> it’s no longer possible thanks to a cursed thing called CGNAT

As someone who does publicly expose services that have auth, why does CGNAT make exposing ports publicly bad?

It makes it impossible, because your modem/router no longer has a public IP that you can connect to from the internet.


FYI my ISP (Aussie Broadband) will put you on a non-CGNAT subnet if you call and ask.

Tailscale is a better idea.


My ISP (USA, Metronet) will give you a static IP (instead of their CGNAT) for $10/mo which I happily pay.

Tailscale is great but direct is always better IMHO.


Not bad, impossible; it is NAT over which you have no control and thus cannot forward ports.


Other replies explained the why, though CGNAT wouldn’t be a problem if you also had IPv6.

Luckily for me I have a regular IPv4 address, but if that ever changed I’d be out of luck unless my ISP (Quantum Fiber) implemented a proper IPv6 solution.
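As an added illustration (not code from any commenter in this thread), a small Python check that classifies a router's WAN address the way these replies describe: an address in the RFC 6598 shared space (100.64.0.0/10) means the ISP is doing CGNAT upstream and no port forward on your router can reach the internet, while a global unicast IPv6 address is reachable end to end without any NAT. The sample addresses are constructed, not taken from the thread.

```python
import ipaddress

# RFC 6598 shared address space: what a CGNAT-ed router sees on its WAN side.
CGNAT_SPACE = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private space: a WAN address here means another NAT box sits upstream.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# IPv6 global unicast range: routable end to end, so no port forwarding needed.
IPV6_GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")


def classify_wan(wan_addr: str, observed_addr: str) -> str:
    """Compare the router's WAN-side IPv4 address with the address the public
    internet reports for this connection (e.g. from a 'what is my IP' lookup).

    "direct"     WAN address is public and matches what the world sees;
                 inbound port forwarding on this router can work.
    "cgnat"      WAN address is in 100.64.0.0/10: the ISP translates again
                 upstream, so you cannot forward ports through it.
    "double-nat" WAN address is RFC 1918 private space: another NAT device
                 (yours or the ISP's) is in front of this router.
    "mismatch"   WAN address is public but differs from the observed one;
                 something upstream is still rewriting the source address.
    """
    wan = ipaddress.ip_address(wan_addr)
    observed = ipaddress.ip_address(observed_addr)
    if wan.version != 4:
        raise ValueError("classify_wan expects IPv4; use ipv6_reachable for v6")
    if wan in CGNAT_SPACE:
        return "cgnat"
    if any(wan in net for net in RFC1918):
        return "double-nat"
    return "direct" if wan == observed else "mismatch"


def ipv6_reachable(addr: str) -> bool:
    """True when addr is a global unicast IPv6 address (2000::/3); link-local
    (fe80::/10) and ULA (fc00::/7) addresses are not reachable from outside."""
    a = ipaddress.ip_address(addr)
    return a.version == 6 and a in IPV6_GLOBAL_UNICAST


# Constructed sample inputs (documentation ranges, not real addresses).
SAMPLES = [
    ("100.72.15.9", "203.0.113.41"),   # CGNAT: WAN in shared space
    ("192.168.1.2", "203.0.113.41"),   # double NAT: WAN behind an RFC 1918 router
    ("203.0.113.41", "203.0.113.41"),  # direct: router holds the public address
]

if __name__ == "__main__":
    for wan, seen in SAMPLES:
        print(f"{wan:>15} vs {seen:<15} -> {classify_wan(wan, seen)}")
    print("2001:db8::1 reachable over IPv6:", ipv6_reachable("2001:db8::1"))
```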


I have Quantum Fiber in Colorado and enabled IPv6 on the old CenturyLink C4000XG modem following these directions: https://www.centurylink.com/home/help/internet/modems-and-ro...


That uses 6rd, which is typically slow (since it basically proxies through an IPv4->IPv6 bridge), and in my case it worked on their provided router but not with OPNsense.


CGNAT isn't used with IPv6, right?


I’m not an expert on this but I can’t imagine why it would be deployed that way given the complexity it adds.
