Self-hosting behind carrier-grade NAT

Introduction

Carrier-grade NAT (CGN, also called Large Scale NAT (LSN)) is a network address translation technique that internet service providers use to stretch their IPv4 allocation by sharing a single public IP address among many customers. Unlike traditional NAT, which runs on the customer's own router, CGN runs inside the ISP's network. The result is a double-NAT path: customer traffic is translated once at the home router and again at the ISP's CGN equipment. The sections below walk through how NAT works and how CGNAT works.

Self-hosting servers on a CGN connection

Behind carrier-grade NAT you cannot self-host servers the usual way. The public address is shared by many subscribers, the ISP's NAT equipment only holds mappings for connections that a subscriber initiated, and you have no way to add a port forward on the ISP's side. An unsolicited connection from the internet therefore has no matching table entry and is dropped at the CGN before it ever reaches your router. A quick check: if your router's WAN address is in 100.64.0.0/10 (the RFC 6598 shared address space reserved for CGN) or in a private range, rather than a public address that matches what an external "what is my IP" service reports, you are behind CGN.
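The WAN-address check described above, as an added example (not code from the original article or from GetPublicIP). It classifies the address a router shows on its WAN interface and, optionally, compares it with the address an external site reports for the same connection. The sample addresses in the usage note are constructed; 100.64.0.0/10 is the RFC 6598 range, the RFC 1918 test uses Python's `is_private`.

```python
# Added example: decide from a router's WAN address whether a connection is
# behind carrier-grade NAT (or some other upstream NAT).
import ipaddress
from typing import Optional

# RFC 6598 shared address space, allocated specifically for CGN deployments.
CGN_SHARED = ipaddress.ip_network("100.64.0.0/10")


def classify_wan(wan_ip: str, observed_public_ip: Optional[str] = None) -> str:
    """Return a verdict string whose first word is one of:
    cgn, double-nat, special, nat-upstream, public.

    wan_ip: the address the home/office router reports on its WAN interface.
    observed_public_ip: optional, the address an external service sees for
    traffic from this connection.
    """
    addr = ipaddress.ip_address(wan_ip)
    if addr in CGN_SHARED:
        return "cgn: WAN address is RFC 6598 shared space, the ISP runs CGN"
    if addr.is_loopback or addr.is_link_local:
        return "special: WAN address is not a routable address at all"
    if addr.is_private:
        return "double-nat: WAN address is RFC 1918, another NAT sits upstream"
    if not addr.is_global:
        return "special: WAN address is reserved and not routable on the internet"
    if observed_public_ip is not None and ipaddress.ip_address(observed_public_ip) != addr:
        return "nat-upstream: WAN address is public but differs from what the internet sees"
    return "public: WAN address is routable, inbound port forwarding on your router should work"


if __name__ == "__main__":
    # Constructed sample inputs: an ISP-assigned CGN address, the article's
    # 172.22.0.102 router WAN address, and the article's public 202.88.69.1.
    for sample in ("100.64.1.2", "172.22.0.102", "202.88.69.1"):
        print(sample, "->", classify_wan(sample))
```

Read the WAN address off the router's status page (or `ip addr` on a Linux router) and feed it in; if it is in the CGN range, no amount of port forwarding on your own router will help, which is the situation the rest of this article addresses.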

There are a few options available to self host servers at home:

Get a static IP address from your ISP – Many ISPs sell a static public IP address for an additional fee. This takes the CGN out of the path, but the address is tied to your physical connection, so there is no failover if that line goes down, and residential address ranges often have a poor reputation with mail providers.

Cloudflare Tunnel – Cloudflare Tunnel works through CGNAT because your host opens the outbound connection, but for web services Cloudflare terminates SSL/TLS at its edge, so your traffic is in plaintext on Cloudflare's infrastructure. It does not support email hosting.

GetPublicIP – GetPublicIP routes traffic to your server through an encrypted VPN without terminating SSL/TLS, so we never see your plaintext data. Unlike Cloudflare Tunnel or a static IP, you can host email servers and any other service without restrictions, and failover is supported in case of an ISP outage. See "How does GetPublicIP work?" below.

How does Network Address Translation (NAT) work?

Network Address Translation (NAT) is a fundamental networking technique that lets multiple devices on a private network share a single public IP address when accessing the internet. The NAT device sits between your local network and the internet and rewrites private addresses (such as 192.168.1.100) to a public address that can be routed across the internet. NAT became essential because IPv4 addresses are scarce: organisations and home users can conserve public addresses while keeping many devices connected at once. A stateful NAT also drops unsolicited inbound packets as a side effect of having no table entry for them, a property that is often mistaken for a firewall but is not a substitute for one.

The core of NAT is a translation table that maps internal private addresses and port numbers to the external public address and ports. When a device on the private network initiates an outbound connection, the NAT device (typically a router or firewall) replaces the source IP address and port with its own public IP address and an available port, and records the mapping so that return traffic can be translated back to the originating device. Because the common form, port-based NAT (NAPT), rewrites both the IP header (Layer 3) and the TCP/UDP ports (Layer 4), it is not purely a network-layer function. It is transparent to end users: devices on the internal network reach external resources without needing individual public IP addresses.

What happens when device A connects to a website

  1. Device A sends packet (192.168.1.100:12345 → 203.0.113.10:80)
  2. The router translates the packet to (202.88.69.1:7771 → 203.0.113.10:80) and maintains a NAT table
  3. Web server receives packet from 202.88.69.1:7771

The reply flow from website to device A

  1. Website responds (203.0.113.10:80 → 202.88.69.1:7771)
  2. The router looks up 202.88.69.1:7771 in the NAT table and translates the packet to (203.0.113.10:80 → 192.168.1.100:12345)
  3. Device A receives response packet

How does carrier grade NAT (CGNAT) work?

Carrier-grade NAT works the same way as your home or office NAT, only it runs inside the ISP's network, so there are two layers of NAT between your devices and the internet. It lets many ISP subscribers share a single public IP address, which reduces the number of public addresses needed and lets the internet keep growing on a limited pool of IPv4 addresses. The ISP hands each subscriber's router a WAN address from an internal pool (172.22.0.102 in the example below) that is itself not reachable from the internet.

What happens when subscriber B's device B connects to a website

  1. Device B sends packet (192.168.1.101:54321 → 203.0.113.10:80)
  2. The home / office router translates the packet to (172.22.0.102:8881 → 203.0.113.10:80) and records the mapping in its NAT table
  3. The ISP's CGN translates the packet again to (202.88.69.1:6666 → 203.0.113.10:80) and records the mapping in its own NAT table
  4. Web server receives packet from 202.88.69.1:6666

The reply flow from the website

  1. Website responds (203.0.113.10:80 → 202.88.69.1:6666)
  2. The ISP's CGN looks up 202.88.69.1:6666 in its NAT table and translates the packet to (203.0.113.10:80 → 172.22.0.102:8881)
  3. The home / office router looks up 172.22.0.102:8881 in its NAT table and translates the packet to (203.0.113.10:80 → 192.168.1.101:54321)
  4. Subscriber B's device B receives the response packet

How does GetPublicIP work?

GetPublicIP delivers a public IP address over an encrypted VPN tunnel to your server in your home or office. This overcomes carrier-grade NAT and, unlike an ISP static IP, lets you move your server to another location without changing its public address.

How it works:

  • Your server opens an outbound connection to the GetPublicIP server. That outbound connection populates every NAT table between your server and GetPublicIP's server, which creates the return path for inbound traffic.
  • When remote clients connect to your public IP address, the packets are sent through the encrypted VPN tunnel to your server.
  • The SSL / TLS connection between the client and your server is end-to-end encrypted with your own certificates: it starts at the client and ends at your server. The relay forwarding the packets still sees connection metadata (client address, ports and the TLS server name) but not the encrypted payload. Because the whole address is delivered to your server rather than individual ports, keep a host firewall on the server: anything listening on it is reachable from the internet.
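The three flows described on this page (the single-NAT walk-through under "How does NAT work?", the double-NAT walk-through under "How does carrier grade NAT work?", and the outbound tunnel connection above), replayed in one added example. This is not code from the original article or from GetPublicIP; it is a small simulator of port-based NAT tables. The website and public addresses are the article's own; the self-hosted server (192.168.1.50), the internet client (198.51.100.7) and the relay endpoint (192.0.2.1:51820) are constructed for the example, and the VPN protocol is not modelled beyond the first packet of an outbound flow.

```python
# Added example, not code from the original article or from GetPublicIP: a small
# simulator of port-based NAT (NAPT) tables. It replays the article's single-NAT
# and double-NAT walk-throughs, shows why an unsolicited inbound connection is
# dropped at the CGN, and shows how an outbound tunnel connection creates the
# mappings a relay needs to deliver traffic inward.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip address, port)
WEBSITE: Endpoint = ("203.0.113.10", 80)  # the article's web server


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint


class Nat:
    """One NAT hop. Outbound packets get their source rewritten to the NAT's
    outside address and a fresh port; replies are mapped back via the table.
    Mappings are keyed on both inside and outside endpoints, so only the host
    that was contacted can send traffic back through them."""

    def __init__(self, outside_ip: str, first_port: int):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.table: Dict[Tuple[Endpoint, Endpoint], int] = {}  # (src, dst) -> port
        self.reverse: Dict[Tuple[int, Endpoint], Endpoint] = {}  # (port, dst) -> src

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.dst)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[(self.next_port, pkt.dst)] = pkt.src
            self.next_port += 1
        return Packet(src=(self.outside_ip, self.table[key]), dst=pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse translation. None means the packet is dropped: there is no
        mapping, which is the fate of every unsolicited connection attempt."""
        if pkt.dst[0] != self.outside_ip:
            return None
        inside = self.reverse.get((pkt.dst[1], pkt.src))
        return None if inside is None else Packet(src=pkt.src, dst=inside)


def single_nat_flow():
    """Device A behind one NAT, as in the article's first walk-through."""
    home = Nat("202.88.69.1", first_port=7771)
    out = home.outbound(Packet(("192.168.1.100", 12345), WEBSITE))
    reply = Packet(WEBSITE, out.src)  # the website answers 202.88.69.1:7771
    return out, home.inbound(reply)


def double_nat_flow():
    """Subscriber B's device behind its own router plus the ISP's CGN. The
    router's WAN address (172.22.0.102) comes from the ISP's internal pool."""
    home = Nat("172.22.0.102", first_port=8881)
    cgn = Nat("202.88.69.1", first_port=6666)
    hop1 = home.outbound(Packet(("192.168.1.101", 54321), WEBSITE))
    hop2 = cgn.outbound(hop1)
    back1 = cgn.inbound(Packet(WEBSITE, hop2.src))
    back2 = home.inbound(back1) if back1 else None
    return hop1, hop2, back1, back2


def self_hosting_attempt():
    """A client on the internet (constructed address) tries to reach a server
    on the shared public address, port 443, with no prior outbound flow."""
    cgn = Nat("202.88.69.1", first_port=6666)
    return cgn.inbound(Packet(("198.51.100.7", 40000), ("202.88.69.1", 443)))


def tunnel_flow():
    """The server (192.168.1.50, constructed) opens an outbound VPN connection
    to a relay at a hypothetical address 192.0.2.1:51820. Both NAT hops create
    mappings; traffic the relay sends back through them reaches the server,
    while the same packet from any other source is still dropped."""
    home = Nat("172.22.0.102", first_port=8881)
    cgn = Nat("202.88.69.1", first_port=6666)
    relay: Endpoint = ("192.0.2.1", 51820)
    hop1 = home.outbound(Packet(("192.168.1.50", 51820), relay))
    hop2 = cgn.outbound(hop1)
    inner = cgn.inbound(Packet(relay, hop2.src))
    via_relay = home.inbound(inner) if inner else None
    stranger = cgn.inbound(Packet(("198.51.100.7", 51820), hop2.src))
    return via_relay, stranger
```

Running `double_nat_flow()` reproduces the addresses in the CGNAT walk-through hop by hop, `self_hosting_attempt()` returns `None` because the CGN has no entry for port 443, and `tunnel_flow()` shows the relay's packets arriving at 192.168.1.50:51820 through the mappings the outbound connection created. In a real deployment the tunnel protocol keeps those mappings alive with periodic keepalive traffic; the simulator never expires entries.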
