What Is NAT (Network Address Translation)?

Network Address Translation (NAT) is a technique that allows multiple devices on a private network to share a single public IP address when accessing the internet. It is implemented in virtually every home router and is the main reason IPv4 has not run out of addresses despite the internet growing far beyond the 4.3 billion addresses the protocol can theoretically support.

Types of NAT

| Type | How It Works | Typical Use |
| --- | --- | --- |
| Static NAT (one-to-one) | Maps one private IP permanently to one public IP | Web/mail servers needing a consistent public IP |
| Dynamic NAT (pool) | Maps private IPs to a pool of public IPs dynamically | ISPs with a block of public IPs to share |
| PAT / NAT Overload (many-to-one) | Maps many private IPs to one public IP using unique port numbers to distinguish sessions | Home routers; the most common form of NAT |
| Double NAT (CGNAT) | Carrier-grade NAT: ISP places its own NAT in front of the customer's router NAT | Mobile networks; cable ISPs managing IPv4 scarcity |

How PAT (Home Router NAT) Works

Your router maintains a NAT translation table. When your laptop (192.168.1.10:54321) sends a request to a web server (93.184.216.34:443), the router rewrites the source address to its public IP (e.g. 203.0.113.5:62145) and records the mapping. When the server's response arrives at 203.0.113.5:62145, the router looks up the table, rewrites the destination back to 192.168.1.10:54321, and forwards the packet to your laptop. The web server only ever sees the router's public IP.

NAT vs IPv6

IPv6 was designed to eliminate the need for NAT by providing enough addresses (3.4 × 10^38) to give every device on earth a globally unique public address. In a pure IPv6 network, every device has its own routable public IPv6 address and NAT is not required. However, NAT is still widely used for IPv4 traffic and is present in dual-stack networks where both IPv4 and IPv6 are used side by side. See the IPv4 vs IPv6 comparison for more detail.

Key Facts About NAT

  • NAT effectively acts as a firewall for inbound connections: unsolicited inbound packets are dropped because there is no matching NAT entry.
  • Double NAT (CGNAT) breaks some applications that require a direct inbound connection, such as hosting game servers, VoIP, or P2P applications.
  • Port forwarding is a manual NAT rule that directs inbound connections on a specific port to a specific private IP device.
  • UPnP allows applications to automatically create port forwarding rules in the router. This is convenient but a security risk if left enabled.
  • To check if you're behind CGNAT, compare the IP shown by your router's WAN interface with what whatsmyipnow.com shows. If they differ, you are behind double NAT.

What NAT Breaks - And the Workarounds Built Around It

NAT's design (standardised for traditional NAT in RFC 3022) assumes connections start from the inside. Whole categories of software had to invent workarounds for everything else.

The problem cases

| Application | Why NAT Breaks It | The Workaround |
| --- | --- | --- |
| Hosting a server at home | Inbound visitors have no NAT table entry to match | Port forwarding rules in the router |
| Online gaming / voice chat | Two players both behind NAT cannot reach each other directly | STUN/TURN servers and relay infrastructure; the source of "NAT type" errors on consoles |
| Peer-to-peer file transfer | Same two-sided reachability problem | Hole punching: both sides connect outward simultaneously |
| VPN protocols (IPsec) | Address rewriting invalidates packet integrity checks | NAT-Traversal encapsulation (UDP port 4500) |
| VoIP (SIP) | The protocol embeds IP addresses inside message bodies that NAT does not rewrite | Application-layer gateways and SBCs |

Port forwarding in practice

A port forward is a permanent NAT table entry you create manually: "anything arriving on public port 25565 goes to 192.168.1.50:25565". The three ingredients are a fixed private IP for the target device (use a DHCP reservation), the rule in the router, and a reachable public address, the last being exactly what CGNAT takes away. After creating a rule, verify it from outside with a port scan of your public IP.
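The translation table from "How PAT Works" and the port forward described above can be modelled in a few lines. This is an added example, not code from any router: the class and function names are hypothetical, the sender 198.51.100.7 is constructed, and the model assumes the router only accepts replies from remotes the LAN host has contacted (real routers differ on this).

```python
from itertools import count

class PatRouter:
    """Toy PAT table for one public IPv4 address (constructed model, not router firmware)."""

    def __init__(self, public_ip, first_port=62145):
        self.public_ip = public_ip
        self._ports = count(first_port)      # next candidate public port
        self._by_private = {}                # (proto, priv_ip, priv_port) -> public port
        self._by_public = {}                 # (proto, public port) -> (private endpoint, peers)

    def outbound(self, proto, src, dst):
        """LAN -> internet: rewrite the source and record who was contacted."""
        port = self._by_private.get((proto, *src))
        if port is None:
            port = next(p for p in self._ports if (proto, p) not in self._by_public)
            self._by_private[(proto, *src)] = port
            self._by_public[(proto, port)] = (src, set())
        peers = self._by_public[(proto, port)][1]
        if peers is not None:                # None marks a port forward: open to any remote
            peers.add(dst)
        return (self.public_ip, port), dst

    def port_forward(self, proto, public_port, target):
        """Static entry created by hand; it exists before any outbound traffic."""
        self._by_private[(proto, *target)] = public_port
        self._by_public[(proto, public_port)] = (target, None)

    def inbound(self, proto, src, public_port):
        """Internet -> LAN: return (src, private dst), or None when the packet is dropped."""
        entry = self._by_public.get((proto, public_port))
        if entry is None:
            return None                      # no table entry: nowhere to send it
        target, peers = entry
        if peers is not None and src not in peers:
            return None                      # assumed filtering: this remote was never contacted
        return src, target

def demo():
    """Replay the page's laptop example plus the 25565 forward; all packets are constructed."""
    r = PatRouter("203.0.113.5")
    laptop, web = ("192.168.1.10", 54321), ("93.184.216.34", 443)
    stranger = ("198.51.100.7", 40000)       # constructed unsolicited sender
    sent = r.outbound("tcp", laptop, web)
    reply = r.inbound("tcp", web, 62145)
    probe = r.inbound("tcp", stranger, 62145)
    r.port_forward("tcp", 25565, ("192.168.1.50", 25565))
    exposed = r.inbound("tcp", stranger, 25565)
    return sent, reply, probe, exposed
```

The last result is the one to notice: once the forward exists, the same unsolicited sender that was dropped on port 62145 reaches 192.168.1.50 directly, so the forwarded service is the only thing standing between the internet and that host.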

The Accidental Security Layer

NAT was never designed as a security feature, but dropping unsolicited inbound packets had the side effect of shielding billions of home devices from direct internet exposure, arguably the largest accidental security deployment in history. The protection is real but shallow: it does nothing against outbound connections initiated by malware, against attacks riding on connections you opened, or against anything on the LAN side. Treat NAT as a moat, and keep an actual firewall plus updated devices behind it, especially on IPv6, where there is no NAT and the firewall alone does the blocking.

What This Means for You

NAT explains three everyday observations. Every device in your home shows the same address to websites, so one family member's ban or rate-limit hits everyone. "It works on my phone's hotspot but not at home" often means a NAT-layer issue, usually double NAT from an ISP combo box, fixed with bridge mode. And when a game or app demands "open NAT" or a port forward, what it really needs is an inbound path through the translation table; if your ISP uses CGNAT, no router setting can provide that, and your options are an ISP-provided public IPv4 address, native IPv6, or a VPN with port-forwarding support.

Frequently Asked Questions

Is NAT the same thing as a firewall?

No. NAT translates addresses; a firewall enforces rules about what may pass. NAT incidentally blocks unsolicited inbound traffic because unmatched packets have nowhere to go, but it never inspects content, never filters outbound connections, and offers nothing once a port is forwarded. Routers ship both functions together, which causes the confusion.

How do I know if I am behind CGNAT?

Log into your router and find its WAN address, then compare it with the public address a browser check shows. If they differ, especially if the WAN address starts with 100.64 through 100.127, your ISP translates you a second time, and inbound connections cannot reach you without ISP help.
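The comparison above can be scripted once you have both addresses. This is an added example, not part of the original page: the function name and verdict labels are hypothetical, and the two addresses are typed in by hand rather than fetched from the router or a lookup site.

```python
import ipaddress

# 100.64.0.0/10 is the shared address space reserved for carrier-grade NAT (RFC 6598);
# it spans 100.64.0.0 through 100.127.255.255, the "100.64 through 100.127" range above.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")
PRIVATE_V4 = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_wan(wan_ip, seen_public_ip):
    """Compare the router's WAN address with the address websites see.

    Returns one of four labels (hypothetical names chosen for this example):
      single-nat             WAN address is the public address; port forwards can work
      cgnat                  WAN address is in 100.64.0.0/10; the ISP translates again
      double-nat-private-wan WAN address is RFC 1918; another NAT device sits upstream,
                             often an ISP combo box that needs bridge mode
      mismatch-public-wan    addresses differ but the WAN address is not private;
                             check whether the browser went through a VPN or proxy
    """
    wan = ipaddress.ip_address(wan_ip.strip())          # raises ValueError if malformed
    seen = ipaddress.ip_address(seen_public_ip.strip())
    if wan.version != 4 or seen.version != 4:
        raise ValueError("this check applies to IPv4 addresses only")
    if wan == seen:
        return "single-nat"
    if wan in CGNAT_SHARED:
        return "cgnat"
    if any(wan in net for net in PRIVATE_V4):
        return "double-nat-private-wan"
    return "mismatch-public-wan"
```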

Does IPv6 still use NAT?

Essentially no. IPv6's address space removes the scarcity NAT was built to manage, so each device gets a globally routable address and the router's firewall handles inbound blocking. Translation appears only at protocol boundaries, such as NAT64, which lets IPv6-only networks reach IPv4-only servers.