# =============================================================================
# WUC Technologies — IPv4 Field Guide
# CLI cheat sheet: CGNAT (Carrier-Grade NAT) — 100.64.0.0/10
# Source: https://www.wuctechnologies.com/resources/field-guides/ipv4-address-analyzer/
# License: CC0 1.0 Public Domain (https://creativecommons.org/publicdomain/zero/1.0/)
# Released: 2026-05-22
#
# 100.64.0.0/10 is reserved by RFC 6598 for shared address space between
# carrier and subscriber, behind a carrier-level NAT. NOT private (RFC 1918),
# NOT publicly routable.
# =============================================================================

# -----------------------------------------------------------------------------
# Diagnosis — is this customer behind CGNAT?
# -----------------------------------------------------------------------------
# Compare the IP the host SEES vs the IP the public internet sees. If they
# differ AND the host's IP is in 100.64.0.0/10, it is behind CGNAT.
# Run the first check on the device that owns the WAN interface (the CPE /
# router); a LAN host behind it only sees its own 192.168.x.y address.

# What the host sees on its WAN interface. The awk picks the token after
# "dev" in the route lookup, so it works whether or not the route has a
# "via" hop (a fixed field number breaks on directly connected routes):
ip -4 addr show "$(ip route get 1.1.1.1 | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }')"

# What the public internet sees coming from this host:
curl -4 -s https://ifconfig.me
# or
curl -4 -s https://api.ipify.org

# If the first command shows 100.x.y.z but the second shows a normal public
# IP (e.g. 73.x.y.z), the customer is behind CGNAT.
# -----------------------------------------------------------------------------
# Packet capture — scope to CGNAT space
# -----------------------------------------------------------------------------
# All CGNAT-sourced or CGNAT-destined traffic:
sudo tcpdump -i any -nn 'net 100.64.0.0/10'

# Detect CGNAT addresses leaking out of the customer network (should never
# happen — they should be NAT'd to the carrier's public IP first):
sudo tcpdump -i eth_wan -nn 'src net 100.64.0.0/10'

# -----------------------------------------------------------------------------
# Routing inspection
# -----------------------------------------------------------------------------
# Show default route and the gateway chain:
ip route show default
traceroute -n 1.1.1.1

# Expect on CGNAT:
#   hop 1:  customer's private LAN gateway (192.168.x.1)
#   hop 2:  customer's NAT WAN-side address (100.x.y.z)
#   hop 3:  carrier CGNAT exit
#   hop 4+: public internet

# -----------------------------------------------------------------------------
# Anti-spoof — drop CGNAT-sourced packets arriving on a public interface
# -----------------------------------------------------------------------------
# Datacenters and ISPs that don't operate CGNAT themselves should treat
# 100.64.0.0/10 as bogon on their peering links. -A appends, so make sure
# these land before any broader ACCEPT rule in the chain (or use -I to
# insert them at the top):
sudo iptables -A INPUT   -i eth_wan -s 100.64.0.0/10 -j DROP
sudo iptables -A FORWARD -i eth_wan -s 100.64.0.0/10 -j DROP

# -----------------------------------------------------------------------------
# Inbound port forwarding limitation
# -----------------------------------------------------------------------------
# Behind CGNAT, inbound port forwarding from the public internet to a
# customer host is NOT possible from the customer side — the carrier NAT
# has no per-customer port map. Confirm with:
#
# 1. Open a listener on a customer host:
nc -l -p 12345
# 2.
#    From an external host, try to reach it via the customer's apparent
#    public IP (the address returned by the ifconfig.me check above):
PUBLIC_IP=203.0.113.10   # placeholder: substitute the customer's apparent public IP
curl -v "http://${PUBLIC_IP}:12345"
#
# If the connection is refused/timed out (and the customer firewall ALLOWS
# port 12345), you are looking at CGNAT.

# -----------------------------------------------------------------------------
# Customer remediation options
# -----------------------------------------------------------------------------
# - Request a real public IPv4 from the ISP (often available as a paid add-on).
# - Switch to a tunnel provider (Cloudflare Tunnel, Tailscale, ngrok) to
#   accept inbound connections without a publicly routable IP.
# - Migrate the inbound service to IPv6 — most CGNAT'd ISPs deliver
#   end-to-end native IPv6 even when IPv4 is double-NATted.
# - For VPN servers specifically, consider client-initiated connections
#   to a rendezvous server rather than expecting inbound to the home.

# -----------------------------------------------------------------------------
# Address range reference
# -----------------------------------------------------------------------------
# 100.64.0.0/10 = 100.64.0.0 through 100.127.255.255
# Total addresses: 4,194,304      Usable hosts:  4,194,302
# Subnet mask:     255.192.0.0    Wildcard mask: 0.63.255.255
# =============================================================================
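# Added example, not part of the WUC field guide: a POSIX-sh helper that
# scripts the two checks above that are otherwise done by eye. It classifies
# an address against 100.64.0.0/10 (and RFC 1918) with shell arithmetic, applies
# the Diagnosis section's "WAN IP vs public IP" comparison, and counts
# CGNAT-sourced packets in `tcpdump -nn` output for the leak check in the
# Packet capture section. Function names and the sample capture lines are
# constructed for this example.

```shell
#!/bin/sh
# Added example (not from the WUC field guide): CIDR checks and a CGNAT leak
# counter in plain POSIX shell. All names below are constructed for this example.

# ip4_to_int A.B.C.D -> prints the address as a 32-bit integer; exit 1 if malformed.
ip4_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    for o in "$a" "$b" "$c" "$d"; do
        case "$o" in
            ''|*[!0-9]*|0[0-9]*) return 1 ;;   # empty, non-digit, or leading zero (octal trap)
        esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr ADDR NETWORK PREFIXLEN -> exit 0 if ADDR lies inside NETWORK/PREFIXLEN.
in_cidr() {
    addr=$(ip4_to_int "$1") || return 2
    net=$(ip4_to_int "$2") || return 2
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))   # 4294967295 = 0xFFFFFFFF
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

is_cgnat()   { in_cidr "$1" 100.64.0.0 10; }
is_rfc1918() { in_cidr "$1" 10.0.0.0 8 || in_cidr "$1" 172.16.0.0 12 || in_cidr "$1" 192.168.0.0 16; }

# classify_nat WAN_IP PUBLIC_IP -> one of: direct, cgnat, double-nat-private, mismatch
#   WAN_IP is what `ip -4 addr show` reported on the WAN interface,
#   PUBLIC_IP is what ifconfig.me / api.ipify.org returned.
classify_nat() {
    if [ "$1" = "$2" ]; then
        echo direct                # host holds the public address itself
    elif is_cgnat "$1"; then
        echo cgnat                 # RFC 6598 shared space: carrier-grade NAT
    elif is_rfc1918 "$1"; then
        echo double-nat-private    # upstream NAT, but with RFC 1918 space
    else
        echo mismatch              # differs for some other reason (proxy, VPN, ...)
    fi
}

# count_cgnat_sources: read `tcpdump -nn` lines on stdin, print how many have a
# source address in 100.64.0.0/10. Any non-zero count on a public-facing
# interface is the leak the Packet capture section warns about.
count_cgnat_sources() {
    n=0
    while IFS= read -r line; do
        # tcpdump -nn prints "... IP SRC[.PORT] > DST[.PORT]: ..."; take the token after "IP"
        src=$(printf '%s\n' "$line" | awk '{ for (i = 1; i < NF; i++) if ($i == "IP") { print $(i+1); exit } }')
        [ -n "$src" ] || continue
        case "$src" in
            *.*.*.*.*) src=${src%.*} ;;    # five components: strip the port suffix
        esac
        if is_cgnat "$src"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed sample capture (not a real trace): two CGNAT sources, one public,
# one just outside the /10 (100.200.x.x is NOT shared address space).
SAMPLE_CAPTURE='12:00:01.000001 IP 100.72.14.9.51234 > 1.1.1.1.53: UDP, length 40
12:00:01.000002 IP 73.12.34.56.443 > 192.168.1.20.50000: Flags [S.], length 0
12:00:01.000003 IP 100.100.3.4 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
12:00:01.000004 IP 100.200.1.1.80 > 8.8.8.8.40001: Flags [S], length 0'

# Stand-alone usage: classify one WAN/public pair and run the leak count.
classify_nat 100.72.14.9 73.12.34.56
printf '%s\n' "$SAMPLE_CAPTURE" | count_cgnat_sources
```

# Feed `count_cgnat_sources` the live capture instead of the sample, e.g.
# `sudo tcpdump -i eth_wan -nn -l | count_cgnat_sources` after a fixed run, or
# save a capture with `-w` and replay it through `tcpdump -nn -r file.pcap`.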