CGNAT Problem Solved: Ultimate Cloud Hotspot Solution 2025 YesSpot

YesSpot Team
December 21, 2025

Carrier-Grade NAT (CGNAT) is the silent killer of remote access. If you've ever tried to set up a cloud hotspot controller only to find your router unreachable, CGNAT is likely the culprit. Here is how to solve it once and for all.

What is CGNAT?

Carrier-Grade NAT (CGNAT), also known as Large-Scale NAT (LSN), is a method ISPs use to share a single public IPv4 address among hundreds or thousands of customers.

Instead of your router getting a unique public IP (like `203.0.113.1`), it gets a private IP (usually in the `100.64.0.0/10` range). The ISP then translates your traffic to a shared public IP before it hits the internet.

How to tell if you are behind CGNAT?

Check your router's WAN IP address. If it falls within this range, you are behind CGNAT:

100.64.0.0 - 100.127.255.255
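
An added example (not YesSpot's code) that automates the range check above and goes one step beyond it: it also flags a WAN address in RFC 1918 private space, and a public WAN address that differs from the address an external service observes, since both also mean an upstream NAT sits in front of the router. The function names and the `observed_public_ip` input are assumptions of this example; other reserved ranges are not classified.

```python
import ipaddress

# Shared address space reserved for carrier-grade NAT (RFC 6598).
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here also means an upstream NAT.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip, observed_public_ip=None):
    """Classify a router's WAN IPv4 address.

    wan_ip: address configured on the router's WAN interface.
    observed_public_ip: optional address an external service saw the
        router's traffic come from (collected separately; assumption).
    Returns "cgnat", "private-upstream-nat", "translated-upstream",
    "public" or "public-unverified".
    """
    wan = ipaddress.ip_address(wan_ip.strip())
    if wan.version != 4:
        raise ValueError("only IPv4 WAN addresses are classified here")
    if wan in CGNAT_NET:
        return "cgnat"
    if any(wan in net for net in RFC1918_NETS):
        return "private-upstream-nat"
    if observed_public_ip is None:
        return "public-unverified"
    observed = ipaddress.ip_address(observed_public_ip.strip())
    return "public" if observed == wan else "translated-upstream"


def inbound_reachable(wan_ip, observed_public_ip=None):
    """True only when the WAN address is confirmed to be the public one."""
    return classify_wan(wan_ip, observed_public_ip) == "public"


if __name__ == "__main__":
    # Constructed sample inputs (documentation and boundary addresses).
    samples = [("100.64.0.1", None), ("100.127.255.255", "203.0.113.1"),
               ("100.128.0.0", "100.128.0.0"), ("192.168.1.2", "203.0.113.1"),
               ("203.0.113.1", "203.0.113.1"), ("203.0.113.1", "198.51.100.7")]
    for wan, seen in samples:
        print(f"{wan:16} seen={seen!s:14} -> {classify_wan(wan, seen)}")
```
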

Why CGNAT Breaks Hotspot Management

Traditional cloud hotspot systems (and even legacy RADIUS servers) rely on incoming connections.

  • CoA (Change of Authorization): When you want to disconnect a user or change their speed, the server sends a packet to your router's port 3799.
  • API Access: Managing the router requires access to port 8728 (API) or 80 (WebFig).

With CGNAT, you cannot open these ports. The ISP controls the public IP, and they will not forward ports for you. This makes your router "invisible" from the internet, breaking most cloud management software.

The YesSpot Solution: Tunneling Out

Since we can't come in, we must tunnel out.

YesSpot uses a smart tunnel architecture. Instead of the cloud server trying to reach your router, your router acts as the client and establishes a persistent tunnel to our cloud.

[Figure: CGNAT Tunneling Diagram]

Once this tunnel is established, it acts like a virtual 2-way cable. We can send commands down the tunnel (disconnect users, update plans) and your router sends data up the tunnel (accounting requests, logs).

Why is this better than DDNS?

Many people try to use Dynamic DNS (DDNS) scripts to solve this. DDNS does not work with CGNAT. DDNS only updates a DNS record to point to your public IP. But if that IP is shared by 1,000 people, pointing to it is useless because the ISP's NAT gateway has no way to know which specific customer unsolicited inbound traffic is for.

Tunneling is the ONLY reliable solution for CGNAT.

Benefits for ISPs

Cost Savings

Stop buying static IPs from your upstream provider. This alone saves ISPs thousands of dollars annually.

Universal Deployment

Deploy hotspots on any internet connection—4G SIM cards, Starlink, residential fiber, or shared building wifi.

Security

No open ports on the public internet means internet-wide port scanners and botnets cannot reach your routers' management services directly.

Plug & Play

Send pre-configured routers to clients. They just plug in the WAN cable, and it connects instantly.

Start Solving CGNAT Today

Don't let CGNAT limit your business growth. YesSpot's cloud platform handles the technical complexity of tunneling for you.

Our script sets up the tunnel automatically. You don't need to understand VPN protocols or routing tables. Just copy, paste, and you're online.

Ready to bypass CGNAT?

Get your first hotspot online in 5 minutes with our free trial.
