Dynamic vs Static IP (+ CGNAT): Why Your IP Won’t Change and What to Do

Trying to change your IP address by restarting your router—only to find it stays the same? The answer usually comes down to dynamic vs static IP and something many people don’t realize exists: CGNAT (Carrier-Grade NAT). This guide explains what’s happening and what your real options are.

Dynamic IP vs static IP (the core difference)

• Dynamic IP: your ISP can change your public IP over time (common for home connections).
• Static IP: your ISP reserves a specific public IP for you (common for business plans or paid add-ons).

Why your IP sometimes changes (and sometimes doesn’t)

With a dynamic IP, your ISP assigns an address using a “lease.” Restarting your router might result in a new IP, but many ISPs will give you the same IP again unless the lease expires or the pool changes.

Common reasons you keep getting the same IP

• Your lease hasn’t expired, so the ISP reassigns the same IP.
• Your ISP uses sticky assignments tied to your modem/router identifier.
• You’re on CGNAT, so changes aren’t visible the way you expect.

What is CGNAT (Carrier-Grade NAT)?

CGNAT means your ISP puts many customers behind shared public IP addresses. Your home still has a private WAN address, and the ISP performs NAT at the carrier level. This is increasingly common due to IPv4 exhaustion.

How CGNAT affects you

• Port forwarding often won’t work for remote access (unless the ISP provides a workaround).
• Your “public IP” may appear shared or change behavior unexpectedly.
• Some services may rate-limit or flag shared IP ranges.

How to change your IP (realistic options)

Option A: Use a VPN (fastest)

A VPN replaces the public IP websites see with a VPN server IP. This is the quickest way to “change” your public IP for browsing and apps.

Option B: Ask your ISP for a real static IP

If you need inbound access (hosting, remote desktop, servers), a static IP is often the cleanest solution—especially if you are on CGNAT.

Option C: Wait longer than a quick reboot

Some ISPs require you to disconnect for longer (e.g., 30–60 minutes or more) before a lease changes. There’s no universal rule.

Option D: Change networks (temporary)

Using a mobile hotspot or a different Wi‑Fi network gives you a different public IP immediately.

When you should NOT chase an IP change

• If your goal is privacy: use a VPN instead of trying to “cycle” ISP IPs.
• If you’re trying to fix geo issues: read why IP location can be wrong.

How DHCP Works: Leases, Servers, and Why You Keep Getting the Same IP

DHCP (Dynamic Host Configuration Protocol) is the system that automatically assigns IP addresses to devices when they join a network. Without DHCP, every device would need manual IP configuration—impractical for modern networks with dozens of connected devices.

The DHCP process

When your device connects to a network, it broadcasts a DHCPDISCOVER message. The DHCP server (usually your router for home networks, or a dedicated server in corporate environments) responds with a DHCPOFFER containing an available IP address. Your device accepts with a DHCPREQUEST, and the server confirms with a DHCPACK. This four-step process is called the DORA handshake.

Lease time

Every DHCP assignment includes a lease time—how long the IP is reserved for that device. Home router defaults typically range from 24 hours to 7 days. When about 50% of the lease time passes, your device automatically tries to renew the same address. When the lease expires without renewal, the IP returns to the available pool.

Why you keep getting the same IP

DHCP servers track which MAC address last held each IP. When a device reconnects, the server checks its records—if the IP you previously held is still free and your lease record exists, the server re-offers the same address. Many routers (and ISP systems) use this "sticky" assignment behavior. The result: restarting your router for a "new" IP often just gives you the same IP because the lease is renewed, not expired. To force a new assignment, you need to either wait for the lease to expire, modify your device's MAC address, or ask the ISP to clear the lease server-side.

How to Detect CGNAT

The easiest way to know if you're behind CGNAT is to check your router's WAN IP address and compare it to your public IP.

Step 1: Find your router's WAN IP

Log into your router's admin panel (usually 192.168.1.1 or 192.168.0.1) and look for WAN Status, Internet Status, or Connection Info. The WAN IP is the address your ISP assigned to your router.

Step 2: Compare with your public IP

Check your public IP using our IP check tool. If the router's WAN IP matches the public IP shown, you have a normal connection. If they differ—or if the router's WAN IP falls in the 100.64.0.0/10 range (100.64.0.1 through 100.127.255.254)—you are behind CGNAT.

Business Use Cases for Static IP

A static IP isn't just for tech enthusiasts—it's a fundamental requirement for several common business applications:

Web hosting

If you host a website or application server at home or on business premises, you need a static IP so DNS A records can point to your server reliably. With a dynamic IP, your site goes offline every time your IP changes unless you use dynamic DNS (DDNS) services—which add latency and complexity.

SSL/TLS certificates

Domain-validated SSL certificates (Let's Encrypt, DigiCert, etc.) are tied to a domain name, not an IP—but the domain must resolve to your server's IP. With a dynamic IP and DDNS, certificate validation still works, but the propagation delay when your IP changes can cause brief outages. Static IPs eliminate this complexity. Use our SSL Checker to verify certificate status.

Email servers

Running your own mail server requires a static IP for several reasons: reverse DNS (PTR records) must match your sending IP, most email blacklists track IPs rather than domains, and major mail providers (Gmail, Microsoft 365) reject mail from IPs without valid reverse DNS or from dynamic IP ranges. Check your IP's email reputation with our IP Blacklist Checker.

Remote access and VPN servers

Corporate VPNs, remote desktop gateways, and SSH servers need a stable address that employees and scripts can connect to. A changing IP requires constant reconfiguration. Static IPs or DDNS (with static IP preferred) solve this.

VPNs and the Static vs Dynamic IP Question

A commercial VPN gives you an interesting middle ground: your home IP can remain dynamic and even CGNAT-obscured, but your internet traffic appears to originate from the VPN server's IP. From a functional standpoint, you effectively get a "static" outgoing IP—one of the VPN provider's pool of addresses that stays consistent as long as you connect to the same server.

Some VPN providers offer dedicated IP addresses—a static IP that's assigned only to you, not shared with other VPN users. These are useful for accessing services that block shared VPN IPs or for setting up firewall allowlists. Mullvad, ProtonVPN, NordVPN, and Private Internet Access all offer dedicated IP options at a premium.

The important distinction: a VPN with a dedicated IP gives you a predictable, static outgoing IP. It doesn't help with inbound connections (port forwarding) unless the VPN explicitly offers that feature—more on this below.

How to Change Your IP Legitimately

Beyond using a VPN, here are the practical methods to change your public IP at the ISP level:

MAC address cloning

ISPs often assign IPs based on the MAC address of the first device that connected to the modem. If you change (clone) your router's MAC address in the router's WAN settings, the ISP may treat it as a new customer device and issue a fresh IP. This works with some ISPs and fails silently with others—there's no harm in trying.

Long disconnect

Power off your modem (not just the router) for longer than your ISP's DHCP lease time—often 8–24 hours for residential connections. This is inconvenient but sometimes the only way to force a new assignment without hardware changes or ISP intervention.

Request from ISP

You can call your ISP and ask them to release and renew your IP lease. Support agents can often do this remotely in a few minutes. Some ISPs will also put a note to avoid re-assigning the same IP for a period. If you want a truly static IP, ask about their business tier or static IP add-on—prices vary from $5–$25/month depending on the provider.

New router or modem

If your IP is sticky to your modem's MAC address, connecting a different modem or router may trigger a new assignment. This is most effective after a full disconnect period so the old lease expires before the new device connects.

IPv6 and CGNAT: Does IPv6 Solve the Problem?

Theoretically, yes—and in practice, increasingly so. IPv6 was designed to eliminate the need for NAT entirely by giving every device its own globally routable address. If your ISP provides native IPv6, you can receive inbound IPv6 connections directly to your devices without any NAT traversal, UPnP, or port forwarding.

However, the practical reality in 2026 is mixed:

• Not all ISPs offer native IPv6, or offer it only on newer plans
• Many services and applications still don't support IPv6 connections from outside clients
• Firewall configuration for IPv6 requires more explicit rules (since there's no NAT providing implicit blocking)
• Mobile networks often use IPv6 for outbound but still use NAT64 for reaching IPv4-only services, and inbound IPv6 may be firewall-blocked

If you need inbound connectivity today, combining IPv6 with proper firewall rules is the cleanest solution where available. See our IPv4 vs IPv6 guide for more detail on how IPv6 addressing works.

Port Forwarding Under CGNAT: Why It Fails and Workarounds

Under standard CGNAT, your router's WAN IP is a private address inside the carrier's network. When you set up port forwarding on your router, you're telling it how to direct inbound traffic—but inbound traffic from the public internet never reaches your router's WAN IP because the ISP's CGNAT layer doesn't know about your forwarding rules. The packets stop at the carrier's NAT gateway.

Workaround 1: VPN with port forwarding support

Some VPN providers (AirVPN, Mullvad with port forwarding, PIA) allow you to request a port to be forwarded on their VPN server's public IP. When this port receives traffic, the VPN tunnel carries it to your device. This effectively gives you publicly reachable inbound connectivity even behind CGNAT. Verify the port is reachable with our Port Scanner.

Workaround 2: Reverse tunnel (SSH/ngrok/frp)

A reverse tunnel works by having your home machine initiate an outbound connection to a public-facing server, then having that server forward inbound requests back through the established tunnel. Tools like ngrok, frp, or a simple SSH reverse tunnel (ssh -R 8080:localhost:80 user@publicserver.com) achieve this. You need a small VPS or cloud instance with a public IP to act as the relay. This is the most flexible workaround but requires some technical setup.

Workaround 3: Cloudflare Tunnel

Cloudflare Tunnel (formerly Argo Tunnel) is a free service that creates an encrypted tunnel from your home machine to Cloudflare's edge network. Your services become accessible via a Cloudflare-assigned hostname without any inbound firewall rules or public IP. It's free for personal use, handles HTTPS termination automatically, and works behind even the strictest CGNAT. The limitation: all traffic routes through Cloudflare, so it's not suitable if you need direct peer-to-peer connectivity.

Frequently Asked Questions

Is CGNAT bad?

For most users, CGNAT is invisible and causes no problems—web browsing, streaming, video calls, and gaming all work fine because they initiate outbound connections. The issues arise specifically when you need inbound connections: hosting servers, port forwarding for games, remote desktop, P2P seeding, and self-hosting applications. If you don't need any of those, CGNAT has no practical downside.

How do I know if I'm behind CGNAT?

Check your router's WAN IP address in the admin panel. If it's in the 100.64.0.0/10 range (100.64.x.x through 100.127.x.x), you're behind CGNAT. Alternatively, check whether the IP shown on our IP tool matches your router's WAN IP—if they differ, there's a NAT layer between you and the internet.

Can I get a static IP for free?

Not from residential ISPs—static IPs are almost always a paid business add-on. However, you can achieve a functionally static outbound IP for free by using a VPN (with a consistent server selection) or by using a free dynamic DNS service combined with a long-lived DHCP assignment. For inbound access, Cloudflare Tunnel is genuinely free for personal use and provides a stable hostname backed by Cloudflare's infrastructure. If you specifically need a static public IP address rather than just a stable hostname, a VPS (virtual private server) from cloud providers typically costs $3–$6/month and gives you full control over a dedicated public IP.