MikroTik CGNAT Remote Access

How to Access Your Home Network Behind CGNAT with MikroTik RouterOS

Carrier-grade NAT (CGNAT) is one of the most painful problems for anyone running a home lab, remote CCTV, or small business services from home. When your ISP puts you behind CGNAT, port forwarding on your router stops working and remote access breaks. This guide explains why, and shows the remote access patterns that still work with RouterOS.

Why Port Forwarding Fails Behind CGNAT

On a normal connection, your home router receives a public IPv4 address, and you can create a port forwarding rule (dst-nat) to expose internal services. With CGNAT, your router receives a non-routable address instead, usually from 10.0.0.0/8 or from the 100.64.0.0/10 shared address space (RFC 6598) that is reserved for exactly this purpose, and the ISP performs a second layer of NAT on its side.

  • You do not control the real public IP; the ISP does.
  • Incoming traffic never reaches your router, so dst-nat and port forwarding rules on MikroTik do nothing.
  • Even a perfect firewall and NAT configuration on RouterOS cannot fix this, because the problem is upstream in the ISP network.

This is the core reason MikroTik CGNAT remote access must use a different pattern. You need to connect out from your home network to a server on the internet that you control, and then use that server to reach back into your home network.

Note: If you’re not behind CGNAT and just need classic port forwarding, follow this MikroTik Port Forwarding Tutorial.

How to Detect If You Are Behind CGNAT

Before building a solution, confirm that you really are behind CGNAT:

1. Log in to your MikroTik and check your WAN IP on the interface connected to your ISP, for example, ether1-WAN.

2. Then, visit an external IP check site from a device on your LAN and compare the two IP addresses.

If the WAN IP address falls in one of these ranges:

10.0.0.0/8
100.64.0.0/10 (shared address space reserved for CGNAT, RFC 6598)
172.16.0.0/12
192.168.0.0/16

and does not match the public IP the external site reported, you are behind CGNAT. Normal port forwarding cannot work in that situation, so you need one of the MikroTik CGNAT remote access strategies described below. A WAN address that looks public but still differs from what the external site shows also means something upstream is rewriting your traffic; treat it the same way.
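The comparison above, as an added example that is not part of the original article: a small POSIX shell script that classifies the WAN address RouterOS shows against the address the internet sees. It treats the 100.64.0.0/10 shared space separately because many tools (including Python's ipaddress.is_private) do not flag it as private, and it reports a routable-looking WAN address that still differs from the observed one as upstream NAT. The sample addresses in the usage comment are constructed; the RouterOS commands mentioned in the comments are the ones you would run to obtain the two inputs.

```shell
#!/bin/sh
# Added example (not part of the original article): decide whether a MikroTik
# WAN address means CGNAT. Inputs are assumed to come from the two checks the
# article describes: the WAN address from RouterOS
# ("/ip address print where interface=ether1-WAN") and the address an external
# IP-check site reports ("/ip cloud print" also shows it as public-address).

# Dotted IPv4 -> 32-bit integer, pure POSIX sh arithmetic.
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if address $1 lies inside CIDR $2, else 1.
ip_in_cidr() {
    a=$(ip_to_int "$1")
    n=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( a & mask )) -eq $(( n & mask )) ]
}

# classify_wan WAN_IP OBSERVED_PUBLIC_IP
#   cgnat        WAN address is RFC 6598 shared space or RFC 1918: ISP NAT for sure
#   public       WAN address is routable and is exactly what the internet sees
#   upstream-nat WAN address looks routable but differs from what the internet
#                sees: something upstream still rewrites it, so inbound will fail
classify_wan() {
    wan=$1; seen=$2
    if ip_in_cidr "$wan" 100.64.0.0/10; then
        echo cgnat
    elif ip_in_cidr "$wan" 10.0.0.0/8 || ip_in_cidr "$wan" 172.16.0.0/12 \
         || ip_in_cidr "$wan" 192.168.0.0/16; then
        echo cgnat
    elif [ "$wan" = "$seen" ]; then
        echo public
    else
        echo upstream-nat
    fi
}

# Usage: ./cgnat-check.sh <wan-ip> <observed-public-ip>
# e.g.   ./cgnat-check.sh 100.64.12.7 203.0.113.9   -> cgnat   (constructed addresses)
if [ $# -eq 2 ]; then
    classify_wan "$1" "$2"
fi
```

Run it with the two addresses you collected; only a result of public means classic dst-nat port forwarding has any chance of working.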

Common Strategies to Bypass CGNAT

There are four main MikroTik-friendly strategies:

  • Use a VPS with WireGuard or another VPN and route traffic through it.
  • Use MikroTik Back To Home (BTH) in RouterOS v7.
  • Use reverse SSH tunnels or similar TCP tunnels.
  • Use Dynamic DNS (DDNS) only when the ISP gives a real public IP.

Each option has different costs, complexity, and reliability. The following sections cover each of them in turn.

Use a VPS with WireGuard as Your Public Anchor

The strongest solution is to rent a VPS with a public IPv4 address and use it as your anchor point on the internet. Your MikroTik at home connects out to this VPS over WireGuard or another VPN; you then connect to the VPS and are routed back into your home network.

This pattern completely bypasses CGNAT because:

  • The VPS has a routable public IP, no CGNAT.
  • All inbound traffic lands on the VPS, where you control the firewall and forwarding.
  • Your home router only needs an outbound connection, which always works through CGNAT.

For readers who want a ready environment, a dedicated MikroTik VPS pre-tuned for RouterOS can save a lot of time.

Step-by-Step Set up WireGuard from MikroTik to VPS

In this section, you create a secure tunnel from your home MikroTik router to a VPS with a real public IP. This is the core of a stable MikroTik CGNAT remote access setup. Your MikroTik makes an outbound WireGuard connection to the VPS, and then all remote access goes through that tunnel.

At a high level, the design looks like this:

  • Your VPS has a public IPv4 address on the internet.
  • WireGuard runs on both the VPS and your MikroTik router.
  • The MikroTik connects out to the VPS, which always works even behind CGNAT.
  • The VPS routes traffic back to your home LAN through the WireGuard tunnel.

You can follow this step-by-step WireGuard guide for MikroTik and VPS for a full setup.

Once you are done with the setup, your MikroTik will have a working WireGuard tunnel to your VPS. At that point, you only need to:

  • Add a route on the VPS for your home LAN subnet via the MikroTik's WireGuard address (if the VPS uses wg-quick, listing the LAN subnet in the MikroTik peer's AllowedIPs installs this route for you, and it is required anyway so WireGuard accepts packets from that subnet).
  • Allow input and forwarding from the WireGuard interface in your MikroTik firewall, and make sure the MikroTik peer's allowed-address covers every address that will arrive through the tunnel, not just the VPS itself.
  • Optionally, connect your laptop or other devices to the VPS as WireGuard clients so they can reach your home LAN over the tunnel.

With this in place, your VPS becomes the public entry point for your network, and your MikroTik CGNAT remote access works reliably without needing any port forwarding from your ISP.
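The complete two-sided setup, as an added example that is not part of the original article or the linked WireGuard guide: one shell script that renders both the VPS wg0.conf and a RouterOS 7 import script from a single set of variables, so the AllowedIPs on the VPS and the allowed-address on the MikroTik agree. The VPS address 203.0.113.10, the tunnel subnet 10.99.0.0/24, the LAN 192.168.88.0/24, the interface name wg-vps and all keys are assumed placeholders; substitute your own (the keys come from wg genkey on the VPS and from /interface wireguard print on the router).

```shell
#!/bin/sh
# Added example, not from the original article: render matching WireGuard
# configurations for both ends of the CGNAT tunnel from one set of variables,
# so the cryptokey routing (AllowedIPs / allowed-address) agrees on both sides.
# Every address, port, interface name and key below is an assumed placeholder.

VPS_PUBLIC_IP=203.0.113.10     # assumed VPS address (documentation range)
VPS_PORT=51820
WG_NET=10.99.0.0/24            # tunnel subnet
VPS_WG_IP=10.99.0.1
MT_WG_IP=10.99.0.2             # MikroTik's tunnel address
LAPTOP_WG_IP=10.99.0.3         # a roaming admin laptop, also a VPS peer
HOME_LAN=192.168.88.0/24       # LAN behind the MikroTik
VPS_PRIVKEY=${VPS_PRIVKEY:-REPLACE_WITH_VPS_PRIVATE_KEY}       # wg genkey
VPS_PUBKEY=${VPS_PUBKEY:-REPLACE_WITH_VPS_PUBLIC_KEY}          # wg pubkey
MT_PUBKEY=${MT_PUBKEY:-REPLACE_WITH_MIKROTIK_PUBLIC_KEY}       # /interface wireguard print
LAPTOP_PUBKEY=${LAPTOP_PUBKEY:-REPLACE_WITH_LAPTOP_PUBLIC_KEY}

# VPS side, for /etc/wireguard/wg0.conf (wg-quick).
render_vps_conf() {
cat <<EOF
[Interface]
Address = $VPS_WG_IP/24
ListenPort = $VPS_PORT
PrivateKey = $VPS_PRIVKEY
# Forward between peers on the same interface (laptop -> home LAN).
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i %i -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -o %i -j ACCEPT

# MikroTik at home. No Endpoint here: the router must dial out, because
# nothing can reach it through CGNAT. Listing the home LAN in AllowedIPs
# both accepts its packets and makes wg-quick install the route via %i.
[Peer]
PublicKey = $MT_PUBKEY
AllowedIPs = $MT_WG_IP/32, $HOME_LAN

# Roaming laptop: its tunnel address only.
[Peer]
PublicKey = $LAPTOP_PUBKEY
AllowedIPs = $LAPTOP_WG_IP/32
EOF
}

# MikroTik side, a RouterOS 7 script loaded with: /import file-name=mikrotik-wg.rsc
render_mikrotik_rsc() {
cat <<EOF
# Interface; RouterOS generates the key pair when private-key is omitted.
/interface wireguard add name=wg-vps listen-port=13231 comment="tunnel to VPS"
/ip address add address=$MT_WG_IP/24 interface=wg-vps
# allowed-address must cover the whole tunnel subnet, not just the VPS /32,
# or packets from the laptop ($LAPTOP_WG_IP) are dropped on arrival.
# persistent-keepalive keeps the ISP's NAT mapping alive so the VPS can send.
/interface wireguard peers add interface=wg-vps public-key="$VPS_PUBKEY" endpoint-address=$VPS_PUBLIC_IP endpoint-port=$VPS_PORT allowed-address=$WG_NET persistent-keepalive=25s
# Firewall: accept management and forwarding from the tunnel. place-before=0
# puts them above the default drop rules. No WAN input rule for 13231 is
# needed: the router only ever initiates.
/ip firewall filter add chain=input in-interface=wg-vps action=accept place-before=0 comment="management over WireGuard"
/ip firewall filter add chain=forward in-interface=wg-vps out-interface-list=LAN action=accept place-before=0 comment="VPS and laptop -> home LAN"
# Management services answer only on the tunnel and the LAN, never on WAN.
# Apply this from a LAN or tunnel session, or you lock yourself out.
/ip service set winbox address=$WG_NET,$HOME_LAN
/ip service set ssh address=$WG_NET,$HOME_LAN
/ip service set www address=$WG_NET,$HOME_LAN
EOF
}

# Usage: ./render-wg.sh write   -> wg0.conf and mikrotik-wg.rsc in the current directory
if [ "${1:-}" = write ]; then
    render_vps_conf > wg0.conf
    render_mikrotik_rsc > mikrotik-wg.rsc
    echo "wrote wg0.conf and mikrotik-wg.rsc"
fi
```

The laptop's own config mirrors this: its AllowedIPs for the VPS peer must list both the tunnel subnet and the home LAN, and the VPS needs no NAT because LAN hosts route 10.99.0.0/24 back through the MikroTik as a directly connected network. If you keep the MikroTik peer's allowed-address at the VPS /32 only, as many first attempts do, the tunnel comes up, pings from the VPS work, and everything from the laptop is silently dropped.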

Use MikroTik Back To Home (BTH)

RouterOS v7 includes Back To Home, a feature designed exactly for remote access in CGNAT-style situations. BTH lets your MikroTik connect to a MikroTik cloud endpoint and then gives you a secure path back to your network.

Key points for MikroTik CGNAT remote access using BTH:

  • It is simpler than running your own VPS, because MikroTik Cloud handles the central endpoint.
  • It is best for remote management of the router itself, like Winbox, WebFig, and SSH, not for heavy traffic or multiple services.
  • You still need to enable the feature and allow access in your firewall.

BTH is a good option for small environments and non-technical users, but for long-term and high-control usage, a dedicated VPS endpoint is usually better.

Reverse SSH Tunnel and Other TCP Tunnels

If you only need to expose a few TCP services, for example, one SSH port or a small web UI, a reverse SSH tunnel or other TCP tunnel can work. This method uses the same basic idea as MikroTik CGNAT remote access via VPS; you initiate an outbound connection from home and keep it open.

Here’s how it works:

  • A small Linux host inside your home network runs an SSH client.
  • It connects out to a VPS with SSH reverse port forwarding (ssh -R).
  • The VPS exposes that port, and traffic to it goes back over the SSH tunnel to the service at home.

This method is cheap (one VPS, or even a small VM) and simple for one or two services. It is not very MikroTik-centric, since the tunnel lives on a host behind the router rather than on the router itself.

If your main focus is router-based MikroTik CGNAT remote access, WireGuard on the router itself gives more control than a reverse SSH from a host.
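The reverse tunnel described above in hardened form, as an added example that is not part of the original article: the home-side client loop plus the authorized_keys restriction for the VPS account, so the forwarded port is bound to the VPS loopback rather than the open internet and the key cannot be used for anything but this one listener. The VPS address, account name tunnel, port 2222 and the MikroTik address 192.168.88.1 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: a reverse SSH tunnel from a
# Linux host on the home LAN to a VPS, with the VPS account restricted so the
# key can open exactly this one listener and nothing else. Host names,
# addresses, ports and the account name are assumed placeholders.

VPS=203.0.113.10
TUNNEL_USER=tunnel             # unprivileged account on the VPS
REMOTE_BIND=127.0.0.1          # listen on the VPS loopback only (see note)
REMOTE_PORT=2222
LOCAL_TARGET=192.168.88.1      # MikroTik SSH behind CGNAT
LOCAL_PORT=22

# Line for ~tunnel/.ssh/authorized_keys on the VPS. "restrict" turns off pty,
# agent/X11 forwarding and commands; "port-forwarding" re-enables forwarding
# and "permitlisten" pins the remote forward to this one bind address and
# port (OpenSSH 7.8+). If the key leaks it is useless for anything else.
authorized_keys_line() {
    echo "restrict,port-forwarding,permitlisten=\"$REMOTE_BIND:$REMOTE_PORT\" $1"
}

# Client invocation run from the home host. -N: no shell. ExitOnForwardFailure:
# if the VPS still holds a stale listener from a dropped session, exit instead
# of staying "connected" with no tunnel. Keepalives notice a dead CGNAT mapping
# within about 90 s so the supervisor below reconnects.
ssh_command() {
    echo "ssh -N -o BatchMode=yes -o ExitOnForwardFailure=yes" \
         "-o ServerAliveInterval=30 -o ServerAliveCountMax=3" \
         "-R $REMOTE_BIND:$REMOTE_PORT:$LOCAL_TARGET:$LOCAL_PORT $TUNNEL_USER@$VPS"
}

# Keep the tunnel up: ssh exits when the session dies; wait and dial again.
run_tunnel() {
    while :; do
        sh -c "$(ssh_command)" || true
        sleep 10
    done
}

# Usage: ./reverse-tunnel.sh run
# Then, from your laptop: ssh -J you@203.0.113.10 -p 2222 admin@127.0.0.1
if [ "${1:-}" = run ]; then
    run_tunnel
fi
```

Because the listener is bound to 127.0.0.1 on the VPS, you reach it with a ProxyJump through your normal VPS account (or over a WireGuard tunnel to the VPS); GatewayPorts stays off and the home service is never directly exposed on the VPS's public address.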

DDNS and Why It Is Not Enough Behind CGNAT

Dynamic DNS (DDNS) gives you a fixed hostname that always points to your current public IP, even when that IP changes. This is perfect for a normal home connection where your router really holds a public IP, but it does not solve the CGNAT problem: the IP the internet sees does not belong to your router, it belongs to the ISP's NAT device.

So, for MikroTik CGNAT remote access, DDNS behaves like this:

  • If your WAN IP is truly public (no CGNAT), DDNS plus port forwarding works fine for VPN, cameras, and router access.
  • If your WAN IP is private (CGNAT), DDNS still updates, but it points at an address the outside world cannot reach through to you, so remote access still fails. Even RouterOS's own /ip cloud DDNS name resolves to the ISP's shared public address, which you cannot forward from.
  • In other words, DDNS is a naming tool, not a CGNAT bypass; you still need a public endpoint such as a VPS or a tunnel service.

If your ISP gives you a real public IP, even a dynamic one, DDNS is very useful. In that case, you can follow this guide to keep your MikroTik reachable without paying for a static IP:

Best MikroTik DDNS Without Static IP for Home Networks.

You can combine that DDNS setup with VPN or port forwarding when you are not behind CGNAT. But when CGNAT is active, you still need a tunnel to a public server on the internet, as explained in the previous sections.

Choosing the Right Method for Your Budget and Skill Level

Now you can use this practical view to pick your MikroTik CGNAT remote access strategy:

Scenario | Budget | Skill level | Best option | Notes
Home lab, stable long-term access | Low to medium | Intermediate | VPS + WireGuard | Most flexible; works with any service.
Simple router admin only | Free/low | Beginner to intermediate | Back To Home (BTH) | Good for RouterOS management sessions.
One or two TCP services, small project | Low | Intermediate Linux | Reverse SSH tunnel | Light, but not ideal for many services.
ISP offers a real public IP | Medium (monthly fee) | Any | Ask the ISP for a public IP | Then normal port forwarding + DDNS.

For readers who want a ready-made VPS tuned for MikroTik CGNAT remote access, a MikroTik-focused VPS is ideal.

To compare VPN options such as WireGuard, IPsec, and OpenVPN in more detail, you can check this guide on MikroTik VPN protocol comparison.

Security Best Practices for MikroTik Remote Access

You must make security your main priority when you set up MikroTik CGNAT remote access.

  • Always use an encrypted tunnel (WireGuard, IPsec, SSTP); never expose raw services to the internet.
  • Limit who can connect: firewall rules, tight allowed-address / AllowedIPs on WireGuard peers, and keys rather than passwords.
  • Do not open management services (Winbox, WebFig, SSH) to the whole internet; reach them through the VPN only, and restrict them to the tunnel and LAN addresses with /ip service so they never answer on the WAN.

This keeps your home lab and SMB network safe while still bypassing CGNAT limitations.

Conclusion

CGNAT breaks normal port forwarding because your router does not have a public IP. To restore remote access, you must create an outbound tunnel from your MikroTik to a public endpoint you control, then route traffic back through that tunnel. In practice, the most flexible and stable method is a VPS with WireGuard, especially for users who want long-term MikroTik CGNAT remote access for home labs or small business services.

If you want to avoid fighting your ISP and get a public endpoint dedicated to your RouterOS setup, consider a hosted MikroTik VPS, such as a PerLod MikroTik VPS, as your external anchor. It gives you a public endpoint for secure inbound access to your home or office network while everything else stays behind the tunnel.

We hope you enjoy this guide.

FAQs

Why does port forwarding not work behind CGNAT?

Port forwarding does not work because incoming traffic never reaches your router; it stops at the ISP’s NAT device first.

Can DDNS solve CGNAT?

No, DDNS only gives a name for an IP; if the IP is not really yours, DDNS cannot make external access work.

Is WireGuard better than other VPNs to bypass CGNAT?

WireGuard is fast, simple, and well supported on MikroTik, so it is a very good choice for this kind of remote access tunnel.
