NAT
Network Address Translation
How your router lets multiple devices share a single public IP address.
NAT (Network Address Translation) allows multiple devices on your home network to share a single public IP address. Your router translates outgoing requests (replacing the private device IP with the public IP) and maps incoming responses back to the correct device. Without NAT, every device would need its own public IP — which is why IPv4 address exhaustion would otherwise be catastrophic.
Why NAT was created
IPv4 provides approximately 4.3 billion unique addresses — far fewer than the number of internet-connected devices in the world. NAT was introduced as a stopgap in the 1990s (RFC 1631, later updated in RFC 3022) to allow many devices to share a single public IP address. A typical home network uses private IP addresses in the 192.168.x.x range (RFC 1918) for all internal devices, while the router holds one public IP address assigned by the ISP. NAT at the router boundary translates between the two address spaces, extending the useful life of the IPv4 address pool by orders of magnitude.
How NAT works step by step
When a device on your home network initiates a connection to an internet server, the router's NAT process works as follows:
- Your device (192.168.1.5, port 54321) sends a TCP SYN packet to a web server (93.184.216.34, port 443)
- The router rewrites the source address to its public IP (e.g., 203.0.113.10) and assigns a new source port from its available pool (e.g., port 12345), creating a NAT table entry: 192.168.1.5:54321 ↔ 203.0.113.10:12345
- The modified packet is sent to the server, which sees only the router's public IP and the translated port
- When the server responds, it sends the reply to 203.0.113.10:12345
- The router consults its NAT table, rewrites the destination back to 192.168.1.5:54321, and forwards the packet to the correct device on the local network
This process is called PAT (Port Address Translation) or NAPT, and it is what virtually all home routers perform. The NAT table entries expire after a configurable idle timeout (typically 30 seconds for UDP, several minutes for TCP).
Types of NAT
- Full cone NAT: Once a mapping is created (internal IP:port → external IP:port), any external host can send packets to the external port and they will be forwarded to the internal device. The most permissive type — peer-to-peer applications work easily.
- Address-restricted cone NAT: External traffic is only forwarded if the internal device previously sent a packet to that external IP address. The external port does not matter.
- Port-restricted cone NAT: External traffic is only forwarded if the internal device previously sent a packet to that specific external IP:port combination. More restrictive than address-restricted.
- Symmetric NAT: A different external port is assigned for each unique destination IP:port combination. This breaks most peer-to-peer protocols because the external port cannot be predicted by the remote peer. Common in enterprise and CGNAT deployments.
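The following is an added example, not code from the original page: a small NAPT simulator that runs the step-by-step flow above (192.168.1.5:54321 to 93.184.216.34:443 through 203.0.113.10:12345), applies each of the four inbound-filtering behaviours just listed, expires idle entries, and drops an unsolicited inbound packet that has no table entry. The class and function names, the idle timeouts and the second peer address 198.51.100.7 are assumptions made for the example; real routers keep this table in the forwarding engine rather than in Python dictionaries.

```python
# Added example (not from the page): a minimal NAPT simulator. Assumes UDP-style
# per-packet translation; the public IP, ports and timeouts are constructed values.
from dataclasses import dataclass, field

FULL_CONE, ADDR_RESTRICTED, PORT_RESTRICTED, SYMMETRIC = range(4)

@dataclass
class Mapping:
    int_ip: str
    int_port: int
    ext_port: int
    peers: set = field(default_factory=set)  # (dst_ip, dst_port) pairs the device sent to
    last_seen: float = 0.0

class Napt:
    def __init__(self, public_ip, behaviour=PORT_RESTRICTED, idle_timeout=30.0, first_port=12345):
        self.public_ip = public_ip
        self.behaviour = behaviour
        self.idle_timeout = idle_timeout
        self.next_port = first_port          # next free port in the router's pool
        self.by_ext_port = {}                # ext_port -> Mapping
        self.by_internal = {}                # translation key -> Mapping

    def _key(self, int_ip, int_port, dst_ip, dst_port):
        # Symmetric NAT allocates a fresh external port per destination; cone NATs
        # reuse one external port for every destination the internal endpoint talks to.
        if self.behaviour == SYMMETRIC:
            return (int_ip, int_port, dst_ip, dst_port)
        return (int_ip, int_port)

    def _expire(self, now):
        # Drop table entries that have been idle longer than the timeout.
        for port, m in list(self.by_ext_port.items()):
            if now - m.last_seen > self.idle_timeout:
                del self.by_ext_port[port]
                self.by_internal = {k: v for k, v in self.by_internal.items() if v is not m}

    def outbound(self, int_ip, int_port, dst_ip, dst_port, now=0.0):
        """Translate an outgoing packet; returns the (public_ip, ext_port) the server sees."""
        self._expire(now)
        key = self._key(int_ip, int_port, dst_ip, dst_port)
        m = self.by_internal.get(key)
        if m is None:                        # first packet of a flow: create the table entry
            m = Mapping(int_ip, int_port, self.next_port)
            self.next_port += 1
            self.by_internal[key] = m
            self.by_ext_port[m.ext_port] = m
        m.peers.add((dst_ip, dst_port))
        m.last_seen = now
        return self.public_ip, m.ext_port

    def inbound(self, src_ip, src_port, ext_port, now=0.0):
        """Translate an incoming packet; returns the internal (ip, port) or None if dropped."""
        self._expire(now)
        m = self.by_ext_port.get(ext_port)
        if m is None:
            return None                      # unsolicited: no table entry, packet is dropped
        if self.behaviour == ADDR_RESTRICTED and src_ip not in {ip for ip, _ in m.peers}:
            return None                      # device never sent to that IP
        if self.behaviour in (PORT_RESTRICTED, SYMMETRIC) and (src_ip, src_port) not in m.peers:
            return None                      # device never sent to that exact IP:port
        m.last_seen = now
        return m.int_ip, m.int_port

def worked_example():
    """The page's flow: 192.168.1.5:54321 -> 93.184.216.34:443 through 203.0.113.10."""
    nat = Napt("203.0.113.10", PORT_RESTRICTED, idle_timeout=300.0)   # TCP-like timeout
    ext = nat.outbound("192.168.1.5", 54321, "93.184.216.34", 443, now=0.0)   # SYN leaves
    reply = nat.inbound("93.184.216.34", 443, ext[1], now=1.0)                # SYN-ACK returns
    stray = nat.inbound("198.51.100.7", 443, ext[1], now=1.0)                 # unsolicited, dropped
    late = nat.inbound("93.184.216.34", 443, ext[1], now=400.0)               # entry has expired
    return ext, reply, stray, late

def inbound_allowed_by_type(src_ip, src_port):
    """After one outbound packet to 93.184.216.34:443, which NAT types admit a packet from src?"""
    results = {}
    for behaviour in (FULL_CONE, ADDR_RESTRICTED, PORT_RESTRICTED, SYMMETRIC):
        nat = Napt("203.0.113.10", behaviour)
        _, ext_port = nat.outbound("192.168.1.5", 54321, "93.184.216.34", 443)
        results[behaviour] = nat.inbound(src_ip, src_port, ext_port) is not None
    return results

def symmetric_vs_cone_ports():
    """External ports chosen for two destinations: cone reuses one, symmetric allocates two."""
    out = {}
    for behaviour in (FULL_CONE, SYMMETRIC):
        nat = Napt("203.0.113.10", behaviour)
        p1 = nat.outbound("192.168.1.5", 54321, "93.184.216.34", 443)[1]
        p2 = nat.outbound("192.168.1.5", 54321, "198.51.100.7", 443)[1]
        out[behaviour] = (p1, p2)
    return out
```

Calling `worked_example()` returns the translated endpoint, the delivered reply, and `None` twice: once for the stray packet from an address the device never contacted, once for the legitimate peer after the idle timeout has removed the entry. `inbound_allowed_by_type("93.184.216.34", 9999)` shows that a packet from the right host but a different port passes only full-cone and address-restricted NAT, and `symmetric_vs_cone_ports()` shows why a remote peer cannot predict a symmetric NAT's external port.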
NAT and gaming: open, moderate, and strict NAT types
Gaming consoles and matchmaking services use a simplified three-level classification. Open NAT (Type 1) means the device has a direct internet connection or a fully permissive NAT — all peer connections work. Moderate NAT (Type 2) means the device is behind a router with UPnP enabled or manual port forwarding; most peer connections work but some lobby features may be restricted when connecting to strict-NAT peers. Strict NAT (Type 3) means port-restricted or symmetric NAT with no port forwarding — the device can only connect to open NAT peers, causing matchmaking failures and lobby join errors in many games.
Double NAT and its problems
Double NAT occurs when two devices in series both perform NAT — typically an ISP-supplied modem-router (performing NAT between the WAN and its own LAN) and your personal router (performing NAT between its WAN port and your home devices). From your devices' perspective, there are two layers of address translation between them and the internet. Double NAT forces strict gaming NAT, breaks UPnP (since UPnP port mapping requests only reach the inner router, not the outer one), prevents port forwarding from working, and complicates VPN configurations. The fix is to set the ISP device to bridge mode or IP passthrough, so it passes the public IP directly to your router, leaving only one NAT layer.
NAT traversal: STUN, TURN, and ICE
Many applications need to establish direct peer-to-peer connections between two devices both sitting behind NAT — for example, a WebRTC video call or a VoIP call. Since neither device has an inbound-reachable address, they use NAT traversal techniques. STUN (Session Traversal Utilities for NAT) allows a device to discover its own public IP:port as seen from outside its NAT, and to keep NAT mappings alive with keepalive packets. If both peers learn their public endpoints via STUN and exchange them out of band, they attempt hole punching: each sends a packet to the other's public endpoint at roughly the same time, so that each NAT creates an outbound mapping that admits the other peer's packets. This works through cone NATs but generally fails when either side is behind symmetric NAT, because the external port differs for every destination. TURN (Traversal Using Relays around NAT) is the fallback when hole-punching fails — all media traffic is relayed through a TURN server, adding latency but guaranteeing connectivity. ICE (Interactive Connectivity Establishment) is the framework (used by WebRTC, SIP, and modern VoIP) that orchestrates the process: gather STUN candidates, attempt direct connection, fall back to TURN if needed.
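As an added example (not code from the page or from any STUN library), here is the STUN Binding exchange a client uses to learn its public endpoint: the 20-byte Binding Request it sends, and the parsing of the XOR-MAPPED-ADDRESS attribute in the server's Binding success response, as defined in RFC 5389. The server reply is constructed locally so the example runs offline; the function names and the endpoint 203.0.113.10:12345 are assumptions for illustration.

```python
# Added example (not from the page): STUN Binding request/response (RFC 5389), IPv4 only.
import os
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020

def build_binding_request(txid=None):
    """20-byte header, no attributes: type, length, magic cookie, 96-bit transaction ID."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txid)

def _xor_mapped_address(ip, port):
    """Encode an IPv4 endpoint as the XOR-MAPPED-ADDRESS value (port and address XORed with the cookie)."""
    x_port = port ^ (MAGIC_COOKIE >> 16)
    x_addr = int.from_bytes(bytes(int(o) for o in ip.split(".")), "big") ^ MAGIC_COOKIE
    return struct.pack("!BBHI", 0, 0x01, x_port, x_addr)   # reserved, family=IPv4, X-Port, X-Address

def build_binding_response(txid, ip, port):
    """What a STUN server sends back; constructed here so the example needs no network."""
    value = _xor_mapped_address(ip, port)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txid) + attr

def parse_binding_response(data, expected_txid):
    """Return (public_ip, public_port) from a Binding success response, or raise ValueError."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    msg_type, length, cookie, txid = struct.unpack("!HHI12s", data[:20])
    if cookie != MAGIC_COOKIE or msg_type != BINDING_SUCCESS:
        raise ValueError("not a STUN Binding success response")
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch (stale or spoofed reply)")
    body = data[20:20 + length]
    if len(body) != length:
        raise ValueError("truncated attributes")
    off = 0
    while off + 4 <= len(body):
        a_type, a_len = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + a_len]
        if a_type == ATTR_XOR_MAPPED_ADDRESS:
            _, family, x_port, x_addr = struct.unpack("!BBHI", value[:8])
            if family != 0x01:
                raise ValueError("only IPv4 is handled in this example")
            port = x_port ^ (MAGIC_COOKIE >> 16)
            ip = ".".join(str(b) for b in (x_addr ^ MAGIC_COOKIE).to_bytes(4, "big"))
            return ip, port
        off += 4 + ((a_len + 3) & ~3)   # attribute values are padded to 4-byte boundaries
    raise ValueError("no XOR-MAPPED-ADDRESS attribute")

def discover_public_endpoint(txid=b"\x01" * 12):
    """Full exchange with a simulated server whose view of this client is 203.0.113.10:12345."""
    request = build_binding_request(txid)
    assert len(request) == 20
    response = build_binding_response(txid, "203.0.113.10", 12345)   # simulated server reply
    return parse_binding_response(response, txid)
```

Against a real server, the bytes from `build_binding_request()` would be sent over UDP (STUN's default port is 3478) and the datagram that comes back passed to `parse_binding_response()` together with the same transaction ID; the ID check is what stops a late or forged reply from being accepted as this client's public endpoint. The XOR encoding exists because some NATs rewrite any byte sequence that looks like their own public address inside a payload, which would corrupt a plain MAPPED-ADDRESS.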
NAT vs firewall
NAT and a firewall are distinct functions, though home routers often perform both. NAT translates addresses — it has no concept of "allow" or "deny." A firewall applies policy rules to permit or block traffic based on source, destination, port, and state. The reason NAT incidentally provides some security is that unsolicited inbound packets have no matching NAT table entry and are simply dropped — but this is a side effect of stateful address translation, not an intentional security policy. A proper firewall provides explicit access control. You can have NAT without a firewall (unusual) or a firewall without NAT (common in IPv6 networks where every device has a public address).
NAT types (gaming context)
Gaming consoles and peer-to-peer applications classify NAT as:
- NAT Type 1 / Open — no router between you and the internet; full connectivity; rare on home networks
- NAT Type 2 / Moderate — behind a router with UPnP enabled; most features work; acceptable for gaming
- NAT Type 3 / Strict — behind a restrictive firewall; limits peer connections; causes lobby issues in games
Frequently Asked Questions
Does NAT affect internet speed?
Modern routers perform NAT in hardware at line rate — it does not meaningfully affect throughput on consumer connections. On very old routers with software NAT, you may see CPU bottlenecks above 100 Mbps.
What is double NAT?
Double NAT occurs when you have two routers in series, each performing NAT (e.g., an ISP modem-router and your own router). It causes strict NAT for gaming and can break UPnP. Fix it by putting the ISP device in bridge mode or enabling IP passthrough.