How to Host Your Website Behind CGNAT Using Cloudflare Tunnel
So your ISP quietly replaced your static IP with CGNAT and your once-public server vanished from the Internet.
Luckily you can restore full access—in minutes and for free—by letting Cloudflare handle the public edge while your server simply dials out. This article explains what CGNAT is, why it breaks self-hosting, and the exact steps to bring your site back online with Cloudflare Tunnel.
What Is CGNAT?
Carrier-Grade Network Address Translation (CGNAT or LSN) moves the NAT function from your home router up into the provider’s core network. Every subscriber receives a private IPv4 address (usually 100.64.0.0/10), while thousands share a single public IP.
- Outbound connections still work—the CGNAT appliance tracks them.
- Inbound connections fail—there is no way for outsiders to reach your private address because you can’t configure port-forwarding on the carrier’s hardware.
Why Self-Hosting Breaks Under CGNAT
Anything that relied on your old static IP—websites, VPNs, CCTV, game servers—no longer receives unsolicited traffic. Dynamic DNS can update the shared IP in DNS, but packets still stop at the carrier’s firewall with no forwarding rule.
Two Cloudflare Models: Which One Works?
1 • Standard (Orange-cloud) Proxy
- Cloudflare’s edge must open a TCP connection back to your origin on ports 80/443.
- Requires your origin to have a routable public IP ➜ Fails behind CGNAT.
2 • Cloudflare Tunnel (Zero Trust / Argo)
- Your server makes outbound HTTPS+WebSocket connections to Cloudflare.
- Visitors hit Cloudflare; traffic is forwarded down the tunnel to you.
- No public IP needed ➜ Works perfectly behind CGNAT.
Step-by-Step: Bring Your Site Online with Cloudflare Tunnel
- Create a free Cloudflare account and add your domain (or transfer its DNS).
- Install cloudflared on the web server (packages for Windows, Linux, macOS, Docker, etc.).
- Authenticate & create the tunnel:
# Log in (opens browser for token)
cloudflared tunnel login
# Create a persistent tunnel called "mysite"
cloudflared tunnel create mysite
# Route a DNS record to it
cloudflared tunnel route dns mysite example.com
# Run the tunnel in the foreground (Ctrl+C to stop)
cloudflared tunnel run mysite
- Run as a service or add to Docker Compose so it restarts automatically.
- Harden access with Cloudflare Zero Trust policies (optional but recommended).
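The steps above leave out the file that tells cloudflared which local service to forward to; without ingress rules "cloudflared tunnel run mysite" has nothing to serve. As an added example (not from the original article), here is a minimal config.yml with the required catch-all rule; the tunnel UUID, credentials path and the second hostname are placeholders you replace with the values printed by "cloudflared tunnel create".

```yaml
# ~/.cloudflared/config.yml (added example; UUID and paths are placeholders)
# `cloudflared tunnel create mysite` prints the tunnel UUID and writes the
# credentials JSON. Keep that JSON readable only by the account running
# cloudflared: whoever holds it can serve traffic for your hostnames.
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: /home/user/.cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # Only the hostname routed with `cloudflared tunnel route dns mysite example.com`
  # is forwarded. The origin listens on loopback, so no LAN or CGNAT address
  # has to be reachable from outside.
  - hostname: example.com
    service: http://localhost:80

  # Optional second service on the same tunnel (see "Multi-service tunnels").
  # It needs its own DNS route: `cloudflared tunnel route dns mysite admin.example.com`
  - hostname: admin.example.com
    service: https://localhost:8443
    originRequest:
      noTLSVerify: true   # the origin uses a self-signed certificate

  # Required catch-all: any other hostname pointed at this tunnel gets a 404
  # instead of falling through to the first rule. cloudflared refuses to start
  # without a terminating rule.
  - service: http_status:404
```

Before starting the tunnel, `cloudflared tunnel ingress validate` checks the file, and `cloudflared tunnel ingress rule https://example.com/` reports which rule a given URL would match.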
Firewall Note
Ensure outbound TCP and UDP on port 443 are allowed; the tunnel uses both for latency reasons.
Extra Tips & Tricks
- TLS done for you ✔—the free Universal SSL cert secures visitors immediately.
- IPv6 support ✔—Cloudflare speaks IPv6 to clients even if you only run IPv4.
- Multi-service tunnels—expose SSH, RDP, MQTT, or custom ports via Cloudflare Access (free) or Spectrum (paid).
- Performance—latency is usually set by the round trip to the nearest Cloudflare POP (often lower than a direct residential route).
Alternatives If Tunnel Isn’t for You
- Business Static IP – pay the ISP for a dedicated address.
- Native IPv6 – serve your site over IPv6; use Cloudflare or NAT64 for IPv4-only visitors.
- Rent a VPS as reverse proxy – set up WireGuard or an SSH reverse tunnel.
- Move hosting off-premise – VPS or managed web-hosting if local access is no longer needed.
Wrap-Up
CGNAT removes your ability to receive inbound traffic, but it doesn’t mean you have to give up self-hosting. With Cloudflare Tunnel your server dials out, bypassing the carrier’s NAT while Cloudflare handles security, TLS, and global delivery. Ten minutes of setup and you’re back online—no static IP required.
Have questions or hit a snag? Drop them in the comments and I’ll help you get your site reachable again!