPs (RFC 1918) to a single external public IP, i.e., enabling a single public IP to be shared among n number of internal IPs, where each internal IP is assigned to an end-user. Methods used can vary from ISP to ISP, some would just use single source NATs, some would use deterministic NAT etc.


  1. Breaks P2P traffic
  2. Increases latency
  3. It leads to NAT-keep alive traffic (such as NAT punching, NAT traversal mechanisms etc) on end-users’ local network as well as on the CGNAT device itself
    1. Which in theory could affect battery life on end-user devices
    2. Increased link utilisation/CPU cycles on the CGNAT device
  4. Some end-user applications will simply refuse to work or fail miserably like Xbox Networking (P2P Gaming services), Torrent clients etc
  5. Lacks NAT traversal mechanisms/port forwarding (by default)

Now the IETF published RFC 7021 in 2013 which details how CGNAT affects networking performance and end-user experience, if you want technically backed data and testing methodologies please check that out.


There are two broad ways to workaround CGNAT cons

At ISP Level

  1. Make use of NAT traversal and very strict NAT rules like mentioned here
    • I’ve included port forwarding solution in the above without the need for PCP
  2. Deploy Port Control Protocol [PCP (RFC 6887)]
    • PCP would allow port forwarding to work for end-users behind a CGNAT and hence improve their experience and reduce the visibility of the shortcomings
    • Needs a Server/Client model, so a client would need to run on end-users router/CPE
      • Can use OpenWRT with minimalist-pcproxy to enable PCP client and PCP connectivity from end-users’ side for a cheap solution
    • Many vendors like MikroTik (most widely used as a CGNAT device among Indian ISPs) do not support PCP
    • Lack of awareness among ISPs and Network Engineers
    • You can also have a web dashboard for PCP to permit users to assign their own ports
  3. Do the obvious and deploy IPv6

At End User Level

  1. Get a public IP from your ISP (best and most optimal solution)
  2. VPN based solution where you route all traffic over the tunnel including multicast traffic (UPnP)
    • You could purchase from services like ZeroTier and tunnel your traffic over them
    • Set up your own VPN/VPS on a Cloud instance with public IP and then run a VPN client on your home router/client device
Published inNetworking


  1. Raajesh Raajesh

    Well written blog with so much detail. Thanks for the info man

  2. Rupam Rupam

    Informative ..and these form of resources are important for the end users

  3. Febrian Febrian

    Thank you for the info

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.