What IP Address Will My Router Get? (CGNAT Explained)

A very common question with cellular data plans is: "What IP address will my router get, and why can't I reach it from the internet?" The answer depends on how the plan is provisioned. This article covers the three kinds of addresses you might see on a Llama Networks cellular data plan and what each one means for you.

The three addressing modes

What your router's WAN shows What it actually is Reachable from the internet?
An address in 100.64.0.0/10 (or a private range like 10.x.x.x) Standard NAT/CGNAT private address No
An address that looks public, e.g. 21.x.x.x, 22.x.x.x, 25.x.x.x, 26.x.x.x, 30.x.x.x Carrier "squat" space: routable-but-not-routed IPs behind CGNAT. See Mode 2 below. No
A normal public IPv4 address A genuine public IP (selected/provisioned add-on) Yes (subject to your firewall)
192.0.0.2 464XLAT (See notes on IP6 below) No

Mode 1: Standard CGNAT

On many plans, the router's cellular WAN receives a private, carrier-managed address, commonly in the dedicated CGNAT range 100.64.0.0/10. CGNAT (Carrier-Grade NAT) lets the carrier share a limited pool of public IPv4 addresses across many customers. Your outbound traffic works normally; the address is not reachable from the internet. Starlink uses CGNAT by default for plans that do not carry a public IP:

 

Mode 2: "Publicly routable but not public" (DoD / squat space)

This one causes the most confusion. On T-Mobile-based plans (which power many wholesale and IoT SIMs), your router may be handed an address that looks like a public IP but isn't in any of the familiar private ranges. These commonly come from blocks allocated to the U.S. Department of Defense (and the UK Ministry of Defence), such as 21.0.0.0/8, 22.0.0.0/8, 25.0.0.0/8, and 26.0.0.0/8. For a full list of space commonly used, see this list.

Here's the key point: those blocks are officially allocated, but their owners do not announce them on the public internet. Because that space is never routed publicly, the carrier reuses it internally much like private space. So your router shows, say, a 25.x.x.x address, tools don't flag it as "private," yet it is still behind CGNAT and not reachable from the internet. You get all the limitations of CGNAT even though the address doesn't look like a typical CGNAT address. 

T-Mobile uses non-routable IP space for wholesale IoT / FWA plans:

While the space shown above is not DoD or UKMoD IP space, commonly used for squat space, it is still not owned by T-Mobile. We make no assertions that this space is technically squat space as T-Mobile may have an agreement with Prudential, the current listed owner of 48.0.0.0/8, but this space is commonly used as squat space.

Mode 3: A real public IP (when selected)

If your plan includes or adds a public IP option, the router receives a genuine, globally routable public IPv4 address. Inbound connections then work (subject to your own firewall rules), so you can port-forward, host services, or run site-to-site VPNs directly. Public/static IP availability depends on the plan and carrier and is typically a paid or provisioned add-on.

When the difference matters

Modes 1 and 2 behave identically in practice: outbound everything works (browsing, streaming, video calls, VPN clients, cloud services, InControl2), but unsolicited inbound connections are blocked. That means the following will not work on Mode 1 or Mode 2 addressing:

  • Port forwarding to a device behind the router.
  • Hosting a server, camera/NVR, or service that outsiders connect to.
  • Some site-to-site VPNs that expect a reachable public IP.
  • Reaching the router's admin page directly from the internet by IP.

A note on IPv6 and 464XLAT

T-Mobile's mobile network runs an IPv6-only core, and IPv6 addresses are globally routable (subject to firewall rules). If both ends of a connection support IPv6, that can provide reachability that IPv4 CGNAT/squat space blocks.

To keep IPv4-only apps and devices working over an IPv6-only network, T-Mobile uses 464XLAT. It has two parts: a CLAT on your device or router that translates IPv4 packets into IPv6 locally, and a PLAT (a NAT64 gateway) in T-Mobile's network that translates them back to IPv4 on the way out. This is why an IPv4-only application keeps working even though the transport underneath is entirely IPv6.

Because of 464XLAT, your device or router will typically show a local IPv4 address of 192.0.0.2. That address comes from the IETF-reserved 192.0.0.0/29 "IPv4 Service Continuity" block (RFC 7335) and is only the local translation address used by the CLAT. It is not a routable or reachable IPv4 address, and it is not your "real" WAN IP, so seeing 192.0.0.2 is normal and simply means 464XLAT is in use. Actual global reachability is over IPv6; for inbound IPv4 you still need SpeedFusion or a public IPv4.

Options for inbound access

  • SpeedFusion on Peplink: the most reliable fix. Your router builds a tunnel out to a hosted endpoint and exits from a reachable address, which works regardless of whether you're on CGNAT or DoD squat space. 
  • Cloud-reachable management overlays: tools where the device reaches out (InControl2 for Peplink, various VPN/mesh solutions) work fine on all three modes because nothing has to reach in.
  • A public IP add-on: switch the SIM/plan to Mode 3 if you truly need direct inbound reachability.

Public IP vs. static IP (and how we can help)

Worth clarifying, since the two are often confused: a public IP is reachable from the internet but can still change over time, while a static IP stays the same. Most cellular plans and Starlink do not hand out static IPs, and Starlink has no static option at all, so a public IP alone is not a guarantee of a fixed address.

If you need a fixed, reachable address (to allowlist on a firewall, point DNS at, or terminate a VPN), Llama Networks offers hosted services that deliver one or more static IP endpoints over cellular, Starlink, or SpeedFusion bonding. Your traffic exits from a stable address that we manage, regardless of what the carrier assigns underneath, and you can bond multiple links for resilience. Reach out to sales[at]llamanetworks[dot]com to set this up.

How to check what you have

  1. In the router's status/dashboard, look at the cellular WAN's IP address.
  2. If it's in 100.64.0.0/10 (or a 10.x/172.16.x/192.168.x range), you're on standard CGNAT (Mode 1).
  3. If it's something like 21.x, 22.x, 25.x, or 26.x, you're on carrier squat space (Mode 2), still behind CGNAT despite the public-looking address.
  4. If it's 192.0.0.2, you're on a 464XLAT connection (see the IPv6 section); real transport is over IPv6.
  5. From a device behind the router, run a "what is my IP" lookup and compare. If the public-facing IP differs from your WAN IP, you're behind CGNAT (Mode 1 or 2). If they match a normal public address, you likely have a public IP (Mode 3).

Questions about which plan gives you the addressing you need, or whether a public IP is available for your use case? Reach out to sales[at]llamanetworks[dot]com.

Sources and further reading



Have more questions? Submit a request