What IP range does CGNAT use?

CGNAT uses the 100.64.0.0/10 address range, which covers IPs from 100.64.0.0 to 100.127.255.255. This range is defined by RFC 6598 as "shared address space" — it's not routable on the public internet, only within a carrier's internal network. You won't see 100.64.x.x as a public proxy IP; what you see is the carrier's public IP that the CGNAT translates your private address into.

Does every mobile proxy use CGNAT?

Every legitimate mobile proxy based on a real SIM card connected to a major carrier network will use CGNAT, because CGNAT is how modern mobile carriers handle IPv4 exhaustion. It's not optional or configurable — it's how the carrier network operates. Some providers marketing "mobile proxies" actually use virtual SIMs, MVNO operators with poor CGNAT implementations, or residential IPs misclassified as mobile. To be sure, verify the ASN and IP type classification as described above.

Can I check if my proxy is using CGNAT?

Yes. Connect through your proxy and run a traceroute to any public destination. If you see hops through 100.64.x.x addresses in the early part of the route (before reaching the public internet), your traffic is passing through a CGNAT layer. You can also check the public IP's classification at ipinfo.io — a CGNAT-protected IP will be classified as "mobile" with a major carrier ASN.

Why do some mobile proxies still get blocked?

CGNAT protects against IP-reputation-based blocking, but modern bot detection uses multiple layers. Browser fingerprinting (canvas, WebGL, fonts, screen resolution), behavioral analysis (mouse movements, typing speed, navigation patterns), and TLS fingerprinting can all detect automation regardless of IP quality. A mobile proxy is necessary but not always sufficient — you also need a realistic browser fingerprint and human-like behavioral patterns. For API-level scraping (no browser), CGNAT protection is typically all you need. For browser automation, pair mobile proxies with tools like Playwright stealth plugins or dedicated antidetect browsers.

What's the difference between CGNAT and a regular NAT?

Regular NAT (what your home router does) translates one private address range (192.168.x.x or 10.x.x.x) to a single public IP, affecting only your household — typically 5 to 20 devices. CGNAT operates at the carrier level, translating thousands of customer private addresses (100.64.x.x) to a shared pool of public IPs, affecting thousands of subscribers simultaneously. The scale difference is what makes CGNAT IPs impractical to block — the collateral damage is thousands of real users, not one household.

How does CGNAT affect sticky sessions?

CGNAT can complicate sticky sessions because multiple users share the same public IP. Some platforms use a combination of IP + cookies or IP + TLS session to identify users. If you need a sticky session (the same IP for the duration of a session), you need a proxy provider that assigns you a dedicated modem — so you are the only subscriber using that CGNAT public IP at a given time, ensuring IP consistency for the duration of your session. Shared proxy pools with rotating users can break sticky sessions. Dedicated modem plans solve this by giving you exclusive access to a single modem and its CGNAT IP.

Is a dedicated modem better than a P2P mobile proxy for CGNAT protection?

For CGNAT protection itself, both deliver genuine mobile carrier IPs. The difference lies in reliability, control, and session consistency. With a dedicated physical modem, you control the rotation timing, you get guaranteed uptime (no peer going offline), you have a predictable IP pool from a specific carrier, and you're not sharing the modem with other proxy customers. P2P mobile proxies (peer devices sharing bandwidth) can deliver genuine CGNAT IPs but with variable uptime and less control over which carrier or region you're in. For professional use cases — automation, account management, data collection — dedicated modems are the standard.

CGNAT Explained: Why Mobile Proxies Are Nearly Impossible to Block in 2026

Mobile proxies have a 99% success rate against modern anti-bot systems. Datacenter proxies get blocked 70–95% of the time. Residential proxies sit somewhere in between — and they're getting worse every year. The reason for this massive gap comes down to four letters: CGNAT.

CGNAT (Carrier-Grade NAT) is the network architecture that mobile carriers use to handle IPv4 address exhaustion, and it's the single most important reason why a mobile proxy IP is nearly impossible to block without causing catastrophic collateral damage. Understanding CGNAT explains why mobile proxies work when everything else fails — and what to look for when choosing a provider.

What Is CGNAT? (The Simple Explanation)

The internet was built on IPv4, which provides roughly 4.3 billion unique addresses. By the early 2000s, engineers realized that wasn't enough for a world where every phone, tablet, and IoT device would need connectivity. The long-term fix is IPv6 — but IPv6 adoption has been slow, and billions of devices still communicate primarily over IPv4.

Carriers solved this short-term problem with Network Address Translation (NAT). You already know consumer NAT: your home router gives every device on your Wi-Fi a private IP address (like 192.168.1.x), and the router itself has one public IP that the entire household shares. Your ISP only needs to assign one IP for your entire home.

Carrier-Grade NAT, standardized in RFC 6598, takes this concept one level higher. Instead of doing NAT once (at your home router), mobile carriers do it twice:

Your phone or modem gets a private IP in the 100.64.0.0/10 range (addresses 100.64.0.0 through 100.127.255.255) — this is the IANA-designated "shared address space" specifically for CGNAT.
The carrier's CGNAT infrastructure then translates thousands of those private addresses into a small pool of public IPv4 addresses.

The result: thousands of subscribers share a handful of public IPs simultaneously.

To put concrete numbers on it: at peak hour on a typical weekday in Warsaw, approximately 5,000 Orange Polska subscribers may be routed through just 3 public IP addresses. Every HTTP request from every one of those 5,000 people — checking Gmail, scrolling Instagram, booking a train ticket — appears on the public internet as originating from one of those 3 IPs.

This isn't a bug or a cost-cutting measure. It is the designed, standardized behavior of how mobile networks operate in the age of IPv4 scarcity.

Why Anti-Bot Systems Cannot Block CGNAT IPs

Anti-bot systems work by building reputation profiles for IP addresses. When an IP sends too many requests too quickly, scrapes structured data, or shows non-human behavior patterns, it gets flagged. The flagging propagates to shared reputation databases like MaxMind, IPHub, and IPQualityScore — which most bot-protection platforms query in real time.

This system works extremely well against datacenter and residential proxy IPs. But it breaks down almost completely against CGNAT mobile IPs, for one fundamental reason:

Blocking a CGNAT IP means blocking thousands of real, innocent people.

Consider the math. If someone using a mobile proxy for automation is sharing a CGNAT IP with 5,000 Orange Polska subscribers, and Facebook bans that IP, they ban all 5,000 of those subscribers — real people, paying customers of Orange, who have never touched a proxy in their lives. Their phone would suddenly be blocked from Facebook while connected to mobile data. They'd call Orange support. Orange would complain to Facebook. It would be a PR and legal disaster.

Platform operators know this. They have explicitly documented internal policies against blocking CGNAT ranges broadly. The risk-reward calculation simply doesn't work: block one bot user, block 5,000 real users. No rational business makes that tradeoff.

Contrast this with the alternatives:

Datacenter IPs: Owned by one company (DigitalOcean, AWS, Hetzner). Every IP in a datacenter ASN is associated with servers, not humans. There is zero collateral damage to blocking an entire datacenter subnet. Anti-bot systems block these instantly and aggressively.
Residential proxy IPs (P2P networks): These are real home IPs, shared across a proxy network's userbase. Because the same IP serves thousands of proxy network customers over time, abuse accumulates. The IP's history eventually includes enough suspicious requests that reputation databases flag it. Blocking a residential proxy IP has limited collateral damage because the IP serves one household — and if it's been used extensively for proxy traffic, the household's "real user" fraction is arguable.
Mobile CGNAT IPs: The previous user of this public IP, five seconds ago, was a real person checking their bank account on their phone. The IP has a clean reputation built from millions of legitimate requests from thousands of real subscribers. Flagging it would require concrete evidence of abuse from that specific IP at that specific moment — an extremely high bar that's almost never crossed before the IP rotates away to another subscriber anyway.

The Technical Stack Behind a Mobile Proxy

To understand why mobile proxies look so different to detection systems, you need to understand what a detection system actually sees when you connect through one.

Here is the full chain from modem to target website:

A physical 4G/5G modem with a real SIM card connects to the carrier network (e.g., Orange Polska, T-Mobile PL, Play).
The carrier's DHCP server assigns the modem a private IP address in the 100.64.0.0/10 CGNAT range.
The carrier's CGNAT infrastructure translates outbound traffic from that private IP to one of the carrier's public IPs.
The target website receives the request and sees: the carrier's public IP, the carrier's ASN, and all the network characteristics of mobile cellular traffic.

Modern bot-detection systems check a battery of signals on every incoming IP. Here is how mobile CGNAT compares to alternatives on every major signal:

Detection Signal	Mobile CGNAT	Residential (P2P)	Datacenter
IP type (ISP classification)	Mobile / Cellular ✅	Residential ✅	Datacenter / Hosting ❌
ASN	Major carrier (`AS5617` Orange PL, `AS21021` T-Mobile PL) ✅	Residential ISP ✅	Cloud provider (`AS14061` DigitalOcean) ❌
IP reputation score	Always clean (5,000+ clean users) ✅	Degrades over time with abuse ⚠️	Often pre-blacklisted ❌
Reverse DNS (rDNS)	Carrier mobile hostname ✅	ISP residential hostname ✅	No rDNS or suspicious hostname ❌
CGNAT range membership	Yes — `100.64.0.0/10` ✅	No ❌	No ❌
Connection type fingerprint	LTE/5G cellular ✅	DSL / fiber ✅	Hosted / dedicated ❌

Every single one of these signals points to "real mobile user" for a CGNAT proxy. For a datacenter proxy, every signal points to "server." That's why detection rates are <1% versus 70–95%.

IP Rotation and CGNAT — How Changing IPs Works

One of the most powerful features of physical modem-based mobile proxies is IP rotation. When the modem drops its connection to the carrier network and reconnects, the carrier's DHCP server assigns it a new private IP from the 100.64.0.0/10 pool — and the CGNAT layer routes it through a different public IP from the carrier's pool.

From the perspective of the target website, this looks identical to a different phone user picking up their device and visiting the site. The IP changes, the connection characteristics are fresh, and there is no session continuity to track.

The carrier's CGNAT pool for a given geographic area typically contains between 100 and 500 distinct public IPs. For Orange Polska in Warsaw, the CGNAT pool covers all LTE subscribers in a given radio zone. Each rotation cycles to one of those IPs — which is currently being shared by hundreds of other real subscribers.

The speed of this rotation is determined by how long a 4G modem takes to disconnect, re-register on the carrier network, and obtain a new IP assignment. On modern LTE networks, this cycle takes 1 to 3 seconds. This means you can get a fresh, clean, CGNAT-protected IP every 2 seconds — which is why 2-second IP rotation is a realistic and commonly advertised feature of physical modem proxy farms.

Compare this to residential P2P proxies, where "rotation" means switching to a different peer device — but that device's IP may have been used by the proxy network for months, accumulating reputation damage. The freshness guarantee of a CGNAT rotation is categorically different.

CGNAT vs Residential Proxies — The Critical Difference

The residential proxy industry has done an excellent job marketing "real IP addresses from real people" as a proxy quality metric. And in 2018, that was mostly true. In 2026, it's misleading.

The problem with P2P residential proxies is the business model: the provider installs software on real people's devices (often bundled with free apps or VPNs), then sells bandwidth from those devices to proxy customers. The same IP gets used for thousands of proxy sessions over months. Over time, that IP accumulates:

Abuse reports from sites that detected unusual activity
Entries in threat intelligence feeds
Fingerprints in bot-detection training datasets
CAPTCHA trigger associations in Cloudflare and Akamai data

The result: even though the IP is technically "residential," its reputation has been degraded by proxy use. Detection rates for quality residential proxy providers now run 5–15% on hardened targets — and for budget residential providers, 30–50% is common.

CGNAT mobile proxies don't have this problem. The IP that your session uses was also used, simultaneously, by thousands of clean phone users. The ratio of legitimate-to-proxy traffic on a CGNAT IP is so overwhelmingly in favor of legitimate that reputation databases cannot make a meaningful negative inference.

Feature	Mobile CGNAT	Residential (P2P)	Datacenter
IP type classification	Mobile / Cellular	Residential	Datacenter
CGNAT protection	✅ Yes	❌ No	❌ No
ASN	Major mobile carrier	Consumer ISP	Cloud / hosting provider
IP reputation	Always clean (carrier pool)	Degrades with proxy use over time	Often pre-blacklisted
Detection rate (hardened targets)	<1%	5–15%	70–95%
Physical device	Real modem with SIM card	Real phone / PC (peer)	Virtual server
IP freshness at rotation	Always fresh (1–3 sec rotation)	Varies (peer availability)	Static or slow rotation
Carrier ASN verified	✅ Major carrier	⚠️ Mix of ISPs	❌ Cloud provider

Platform-Specific CGNAT Behavior

Different platforms implement anti-bot detection at different levels of sophistication, and each has specific behaviors when encountering CGNAT mobile IPs.

Facebook and Instagram

Meta uses IP type as a primary signal in their trust scoring system. A request arriving from a mobile carrier ASN — especially one classified as CGNAT by their IP intelligence layer — receives a significantly higher baseline trust score than any other IP type. CGNAT mobile IPs from major carriers like Orange Polska (AS5617) or T-Mobile PL (AS21021) show no "VPN detected" or "suspicious activity" flags in Meta's systems under normal usage patterns. This is why mobile proxies remain the dominant tool for Instagram account management despite Meta's increasingly aggressive bot detection.

Google

Google's infrastructure classifies CGNAT IPs as mobile device traffic. This classification reduces CAPTCHA friction dramatically — Google's reCAPTCHA v3 and v2 systems assign much higher trust scores to mobile carrier IPs than to datacenter or residential proxy IPs. For SERP scraping, this means fewer CAPTCHAs and lower solve rates, directly improving scraping efficiency and reducing per-request cost.

E-Commerce (Shopify, Amazon)

Fraud scoring systems on e-commerce platforms use IP type as one of the most heavily weighted signals in purchase risk assessment. The reasoning is straightforward: a mobile IP suggests a real person on a real device. Mobile IPs consistently score as lower-risk in fraud models, which translates to fewer 3DS challenges, fewer order holds, and lower false-positive rates on legitimate automation tasks like price monitoring or stock checking.

Cloudflare

Cloudflare's Bot Management system maintains internal IP categorization that identifies CGNAT ranges from major carriers. These ranges are in a "known-good mobile" category that bypasses many of the behavioral heuristics applied to other IP types. While Cloudflare still performs JavaScript fingerprinting and behavioral analysis, a CGNAT mobile IP enters those checks with a significant trust advantage. In practice, CGNAT mobile IPs bypass most Cloudflare bot challenges without triggering the full JS challenge page — even on sites using Cloudflare's most aggressive settings.

Practical Implications for Proxy Buyers

Understanding CGNAT gives you concrete criteria for evaluating mobile proxy providers. Not all providers marketing "mobile proxies" actually deliver CGNAT-protected IPs. Here's what to verify:

1. Check the ASN

Your proxy IP should resolve to a major mobile carrier ASN, not a hosting company or virtual operator. Use a tool like ipinfo.io or bgp.he.net to look up the ASN of your proxy IP. For Polish proxies, valid carrier ASNs are:

AS5617 — Orange Polska
AS21021 — T-Mobile Polska
AS205011 — P4 (Play)
AS5588 — T-Mobile (legacy Polkomtel)

If the ASN belongs to a VPS provider, cloud host, or unknown ISP, you are not getting a genuine mobile CGNAT IP.

2. Verify IP Type Classification

Navigate to browserleaks.com while connected through your proxy. Check the "ISP" field — it should show the carrier name. Check "Connection type" — it should show "Mobile" or "Cellular." If it shows "Corporate," "Hosting," or "ISP (residential)," the IP is not a genuine mobile CGNAT IP.

3. Test IP Rotation Speed

A provider using real physical modems on actual carrier networks should be able to deliver a new IP in 1–5 seconds. If rotation takes 30+ seconds, the provider may be simulating rotation with a pool of static IPs rather than performing real modem reconnects.

4. Verify CGNAT Range Membership

After connecting, check your public IP. If the provider's infrastructure is exposing 100.64.x.x addresses to you (unlikely but possible with some configurations), those are CGNAT internal addresses — not routable on the public internet. More commonly, you'll see a public IP from the carrier's pool. You can verify it's a known CGNAT-associated range by looking up the IP in MaxMind GeoIP2 — it should classify as "mobile" with the carrier name.

Our proxy plans use physical 4G modems with Orange Polska, T-Mobile PL, and Play SIM cards installed in a dedicated server room in Warsaw. Every IP delivered is a genuine CGNAT-protected carrier IP with rotation times of 1–5 seconds.