What is NAT? Network address translation, explained
NAT is the reason your laptop, phone, and TV all share one public IP: your router rewrites every outbound packet to come from its own address, remembers who asked in a translation table, and routes the replies back — a bookkeeping trick that stretched IPv4 decades past its address supply. It's also the reason inbound connections mysteriously fail, games complain about "NAT type," and self-hosting needs port forwarding. One mechanism, all of those symptoms.
Maintained by the ipconfig.io team · Reviewed 1 July 2026
The mechanism in one pass
Your laptop (192.168.1.23 — a private address) asks for a webpage. At the router:
- The packet's source, 192.168.1.23:51000, is rewritten to the router's public identity, say 203.0.113.42:62001.
- The mapping 62001 ↔ 192.168.1.23:51000 lands in the translation table.
- The reply arrives at port 62001, matches the entry, and is rewritten back to the laptop.
Every device's traffic flows through the same choreography — which is why curl ipconfig.io returns the same answer from every machine in the house: the world only ever sees the router.
The consequences you actually notice
Unsolicited inbound dies. The table only contains what outbound traffic put there. A connection from the internet to your public IP matches no entry, so it's dropped — free stealth for ordinary users, and the wall self-hosters hit. Port forwarding is the fix: a permanent, manual table entry ("port 8080 → the Pi"), verified from outside with curl ipconfig.io/port/8080.
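The translation table from the mechanism above, together with the unsolicited-inbound drop and the port-forwarding entry, as a small Python model. This is an added example, not ipconfig.io's code: the class and function names, the phone and Pi addresses (192.168.1.24, 192.168.1.50) and the sequential port allocator are assumptions. A real NAT also tracks protocol, remote endpoint and entry timeouts.

```python
# Toy model of a router's NAT translation table.
# All addresses and ports are constructed sample values.
from itertools import count

PUBLIC_IP = "203.0.113.42"   # router's public address, as in the article's example


class Nat:
    def __init__(self, public_ip, first_port=62001):
        self.public_ip = public_ip
        self.next_port = count(first_port)   # naive sequential allocator (assumption)
        self.by_public_port = {}             # public port -> (private ip, private port)
        self.by_private = {}                 # (private ip, private port) -> public port

    def outbound(self, src_ip, src_port):
        """Rewrite an outbound source; create the mapping on first use."""
        key = (src_ip, src_port)
        if key not in self.by_private:
            port = next(self.next_port)
            while port in self.by_public_port:   # skip ports held by forwards
                port = next(self.next_port)
            self.by_private[key] = port
            self.by_public_port[port] = key
        return (self.public_ip, self.by_private[key])

    def inbound(self, dst_port):
        """Private (ip, port) for a packet to dst_port, or None if dropped."""
        return self.by_public_port.get(dst_port)

    def forward(self, public_port, private_ip, private_port):
        """Port forwarding: a permanent entry made by hand, not by traffic."""
        self.by_public_port[public_port] = (private_ip, private_port)


def demo():
    nat = Nat(PUBLIC_IP)
    results = {}
    results["laptop_out"] = nat.outbound("192.168.1.23", 51000)
    results["phone_out"] = nat.outbound("192.168.1.24", 51000)  # same port, other host
    results["reply"] = nat.inbound(62001)        # matches the laptop's entry
    results["unsolicited"] = nat.inbound(8080)   # no entry, so dropped
    nat.forward(8080, "192.168.1.50", 8080)      # "port 8080 -> the Pi"
    results["forwarded"] = nat.inbound(8080)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12} {value}")
```
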
Peer-to-peer needs tricks. When both peers are behind NAT, neither can accept the first packet. Games and calling apps use traversal — STUN to discover the public mapping (the same machinery behind WebRTC leaks), coordinated hole-punching, relays as a fallback. Game "NAT type" labels (Open/Moderate/Strict) are just a report on how much of that succeeds against your router.
Sometimes it's NAT twice. ISPs short on addresses run a second translation layer in their own network — CGNAT — where your router's "public" side is itself private. Port forwarding becomes structurally impossible; tunnels are the workaround.
Worth de-mythologizing while we're here: NAT feels like a firewall but isn't one by design — the security is a side effect of the bookkeeping, and modern routers pair it with an actual firewall. And on IPv6, where every device can hold a globally unique address, the entire mechanism — table, forwarding, traversal folklore — simply isn't needed; a firewall alone does the gatekeeping.
Frequently asked questions
What is NAT? The router rewriting traffic so all your devices share one public IP, with a table routing replies back to the right machine.
Why does it exist? IPv4 ran out of addresses; one-per-household plus NAT was the workaround. IPv6 doesn't need it.
Why do inbound connections fail? No table entry matches unsolicited traffic. Port forwarding creates the entry manually.
NAT types in games? A friendliness rating for P2P traversal: Open (inbound works) to Strict (outbound only, fewest connectable peers).
Next steps
- Public vs private IP — the two address spaces NAT translates between.
- What is CGNAT? — the same trick applied by your ISP, and what it breaks.
- Check if a port is open — testing your forwarding from the real outside.