Skip to content

NAT Explained

Last updated:

Network Address Translation rewrites packet addresses in flight — the duct tape that let IPv4 outlive its address space.

FlavorMappingTypical use
Static NATone private ↔ one publicPublishing an internal server
Dynamic NATpool ↔ pool, first-comeRare today
PAT / NAT overloadmany private → one public, disambiguated by portEvery home router and office edge
Port forwardingpublic:port → private:portPoking one service through PAT

PAT is what people usually mean by "NAT": thousands of inside hosts share one public IP, and the router's translation table keys on (inside IP, inside port) ↔ (public IP, translated port).

What NAT breaks

  • Inbound connections — nobody outside can initiate to an inside host without a forwarding rule (this is a side effect, not real security).
  • Protocols that embed IPs in payloads — classic offenders: active-mode FTP and SIP/VoIP. Fixups: ALGs (often buggy — SIP ALG is routinely disabled on purpose) or STUN/TURN/ICE for VoIP and WebRTC.
  • End-to-end visibility — many clients behind one IP complicates logging, rate-limiting, and abuse handling (see CGNAT).
CGNAT — NAT on NAT

ISPs short on IPv4 run Carrier-Grade NAT using 100.64.0.0/10 (RFC 6598) between your router and the internet. You're double-NATed: port forwarding at home stops working, and one abusive customer can get a shared public IP blocklisted for everyone on it.