Every device in your home—laptop, phone, smart TV, game console—appears to the outside world as the same machine. This is a lie your router tells on your behalf. NAT is how it gets away with it.
A Problem That Couldn't Wait
IPv4 gave us 4.3 billion addresses for the entire Internet. By the early 1990s, it was obvious this wouldn't be enough. IPv6 promised a solution—340 undecillion addresses, enough for every atom on Earth to have a billion IPs—but deployment would take decades.
NAT emerged as the bridge. Not a fix, but a workaround. Instead of rationing addresses or forcing a new protocol, NAT let thousands of devices hide behind each public IP. The Internet kept growing. IPv6 kept waiting.
Three decades later, we're still waiting. NAT bought us time. We spent it building infrastructure around the workaround.
Translation as Sleight of Hand
Your laptop at 192.168.1.100 requests a webpage. The packet reaches your router, which performs a substitution: it replaces your private address with its public address (say, 203.0.113.5), notes the swap in a translation table, and forwards the packet.
When the server responds to 203.0.113.5, the router consults its table: "This reply belongs to 192.168.1.100." It reverses the translation and delivers the packet to your laptop.
From the server's perspective, it never spoke to your laptop. It spoke to 203.0.113.5. Your laptop believes it connected directly to the Internet. The intermediary stays invisible.
The Table That Remembers Everything
The NAT table is a running ledger of who asked for what. Each entry maps an internal address and port to an external address and port:
Without this table, return traffic is ambiguous. A packet arrives at 203.0.113.5—does it belong to your laptop, your phone, or your TV? All share the same public address.
The table tracks only active sessions. When a connection closes or times out, the entry disappears. This state management is NAT's power and its weakness: it enables address sharing but requires the router to remember every conversation passing through it.
Three Flavors of Translation
Static NAT creates permanent one-to-one mappings. Internal server 192.168.1.50 always translates to public IP 203.0.113.10. Useful for servers that need stable addresses, but it defeats address conservation—each device still needs its own public IP.
Dynamic NAT maintains a pool of public IPs. When a device initiates a connection, it gets an address from the pool. When the session ends, the address returns. Better than static, but still limited by pool size.
PAT (Port Address Translation) is what actually runs in your home router. It translates both addresses and ports. Your laptop connects on port 54321. Your phone uses the same port. The router assigns different external ports—62000 for your laptop, 62001 for your phone—and tracks which is which.
Since each IP supports 65,535 ports, PAT can juggle tens of thousands of connections through a single public address. This is how your household shares one IP.
What NAT Costs
NAT conserved addresses. It also broke the Internet's founding promise: any device can talk to any other device.
Devices behind NAT can't receive unsolicited connections. You can call out. You can't be called. The server-client model works fine. Peer-to-peer doesn't.
Protocols that embed IP addresses in their payload—FTP, SIP, certain VPNs—break when passing through NAT. Application Layer Gateways try to fix this by rewriting packet contents, but they're fragile and protocol-specific.
NAT routers must remember every active connection. Unlike stateless routers that simply forward packets, NAT devices are vulnerable to state-exhaustion attacks: flood them with connection requests, overflow the table, crash the router.
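The translation described above, from the outbound address swap and the reverse lookup to dropping unsolicited inbound packets and forgetting idle sessions, as an added example in Python (not code from the original article; the addresses are constructed). The table has a fixed capacity so that the state-exhaustion problem just described shows up in miniature: once it is full, new flows are refused.

```python
from dataclasses import dataclass

# Constructed example addresses: RFC 1918 private space and the RFC 5737 203.0.113.0/24 documentation range.
PUBLIC_IP = "203.0.113.5"

@dataclass
class Entry:
    internal: tuple        # (private ip, private port)
    external_port: int
    last_seen: float       # when this flow last carried a packet

class PatTable:
    """Toy PAT ledger: many private (ip, port) pairs share one public IP, told apart by external port."""
    def __init__(self, max_entries=1024, idle_timeout=300.0, first_port=62000):
        self.max_entries, self.idle_timeout = max_entries, idle_timeout
        self.next_port = first_port
        self.by_internal = {}   # (private ip, private port) -> Entry
        self.by_external = {}   # external port -> Entry

    def outbound(self, src_ip, src_port, now):
        """Translate a packet leaving the LAN. Returns (public ip, external port), or None when the table is full."""
        self.expire(now)
        entry = self.by_internal.get((src_ip, src_port))
        if entry is None:
            if len(self.by_internal) >= self.max_entries:
                return None   # state exhausted: a flood of new flows leaves no room for legitimate ones
            entry = Entry((src_ip, src_port), self.next_port, now)
            self.next_port += 1
            self.by_internal[entry.internal] = entry
            self.by_external[entry.external_port] = entry
        entry.last_seen = now
        return PUBLIC_IP, entry.external_port

    def inbound(self, dst_port, now):
        """Reverse the translation for a reply. Unsolicited packets match no entry and are dropped (None)."""
        self.expire(now)
        entry = self.by_external.get(dst_port)
        if entry is None:
            return None
        entry.last_seen = now
        return entry.internal

    def expire(self, now):
        """Forget idle flows so the table tracks only active sessions."""
        stale = [e for e in self.by_internal.values() if now - e.last_seen > self.idle_timeout]
        for e in stale:
            del self.by_internal[e.internal]
            del self.by_external[e.external_port]
```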
The Peer-to-Peer Problem
Two devices both behind NAT face a dilemma: neither can accept incoming connections. How do they talk?
They can't. Not directly.
STUN lets a device discover its public IP and port by contacting an external server. If both peers share their discovered addresses, they can sometimes punch a hole through NAT—exploiting its behavior to sneak past the firewall.
TURN admits defeat. A relay server forwards traffic between the two devices. It works reliably but routes everything through a third party.
ICE tries multiple approaches in sequence—direct connection, STUN, TURN—using whatever works.
These techniques work most of the time. But "most" isn't "all." Symmetric NAT (common in corporate networks) and carrier-grade NAT (where ISPs add another layer of translation) break hole-punching entirely. When STUN fails, applications fall back to relay servers.
The workaround needed workarounds.
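How a device learns the public address and port NAT has given it, the STUN step described above, as an added example (not part of the original article): it builds an RFC 5389 Binding request and decodes the XOR-MAPPED-ADDRESS attribute from the server's response, checking the transaction ID so a stray packet cannot be mistaken for the answer. The server-side builder is included only to construct a sample response offline; the addresses are constructed.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442                  # fixed value in every RFC 5389 message
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
XOR_MAPPED_ADDRESS = 0x0020

def build_binding_request(transaction_id=None):
    """20-byte STUN header: type, body length, magic cookie, 96-bit transaction ID."""
    tid = transaction_id or os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, tid)

def parse_xor_mapped_address(response, expected_tid):
    """Return the (public ip, public port) the server saw, or None if the reply is not ours or lacks the attribute."""
    if len(response) < 20:
        return None
    msg_type, length, cookie, tid = struct.unpack("!HHI12s", response[:20])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE or tid != expected_tid:
        return None   # wrong type, not STUN, or a reply to some other transaction
    body, off = response[20:20 + length], 0
    while off + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + attr_len]
        if attr_type == XOR_MAPPED_ADDRESS and len(value) == 8 and value[1] == 0x01:  # family 0x01 = IPv4
            xport, xaddr = struct.unpack("!HI", value[2:8])
            port = xport ^ (MAGIC_COOKIE >> 16)                       # port is XORed with the cookie's top 16 bits
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))  # address with the whole cookie
            return ip, port
        off += 4 + ((attr_len + 3) & ~3)   # attributes are padded to 4-byte boundaries
    return None

def build_binding_success(tid, ip, port):
    """Server side, used here only to construct a sample response for offline testing."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, tid) + attr
```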
The Forever Workaround
IPv6 deployment has finally reached real scale—about 45% of traffic to Google now uses IPv6, with countries like France, Germany, and India exceeding 70%. But IPv4 and NAT remain entrenched. Entire architectures assume NAT: mobile apps expect to connect to servers, not peer devices. Cloud services centralize traffic through data centers rather than enabling direct communication.
NAT was supposed to be temporary. It became infrastructure. It didn't just extend IPv4's life—it changed what we thought the Internet was for. The transition away requires not just adopting IPv6, but rethinking application design.
NAT is the invisible translator making your multi-device home possible. A hack that worked so well we forgot it was a hack. We'll keep using it until something finally replaces the thing it was never meant to replace.