Networking and Protocols

NAT

Address and port translation that lets many private hosts share fewer public IPv4 addresses.

Where you will see it: Shows up in packet captures, network diagrams, firewall rules, and system or network logs.

What it is

NAT (Network Address Translation) is a mechanism where a device rewrites packet headers to map one address realm to another, typically private IPv4 to public IPv4. The common home router behavior is port address translation, where many internal flows share one public address.

Key points
  • Creates mappings in a translation table as flows go out.
  • Replies are matched to those mappings and translated back in.
  • Breaks end to end addressing, which impacts some protocols and makes logging important.

How it works in broad strokes

  1. An internal host initiates an outbound connection to an Internet destination.
  2. The NAT device creates a mapping that ties the internal source IP and port to an external public IP and a chosen external port.
  3. The NAT rewrites the packet's source address and often the source port, then forwards it to the Internet.
  4. When the reply comes back to the public IP and external port, the NAT looks up the mapping and rewrites the destination back to the internal host.
  5. Mappings are kept for a limited time and are refreshed by traffic. When they expire, new inbound packets will be dropped.
  6. Inbound initiated connections require explicit configuration like port forwarding or static mappings.
  7. At large scale, ISPs may run carrier grade NAT, which adds another translation layer and complicates traceability.

Concrete example

At home, your laptop opens a TCP connection to a website. Your router rewrites your private source address to its public address and picks an unused external port. The website replies to that public IP and port, and the router translates it back to your laptop.

Why it matters

IPv4 addresses are scarce. NAT allows private networks to use non routable addresses internally while still accessing the Internet through one or a few public addresses. It also simplifies internal renumbering because internal addresses are decoupled from external ones.

Security angle

  • NAT provides some incidental shielding by blocking unsolicited inbound traffic, but do not rely on it for security policy.
  • For investigations, NAT logs can be critical to map a public IP and port back to an internal device.
  • Double NAT and CGNAT can hide clients and complicate allow listing and rate limiting on public services.

Common pitfalls

  • Assuming NAT is a firewall. Many NAT devices also firewall, but NAT alone is not a security control.
  • Protocols that embed IP addresses or ports in payloads can break unless an application layer gateway rewrites them.
  • Short NAT timeouts can break idle but valid sessions, especially for UDP.
  • Carrier grade NAT can cause port exhaustion and makes attribution and debugging harder.
  • Logging becomes essential because external observers only see the public address, not the internal host.
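The attribution task from the security angle and pitfalls bullets above, as an added example that is not part of the original page: an external service reports a public ip:port and a time, and the NAT session log is used to recover the internal host. The log format, addresses and times are constructed; real devices log in vendor specific formats.

```python
# Added example (not from the original page): map a public ip:port seen by an external
# service back to the internal host using NAT session logs. The log format, addresses and
# times are constructed; real devices log in vendor-specific formats.
import re
from datetime import datetime, timezone

# Constructed log: external port 40000 is reused by a second host after the first
# mapping ends, so attribution is only meaningful together with a timestamp.
NAT_LOG = """\
2024-05-01T10:00:00Z start proto=tcp int=192.168.1.10:51000 ext=203.0.113.7:40000 dst=198.51.100.5:443
2024-05-01T10:03:12Z end   proto=tcp int=192.168.1.10:51000 ext=203.0.113.7:40000 dst=198.51.100.5:443
2024-05-01T10:05:00Z start proto=tcp int=192.168.1.11:49152 ext=203.0.113.7:40000 dst=198.51.100.5:443
2024-05-01T10:09:40Z end   proto=tcp int=192.168.1.11:49152 ext=203.0.113.7:40000 dst=198.51.100.5:443
"""
LINE = re.compile(r"(\S+) (start|end)\s+proto=(\w+) int=(\S+) ext=(\S+) dst=(\S+)")


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_sessions(log):
    """Pair start/end lines into completed sessions: (int, ext, dst, start, end)."""
    pending, sessions = {}, []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not translation events
        ts, event, proto, internal, ext, dst = m.groups()
        key = (proto, internal, ext, dst)
        if event == "start":
            pending[key] = parse_ts(ts)
        elif key in pending:
            sessions.append((internal, ext, dst, pending.pop(key), parse_ts(ts)))
    return sessions


def attribute(sessions, ext, seen_at):
    """Internal endpoints whose mapping for `ext` was live at ISO time `seen_at`."""
    t = parse_ts(seen_at)
    return [s[0] for s in sessions if s[1] == ext and s[3] <= t <= s[4]]


def candidates(sessions, ext):
    """Every internal endpoint that ever used `ext`: what you get without a timestamp."""
    return sorted({s[0] for s in sessions if s[1] == ext})
```

Without the timestamp, `candidates` returns both hosts that ever held port 40000; with it, `attribute` narrows to one, or to none if the observation falls outside every mapping lifetime.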

DEEP DIVE

The basic mechanism: a translation table

In its most common form, NAT is actually NAPT: many private hosts share one public IP by using different source ports. When an internal host sends a packet to the internet, the NAT device creates a mapping from the internal tuple to an external tuple. It then rewrites the packet's source IP and often the source port before forwarding it.

The mapping is stored in a translation table with timeouts. When the response comes back to the public IP and port, the NAT device looks up the mapping and rewrites the destination back to the internal host and port. For outbound initiated flows, this works smoothly and is mostly invisible to users.

This table driven behavior is why NAT feels stateful. It is not just rewriting headers. It is remembering which internal conversation corresponds to which external port so that replies can be demultiplexed correctly.
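The translation table described in the steps above and in this section, as an added example that is not code from the original page: a toy NAPT that creates mappings on outbound flows, translates replies back, drops unsolicited and expired inbound packets, and honors a static port forward. The public address, private hosts and the 30 second idle timeout are constructed values.

```python
# Added example (not from the original page): a toy NAPT translation table showing how
# outbound flows create mappings, replies are translated back, unsolicited or expired
# inbound packets are dropped, and a static port forward admits inbound connections.
# Addresses and the 30-second idle timeout are constructed values, not a vendor default.
from collections import namedtuple

PUBLIC_IP = "203.0.113.7"
IDLE_TIMEOUT = 30  # seconds a mapping survives without traffic
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")


class Napt:
    def __init__(self, static_forwards=None):
        self.table = {}                            # ext_port -> [int_ip, int_port, last_seen]
        self.static = dict(static_forwards or {})  # ext_port -> (int_ip, int_port)
        self.next_port = 40000                     # next unused external port

    def outbound(self, pkt, now):
        """Rewrite source to PUBLIC_IP:ext_port, creating or refreshing the mapping."""
        for ext, entry in self.table.items():
            if entry[:2] == [pkt.src_ip, pkt.src_port] and now - entry[2] <= IDLE_TIMEOUT:
                entry[2] = now                     # traffic refreshes the timer
                return Packet(PUBLIC_IP, ext, pkt.dst_ip, pkt.dst_port)
        ext, self.next_port = self.next_port, self.next_port + 1
        self.table[ext] = [pkt.src_ip, pkt.src_port, now]
        return Packet(PUBLIC_IP, ext, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt, now):
        """Translate a packet arriving at PUBLIC_IP; return (packet_or_None, reason)."""
        if pkt.dst_port in self.static:            # explicit port forward
            ip, port = self.static[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, ip, port), "forwarded"
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None, "no mapping"              # unsolicited inbound: dropped
        if now - entry[2] > IDLE_TIMEOUT:
            del self.table[pkt.dst_port]
            return None, "expired"                 # mapping timed out: dropped
        entry[2] = now
        return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1]), "translated"


def demo():
    nat = Napt(static_forwards={8443: ("192.168.1.20", 443)})
    a = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.5", 443), now=0)
    b = nat.outbound(Packet("192.168.1.11", 51000, "198.51.100.5", 443), now=1)
    reply = nat.inbound(Packet("198.51.100.5", 443, PUBLIC_IP, a.src_port), now=2)
    probe = nat.inbound(Packet("198.51.100.9", 4444, PUBLIC_IP, 45000), now=2)
    fwd = nat.inbound(Packet("198.51.100.9", 4444, PUBLIC_IP, 8443), now=2)
    late = nat.inbound(Packet("198.51.100.5", 443, PUBLIC_IP, b.src_port), now=100)
    return a, b, reply, probe, fwd, late
```

Two hosts using the same private source port get distinct external ports, and the reason string returned by `inbound` separates the failure cases a debugger cares about: no mapping at all versus a mapping that existed but timed out.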

Why inbound connections are different

If a connection starts from the internet side, there is no existing mapping, so the NAT device has no idea which internal host should receive it. That is why you need port forwarding or a static mapping for inbound services like self hosted servers or remote desktop.

Some NATs support hairpinning, which lets an internal host reach another internal host using the public address. Others do not. This can create confusing cases where a service works from outside but not from inside, or vice versa.

Different mapping behaviors also matter for peer to peer connectivity. Some NATs create the same external mapping regardless of destination (endpoint independent mapping), while others vary the mapping per destination (address dependent mapping). The more restrictive behavior makes it harder for two peers behind NATs to find a path to each other without help.

Mapping and filtering are separate behaviors

It helps to separate mapping from filtering. Mapping answers: what external address and port does this internal flow use? Filtering answers: which inbound packets are allowed back through that mapping? These choices affect whether UDP hole punching works, whether games can host sessions, and whether VoIP calls connect reliably.

The IETF has documented recommended behaviors for NAT handling of UDP so applications can make fewer assumptions and still work consistently. Even with recommendations, real deployments vary widely, which is why NAT traversal techniques exist at all.

When you debug NAT issues, ask three questions. Did the mapping exist? Was it still alive, or had it timed out? Did the firewall policy allow the return traffic? You can often pinpoint the failure by observing whether the outbound packet left and whether any inbound response reached the edge.

Side effects and security misconceptions

NAT breaks the pure end to end model of the internet. Protocols that embed IP addresses or ports inside payloads can fail unless an application level gateway rewrites those payloads too. This is why some legacy protocols are fragile behind NAT.

People sometimes claim that NAT is a security control. It can reduce unsolicited inbound traffic by default, but that is a side effect of stateful filtering, not a security guarantee. Malware can still connect outward and receive responses, and misconfigured port forwards can expose services directly.

A better framing is that NAT is an address and policy tool. Real security comes from explicit firewall rules, strong authentication, segmentation, and patching, whether or not NAT is present.