NAT Explained
Last updated:
Network Address Translation rewrites packet addresses in flight — the duct tape that let IPv4 outlive its address space.
| Flavor | Mapping | Typical use |
|---|---|---|
| Static NAT | one private ↔ one public | Publishing an internal server |
| Dynamic NAT | pool ↔ pool, first-come | Rare today |
| PAT / NAT overload | many private → one public, disambiguated by port | Every home router and office edge |
| Port forwarding | public:port → private:port | Poking one service through PAT |
PAT is what people usually mean by "NAT": thousands of inside hosts share one public IP, and the router's translation table keys on (inside IP, inside port) ↔ (public IP, translated port).
What NAT breaks
- Inbound connections — nobody outside can initiate to an inside host without a forwarding rule (this is a side effect, not real security).
- Protocols that embed IPs in payloads — classic offenders: active-mode FTP and SIP/VoIP. Fixups: ALGs (often buggy — SIP ALG is routinely disabled on purpose) or STUN/TURN/ICE for VoIP and WebRTC.
- End-to-end visibility — many clients behind one IP complicates logging, rate-limiting, and abuse handling (see CGNAT).
CGNAT — NAT on NAT
ISPs short on IPv4 run Carrier-Grade NAT using 100.64.0.0/10 (RFC 6598) between your router and the internet. You're double-NATed: port forwarding at home stops working, and one abusive customer can get a shared public IP blocklisted for everyone on it.