Introduction
This document provides a high-level overview of Carrier-Grade NAT (CGNAT), a method ISPs use to extend the life of IPv4 by sharing one public IP address among multiple customers.
What is CGNAT?
Carrier-Grade NAT (CGN or CGNAT), also known as Large-Scale NAT (LSN), is a type of NAT used by Internet Service Providers (ISPs) to extend the lifespan of IPv4 by allowing a single public IP address to be shared among multiple customers. The standards and requirements for CGNAT are defined in RFC 6888.
In practice, ISPs assign a private address from the range defined in RFC 6598 to the WAN interface of your router. This private range is not routable on the public Internet and is used internally by the ISP for NAT processes.
Understanding CGNAT: Comparison with Traditional NAT
To better understand CGNAT, compare it to traditional NAT:
Traditional NAT:
- In a traditional NAT setup, the WAN interface of your router is assigned a routable public IPv4 address.
- NAT translates private IP addresses (for example, RFC 1918 ranges) to the public IP address, enabling multiple devices on your private network to share a single public IP.
Example:
Customer A is assigned the public IP 203.0.113.1
Customer B is assigned the public IP 203.0.113.2
Both customers implement NAT locally on their routers.

CGNAT:
- In a CGNAT setup, the WAN interfaces of Customer A and Customer B are assigned IP addresses from the 192.0.2.0/10 range (CGNAT private address space).
- The ISP implements an additional layer of NAT (CGNAT) to translate traffic from the 192.0.2.0 range into a shared public IPv4 address.
Example:
Customer A is assigned 192.0.2.1 and Customer B is assigned 192.0.2.2.
Both customers' traffic is NATed by the ISP's CGNAT device to a shared public IP.
This approach allows the ISP to conserve public IPv4 addresses by serving multiple customers with a single public IP.
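As an added example (not part of the original document or of any Cisco or ISP tooling), this Python sketch shows how to tell whether a router's WAN address sits behind CGNAT by testing it against the RFC 6598 Shared Address Space, 100.64.0.0/10, and optionally comparing it with the address an external service sees. The function name, category labels and sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# RFC 6598 Shared Address Space, reserved for the ISP side of CGNAT.
CGNAT_BLOCK = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges normally used on customer LANs.
RFC1918_BLOCKS = tuple(
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


def classify_wan(wan_ip, egress_ip=None):
    """Classify a router's WAN IPv4 address (hypothetical helper).

    wan_ip    -- address configured on the router's WAN interface
    egress_ip -- optional: source address an external service sees
    Returns 'cgnat', 'private-wan', 'translated-upstream' or 'public'.
    """
    wan = ipaddress.ip_address(wan_ip)
    if wan.version != 4:
        raise ValueError("this check covers IPv4 addresses only")
    if wan in CGNAT_BLOCK:
        return "cgnat"                 # ISP translates again upstream
    if any(wan in block for block in RFC1918_BLOCKS):
        return "private-wan"           # another NAT device sits upstream
    if egress_ip is not None and ipaddress.ip_address(egress_ip) != wan:
        return "translated-upstream"   # WAN address is rewritten on the way out
    return "public"                    # router holds the address the Internet sees


# Constructed samples: (WAN address, address seen from outside).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing
# in for real public addresses.
SAMPLES = [
    ("203.0.113.1", "203.0.113.1"),
    ("100.64.12.7", "198.51.100.20"),
    ("100.127.255.254", None),
    ("192.168.1.2", "198.51.100.20"),
    ("203.0.113.1", "198.51.100.9"),
]

if __name__ == "__main__":
    for wan, egress in SAMPLES:
        print(f"{wan:>16} egress={egress}: {classify_wan(wan, egress)}")
```

A result other than `public` means the router's WAN address is not the address the Internet sees for that site.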

CGNAT IPs cannot be registered as either static or dynamic networks in the Umbrella Dashboard
Starlink does not provide static IPs, as stated in their own documentation.
Public IPs from Starlink cannot be registered either, as they are dynamic and can be part of the CGNAT range. If you are using Starlink, consider non-network identity deployment methods like virtual appliances, roaming clients, or Umbrella integrated network devices.