Troubleshoot CGNAT conflicts
Tailscale assigns each device in your tailnet a unique 100.x.y.z IP address. These addresses come from the carrier-grade NAT (CGNAT) address space, which RFC 6598 (IANA-Reserved IPv4 Prefix for Shared Address Space) reserves. CGNAT conflicts can arise, for example, if your internet service provider (ISP) or another VPN also uses the 100.64.0.0/10 subnet (from 100.64.0.0 to 100.127.255.255).
If you are experiencing CGNAT conflicts, you can disable IPv4 in your tailnet. This will cause Tailscale to use IPv6 only. Be aware that disabling IPv4 will prevent you from accessing IPv4-only resources on your network. For example, IPv4-only exit nodes will not be accessible.
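One way to check a Linux host for the overlap described above before disabling IPv4, as an added example that is not from Tailscale's documentation: it scans `ip -4 route show` style lines for non-Tailscale routes that overlap 100.64.0.0/10. The sample routes are constructed, and the interface name `tailscale0` is an assumption about the host.

```python
import ipaddress

# RFC 6598 shared address space, the range this page says Tailscale uses.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample in the style of `ip -4 route show` output (not real data).
SAMPLE_ROUTES = [
    "default via 192.168.1.1 dev eth0 proto dhcp metric 100",
    "100.72.16.0/24 dev eth0 proto kernel scope link src 100.72.16.5",
    "100.64.0.0/10 dev wg0 scope link",
    "100.101.102.103 dev tailscale0 table 52",
    "192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20",
    "100.128.0.0/24 dev eth1 scope link",
]

def parse_route(line):
    """Return (network, interface) for one route line, or None if it has no IPv4 prefix."""
    fields = line.split()
    net = None
    for token in fields[:2]:  # the prefix may follow a route type such as "unreachable"
        try:
            net = ipaddress.ip_network(token, strict=False)
            break
        except ValueError:
            continue
    if net is None or net.version != 4:
        return None
    iface = fields[fields.index("dev") + 1] if "dev" in fields[:-1] else None
    return net, iface

def find_cgnat_conflicts(route_lines, tailscale_ifaces=("tailscale0",)):
    """List (prefix, interface) for routes outside Tailscale that overlap 100.64.0.0/10."""
    conflicts = []
    for line in route_lines:
        parsed = parse_route(line)
        if parsed is None:
            continue
        net, iface = parsed
        # Assumption: routes on these interfaces belong to Tailscale itself.
        # A /0 default route covers every address, so it is not a CGNAT-specific conflict.
        if iface in tailscale_ifaces or net.prefixlen == 0:
            continue
        if net.overlaps(CGNAT):
            conflicts.append((str(net), iface))
    return conflicts

if __name__ == "__main__":
    for prefix, iface in find_cgnat_conflicts(SAMPLE_ROUTES):
        print(f"possible CGNAT conflict: {prefix} via {iface}")
```

An empty result means no route on the host overlaps the range; any reported prefix identifies the ISP or VPN interface to investigate.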
Selectively disable IPv4
To selectively disable IPv4, apply the disable-ipv4 node attribute to the targets that require it in your tailnet's access control policies:
{
  "nodeAttrs": [
    {
      "target": ["tag:lab-foo"],
      "attr": ["disable-ipv4"],
    },
  ]
}
You can use the visual policy editor to manage your tailnet policy file. Refer to the visual editor reference for guidance on using the visual editor.
Disable IPv4 tailnet-wide
To disable IPv4 tailnet-wide, apply the disable-ipv4 node attribute to all targets in your tailnet's access control policies:
{
  "nodeAttrs": [
    {
      "target": ["*"],
      "attr": ["disable-ipv4"],
    },
  ]
}
You can use the visual policy editor to manage your tailnet policy file. Refer to the visual editor reference for guidance on using the visual editor.