What is CGNAT?
Carrier-Grade Network Address Translation (CGNAT) is increasingly used by ISPs to manage their IP address space. While economical, CGNAT prevents traditional port forwarding, making it difficult to access devices remotely from the public internet.
The Problem
Behind CGNAT, the public IPv4 address is shared with other customers of the same ISP, and the address translation happens in the ISP's network rather than on your router, so there is no public address you control. This means you cannot:
- Forward ports on your router
- Run public-facing services
- Access internal devices via their public IP
The Solutions
1. Cloudflare Tunnels
Cloudflare Tunnels (formerly Argo Tunnel) create a secure outbound-only connection from your network to Cloudflare's network.
# Authenticate once (opens a browser login); the resulting cert.pem and tunnel credentials land in ~/.cloudflared/
sudo cloudflared tunnel login
sudo cloudflared tunnel create my-network
sudo cloudflared tunnel route dns my-network device.example.com
# Running needs an ingress config (config.yml) that maps each hostname to an internal service
sudo cloudflared tunnel run my-network
Advantages: Free tier available, DDoS protection, simple setup, no open ports needed.
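The `tunnel run` step above only works once an ingress config exists. The script below is an added example, not code from the original article or from Cloudflare: it writes a config that exposes only named hostnames and answers everything else with a 404, then checks that the mandatory catch-all rule is last. The tunnel UUID, credentials path, hostnames and internal service addresses are assumed placeholder values.

```shell
#!/bin/sh
# Added example (not from the original article or from Cloudflare): write the ingress config
# that `cloudflared tunnel run` needs. Assumed values: the tunnel UUID and credentials JSON
# printed by `cloudflared tunnel create`, the public hostnames and the internal service URLs.
set -eu

# $1 = config path, $2 = tunnel UUID, $3 = path to the tunnel's credentials JSON
write_cloudflared_config() {
  cat > "$1" <<EOF
tunnel: $2
credentials-file: $3
ingress:
  # Each public hostname maps to exactly one internal service; nothing else is reachable.
  - hostname: device.example.com
    service: http://192.168.88.10:8080
  - hostname: dashboard.example.com
    service: http://192.168.88.1:8000
  # Required catch-all: unmatched hostnames get a 404 instead of falling through to a service.
  - service: http_status:404
EOF
}

# Returns 0 when the last ingress rule is the 404 catch-all, 1 otherwise.
has_catchall() {
  [ "$(grep 'service:' "$1" | tail -n 1 | sed 's/^[[:space:]]*//')" = "- service: http_status:404" ]
}

# Run cloudflared's own ingress validator when it is installed (skipped otherwise, so this runs offline).
validate_config() {
  command -v cloudflared >/dev/null 2>&1 || return 0
  cloudflared tunnel --config "$1" ingress validate
}

# Usage (run as root on the host that will run the tunnel):
#   write_cloudflared_config /etc/cloudflared/config.yml <TUNNEL-UUID> /root/.cloudflared/<TUNNEL-UUID>.json
#   has_catchall /etc/cloudflared/config.yml && validate_config /etc/cloudflared/config.yml
```

After the config is in place, `sudo cloudflared service install` registers a systemd unit that runs the tunnel at boot, which matters more than the one-off `tunnel run` for a site you cannot reach to restart by hand.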
2. WireGuard VPN
Set up a WireGuard server on a public VPS and create a VPN tunnel back to your network.
# Requires /etc/wireguard/wg0.conf; wg-quick creates the interface, sets the link up and adds its routes, so a separate "ip link set wg0 up" is not needed
wg-quick up wg0
# Allow tunnel traffic out of the uplink interface and the replies back in (needs net.ipv4.ip_forward=1)
iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Advantages: Fast, lightweight, full control, ideal for site-to-site connectivity.
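The commands above assume a wg0.conf on each side. The script below is an added example, not code from the original article or from the WireGuard project: it renders the VPS-side and CGNAT-side configs, with the two settings that matter behind CGNAT. The site has no reachable Endpoint, so the VPS config omits one and the site dials out, and PersistentKeepalive keeps the CGNAT mapping alive so the VPS can still reach the site when the link is idle. AllowedIPs on the VPS is limited to the site's tunnel address and LAN, so the VPS will not forward traffic the site sources from other addresses. The tunnel network 10.10.0.0/24, the LAN 192.168.88.0/24, the hostname vps.example.com and the key arguments are assumed values.

```shell
#!/bin/sh
# Added example (not from the original article or from the WireGuard project): render the
# server (VPS) and client (CGNAT site) configs. Assumed values: 10.10.0.0/24 tunnel network,
# 192.168.88.0/24 LAN behind CGNAT, VPS endpoint vps.example.com:51820, keys passed as arguments.
set -eu

# VPS side. $1 = VPS private key, $2 = site public key.
render_server_conf() {
  cat <<EOF
[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = $1

[Peer]
# CGNAT site router: no Endpoint line, because the site must always initiate the connection
PublicKey = $2
# Only the site's own tunnel address and its LAN are accepted from this peer
AllowedIPs = 10.10.0.2/32, 192.168.88.0/24
EOF
}

# CGNAT site side. $1 = site private key, $2 = VPS public key.
render_client_conf() {
  cat <<EOF
[Interface]
Address = 10.10.0.2/24
PrivateKey = $1

[Peer]
PublicKey = $2
Endpoint = vps.example.com:51820
# Route only the tunnel network, not the site's internet traffic, through the VPN
AllowedIPs = 10.10.0.0/24
# Keepalive every 25 s so the CGNAT does not drop the idle UDP mapping
PersistentKeepalive = 25
EOF
}

# Generate a key pair when wireguard-tools is installed; prints "private public" on one line.
gen_keypair() {
  command -v wg >/dev/null 2>&1 || { echo "wg not installed" >&2; return 1; }
  priv=$(wg genkey)
  pub=$(printf '%s' "$priv" | wg pubkey)
  printf '%s %s\n' "$priv" "$pub"
}

# Usage, run separately on each host with the keys exchanged out of band:
#   render_server_conf "$VPS_PRIV" "$SITE_PUB" > /etc/wireguard/wg0.conf   # on the VPS
#   render_client_conf "$SITE_PRIV" "$VPS_PUB" > /etc/wireguard/wg0.conf   # on the site router
#   chmod 600 /etc/wireguard/wg0.conf && wg-quick up wg0
```

A supervisor's laptop is just a third peer on the VPS with its own /32 in AllowedIPs and a client config that lists 10.10.0.0/24 and 192.168.88.0/24, so its traffic to the site LAN is forwarded by the VPS through the FORWARD rules shown earlier.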
3. Hybrid Approach
Combine both solutions: use Cloudflare Tunnels for web services and WireGuard for management/SSH access.
Recommended Setup for MikroTik
For ModernISP/MikroTik systems behind CGNAT:
- Deploy Cloudflare Tunnel for web dashboard access
- Use WireGuard for supervisor remote access
- Enable VPN auto-reconnect for reliability
- Monitor tunnel status from ModernISP admin panel
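The auto-reconnect and monitoring points above need something on the site that notices a dead tunnel. The script below is an added example, not part of the original article or of ModernISP: run from cron on a Linux host at the site, it reads the WireGuard handshake ages, restarts wg0 when a peer has gone stale, and restarts cloudflared when its service is not running. It assumes systemd units named wg-quick@wg0 and cloudflared and a 180-second staleness threshold; the sample `wg show` output in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the original article or from ModernISP): tunnel health check.
# Assumes systemd units wg-quick@wg0 and cloudflared. A healthy WireGuard peer re-handshakes
# roughly every two minutes while keepalives flow, so 180 s without one means the path is dead.
set -eu

STALE_AFTER=180

# $1 = output of `wg show wg0 latest-handshakes` (one "pubkey<TAB>epoch" line per peer,
# epoch 0 when no handshake has ever completed), $2 = current epoch seconds.
# Prints the number of peers whose last handshake is missing or older than STALE_AFTER.
stale_peer_count() {
  printf '%s\n' "$1" | awk -v now="$2" -v max="$STALE_AFTER" \
    'NF >= 2 && ($2 == 0 || now - $2 > max) { n++ } END { print n + 0 }'
}

# Returns 0 (true) when at least one peer is stale.
wg_handshake_stale() {
  [ "$(stale_peer_count "$1" "$2")" -gt 0 ]
}

# Restart whichever tunnel is down and leave a syslog line so the outage is visible afterwards.
check_tunnels() {
  now=$(date +%s)
  if wg_handshake_stale "$(wg show wg0 latest-handshakes)" "$now"; then
    logger -t tunnel-check "wg0: stale handshake, restarting wg-quick@wg0"
    systemctl restart wg-quick@wg0
  fi
  if ! systemctl is-active --quiet cloudflared; then
    logger -t tunnel-check "cloudflared inactive, restarting"
    systemctl restart cloudflared
  fi
}

# Invoke as `tunnel-check.sh run` from cron (e.g. every minute); sourcing the file does nothing.
if [ "${1:-}" = "run" ]; then
  check_tunnels
fi
```

Restarting on a stale handshake rather than on a failed ping keeps the check honest: a peer can answer ICMP over some other path while the WireGuard session itself is dead, and it is the handshake age that wg exposes for exactly this purpose.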
Conclusion
CGNAT doesn't have to limit your network capabilities. By combining Cloudflare Tunnels and WireGuard, you can achieve secure, reliable remote access without traditional port forwarding.
Have questions about CGNAT setup? Contact us for a free consultation.