NAT is a bit of a misnomer; it’s not really about translating IP addresses as much as it is about translating connections.
Imagine your home network. You have a router, and every device connected to it (your laptop, phone, smart TV) has a private IP address like 192.168.1.10, 192.168.1.11, etc. These are great for talking to each other within your house, but the outside world, the internet, has no idea what 192.168.1.10 is. It’s like trying to send a letter with just a room number and no street address.
Your router, however, has a public IP address assigned by your Internet Service Provider (ISP). This is the actual, routable address that the rest of the internet knows. When your laptop wants to fetch a webpage, it sends the request to your router. The router, instead of just forwarding the packet with the private source IP, performs a bit of magic.
Here’s a simplified view of what happens when your laptop at 192.168.1.10 wants to connect to example.com on port 80:
1. Packet Leaving Your Laptop:
 - Source IP: 192.168.1.10
 - Source Port: 54321 (a random ephemeral port)
 - Destination IP: 93.184.216.34 (example.com)
 - Destination Port: 80 (HTTP)
2. Packet Arriving at Your Router:
 - The router receives this packet. It knows it needs to send this out to the internet, but 192.168.1.10 isn’t a valid internet address.
 - The router looks up its NAT translation table. If there isn’t an entry for this specific connection (source IP, source port, destination IP, destination port), it creates one.
 - Crucially, it replaces the private source IP address with its own public IP address. It also often replaces the source port with a new, unique port from its available pool. Let’s say the router picks port 12345.
3. Packet Going to the Internet:
 - Source IP: YOUR_PUBLIC_IP_ADDRESS (e.g., 203.0.113.5)
 - Source Port: 12345 (router’s chosen port)
 - Destination IP: 93.184.216.34
 - Destination Port: 80
 The router records this mapping: (192.168.1.10:54321) <-> (YOUR_PUBLIC_IP_ADDRESS:12345).
4. Response Coming Back:
 example.com sends a response back to YOUR_PUBLIC_IP_ADDRESS on port 12345.
 - Source IP: 93.184.216.34
 - Source Port: 80
 - Destination IP: YOUR_PUBLIC_IP_ADDRESS
 - Destination Port: 12345
5. Packet Arriving at Your Router (Response):
 - The router receives the packet destined for its public IP and port 12345.
 - It consults its NAT translation table. It finds the entry matching (YOUR_PUBLIC_IP_ADDRESS:12345) and sees that it corresponds to the internal connection (192.168.1.10:54321).
 - It then rewrites the destination IP and port back to the original private values.
6. Packet Delivered to Your Laptop:
 - Source IP: 93.184.216.34
 - Source Port: 80
 - Destination IP: 192.168.1.10
 - Destination Port: 54321
This process is called Network Address Port Translation (NAPT), or sometimes PAT (Port Address Translation). It’s the most common form of NAT used in homes and small businesses. The "Port" in NAPT is key: it allows multiple devices on your private network to share a single public IP address by using different source ports for their outgoing connections. The router multiplexes these connections through its single public IP.
The primary benefit is conservation of public IPv4 addresses. Instead of each device needing its own public IP, only the router does. It also provides a basic layer of security, as devices on the private network are not directly addressable from the internet unless explicitly configured for port forwarding.
Consider a scenario where two devices on your network, 192.168.1.10 and 192.168.1.11, both try to connect to example.com on port 80 at the exact same time, and both happen to choose the same ephemeral source port (e.g., 54321).
- Device 1 (192.168.1.10): 192.168.1.10:54321 -> Router:12345
- Device 2 (192.168.1.11): 192.168.1.11:54321 -> Router:12346
In this case, the router assigns different public ports (12345 and 12346) to distinguish the two outgoing connections, which share a source port but come from different private IPs. The NAT table would look something like this:
192.168.1.10:54321 <-> YOUR_PUBLIC_IP:12345
192.168.1.11:54321 <-> YOUR_PUBLIC_IP:12346
This port mapping is what allows the router to direct incoming response packets to the correct internal device. Without the port translation, the router wouldn’t know which of your devices initiated the request that the incoming packet is a reply to.
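To make the walk-through above and the two-device collision concrete, here is a small NAPT table simulator. It is an added example, not code from the original text or from any router: it allocates a public port per new connection, reuses the mapping for repeat packets of the same connection, reverses the translation for replies, and drops inbound packets that no internal device asked for (the "not directly addressable" property mentioned earlier). The public IP 203.0.113.5 and the port pool starting at 12345 are constructed sample values, and transport protocol (TCP vs UDP) is ignored for brevity, whereas a real NAPT keeps separate tables per protocol.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


PUBLIC_IP = "203.0.113.5"  # the router's public address (constructed sample value)


class Napt:
    """Port-based NAT: many private (ip, port) pairs share one public IP."""

    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 12345):
        self.public_ip = public_ip
        self.next_port = first_port  # next free port in the router's pool
        # outbound: (src_ip, src_port, dst_ip, dst_port) -> public port
        self.out_table: Dict[Tuple[str, int, str, int], int] = {}
        # inbound: (public port, remote ip, remote port) -> (private ip, private port)
        self.in_table: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, p: Packet) -> Packet:
        """Rewrite a packet leaving the private network, creating a mapping if needed."""
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if key not in self.out_table:
            # New connection: take a fresh public port and record both directions.
            # Two devices using the same private port still get distinct public ports.
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[(port, p.dst_ip, p.dst_port)] = (p.src_ip, p.src_port)
        return replace(p, src_ip=self.public_ip, src_port=self.out_table[key])

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Rewrite a reply addressed to the public IP; None means drop (no mapping)."""
        entry = self.in_table.get((p.dst_port, p.src_ip, p.src_port))
        if entry is None:
            return None  # unsolicited: nothing inside initiated this, so it is dropped
        priv_ip, priv_port = entry
        return replace(p, dst_ip=priv_ip, dst_port=priv_port)
```

Feeding the laptop's packet (192.168.1.10:54321 -> 93.184.216.34:80) through `outbound` yields source 203.0.113.5:12345, a second device with the same private port gets 12346, and the reply to 203.0.113.5:12346 comes back out of `inbound` addressed to 192.168.1.11:54321.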
The most surprising aspect of NAT is how it treats UDP and TCP connections. For TCP, the state of the connection (SYN, ACK, FIN, RST flags) is largely ignored by basic NAT. The translation is purely based on the IP addresses and ports. For UDP, it’s even simpler, as UDP is connectionless. NAT simply maps an outgoing UDP packet’s source IP/port to a public IP/port and expects subsequent incoming UDP packets for that public IP/port to be routed back to the original private IP/port. This stateless nature of UDP NAT is why some protocols (like certain VoIP or gaming protocols) can sometimes struggle with NAT, as they rely on direct peer-to-peer communication that NAT can interfere with if not properly handled by the application itself or through NAT traversal techniques.
The next logical step is understanding how to allow external devices to initiate connections to devices behind NAT, which leads to the concept of port forwarding.