Skip to main content
Explainer · networking

Public vs private IP addresses (the difference, in plain English)

Every device you own has two identities on the network: a private address that only works inside your home or office, and a shared public address that the rest of the internet sees. Understanding the split explains NAT, port forwarding, CGNAT, and half the “why can't I reach my server?” questions in networking.

Two addresses, two jobs

An IP address is how a device is found on a network. The confusing part is that most devices have two addresses that matter, doing two different jobs. Your laptop has a private IP — something like 192.168.1.42 — that identifies it inside your local network. Your whole network also has a single public IP that identifies it to the rest of the internet. When you visit What is my IP?, the address you see is the public one: the face your network shows the world, not the private address on the device in your hand.

The reason this split exists is a simple accounting problem. The original internet protocol, IPv4, has a 32-bit address space — about 4.3 billion possible addresses. That felt limitless in 1981 and is nowhere near enough for the tens of billions of connected devices today. The fix that kept IPv4 alive for decades was to stop giving every device a globally unique address and instead let entire networks share one, using private addressing plus NAT.

What makes an address “private”

Private IP addresses are not a technical accident — they are formally reserved. In 1996, RFC 1918 set aside three blocks of the IPv4 space for “private internets” that would never be routed on the public network. Any organization can use these addresses internally, as many times as they like, without asking anyone, because they are guaranteed never to collide with a public destination. The three ranges are:

The moment you see an address beginning with 10., 192.168., or 172.16172.31, you know it is private and cannot be reached directly from the internet. (There are a few other special ranges — 127.0.0.0/8 for loopback, 169.254.0.0/16 for link-local autoconfiguration, and 100.64.0.0/10 for carrier-grade NAT — but the three RFC 1918 blocks are the ones you meet every day.) If you want to see exactly how many addresses a given prefix contains, the CIDR calculator breaks any range down for you.

How NAT bridges private to public

Private addresses solve the scarcity problem, but they create a new one: if your laptop's address is meaningless outside your network, how does a reply from a website ever find its way back? The answer is NAT — Network Address Translation, and it runs on your router.

When your laptop (192.168.1.42) opens a connection to a web server, the packet leaves your network through the router. The router rewrites the source address from your private IP to its own public IP, records the swap in a translation table along with the port numbers involved, and sends the packet on its way. The server replies to the public IP — the only address it ever saw — and when that reply arrives, the router consults its table, sees which internal device the connection belongs to, rewrites the destination back to 192.168.1.42, and delivers it. This specific flavor, where many private devices share one public IP by multiplexing on port numbers, is called PAT (Port Address Translation) or “NAT overload,” and it is what nearly every home router does.

Why your devices all share one public IP

This is the direct consequence of NAT, and it is worth stating plainly: your phone, your laptop, your smart TV, and every smart bulb in the house all appear to the internet as the same public IP address. There is only one on the outside of the router, and NAT lets dozens of internal devices take turns behind it. That is why what a website sees is your router's public address, never the private address of the specific device you are using — and why two people in the same house show up at the same IP.

It also explains why inbound connections are awkward. Outbound traffic works effortlessly because your device initiates it, so the router has a table entry ready for the reply. But if someone on the internet tries to reach you unprompted, the router has no entry telling it which of your many devices the traffic is for, so it drops the packet. Making an internal service reachable from outside requires port forwarding — a manual rule that says “traffic arriving on this public port always goes to this private device.” This is exactly why you have to configure port forwarding to host a game server or a website from home.

When even the public IP is shared: CGNAT

Here is the twist that trips up a lot of people. IPv4 ran out so thoroughly that many ISPs can no longer give each customer even a single public IP. Their solution is a second layer of NAT — carrier-grade NAT (CGNAT) — run inside the ISP's own network. Under CGNAT your router does not receive a real public address at all. Instead it gets a private-style address from the 100.64.0.0/10 shared range, and the ISP's giant NAT box translates that into a genuine public IP shared among hundreds of other customers.

The practical upshot is that port forwarding on your own router stops working entirely, because there is another NAT layer above it that you do not control. If you have ever set up a forward correctly and still could not reach your service from outside, CGNAT is the usual culprit. Mobile networks are almost universally CGNAT, and a growing number of fiber and fixed-wireless ISPs use it too.

IPv6 and the shrinking role of private addressing

NAT and private addressing exist because IPv4 addresses are scarce. IPv6 removes that scarcity by design. Its 128-bit address space holds roughly 340 undecillion addresses — enough to give every device that will ever exist a globally unique, publicly routable address with room to spare. In an IPv6 world, the whole public-versus-private dance largely dissolves: your laptop can have its own public address again, exactly as the original internet intended, and end-to-end connectivity is restored without NAT in the middle.

IPv6 does keep a notion of “private” scope in the form of Unique Local Addresses (ULAs, the fc00::/7 range), used for internal-only communication that should never leave the network. But the goal is very different from IPv4 NAT: ULAs are about administrative scoping and stable internal routing, not about squeezing many devices behind one scarce address. You can check whether your own connection has working IPv6 with the IPv6 test, and explore the wider ecosystem in the IPv6 tools. The migration is slow and IPv4 with NAT will be around for years, but the long-term direction is unmistakable: fewer private addresses, fewer NAT layers, more direct reachability.

Security implications of the split

A common myth is that NAT is a firewall. It is not — but it does provide a real, if accidental, layer of protection. Because inbound connections have no default translation entry, devices behind NAT are not directly reachable from the internet unless you explicitly forward a port. That means an unpatched service on a machine with only a private IP is far harder to attack from outside than the same service on a machine with a naked public IP.

There are two important caveats. First, this protection is a side effect, not a security policy — malware inside your network can still open outbound connections freely (that is how most modern attacks actually work), and it can punch through NAT using techniques like UPnP or hole-punching. You still need a real firewall and good endpoint hygiene. Second, IPv6 changes the calculus: when every device has a public address, the accidental shield of NAT disappears, and you must rely on an explicit stateful firewall — which, thankfully, virtually all IPv6-capable routers enable by default. Separately, remember that a public IP reveals information: it maps to a rough geographic location and to your ISP. If that matters to you, tools like a VPN, proxy, or Tor change which public IP the world associates with your traffic. And if you are curious about how a private hostname ever resolves to a public destination in the first place, the mechanics live in how DNS works.

A quick way to see it yourself

Open the IPFerret home page and note the public IP it reports. Now find your device's private IP: on Windows run ipconfig, on macOS or Linux run ip addr (or ifconfig), or just open your Wi-Fi settings. You will almost certainly see something starting with 192.168. or 10.. The two addresses are different, and now you know why: one is the private identity your router gave your device, the other is the shared public identity your router presents to the internet, with NAT quietly stitching the two together for every packet you send.

Frequently asked questions

What is the difference between a public and a private IP address?

A public IP address is globally unique and routable across the internet — it is the address the rest of the world uses to reach your network. A private IP address comes from one of the RFC 1918 reserved ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), is only meaningful inside your own local network, and is never routed on the public internet. Your router holds the public IP; every device behind it gets a private one.

Why do all my devices share the same public IP address?

Because your router uses NAT — Network Address Translation. Each device has its own private IP inside the network, but when they talk to the internet the router rewrites the source address to its single public IP and tracks which internal device each connection belongs to. To an outside website, every phone, laptop, and smart bulb in your home appears to come from the same public address.

How do I find my public and private IP addresses?

Your public IP is shown on the IPFerret home page — it is whatever your router presents to the internet. Your private IP is local to your device: on Windows run ipconfig, on macOS or Linux run ip addr or ifconfig, or check your Wi-Fi settings. A private address almost always starts with 192.168, 10., or 172.16 through 172.31.

Related reading