Dynamic DNS behind CGNAT: why it fails, and the fix
More and more ISPs — especially LTE/5G, Starlink, and budget fiber — put customers behind Carrier-Grade NAT. Your router never gets a public IP, so DDNS and port forwarding can't make your home network reachable. Reverse tunnels can.
Am I behind CGNAT?
- Your router's WAN IP is in
100.64.0.0/10(100.64.x.x – 100.127.x.x), or is a private 10.x / 192.168.x address - Your router's WAN IP differs from what "what is my IP" websites show
- Port forwarding rules simply never work
Why DDNS alone can't help
Dynamic DNS points a hostname at your public IP. Behind CGNAT that IP is shared by hundreds of customers, and the ISP's NAT drops all unsolicited inbound traffic. There is nothing to forward a port to — the connection dies at the carrier.
The fix: reverse tunnels
A reverse tunnel flips the direction. A small client on your network makes an outbound connection to rslvd.net (outbound always works, even behind CGNAT). When someone visits yourname.rslvd.net, the traffic rides back through that established connection to your local service.
- Create a free account — the free plan includes 2 tunnels and 2 DDNS hosts
- Add a tunnel in the dashboard and copy its token
- Run the rslvd tunnel client on any machine inside your network
- Your service is live at
https://yourname.rslvd.netwith automatic HTTPS
TCP, UDP, and even DNS-based tunneling (for networks that block everything else) are supported. Step-by-step guides: Linux & Windows tutorials.
Common CGNAT escape uses
- Home Assistant, Nextcloud, Plex/Jellyfin remote access
- Game servers (Minecraft, Valheim) on LTE or Starlink
- SSH/RDP into a homelab with no public IP
- Security cameras and NVRs