What is NAT (Network Address Translation)?
NAT allows multiple devices to share one public IP address. Learn how NAT works, the different NAT types (full cone, restricted, symmetric), double NAT problems, and why NAT is essential for home networking.
Network Address Translation (NAT) is the mechanism that allows every device in your home to access the internet through a single public IP address. Your ISP gives your router one public address. Behind that router, you might have a phone, a laptop, a tablet, a smart TV, a game console, and a dozen other devices, each with its own private IP address. NAT is what makes this one-to-many arrangement work.
Without NAT, each device would need its own public IP address to communicate on the internet. Given that IPv4 only provides about 4.3 billion addresses and there are over 20 billion connected devices worldwide, that is not possible. NAT is the bridge that kept the internet functional while IPv4 addresses ran out and IPv6 adoption gradually increased.
How NAT Works Step by Step
NAT operates on your router, sitting between your private local network and the public internet. Every outgoing packet gets its source address rewritten, and every incoming response gets its destination address restored. The router maintains a translation table to track which internal device owns which connection.
Here is what happens when your laptop (private IP 192.168.1.50) loads a webpage:
- Your laptop creates a packet with source address 192.168.1.50, source port 52000, destination address 93.184.216.34 (the web server), and destination port 443.
- The packet reaches your router. NAT replaces the source address with the router’s public IP (say, 203.0.113.10) and may change the source port to 40500. The router records this mapping in its translation table: public port 40500 maps to internal 192.168.1.50, port 52000.
- The web server receives the packet and sees it came from 203.0.113.10 on port 40500. The server has no knowledge of your private IP.
- The web server sends a response back to 203.0.113.10 on port 40500.
- Your router receives the response, looks up port 40500 in the translation table, finds the mapping to 192.168.1.50 port 52000, rewrites the destination address and port, and delivers the packet to your laptop.
This translation happens for every packet, for every device, simultaneously. A busy home router might manage thousands of active translation entries at any given moment.
NAT Types Explained
NAT implementations vary in how they handle incoming connections. The differences matter for applications that need direct device-to-device communication, like online gaming, voice calls, and video conferencing.
Full Cone NAT (Static NAT). Once an internal device sends a packet through a specific port, the router allows any external host to send packets back through that same port to reach the internal device. This is the most permissive type and is easiest for applications that rely on inbound connections.
Address-Restricted Cone NAT. The router only allows inbound packets from an external IP address that the internal device has previously sent packets to. If your device contacted server A, only server A can send packets back through that port mapping. Server B cannot.
Port-Restricted Cone NAT. This adds port-level restriction on top of address restriction. The router only allows inbound packets from the same external IP and port combination that the internal device contacted. This is more restrictive than address-restricted but still allows some peer-to-peer connectivity.
Symmetric NAT. Each connection to a different external destination gets a unique port mapping. A packet to server A uses one external port, and a packet to server B uses a different external port. This makes peer-to-peer connection establishment extremely difficult because the port mapping is unpredictable. Many corporate firewalls and carrier-grade NAT deployments use symmetric NAT.
For home users, the NAT type affects online gaming (where “NAT Type Open/Moderate/Strict” labels map roughly to these categories), VoIP call quality, and peer-to-peer application performance.
Port Forwarding and NAT
NAT blocks all unsolicited inbound connections by default. If no device on your network initiated a connection to a specific external address, the router has no translation table entry for the incoming packet and drops it. This is generally good for security but problematic when you want to host a service.
Port forwarding creates a permanent entry in the NAT table. You tell the router: “Any incoming traffic on port 8080 should be forwarded to internal device 192.168.1.50 on port 80.” Now external users can reach your internal web server by connecting to your public IP on port 8080.
Common port forwarding use cases include hosting game servers, accessing security cameras remotely, running a web server, and enabling remote desktop connections. Each rule maps a public port to a private IP address and port.
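To make the walkthrough, the NAT types and port forwarding concrete, here is an added example (written for this page, not code from the article) of a toy NAT in Python: cone modes reuse one public port per internal socket, symmetric mode allocates a fresh port per destination, inbound packets are filtered per mode, and forward() stands in for a port-forwarding rule. Addresses and ports are the constructed ones from the walkthrough (203.0.113.10, 192.168.1.50, 93.184.216.34); chaining two instances reproduces the double NAT case where the ISP gateway drops traffic the inner router would have forwarded.

```python
# Added example, not from the article: a toy NAT/NAPT simulator showing the walkthrough's
# translation table, the four inbound filtering modes and static port forwarding.
# Constructed addresses; a packet is the tuple (src_ip, src_port, dst_ip, dst_port).

class NAT:
    def __init__(self, public_ip, mode="full_cone", first_port=40500):
        self.public_ip = public_ip
        self.mode = mode  # full_cone | addr_restricted | port_restricted | symmetric
        self.next_port = first_port
        self.mappings = {}  # mapping key -> public port
        self.table = {}     # public port -> ((internal ip, port), set of contacted (ip, port))
        self.forwards = {}  # public port -> (internal ip, port): permanent port-forward rules

    def _key(self, src, dst):
        # Cone NATs reuse one public port per internal socket; symmetric NAT
        # allocates a fresh port per destination, so its key includes dst.
        return (src, dst) if self.mode == "symmetric" else src

    def outbound(self, pkt):
        """Rewrite an outgoing packet's source address/port and record the mapping."""
        src_ip, src_port, dst_ip, dst_port = pkt
        key = self._key((src_ip, src_port), (dst_ip, dst_port))
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.table[self.next_port] = ((src_ip, src_port), set())
            self.next_port += 1
        pub_port = self.mappings[key]
        self.table[pub_port][1].add((dst_ip, dst_port))
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, pkt):
        """Translate an incoming packet back to the internal host, or None if dropped."""
        src_ip, src_port, dst_ip, dst_port = pkt
        if dst_ip != self.public_ip:
            return None
        if dst_port in self.forwards:  # port forwarding: no prior outbound packet needed
            in_ip, in_port = self.forwards[dst_port]
            return (src_ip, src_port, in_ip, in_port)
        entry = self.table.get(dst_port)
        if entry is None:
            return None  # unsolicited packet with no table entry: dropped
        (in_ip, in_port), contacted = entry
        allowed = (self.mode == "full_cone"
                   or (self.mode == "addr_restricted" and any(ip == src_ip for ip, _ in contacted))
                   or (src_ip, src_port) in contacted)  # port_restricted / symmetric: exact endpoint only
        return (src_ip, src_port, in_ip, in_port) if allowed else None

    def forward(self, public_port, internal_ip, internal_port):
        """Add a permanent rule: public_port -> internal_ip:internal_port."""
        self.forwards[public_port] = (internal_ip, internal_port)
```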
UPnP (Universal Plug and Play) automates port forwarding. Applications like game consoles and torrent clients use UPnP to ask the router to create temporary port forwarding rules without manual configuration. While convenient, UPnP is a security risk because any application on your network can open ports. Security-conscious users disable UPnP and configure port forwarding rules manually.
Double NAT Problems
Double NAT occurs when your network traffic passes through two devices that both perform NAT. The most common scenario is connecting your own router to an ISP-provided gateway (modem-router combo). Your devices get NATted by your router, and then your router’s traffic gets NATted again by the ISP gateway.
Double NAT causes several problems:
Port forwarding breaks. You can set up port forwarding on your router, but the ISP gateway does not know about it. Incoming traffic reaches the ISP gateway, which has no forwarding rule, and gets dropped. You would need to configure port forwarding on both devices, and the ISP gateway must forward to your router’s WAN IP.
VPN connections fail. Some VPN protocols (particularly IPsec) cannot traverse double NAT because the address translation breaks the integrity checks built into the protocol.
Gaming suffers. Online games that require open NAT for matchmaking or hosting will report a strict or closed NAT type. This can prevent you from joining certain lobbies or hosting matches.
UPnP stops working reliably. UPnP requests from your devices reach your router but not the ISP gateway. Automatic port opening fails.
The cleanest fix for double NAT is putting the ISP gateway into bridge mode. This disables its routing and NAT functions, turning it into a simple modem. Your router handles all NAT and routing. If bridge mode is not available, you can place your router’s WAN IP in the ISP gateway’s DMZ, which forwards all traffic to your router.
NAT and the Future with IPv6
NAT exists primarily because of IPv4 address scarcity. With IPv6 providing enough addresses for every device on Earth to have billions of unique public addresses, the fundamental reason for NAT disappears.
In an IPv6 network, each device receives its own globally routable address. Devices can communicate directly without translation. This simplifies connectivity for applications that struggled with NAT, like peer-to-peer communication, online gaming, and IoT device management.
However, NAT does not disappear overnight. The transition from IPv4 to IPv6 is gradual, and most networks run dual-stack with NAT still active for IPv4 traffic. Some organizations also deploy NAT66 (NAT for IPv6) for policy reasons, wanting to obscure internal addressing even when addresses are plentiful.
For home users, NAT will remain a part of networking for years. Your router will continue performing NAT for IPv4 traffic while allowing IPv6 traffic to pass directly. Understanding how NAT works helps you troubleshoot port forwarding, gaming connectivity, and VPN issues that stem directly from how address translation handles (or mishandles) your traffic.
Frequently Asked Questions
Does NAT provide security?
NAT provides a degree of security by hiding internal IP addresses from the internet. External devices cannot directly address or reach devices behind NAT without port forwarding. However, NAT is not a firewall. It does not inspect traffic or block malicious content. A proper firewall provides real security.
What is double NAT and why is it a problem?
Double NAT occurs when two devices on your network both perform NAT, typically when you connect your own router behind your ISP's router. Traffic gets translated twice, which can break port forwarding, VPN connections, online gaming, and UPnP. The fix is to put the ISP router in bridge mode or use only one router.
What is the difference between NAT and a firewall?
NAT translates addresses to allow private devices to share a public IP. A firewall inspects and filters traffic based on rules. NAT incidentally blocks unsolicited inbound connections, but it does not examine packet contents, block malware, or enforce security policies the way a dedicated firewall does.
Can I disable NAT on my router?
You can disable NAT on most routers, but doing so will prevent your devices from reaching the internet unless each one has its own public IP address. This is only practical in specific enterprise configurations. Home users should always leave NAT enabled.
Does IPv6 eliminate the need for NAT?
IPv6 was designed to provide enough addresses that every device can have a globally unique public IP, removing the primary reason for NAT. In practice, some IPv6 networks still use NAT66 for policy reasons, but the widespread address-sharing NAT used with IPv4 becomes unnecessary with IPv6.