The Problem NAT Solves
IPv4 has approximately 4.3 billion addresses — far fewer than the number of internet-connected devices in the world. Rather than give every smartphone, laptop, and smart thermostat its own globally unique public IP address, NAT (Network Address Translation) allows many devices to share a single public IP. Your ISP assigns one public IP to your home router. All the devices behind it — phones, computers, streaming sticks, game consoles — communicate through that single address. Without NAT, the consumer internet as we know it could not function under IPv4.
NAT is defined in RFC 3022 and is implemented in virtually every home router and enterprise firewall. The router maintains a NAT table — a record of active connections mapping internal private addresses and port numbers to the external public address and port numbers. When a packet arrives from the internet, the router consults this table to determine which internal device should receive it.
How NAT Works: Port Address Translation
The most common form of NAT is PAT (Port Address Translation), also called NAPT or "NAT overload." Here is the sequence for a typical outbound connection:
Your laptop at 192.168.1.50:54321 sends a packet to a web server at 93.184.216.34:443. The router receives this packet, replaces the source address 192.168.1.50:54321 with its public IP and a new port number — say 203.0.113.7:8001 — and forwards the modified packet to the internet. The router records the mapping: 203.0.113.7:8001 corresponds to the session from 192.168.1.50:54321.
The web server replies to 203.0.113.7:8001. The router looks up port 8001 in its NAT table, finds the mapping, replaces the destination with 192.168.1.50:54321, and delivers the packet to your laptop. Your laptop's application receives the response as if it had a direct connection to the web server.
Port numbers are the key: by using different port numbers on the public side, one public IP can simultaneously support thousands of distinct connections from different internal devices.
The Four NAT Types
| NAT Type | How It Works | Gaming Impact |
|---|---|---|
| Full Cone (Open) | Once an internal address:port is mapped to a public address:port, any external host can send packets to the mapped public endpoint | Best — all connections work; labeled Open/Type 1/Type A |
| Restricted Cone | External hosts can only send to the mapped endpoint if the internal host has previously sent a packet to that external IP | Good — works for most gaming scenarios |
| Port-Restricted Cone | Same as restricted cone but also requires the external port to match the port the internal host previously sent to | Moderate — labeled Moderate/Type 2/Type B on consoles |
| Symmetric | A new public port is assigned for every unique destination IP:port combination; only the specific external host that received the original packet can reply | Worst — labeled Strict/Type 3/Type C; blocks many peer-to-peer connections |
Why Double NAT Causes Problems
Double NAT happens when two routers each perform NAT between your device and the internet. A common home setup: the ISP provides a modem-router that performs NAT (assigning your home router a private IP like 192.168.100.1). You then connect your own router behind it, which performs another round of NAT for your devices. Your laptop ends up with a private address, which is NATted by your router to another private address, which is then NATted by the ISP's device to the real public IP — two full NAT layers.
Double NAT breaks port forwarding: if you forward port 25565 on your router to your game server, that rule only applies to the inner NAT. The outer ISP device still blocks inbound connections on that port. VPNs that embed the public IP in the handshake fail because the reported public IP does not match the actual source. Peer-to-peer protocols that use hole-punching to negotiate direct connections fail because neither side can agree on a reachable endpoint.
The fix is to put the ISP's device into bridge mode (disabling its NAT and router functions) so only your own router performs NAT. Alternatively, configure your router as a DMZ host on the ISP's device, which forwards all inbound traffic to your router's WAN port.
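The following Python model ties together the PAT walkthrough above, the four filtering behaviours in the NAT-type table, and the double NAT port-forwarding failure. It is an added example written for this page, not code from any router or the RFC; the `Nat` class, its `outbound`/`inbound`/`forward` methods, the port allocator starting at 8001, and the TEST-NET addresses for the second server, the stranger and the player are all constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from itertools import count
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


class NatType(Enum):
    FULL_CONE = "full cone"
    RESTRICTED_CONE = "restricted cone"
    PORT_RESTRICTED_CONE = "port-restricted cone"
    SYMMETRIC = "symmetric"


@dataclass
class Nat:
    """Toy NAPT device: one public IP, one translation table (hypothetical model)."""
    public_ip: str
    nat_type: NatType
    first_port: int = 8001
    # Cone NATs key the mapping on the internal endpoint only (one public port per
    # internal socket); a symmetric NAT keys on (internal endpoint, destination).
    mappings: Dict[tuple, int] = field(default_factory=dict)
    # public port -> {"internal": Endpoint, "peers": destinations contacted, "static": bool}
    table: Dict[int, dict] = field(default_factory=dict)

    def __post_init__(self) -> None:
        self._ports = count(self.first_port)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Rewrite an outbound packet's source; return the public endpoint it leaves with."""
        key = (src, dst) if self.nat_type is NatType.SYMMETRIC else src
        port = self.mappings.get(key)
        if port is None:
            port = next(self._ports)
            self.mappings[key] = port
            self.table[port] = {"internal": src, "peers": set(), "static": False}
        self.table[port]["peers"].add(dst)
        return (self.public_ip, port)

    def forward(self, public_port: int, internal: Endpoint) -> None:
        """Static port-forward rule: anything arriving on public_port goes to internal."""
        self.table[public_port] = {"internal": internal, "peers": set(), "static": True}

    def inbound(self, src: Endpoint, public_port: int) -> Optional[Endpoint]:
        """Translate an inbound packet from external src; None means the NAT dropped it."""
        entry = self.table.get(public_port)
        if entry is None:
            return None  # no session and no forward rule: unsolicited, dropped
        if entry["static"] or self.nat_type is NatType.FULL_CONE:
            return entry["internal"]
        peers: Set[Endpoint] = entry["peers"]
        if self.nat_type is NatType.RESTRICTED_CONE:
            allowed = any(ip == src[0] for ip, _ in peers)  # contacted IP, any port
        else:  # port-restricted cone and symmetric: exact ip:port must have been contacted
            allowed = src in peers
        return entry["internal"] if allowed else None


LAPTOP = ("192.168.1.50", 54321)
WEB_SERVER = ("93.184.216.34", 443)
OTHER_SERVER = ("198.51.100.9", 443)   # constructed: a second destination
STRANGER = ("198.51.100.77", 5000)     # constructed: a host the laptop never contacted


def filtering_demo(nat_type: NatType) -> dict:
    """Open a session from the laptop, then see which inbound packets get through."""
    nat = Nat("203.0.113.7", nat_type)
    mapped = nat.outbound(LAPTOP, WEB_SERVER)
    mapped_again = nat.outbound(LAPTOP, OTHER_SERVER)  # same socket, second destination
    return {
        "public_endpoint": mapped,
        "one_port_for_both_destinations": mapped == mapped_again,
        "reply_from_server": nat.inbound(WEB_SERVER, mapped[1]),
        "server_ip_other_port": nat.inbound((WEB_SERVER[0], 8080), mapped[1]),
        "stranger": nat.inbound(STRANGER, mapped[1]),
        "unmapped_port": nat.inbound(WEB_SERVER, 9999),
    }


def double_nat_demo() -> Tuple[Optional[Endpoint], Optional[Endpoint]]:
    """Forward 25565 on the inner router; does a player on the internet reach the server?"""
    isp_box = Nat("203.0.113.7", NatType.PORT_RESTRICTED_CONE)        # outer NAT, public IP
    home_router = Nat("192.168.100.2", NatType.PORT_RESTRICTED_CONE)  # inner NAT, private WAN
    game_server = ("192.168.1.20", 25565)
    home_router.forward(25565, game_server)
    player = ("198.51.100.42", 40000)  # constructed

    single_nat = home_router.inbound(player, 25565)  # router directly on the internet: works
    hop1 = isp_box.inbound(player, 25565)            # double NAT: the ISP box has no rule
    double_nat = home_router.inbound(player, 25565) if hop1 is not None else None
    return single_nat, double_nat


if __name__ == "__main__":
    for kind in NatType:
        print(kind.value, filtering_demo(kind))
    print("single NAT / double NAT:", double_nat_demo())
```

Running it shows the table's rows as behaviour: only the full cone delivers the stranger's packet, the restricted cone accepts the server's IP from any port, the port-restricted cone needs the exact ip:port, and the symmetric NAT is the only one that hands out a second public port for the second destination. `double_nat_demo()` returns the game server for the single-NAT case and `None` once the ISP device sits in front, which is exactly why the port-forward rule on the inner router is not enough.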
CGNAT: Your ISP's NAT
CGNAT (Carrier-Grade NAT), defined in RFC 6598, is NAT performed by your ISP before traffic even reaches your home. Instead of assigning your home router a real public IPv4 address, the ISP assigns it an address from the 100.64.0.0/10 range (the "shared address space" reserved for CGNAT). The ISP's own routers then translate this to a shared public IP that may be used by hundreds of customers simultaneously.
CGNAT compounds all the problems of double NAT. Port forwarding is impossible without ISP cooperation. Inbound connections are blocked. Applications that embed the public IP — certain VPNs, SIP telephony, peer-to-peer software — break. If you need a real public IP and suspect CGNAT, check your router's WAN address: if its first two octets fall in 100.64 through 100.127 (the 100.64.0.0/10 block), or it is an RFC 1918 private address not matching your home subnet, you are behind CGNAT. Contact your ISP to request a real public IP, which may be offered as a paid add-on.
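The WAN-address check described above, as an added Python example that is not part of the original page: it classifies the address a router shows on its WAN interface using the standard `ipaddress` module, distinguishing the RFC 6598 CGNAT block from an RFC 1918 address handed out by an upstream modem-router (the double NAT case from the previous section). The function name, labels and sample addresses are constructed for this example.

```python
import ipaddress
from typing import Tuple

# RFC 6598 shared address space used by carrier-grade NAT: 100.64.0.0 - 100.127.255.255
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges
RFC1918 = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def classify_wan_address(wan_ip: str) -> Tuple[str, str]:
    """Return (label, explanation) for the address shown on the router's WAN interface."""
    addr = ipaddress.ip_address(wan_ip)
    if addr.version == 6:
        return ("ipv6", "IPv6 WAN address; this check is about the IPv4 path")
    if addr in CGNAT_SHARED:
        return ("cgnat", "RFC 6598 shared space: the ISP is translating you; ask the ISP for a public IP")
    if any(addr in net for net in RFC1918):
        return ("upstream-nat", "RFC 1918 address on the WAN: another NAT device sits in front "
                                "of this router (double NAT); bridge it or use DMZ")
    if addr.is_link_local:
        return ("no-lease", "169.254.x.x means the WAN interface got no DHCP lease at all")
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
        return ("invalid", "not a usable WAN address")
    return ("public", "a public IPv4 address: port forwarding on this router should work")


if __name__ == "__main__":
    # Constructed sample WAN addresses, including the edges of the CGNAT block.
    for sample in ("100.64.0.1", "100.127.255.254", "100.63.255.255", "100.128.0.1",
                   "192.168.100.2", "203.0.113.7", "169.254.10.1", "2001:db8::1"):
        label, why = classify_wan_address(sample)
        print(f"{sample:>18}  {label:<13} {why}")
```

The boundary cases matter: 100.63.255.255 and 100.128.0.1 sit just outside 100.64.0.0/10 and are classified as public, while 100.64.0.1 and 100.127.255.254 are CGNAT. The check is done on the whole prefix rather than on a string comparison of the first octets, which is the mistake that makes "starts with 100.1" style checks misfire.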
Frequently Asked Questions
What does NAT stand for?
NAT stands for Network Address Translation. It is a technique where a router modifies source or destination IP addresses in packet headers as they pass through, allowing multiple private devices to share a single public IP address.
Does NAT affect gaming?
Yes. Gaming consoles report a NAT type — Open (Type 1/A), Moderate (Type 2/B), or Strict (Type 3/C). Open NAT allows all connections and is ideal. Strict NAT blocks most inbound connection attempts, causing matchmaking failures and preventing certain multiplayer modes.
What is double NAT?
Double NAT occurs when two routers each perform NAT between your device and the internet. It breaks port forwarding, peer-to-peer applications, and VPNs. The fix is to put the outer router into bridge mode so only one device performs NAT.
What is CGNAT?
CGNAT (Carrier-Grade NAT) is NAT performed by your ISP. Your router receives a private address from the 100.64.0.0/10 range instead of a real public IP. This makes inbound connections and port forwarding impossible without ISP assistance.
Does NAT provide security?
NAT provides incidental security by blocking unsolicited inbound connections — the NAT table only has entries for outbound sessions your devices initiated. However, NAT is not a deliberate firewall. A proper stateful firewall provides rule-based security; NAT's blocking behavior is a side effect of address translation.
Will IPv6 eliminate NAT?
Architecturally, yes. IPv6 provides enough addresses for every device to have a globally unique, directly routable address, making NAT unnecessary. Pure IPv6 networks use stateful firewalls for access control without any address translation.