CGNAT conflicts with ISP or other VPN using 100.64.0.0/10
criticalConnection ManagementUpdated Jan 5, 2026(via Exa)
Technologies:
How to detect:
CGNAT conflicts occur when ISP or other VPN also uses the 100.64.0.0/10 subnet range (100.64.0.0 to 100.127.255.255), conflicting with Tailscale's 100.x.y.z addressing
Recommended action:
Disable IPv4 selectively using node attribute 'disable-ipv4' in ACL policy or tailnet-wide by applying to target '*'. Be aware this prevents accessing IPv4-only resources like IPv4-only exit nodes.