My IP Help

NAT

Also known as: Network Address Translation

Network Address Translation — a technique that lets many devices on a private network share a single public IP address by rewriting source addresses and ports on outbound traffic.

Last updated:

What is NAT?

NAT (Network Address Translation) is a technique performed by routers that lets many devices on a private network share a single public IP address. Without NAT, each device would need its own globally routable IP, which IPv4 simply cannot provide — the 4.3 billion IPv4 addresses were exhausted in the 2010s. NAT is the reason your laptop, phone, smart TV, and every IoT device on your home Wi-Fi can reach the internet while the outside world sees just one public address.

How NAT works

When a device on the private network (e.g. 192.168.1.50) opens a connection to an external server, the NAT router:

  1. Rewrites the source IP on the outgoing packet from 192.168.1.50 to the router's public IP
  2. Rewrites the source port to a unique port on the router (e.g. 52341)
  3. Records the mapping in its NAT table: 192.168.1.50:random_port ↔ public_ip:52341
  4. Reverses the rewrite on reply packets, so the response reaches the correct internal device

This specific variant — translating both address and port — is called PAT (Port Address Translation) or NAPT (Network Address Port Translation), and it's what virtually every home and office router uses.

Consequences of NAT

NAT works well for client-initiated traffic but complicates protocols that need inbound connections:

  • Hosting a server from behind NAT requires port forwarding rules
  • Peer-to-peer protocols (VoIP, gaming, WebRTC) need NAT traversal techniques like STUN, TURN, and ICE
  • End-to-end encryption and connection identity become harder — many clients behind the same NAT look like one client from outside
  • Logging and abuse reporting are muddied — a public IP doesn't uniquely identify a user when shared across hundreds of customers (CGNAT makes this much worse)

IPv6 was designed to eliminate the need for NAT by providing enough addresses for every device to have its own, but IPv4 plus NAT will remain the dominant deployment for years to come.

Frequently Asked Questions

Strictly, NAT translates only the IP address; PAT (Port Address Translation, also called NAPT) translates both the IP address and the port. In casual usage "NAT" almost always means PAT — the single-public-IP-shared-by-many-devices setup that every home router runs. Pure address-only NAT exists only in older or specialized configurations; the rest of the time the port is being rewritten too.
Double NAT is when traffic passes through two NAT routers — for example, an ISP-provided modem-router with NAT, behind which sits a separate Wi-Fi router that also runs NAT. It usually still works for normal browsing but breaks port forwarding, makes peer-to-peer protocols (gaming, VoIP, WebRTC) fail more often, and complicates remote access. The fix is to put one router into bridge mode so only one NAT layer is active.
CGNAT is when an ISP runs NAT at its own scale, sharing one public IPv4 address among hundreds of customers. ISPs use it because IPv4 addresses are scarce and expensive. CGNAT breaks inbound services for affected customers (no port forwarding, no self-hosted servers), makes IP-based abuse logging useless (one IP = many users), and is one of the strongest pressures pushing IPv6 deployment.
Generally no. IPv6 was designed with enough address space (2^128 addresses) for every device on earth to have its own globally routable address, eliminating the original reason for NAT. Most IPv6 deployments give every device a public address and rely on a stateful firewall instead of NAT for inbound filtering. NAT66 (IPv6-to-IPv6 NAT) exists for niche cases like multi-homing without BGP, but it is rare and discouraged by IETF guidance.
Both rely on inbound or peer-to-peer connections that NAT does not naturally allow. Modern games and VoIP apps work around this with NAT traversal techniques — STUN to discover the public IP/port, TURN to relay traffic through a third-party server when STUN fails, and ICE to combine the two. When you see "moderate" or "strict" NAT in a console's network test, the device has measured how cleanly its NAT lets peer connections through.
Back to glossary