What is NAT? Network address translation, explained

NAT is the reason your laptop, phone, and TV all share one public IP: your router rewrites every outbound packet to come from its own address, remembers who asked in a translation table, and routes the replies back — a bookkeeping trick that stretched IPv4 decades past its address supply. It's also the reason inbound connections mysteriously fail, games complain about "NAT type," and self-hosting needs port forwarding. One mechanism, all of those symptoms.

Maintained by the ipconfig.io team · Reviewed 1 July 2026

The mechanism in one pass

Your laptop (192.168.1.23, a private address) asks for a webpage. At the router:

  1. The packet's source, 192.168.1.23:51000, is rewritten to the router's public identity, say 203.0.113.42:62001.
  2. The mapping 62001 ↔ 192.168.1.23:51000 lands in the translation table.
  3. The reply arrives at port 62001, matches the entry, and is rewritten back to the laptop.

Every device's traffic flows through the same choreography — which is why curl ipconfig.io returns the same answer from every machine in the house: the world only ever sees the router.

The consequences you actually notice

Unsolicited inbound dies. The table only contains what outbound traffic put there. A connection from the internet to your public IP matches no entry, so it's dropped — free stealth for ordinary users, and the wall self-hosters hit. Port forwarding is the fix: a permanent, manual table entry ("port 8080 → the Pi"), verified from outside with curl ipconfig.io/port/8080.
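The three steps above, plus the inbound drop and the port-forward fix, as a toy translation table. This is an added example, not code from ipconfig.io or from any router; the class and function names, the second device 192.168.1.40 and the Pi's address 192.168.1.50 are constructed for illustration, and real NAT also tracks protocol, remote endpoint and timeouts.

```python
# Added illustration: a toy port-translating NAT table (not real router code).
from itertools import count

PUBLIC_IP = "203.0.113.42"   # router's public address, as in the article


class Nat:
    def __init__(self, public_ip, first_port=62001):
        self.public_ip = public_ip
        self._ports = count(first_port)   # next candidate public port
        self.out = {}      # (private_ip, private_port) -> public_port
        self.back = {}     # public_port -> (private_ip, private_port)

    def outbound(self, src_ip, src_port):
        """Rewrite an outgoing packet's source; create the mapping on first use."""
        key = (src_ip, src_port)
        if key not in self.out:
            port = next(self._ports)
            while port in self.back:       # skip ports taken by forwards
                port = next(self._ports)
            self.out[key] = port
            self.back[port] = key
        return (self.public_ip, self.out[key])

    def inbound(self, dst_port):
        """Return the private destination, or None when no entry matches (dropped)."""
        return self.back.get(dst_port)

    def forward(self, public_port, private_ip, private_port):
        """Port forwarding: a permanent entry created by hand, not by traffic."""
        self.back[public_port] = (private_ip, private_port)


def demo():
    nat = Nat(PUBLIC_IP)
    seen = nat.outbound("192.168.1.23", 51000)   # steps 1 and 2: rewrite + record
    reply = nat.inbound(seen[1])                 # step 3: reply matches the entry
    other = nat.outbound("192.168.1.40", 51000)  # second device, same source port
    unsolicited = nat.inbound(8080)              # nobody inside asked for this
    nat.forward(8080, "192.168.1.50", 8080)      # constructed address for "the Pi"
    forwarded = nat.inbound(8080)                # now reachable from outside
    return seen, reply, other, unsolicited, forwarded


if __name__ == "__main__":
    for item in demo():
        print(item)
```

This model keys inbound lookups on the public port alone, so anything arriving at a mapped or forwarded port is delivered inside regardless of who sent it; filtering by sender is the firewall's job, not the table's.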

Peer-to-peer needs tricks. When both peers are behind NAT, neither can accept the first packet. Games and calling apps use traversal — STUN to discover the public mapping (the same machinery behind WebRTC leaks), coordinated hole-punching, relays as a fallback. Game "NAT type" labels (Open/Moderate/Strict) are just a report on how much of that succeeds against your router.

Sometimes it's NAT twice. ISPs short on addresses run a second translation layer in their own network — CGNAT — where your router's "public" side is itself private. Port forwarding becomes structurally impossible; tunnels are the workaround.

Worth de-mythologizing while we're here: NAT feels like a firewall but isn't one by design — the security is a side effect of the bookkeeping, and modern routers pair it with an actual firewall. And on IPv6, where every device can hold a globally unique address, the entire mechanism — table, forwarding, traversal folklore — simply isn't needed; a firewall alone does the gatekeeping.

Frequently asked questions

What is NAT? The router rewriting traffic so all your devices share one public IP, with a table routing replies back to the right machine.

Why does it exist? IPv4 ran out of addresses; one-per-household plus NAT was the workaround. IPv6 doesn't need it.

Why do inbound connections fail? No table entry matches unsolicited traffic. Port forwarding creates the entry manually.

NAT types in games? A friendliness rating for P2P traversal: Open (inbound works) to Strict (outbound only, fewest connectable peers).
