First: What NAT Does
Network Address Translation lets many private devices share one public IPv4 address. Your router maintains a translation table recording which internal device and port created each outbound connection, and maps inbound replies back to the right device. The NAT type describes the rules governing what unsolicited inbound traffic is allowed to reach a mapped port.
The Four Classic NAT Types
| NAT Type | Behavior | Peer-to-Peer Impact |
|---|---|---|
| Full Cone | Any external host can send to the mapped port once the internal device has sent outbound | Most open — easiest for direct P2P connections |
| Address-Restricted Cone | Only hosts that the internal device has previously contacted can send inbound | Usually workable for most P2P |
| Port-Restricted Cone | Only the specific IP and port the device contacted can send inbound | More restrictive; some P2P combinations fail |
| Symmetric NAT | A different external port mapping is created for each distinct destination IP:port | Hardest — breaks most direct P2P without relay |
Full Cone NAT
Full Cone NAT creates a single public IP:port mapping for an internal device's outbound connection. Once that mapping exists, any external host can send packets to that public IP:port and they will be forwarded to the internal device — regardless of whether the internal device has ever communicated with that external host. This is the most permissive NAT type and enables direct inbound connections most easily. Consumer routers rarely implement true Full Cone NAT today due to security concerns.
Address-Restricted and Port-Restricted Cone NAT
Address-Restricted Cone NAT allows inbound packets only from external IP addresses that the internal device has previously sent traffic to. This limits unsolicited inbound traffic to known correspondents but still allows flexible port usage from those hosts. Port-Restricted Cone NAT tightens this further — inbound packets must come from the exact IP address and port that the internal device contacted. A server on the same IP but a different port cannot reach back. Most home routers implement Port-Restricted Cone behavior when not using Symmetric NAT.
Symmetric NAT
Symmetric NAT creates a new, distinct external IP:port mapping for every unique destination address and port. If your device contacts server A on port 80, it gets one external mapping. If it contacts server B on port 443, it gets a completely different external mapping. Outside peers who discover one mapping cannot use it to send traffic from a different IP or port. This makes Symmetric NAT the hardest to traverse for peer-to-peer applications — two devices behind Symmetric NAT typically cannot establish a direct connection without a relay server.
Gaming NAT Labels and Their Mapping
Game consoles and PC gaming platforms simplify NAT behavior into three labels. These map approximately to the classic cone types:
| Gaming Label | Approximate Cone Type | Peer Connectivity |
|---|---|---|
| Open / Type 1 | Full Cone or no NAT | Can connect to all other NAT types |
| Moderate / Type 2 | Address or Port-Restricted Cone | Can connect to Open; some Moderate pairs work |
| Strict / Type 3 | Symmetric NAT or blocked ports | Can only connect to Open; many matchmaking failures |
STUN for NAT Type Detection
Session Traversal Utilities for NAT (STUN) is the standard protocol used to discover NAT type and external IP:port mappings. A STUN client sends requests to a STUN server from multiple ports. By comparing the external IP:port the server reports seeing versus what the client sent from, and testing from multiple server addresses and ports, STUN can determine whether NAT is full cone, restricted, or symmetric. WebRTC, VoIP clients, and game platforms use STUN to discover their NAT type and external address before attempting peer connections.
NAT Traversal Techniques
For cone NAT types, hole punching allows two clients behind NAT to establish a direct connection by simultaneously sending packets to each other's external IP:port (learned via STUN), causing both routers to create forwarding rules at the same moment. This works for Full Cone, Address-Restricted, and Port-Restricted Cone, but not for Symmetric NAT because the mapping changes with each destination. When hole punching fails — especially with Symmetric NAT on one or both sides — a TURN (Traversal Using Relays around NAT) server acts as a relay, forwarding traffic between peers. TURN guarantees connectivity at the cost of higher latency and relay server bandwidth.
CGNAT: Carrier NAT Forces Strict Behavior
Carrier-Grade NAT (CGNAT) places another translation layer at the ISP between your home router and the public internet. Your router receives a private address in the 100.64.0.0/10 range (IANA Shared Address Space) rather than a true public IP. Port forwarding on your home router is useless because the ISP's NAT layer above it blocks all unsolicited inbound traffic. Even a home router implementing Full Cone NAT internally appears as Strict or Symmetric from the perspective of internet peers. CGNAT makes it effectively impossible to host services or achieve Open NAT type without the ISP providing a dedicated public IPv4 address (often as a paid add-on) or deploying IPv6 with a reachable global address.
How to Improve NAT Type
- Restart the modem, router, and console or PC.
- Make sure only one device is acting as your main router — double NAT compounds restrictions.
- Enable UPnP if you trust the devices on your LAN and need automatic port mapping.
- Use a reserved LAN IP address before creating manual port forwards.
- Check whether your router's WAN address matches your public IP — a mismatch indicates CGNAT.
- Ask your ISP about a public IPv4 address or IPv6 support if CGNAT is confirmed.
Frequently Asked Questions
What is NAT type in gaming?
Gaming NAT type is a simplified label for how easily your console or PC can connect directly with other players. Open is easiest, Moderate has some limits, and Strict is most restrictive.
What is symmetric NAT?
Symmetric NAT creates different external mappings depending on the destination. It is harder for peer-to-peer applications because outside peers cannot easily reuse one predictable mapping.
Can CGNAT cause Strict NAT?
Yes. Carrier-grade NAT adds another translation layer at the ISP, which can prevent inbound connections even if your home router is configured correctly.