From Your Device → Router → ISP → Public Internet → Server
Most people imagine the internet as a single big network. In reality, it is a chain of multiple private and public networks, each owned by different organizations.
Your data travels through several layers of intranets and edge networks before it ever reaches Google, YouTube, or any website.
This article specifically covers the IPv4 CGNAT (Carrier-Grade NAT) scenario, which is common for:
- Mobile internet connections
- Many residential ISPs in Asia, parts of Europe, and developing regions
- ISPs facing IPv4 address exhaustion
This article does NOT cover:
- ✗ IPv6 connections (no NAT, direct public addressing)
- ✗ IPv4 connections with dedicated public IPs (business/premium plans)
- ✗ Dual-stack (IPv4 + IPv6) setups
- ✗ Direct fiber connections with public IPv4
Why CGNAT? Because of the IPv4 address shortage, many ISPs use CGNAT to share one public IPv4 address among thousands of users. If you have a dedicated public IPv4 address or use IPv6, your connection flow is simpler and different.
To check your setup:
- Visit https://test-ipv6.com/
- Check if you have IPv6 connectivity
- See if your public IP matches your router’s WAN IP (if yes, no CGNAT)
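The comparison in the last step can be scripted. This is an added example, not part of the original article: `classify_wan` is a hypothetical helper, and it assumes you supply the WAN IP shown on your router's status page and the public IP a test site reports (the sample values are the ones used later in this article).

```python
import ipaddress

# 100.64.0.0 to 100.127.255.255, the CGNAT range named in this article
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

MEANING = {
    "public": "router holds the public IPv4 itself, no CGNAT",
    "cgnat": "WAN IP is in 100.64.0.0/10, the ISP translates you at its edge",
    "private-upstream": "WAN IP is RFC 1918: ISP NAT or a second router upstream",
    "mismatch": "WAN IP looks public but differs from what servers see",
}


def classify_wan(wan_ip, public_ip):
    """Compare the router's WAN IP with the public IP seen by a remote site."""
    wan = ipaddress.ip_address(wan_ip)
    pub = ipaddress.ip_address(public_ip)
    if wan.version != 4 or pub.version != 4:
        raise ValueError("this check only applies to IPv4 addresses")
    if wan == pub:
        return "public"
    if wan in CGNAT_SHARED:
        return "cgnat"
    if any(wan in net for net in RFC1918):
        return "private-upstream"
    return "mismatch"


if __name__ == "__main__":
    # Sample values taken from this article's examples.
    verdict = classify_wan("100.72.34.19", "49.37.243.134")
    print(verdict, "-", MEANING[verdict])
```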
1) Your Home Network (Your Intranet)
This is the only network that you truly own and control.
Example:
192.168.29.0/24
Your devices:
Laptop → 192.168.29.170
Phone → 192.168.29.47
TV → 192.168.29.71
Your router:
LAN IP → 192.168.29.1
This network is called a LAN (Local Area Network) or home intranet.
It is:
- Private
- Isolated
- Not visible on the internet
- Managed by your router via DHCP (Dynamic Host Configuration Protocol)
All your devices send traffic to the router as their default gateway.
2) Your Router (The Boundary Device)
Your router sits on the boundary between two different networks and forwards traffic between them.
It always has at least two IP addresses:
Router LAN IP (your intranet side)
192.168.29.1
Router WAN IP (ISP-side network)
100.72.34.19 (example CGNAT address)
This WAN IP is not public. It exists only inside your ISP’s internal network.
Your router performs:
- NAT (Network Address Translation)
- Firewall filtering
- Routing
- DHCP (Dynamic Host Configuration Protocol)
Your router is not connected directly to the public internet.
3) ISP Access Network (ISP Intranet)
Your ISP runs a massive private network that connects millions of routers.
This network uses private address ranges such as:
100.64.0.0 – 100.127.255.255 (CGNAT range)
10.0.0.0/8
172.16.0.0/12
Your router connects into this ISP intranet.
This is NOT the public internet yet.
4) ISP Edge Network (Where Public IP Exists)
At the edge of the ISP network sits a special router called:
CGNAT Gateway (Carrier Grade NAT)
This is where the public IP lives.
Example:
Public IPv4 → 49.37.243.134
This IP:
- Is owned by the ISP
- Is shared by thousands of customers
- Exists only on ISP edge routers
- Is never assigned to your router
Your router never “has” a public IPv4 in CGNAT setups.
5) The Public Internet
Once traffic leaves the ISP edge, it enters the global internet.
This is not one network — it is a collection of thousands of independent networks:
- Netflix network
- Google network
- Cloudflare network
- Amazon AWS network
- Akamai network
- Microsoft network
All connected together using BGP routing.
6) CDN Network (Content Delivery Network)
Most big websites do not serve you directly from their main servers.
They use a CDN.
A CDN is a separate global network of cache servers.
Examples:
- Cloudflare
- Akamai
- Fastly
- AWS CloudFront
CDN servers are placed near ISPs for speed.
Your traffic usually goes:
ISP → CDN Edge Server → Origin Server
CDN IP addresses are owned by CDN companies, not ISPs.
7) Origin Server Network
Behind the CDN is the real application:
- Google datacenters
- YouTube infrastructure
- Netflix backend
- API servers
These run inside large private datacenter intranets.
8) NAT and Port Translation (Important)
Your traffic does NOT keep the same ports end-to-end.
Each NAT layer rewrites ports.
Example flow:
Your Device:
192.168.29.170:50063
Router NAT:
100.72.34.19:61245
ISP CGNAT:
49.37.243.134:40211
Server sees:
49.37.243.134:40211
Ports change at:
- Router NAT
- ISP CGNAT
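This is why unsolicited inbound connections fail on IPv4 behind CGNAT: neither NAT layer has a translation entry that says which internal device the traffic belongs to.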
9) How HTTP/HTTPS Port Translation Works
Common Question: If HTTP uses port 80 and HTTPS uses port 443, how does NAT handle ports?
Answer: NAT only changes the source port, never the destination port.
Example: Visiting https://google.com
Layer 4 TCP Segment Structure:
Source IP:Port → Destination IP:Port
At Each Stage:
- Your Device Sends:
192.168.29.170:54892 → 142.250.185.46:443
- Source port: 54892 (random high port chosen by your OS)
- Destination port: 443 (HTTPS)
- After Router NAT:
100.72.34.19:61334 → 142.250.185.46:443
- Source port: Changed to 61334 (router’s random port)
- Destination port: Still 443 ✓
- After ISP CGNAT:
49.37.243.134:40211 → 142.250.185.46:443
- Source port: Changed to 40211 (CGNAT’s random port)
- Destination port: Still 443 ✓
Key Points:
- Destination port (80, 443, etc.) NEVER changes
- Source port changes at every NAT layer
- NAT maintains a translation table mapping internal to external source ports
- When the server replies, source and destination are reversed: the reply is addressed to the translated source port, and each NAT layer maps it back
Return Traffic:
Server sends: 142.250.185.46:443 → 49.37.243.134:40211
After CGNAT: 142.250.185.46:443 → 100.72.34.19:61334
After Router: 142.250.185.46:443 → 192.168.29.170:54892
Why This Matters:
- You can run local web servers on port 80/443
- Multiple devices can browse the same website simultaneously
- Each connection gets a unique source port for tracking
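The two translation tables from sections 8 and 9 can be modelled in a few lines. This is an added example, not code from the original article: `SourceNat`, `make_chain`, `send_out` and `deliver_in` are hypothetical names, ports are allocated sequentially starting at the article's sample values, and mappings are keyed on the full flow, which is a simplification of how real NAT devices behave.

```python
import itertools


class SourceNat:
    """Toy NAPT box: rewrites source IP:port outbound, reverses it for replies."""

    def __init__(self, external_ip, first_port):
        self.external_ip = external_ip
        self._next_port = itertools.count(first_port)  # real NATs pick ports differently
        self.out = {}   # (src_ip, src_port, dst_ip, dst_port) -> external port
        self.back = {}  # (external port, remote_ip, remote_port) -> (inside_ip, inside_port)

    def outbound(self, pkt):
        src_ip, src_port, dst_ip, dst_port = pkt
        if pkt not in self.out:
            port = next(self._next_port)
            self.out[pkt] = port
            self.back[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.external_ip, self.out[pkt], dst_ip, dst_port)  # destination untouched

    def inbound(self, pkt):
        src_ip, src_port, dst_ip, dst_port = pkt
        inside = self.back.get((dst_port, src_ip, src_port))
        if dst_ip != self.external_ip or inside is None:
            return None  # no table entry: unsolicited traffic is dropped
        return (src_ip, src_port, *inside)


def make_chain():
    # Addresses and first ports are the article's sample values.
    return [SourceNat("100.72.34.19", 61334),    # home router
            SourceNat("49.37.243.134", 40211)]   # ISP CGNAT gateway


def send_out(chain, pkt):
    for nat in chain:
        pkt = nat.outbound(pkt)
    return pkt


def deliver_in(chain, pkt):
    for nat in reversed(chain):
        pkt = nat.inbound(pkt)
        if pkt is None:
            return None
    return pkt


if __name__ == "__main__":
    chain = make_chain()
    print(send_out(chain, ("192.168.29.170", 54892, "142.250.185.46", 443)))
    print(deliver_in(chain, ("142.250.185.46", 443, "49.37.243.134", 40211)))
    print(deliver_in(chain, ("203.0.113.9", 51000, "49.37.243.134", 443)))
```

The third call uses a constructed remote address (203.0.113.9) that never received traffic from inside, so the CGNAT layer has no entry for it and nothing reaches the home network.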
10) How Many Intranets Exist?
There is not just one intranet.
There are many.
Each is isolated and privately routed.
| Network | Owner |
| --- | --- |
| Home LAN | You |
| ISP Access Network | ISP |
| ISP Core Network | ISP |
| ISP CGNAT Network | ISP |
| CDN Network | CDN company |
| Cloud Provider Network | Cloud company (e.g. Google, AWS) |
| Datacenter Network | Application owner |
The Correct End-to-End Diagram
Final Truth Summary (IPv4 CGNAT Scenario)
- Your router connects to two private networks
- Your ISP operates multiple private networks
- Public IPv4 exists only at ISP edge (CGNAT gateway)
- CDN is a separate network
- Source ports are rewritten at each NAT layer
- Destination ports (80, 443, etc.) remain unchanged
- The internet is a mesh of many intranets
⚠️ This flow differs significantly for:
- IPv6 connections (no NAT)
- Dedicated public IPv4 addresses
- Business/enterprise internet plans
One-Sentence Reality
Your router connects your home intranet to your ISP’s intranet, which then exits through the ISP’s edge into the public internet, reaches a CDN, and finally enters the application’s private datacenter network.
One Response
I’m not that much of an internet reader to be honest but your blog's really nice, keep it up! I’ll go ahead and bookmark your site to come back later on. All the best