
What Is NAT? How Your Router Lies to the Internet

nat networking router ip address infrastructure

NAT (Network Address Translation) is the technology that allows multiple devices on a private network to share a single public IP address when accessing the internet. Your router performs NAT every single time any device in your house goes online. It rewrites the source address on outgoing packets (replacing your device’s private IP with the router’s public IP) and reverses the process for incoming responses. NAT is the reason a household with thirty connected devices doesn’t need thirty public IP addresses. It’s also, in a very real sense, the reason the internet hasn’t collapsed under the weight of IPv4 address exhaustion.

Why NAT Exists

The story is simple: we ran out of IP addresses. IPv4 provides roughly 4.3 billion addresses. With vastly more devices than that connected to the internet, something had to give. NAT was the workaround.

Before NAT (first described in RFC 1631 in 1994), every device connecting to the internet needed its own globally unique IP address. When a university wanted to connect 1,000 computers, it needed 1,000 public IPs. The math was already getting uncomfortable, and this was before the web even took off.

RFC 1918 (published in 1996, replacing RFC 1597 from 1994) formalized the private address spaces 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, and NAT made them useful by allowing private addresses to reach the public internet through a single public IP.

NAT was supposed to be temporary. A bridge solution until IPv6 arrived and gave us effectively unlimited addresses. That was 1996. We’re still bridging. IPv6 deployment is somewhere around 45% globally, and full IPv4 retirement is probably another decade away at minimum. So NAT is pretty firmly a permanent fixture of the internet at this point.

How NAT Actually Works

Let’s trace what happens when your laptop visits a website:

Outbound Traffic

  1. Your laptop (192.168.1.5) sends a request to 142.250.80.46 (Google), using source port 54321
  2. The router intercepts the packet
  3. Router rewrites the source address: 192.168.1.5:54321 becomes 198.51.100.27:12345 (your public IP, shown here with an RFC 5737 documentation address, and a new port; many routers keep the original port when no other device is already using it and only pick a fresh one on a collision)
  4. Router writes this mapping in its NAT table: 192.168.1.5:54321 ↔ 198.51.100.27:12345, together with the remote endpoint 142.250.80.46:443
  5. Packet goes out to the internet with the public IP as the source

Inbound Response

  1. Google responds to 198.51.100.27:12345
  2. Router receives the packet and checks its NAT table
  3. Finds the mapping: port 12345 belongs to 192.168.1.5:54321 (a strict NAT also checks that the reply came from 142.250.80.46:443, the remote endpoint recorded in step 4 above, before accepting it)
  4. Rewrites the destination address back to 192.168.1.5:54321
  5. Forwards the packet to your laptop

This happens for every single connection. When you’re browsing the web, your router might be managing hundreds or thousands of simultaneous NAT mappings across all your devices. Loading a single modern web page can involve 100+ separate connections. Your router usually handles all of this without breaking a sweat, but its state table is finite: a device opening thousands of short-lived flows at once (a busy torrent client, a port scanner, a worm) can fill it, and once the table is full new connections simply fail until old entries time out.
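To make the table mechanics concrete, here is a toy stateful NAT in Python. This is an added example for this article, not any router's code. It replays the outbound and inbound steps above with the same addresses (taking the router's public address as 198.51.100.27, from the RFC 5737 documentation range), then shows three things the walkthrough only implies: what happens when a second device picks the same source port, what happens to an unsolicited packet aimed at the open external port, and how a symmetric NAT (RFC 4787 "address-and-port-dependent mapping") hands the same inside socket a different external port for every destination. Port preservation, the ephemeral range starting at 1024 and matching replies on the full 5-tuple are assumptions modelled on Linux conntrack behaviour.

```python
"""Toy stateful source NAT (masquerading) modelling the walkthrough above.

Added example for this article, not a vendor's implementation. The LAN host,
the Google address and the port numbers come from the text; the router's
public address is 198.51.100.27 (RFC 5737 documentation space). Port
preservation, the ephemeral range and the table layout are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

PUBLIC_IP = "198.51.100.27"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Nat:
    # RFC 4787 mapping behaviour. "independent": one external port per inside
    # socket, whatever the destination (what STUN needs). "dependent": a fresh
    # external port per destination, i.e. symmetric NAT.
    mapping: str = "independent"
    _out: dict = field(default_factory=dict)   # inside socket (+dest) -> ext port
    _in: dict = field(default_factory=dict)    # (proto, ext port, remote) -> inside
    _used: set = field(default_factory=set)    # external ports currently in use
    _next_ephemeral: int = 1024

    def _allocate(self, preferred: int) -> int:
        # Port preservation: keep the inside port unless another host holds it.
        if preferred not in self._used:
            self._used.add(preferred)
            return preferred
        while self._next_ephemeral in self._used:
            self._next_ephemeral += 1
        self._used.add(self._next_ephemeral)
        return self._next_ephemeral

    def translate_out(self, pkt: Packet) -> Packet:
        """LAN -> WAN: rewrite the source and record state for the reply."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if self.mapping == "dependent":
            key += (pkt.dst_ip, pkt.dst_port)
        ext_port = self._out.get(key)
        if ext_port is None:
            ext_port = self._allocate(pkt.src_port)
            self._out[key] = ext_port
        # The reply-side entry keys on the remote endpoint as well, as Linux
        # conntrack does, so only the host we talked to can use this hole.
        self._in[(pkt.proto, ext_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(PUBLIC_IP, ext_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: forward only if the packet matches recorded state."""
        inside = self._in.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None          # unsolicited: no mapping, silently dropped
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1], pkt.proto)


def walk_through() -> dict:
    """Replays the article's example plus the edge cases; returns the results."""
    nat = Nat()
    request = Packet("192.168.1.5", 54321, "142.250.80.46", 443)
    outbound = nat.translate_out(request)
    reply = Packet("142.250.80.46", 443, PUBLIC_IP, outbound.src_port)
    inbound = nat.translate_in(reply)
    # A second LAN host happens to pick the same source port: it cannot share
    # the external port, so it is handed an ephemeral one instead.
    collided = nat.translate_out(Packet("192.168.1.6", 54321, "142.250.80.46", 443))
    # A scanner on the internet aims at the open external port: no state, dropped.
    probe = nat.translate_in(Packet("203.0.113.9", 40000, PUBLIC_IP, outbound.src_port))
    # Symmetric NAT: same inside socket, two destinations, two external ports.
    sym = Nat(mapping="dependent")
    a = sym.translate_out(Packet("192.168.1.5", 54321, "142.250.80.46", 443))
    b = sym.translate_out(Packet("192.168.1.5", 54321, "198.51.100.99", 3478))
    return {"outbound": outbound, "inbound": inbound, "collided": collided,
            "probe": probe, "symmetric_ports": (a.src_port, b.src_port)}


if __name__ == "__main__":
    for name, value in walk_through().items():
        print(f"{name}: {value}")
```

The `probe` result is the whole "NAT as accidental firewall" story in one line: the packet is dropped not because anything inspected it, but because no state existed for it. The `symmetric_ports` result is why plain STUN cannot help a host behind a symmetric NAT, a point the traversal section below comes back to.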

Types of NAT

Source NAT (SNAT) / Masquerading

The most common type. This is what home routers do: many private IPs masquerading behind one public IP. Also called “IP masquerading” in Linux firewall terminology (the MASQUERADE target in iptables, `masquerade` in nftables): a SNAT variant that reads the source address from the outgoing interface at translation time, so the rule keeps working when your ISP hands you a new WAN address.

Destination NAT (DNAT) / Port Forwarding

The reverse: incoming connections to your public IP on a specific port get forwarded to a specific device on your private network. This is port forwarding. If you’re running a game server on your PC, you’d configure DNAT to forward traffic on the game’s port to your PC’s private IP. Every forwarded port exposes that device to the whole internet on that port, so it deserves the same patching and hardening you’d give any public server.

Carrier-Grade NAT (CGNAT)

NAT but even more aggressive. Your ISP puts multiple customers behind a single public IP using NAT at their end, before your traffic even reaches your own router. This means you’re behind two layers of NAT. CGNAT is becoming increasingly common as IPv4 addresses become scarce.

CGNAT is usually identified by the 100.64.0.0/10 shared address range (RFC 6598) on your router’s WAN interface. If your router’s WAN IP is in that range, you’re behind CGNAT. If it’s in RFC 1918 space instead (10.x, 172.16-31.x, 192.168.x), there is another NAT device upstream of your router, typically an ISP modem/router combo (double NAT). You can also compare your router’s WAN IP with the public IP shown at whatismyip.technology: if they differ, something upstream is translating your traffic, but that could be CGNAT running out of ordinary public addresses rather than 100.64.0.0/10, or a VPN or proxy in the path, so the WAN address range is the more reliable tell.
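The check above, written out as a small diagnostic. This is an added example for this article, not code from the page or from the linked tool; the addresses in the demo are constructed from RFC 5737, RFC 1918 and RFC 6598 space, and the verdict strings are this example's own vocabulary.

```python
"""Turn the CGNAT / double-NAT check described above into a diagnostic.

Added example for this article, not code from the page. Demo addresses are
constructed from RFC 5737 (documentation), RFC 1918 (private) and RFC 6598
(shared) space; the verdict strings are this example's own.
"""
import ipaddress

RFC1918_PRIVATE = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC6598_SHARED = ipaddress.ip_network("100.64.0.0/10")   # carrier-grade NAT space


def classify(addr: str) -> str:
    """'shared', 'private', 'public' or 'ipv6' for an address string."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return "ipv6"                 # CGNAT is an IPv4 problem
    # Checked explicitly: the stdlib reports 100.64.0.0/10 as neither
    # is_private nor is_global, so relying on those flags misclassifies it.
    if ip in RFC6598_SHARED:
        return "shared"
    if any(ip in net for net in RFC1918_PRIVATE):
        return "private"
    return "public"


def diagnose(router_wan_ip: str, observed_public_ip: str) -> str:
    """Compare what the router sees on its WAN port with what the internet sees."""
    kind = classify(router_wan_ip)
    if kind == "shared":
        return "cgnat"                # RFC 6598 address on the WAN: ISP-side NAT
    if kind == "private":
        return "double-nat"           # another NAT device (ISP modem/router) upstream
    same = ipaddress.ip_address(router_wan_ip) == ipaddress.ip_address(observed_public_ip)
    if same:
        return "no-upstream-nat"      # your router is the only translator
    # Routable WAN address, yet the internet sees a different one: the ISP may
    # run CGNAT out of ordinary public space, or a VPN/proxy sits in the path.
    return "translated-upstream"


if __name__ == "__main__":
    cases = (("100.64.3.7", "203.0.113.5"), ("192.168.0.2", "203.0.113.5"),
             ("203.0.113.5", "203.0.113.5"), ("203.0.113.5", "203.0.113.77"))
    for wan, seen in cases:
        print(f"WAN {wan:<14} internet sees {seen:<14} -> {diagnose(wan, seen)}")
```

The "translated-upstream" verdict is deliberately non-committal: a public WAN address that differs from what the internet sees is evidence of translation, not proof of CGNAT.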

NAT Hairpinning (NAT Loopback)

When a device on your network tries to access a service on the same network using the public IP. For example, your phone trying to reach your home server using the external domain name. The traffic goes to the router, which realizes the destination is actually internal and “hairpins” it back to the local network, applying both the DNAT and a SNAT so the replies flow back through it. Not all routers support this gracefully; the usual workaround is split-horizon DNS, where the LAN resolver answers with the server’s private address.

NAT Traversal: Getting Around the Limitations

NAT creates a fundamental problem: it breaks the end-to-end connectivity model of the internet. Two devices behind different NATs can’t directly connect to each other because neither side can receive unsolicited inbound connections.

This is a major pain point for:

  • Online gaming (peer-to-peer matchmaking)
  • VoIP and video calling
  • BitTorrent and P2P file sharing
  • Remote desktop and screen sharing
  • IoT devices needing inbound connections

Several techniques exist to work around this:

UPnP (Universal Plug and Play): Applications automatically ask the router to create port forwarding rules through the Internet Gateway Device (IGD) protocol. Convenient, but IGD has no authentication: any process on your network that can send the router a SOAP request, malware included, can open inbound holes to any internal host. Many security experts recommend disabling UPnP.

STUN (Session Traversal Utilities for NAT, RFC 5389, now RFC 8489): A protocol that lets a device learn the public IP and port its NAT has assigned to a socket by asking an external STUN server what source endpoint it sees, so the device can hand that endpoint to a peer. It works when the NAT gives a socket the same external mapping regardless of destination (endpoint-independent mapping). It fails with symmetric NAT, which allocates a different external port per destination, so the mapping the STUN server observed is not the one the peer’s traffic would arrive at.
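The STUN Binding exchange, both sides, so it can be replayed offline. This is an added example for this article, not code from the page or from any STUN implementation. The "server" here observes the translated endpoint 198.51.100.27:12345 from the walkthrough above, a constructed value; a `discover()` helper at the end does the real UDP query but needs network access and is not exercised by the offline demo.

```python
"""STUN Binding exchange (RFC 5389 / RFC 8489): the client asks an outside
server "what address and port do you see me as?" and the server answers
with the observed endpoint, XOR-encoded so that NAT ALGs rewriting IP
literals in payloads do not corrupt it in flight.

Added example for this article, not code from the page. Both sides are
written out so the exchange runs offline; 198.51.100.27:12345 is the
constructed endpoint the NAT assigned in the walkthrough above.
"""
import ipaddress
import os
import socket
import struct
from typing import Optional, Tuple

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
FAMILY_IPV4, FAMILY_IPV6 = 0x01, 0x02


def build_binding_request(txid: Optional[bytes] = None) -> bytes:
    """20-byte header, no attributes. txid is 96 bits of randomness."""
    txid = txid if txid is not None else os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def build_binding_response(txid: bytes, seen_ip: str, seen_port: int) -> bytes:
    """What a STUN server sends back for the source endpoint it observed."""
    ip = ipaddress.ip_address(seen_ip)
    xport = seen_port ^ (MAGIC_COOKIE >> 16)
    if ip.version == 4:
        xaddr = struct.pack("!I", int(ip) ^ MAGIC_COOKIE)
        family = FAMILY_IPV4
    else:  # IPv6 XORs against cookie || transaction id (RFC 5389 s.15.2)
        key = struct.pack("!I", MAGIC_COOKIE) + txid
        xaddr = bytes(a ^ b for a, b in zip(ip.packed, key))
        family = FAMILY_IPV6
    value = struct.pack("!xBH", family, xport) + xaddr
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def parse_binding_response(data: bytes, txid: bytes) -> Tuple[str, int]:
    """Validate the header, bind it to our transaction, return (ip, port)."""
    if len(data) < 20:
        raise ValueError("truncated STUN header")
    mtype, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or data[8:20] != txid:
        raise ValueError("not a reply to our transaction")   # spoofed or stale
    if mtype != BINDING_SUCCESS:
        raise ValueError(f"unexpected message type 0x{mtype:04x}")
    if len(data) != 20 + length:
        raise ValueError("length field disagrees with datagram size")
    body, off = data[20:], 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        off += 4 + ((alen + 3) & ~3)           # attributes are padded to 32 bits
        if atype != ATTR_XOR_MAPPED_ADDRESS:
            continue                             # skip SOFTWARE, FINGERPRINT, ...
        family, xport = struct.unpack("!xBH", value[:4])
        port = xport ^ (MAGIC_COOKIE >> 16)
        if family == FAMILY_IPV4:
            addr = ipaddress.IPv4Address(struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE)
        elif family == FAMILY_IPV6:
            key = struct.pack("!I", MAGIC_COOKIE) + txid
            addr = ipaddress.IPv6Address(bytes(a ^ b for a, b in zip(value[4:20], key)))
        else:
            raise ValueError(f"unknown address family {family}")
        return str(addr), port
    raise ValueError("no XOR-MAPPED-ADDRESS in response")


def simulated_exchange() -> Tuple[str, int]:
    """Offline replay: the NAT turned 192.168.1.5:54321 into 198.51.100.27:12345,
    so that is the source the server observes and echoes back."""
    txid = os.urandom(12)
    build_binding_request(txid)      # what would leave the client socket
    response = build_binding_response(txid, "198.51.100.27", 12345)
    return parse_binding_response(response, txid)


def discover(server: str, port: int = 3478, timeout: float = 2.0) -> Tuple[str, int]:
    """Real query against a STUN server over UDP (needs network; not run here)."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_binding_request(txid), (server, port))
        data, _ = sock.recvfrom(1500)
    return parse_binding_response(data, txid)


if __name__ == "__main__":
    print(simulated_exchange())
```

Two details matter for security rather than connectivity: the parser refuses any datagram whose transaction ID is not the one it sent, so an attacker on the path cannot feed the client a fake "public" endpoint without first guessing 96 random bits, and every length field is checked against the bytes actually received before slicing.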

TURN (Traversal Using Relays around NAT): When direct peer-to-peer connection is impossible, traffic is relayed through a TURN server. This always works but adds latency and requires the TURN server to handle all the traffic.

ICE (Interactive Connectivity Establishment): Combines STUN and TURN to find the best possible connection path. Used by WebRTC (video calls in your browser), Discord, Zoom, and most modern communication apps.

Port forwarding remains the manual but reliable option. You configure your router to forward specific ports to specific devices. This is what gamers and server operators have been doing for decades. It’s tedious but predictable, and it has the virtue that you know exactly which ports are open and to which host, which neither UPnP nor hole punching gives you.

NAT and Security

NAT provides a kind of incidental security benefit. Because your router only forwards inbound traffic that matches an existing NAT table entry, random unsolicited connections from the internet are essentially blocked. How strictly it matches (just the external port, or the remote address and port too) depends on the NAT’s filtering behaviour in RFC 4787 terms; a permissive “full cone” NAT lets any host on the internet reach a mapped port once it exists. An attacker on the internet can’t just connect to 192.168.1.5 because that address doesn’t exist on the public internet.

But don’t mistake this for real security:

  • NAT doesn’t inspect traffic content. Malware, viruses, and exploits in received data pass right through.
  • Any outbound connection creates a NAT entry that allows responses. If a device on your network contacts a malicious server, the response traffic is welcomed right in.
  • NAT doesn’t provide authentication. It doesn’t verify that incoming packets are from who they claim to be.
  • NAT can be abused through the helpers bolted onto it. Application-layer gateways (ALGs) that parse protocols such as SIP or FTP to open related inbound mappings have been tricked into forwarding attacker-chosen ports to a victim, most famously by NAT slipstreaming, where a web page visited from inside the network made the router open ports to the visitor’s own machine.

A proper stateful firewall with explicit ingress and egress rules provides real security. On a Linux-based router it is the connection tracker plus the filter rules that actually do the blocking; NAT merely rides on the same connection state. NAT is a side effect that happens to block some simple attack vectors. Relying on it as your security strategy is like locking your screen door and leaving the front door wide open.

NAT in the IPv6 World

IPv6 was specifically designed to eliminate the need for NAT. With enough addresses for every device to have a globally unique one, there’s no need for address translation.

However, some organizations still use NAT66 (IPv6-to-IPv6 translation). The standardized form is NPTv6 (RFC 6296), a stateless one-to-one prefix translation rather than the stateful many-to-one NAT of IPv4. Their reasons include:

  • Network topology hiding (prevent outsiders from seeing internal addressing structure)
  • Address independence (change ISPs without renumbering internal addresses)
  • Regulatory compliance (some industries require address obfuscation)

The IPv6 community generally discourages NAT66 because it reintroduces the end-to-end breakage that IPv6 was supposed to remove, even though stateless NPTv6 avoids the per-flow state and most of the traversal headaches. The recommended approach (RFC 4864, “Local Network Protection for IPv6”) is to use proper firewall rules to control traffic while maintaining end-to-end addressability. Translation does persist at the IPv4 boundary: NAT64 (RFC 6146), paired with DNS64, lets IPv6-only clients reach IPv4-only servers, and IPv6-only mobile networks rely on it today.

Test It Yourself

Check Your Public IP

See your public IP address and compare it with your router's WAN IP to check for CGNAT.


Frequently Asked Questions

Does NAT make my network secure?

Kind of, but not really. NAT blocks unsolicited inbound connections as a side effect of how it works (there's no mapping in the translation table for random inbound traffic). But NAT wasn't designed for security and shouldn't be your only line of defense. A proper firewall with explicit rules is still necessary.

Will IPv6 get rid of NAT?

That's the idea. With IPv6, every device can have a globally unique address, removing the need for address translation. However, some organizations may still use IPv6 NAT (NAT66) for network topology hiding or policy reasons, even though it's generally discouraged by the networking community.

Why do gaming, VoIP and P2P apps have trouble with NAT?

Applications that need incoming connections (gaming, VoIP, P2P, hosting servers) struggle with NAT because the router doesn't know where to forward unsolicited inbound packets. Port forwarding, UPnP, and NAT traversal techniques (STUN, TURN, ICE) exist specifically to work around these limitations.

What is double NAT, and how do I fix it?

Double NAT happens when you have two devices performing NAT in sequence, like a modem/router combo from your ISP plus your own router. Traffic gets translated twice, which can cause connectivity issues with gaming, VPN, and any application that relies on port forwarding. Fix it by putting one device in bridge mode.