The problem NAT solves
IPv4, the addressing scheme most of the internet still runs on, has a 32-bit address space — about 4.3 billion addresses. That felt limitless in the early 1980s, but the number of connected devices blew past it long ago. A single household today might have twenty or thirty things wanting internet access at once, and there simply are not enough public IPv4 addresses to give each one its own.
NAT is the workaround. Instead of handing every device a scarce public address, your ISP gives your router exactly one public IP, and every device inside your home shares it. The devices use private addresses drawn from ranges reserved for internal use — most commonly 192.168.x.x or 10.x.x.x — that are never routed on the public internet. The router sits at the boundary and translates between the private world inside and the public world outside. If the difference between those two kinds of address is fuzzy, the public vs private IP explainer lays it out.
The core idea: rewrite on the way out, reverse on the way back
The heart of NAT is a rewrite. When a device inside your network sends a packet to the internet, the packet carries a source address and source port that identify who sent it. Those are private values that the outside world cannot reply to. So the router replaces the private source IP and port with its own public IP and a port it picks, sends the modified packet on its way, and writes down what it did in a translation table.
When the reply comes back, it is addressed to the router's public IP and the port the router chose. The router looks that combination up in its table, finds the original private IP and port, rewrites the packet's destination back to those internal values, and delivers it to the device that started the conversation. The device never knows any of this happened — from its point of view it just sent a request and got an answer. The whole mechanism is stateful: the table entry is what lets the return trip find its way home.
Walking a concrete example
Say your laptop has the private address 192.168.1.10 and opens a connection from source port 51000 to a web server at, for the sake of the example,203.0.113.5 on port 443. Your router's public IP is198.51.100.7. Here is what the round trip looks like:
- Outbound. The laptop sends a packet: source
192.168.1.10:51000, destination203.0.113.5:443. - Rewrite. The router replaces the source with its own public IP and a chosen port, say
198.51.100.7:40000, and records the mapping198.51.100.7:40000→192.168.1.10:51000in its translation table. The packet leaves with source198.51.100.7:40000. - The server replies. As far as the web server can tell, the request came from
198.51.100.7:40000, so it addresses its response there: destination198.51.100.7:40000, source203.0.113.5:443. - Reverse. The router receives that reply, looks up
40000in its table, finds it belongs to192.168.1.10:51000, rewrites the destination back to those values, and hands the packet to your laptop.
That table entry is everything. Without it, a reply arriving at the router would be an orphan — the router would have no idea which of your many internal devices it belonged to.
PAT: why one public IP can serve a whole house
The example above translated one device, but the reason NAT scales is the port. The common home flavor is PAT — Port Address Translation, also called NAT overload or many-to-one NAT. Instead of needing a separate public IP per device, the router maps every internal connection onto its single public IP and simply gives each one a different source port.
A port number is 16 bits, so a single IP has on the order of tens of thousands of usable ports. That means one public address can carry a very large number of simultaneous conversations, each distinguished purely by its port. Your laptop on 40000, your phone on 40001, your TV on 40002, and so on — all riding the same public IP, all kept straight by the translation table. This is the ordinary case on essentially every home router, and it is why your whole household appears to the outside world as one address.
Other flavors of NAT
PAT is what most people mean by “NAT” at home, but it is not the only kind:
- Static NAT (one-to-one). A single private address is mapped permanently to a single public address. Nothing is shared — it just relabels one address as another, in both directions. This is used when an internal server needs to be consistently reachable from outside on its own dedicated public IP.
- Dynamic NAT. The router draws from a pool of public addresses and assigns one to an internal device for the duration of a session, then returns it to the pool. It is still one-to-one while a mapping is active, but the specific public address a device gets varies. This is more common in larger organizations that hold a block of public IPs than in a typical home.
The accidental firewall — and its manual exception
NAT is not a security feature by design, but it hands you one for free. Because the translation table only has entries for connections your own devices started, an unsolicited packet arriving from the internet has no matching entry. The router looks it up, finds nothing, and has no internal device to deliver it to — so it drops it. That means random inbound probes and scans from the outside world simply bounce off, without you configuring anything.
This is genuinely useful, but it is important not to mistake it for real security. NAT does not inspect traffic, filter by content, or protect the connections your devices deliberately open — it just has nowhere to send unrequested inbound packets. A proper stateful firewall does the inspecting and filtering, and most home routers run a firewall alongside NAT; the firewall explainer covers the difference in depth.
When you actually want something inbound — a game server, a security camera, a self-hosted app — you have to create a translation-table entry by hand. That is exactly what port forwarding does: it tells the router “any traffic that arrives on this public port, send it to this specific internal device and port,” manually creating the mapping that unsolicited inbound traffic would otherwise lack.
What NAT breaks
The same property that gives you accidental inbound protection also gets in the way. If nothing inside started a conversation, there is no table entry, so anything that relies on being contacted from the outside struggles:
- Inbound connections in general. Hosting a service that outsiders need to reach requires an explicit port-forwarding rule; it does not work out of the box.
- Peer-to-peer and VoIP. Two devices that each sit behind their own NAT both expect to be contacted, and neither can be reached directly. Real-time voice and video, direct file transfer, and some games hit this constantly.
The industry answer is a set of techniques called NAT traversal. At a high level, a helper server called a STUN server lets a device discover what public IP and port its NAT is presenting to the world, so two peers can try to talk to each other's public mappings directly. When that fails — because the NATs are too restrictive — a TURN server steps in and relays the traffic between the two peers, so both sides are really just holding outbound connections to the relay. It is slower than a direct path, but it works from behind almost any NAT.
CGNAT: NAT again, on the carrier's side
Because public IPv4 addresses are so scarce, many ISPs no longer give each customer even one public IP. Instead they run a second, huge layer of NAT in their own network and share a single public address across many customers at once. This is carrier-grade NAT (CGNAT), and it stacks another translation table above the one in your home router. It is the reason port forwarding sometimes fails even when you have configured it correctly — the entry you made on your own router is invisible to the carrier's NAT above it.
IPv6 mostly removes the need for NAT
NAT exists first and foremost because IPv4 addresses ran short. IPv6 has an address space so large that every device can hold its own globally routable address with room to spare, which means there is no need to share one public IP behind a translation table at all. IPv6 networks generally skip address translation entirely and lean on a stateful firewall for the inbound protection that NAT provided as a side effect. If you want the full contrast, see IPv4 vs IPv6, and you can check how far the transition has come on the IPv6 status page.
Frequently asked questions
How does NAT let many devices share one public IP?
Through PAT (port address translation, or NAT overload). Each outbound connection is rewritten to the router's single public IP but assigned a distinct source port, and the router keeps a translation table mapping every public IP-and-port back to the private IP-and-port that created it. Replies arriving on a given port are matched to the right internal device. Because one IP has tens of thousands of ports, a single public address serves many devices simultaneously.
Is NAT a firewall?
Not really. NAT is not a security feature by design, but it produces a helpful side effect: unsolicited inbound traffic has no matching table entry, so the router has nowhere to send it and drops it. That blocks casual unsolicited connections, but NAT does not inspect or filter traffic the way a real stateful firewall does. Most home routers run both together.
Does IPv6 still need NAT?
Mostly no. NAT exists chiefly to work around the IPv4 shortage. IPv6's address space is large enough that every device can have its own globally routable address, so there is no need to share one. IPv6 networks usually skip translation entirely and rely on a firewall for inbound protection instead.
Related reading
- Public vs private IP — the two kinds of address NAT sits between.
- Port forwarding explained — how to create the inbound translation entry NAT does not make for you.
- What is CGNAT? — a second layer of NAT run by your ISP.
- What is a firewall? — the real security layer NAT is often mistaken for.
- IPv4 vs IPv6 — why the address shortage that created NAT exists, and what replaces it.
- IPv6 status — how far the transition away from NAT has actually come.
- Networking glossary — quick definitions for the terms in this article.
