Understanding NAT
How billions of devices share a limited pool of internet addresses.
Network Address Translation (NAT)
A method of mapping one IP address space into another by modifying network address information in packet headers while in transit. It allows multiple devices on a private network to share a single public IP address when accessing the internet.
Introduction
Every device that connects to the internet needs an IP address to communicate. When the internet was designed in the 1980s, the architects created IPv4, which provides roughly 4.3 billion unique addresses. At the time, that seemed like more than enough. They could not have predicted that by the 2020s, there would be over 15 billion connected devices worldwide.
This is where Network Address Translation, or NAT, comes in. NAT is the clever workaround that has kept the internet running despite the shortage of IPv4 addresses. It allows your entire household or office, with potentially dozens of devices, to share a single public IP address. Your router acts as a translator, swapping private addresses for public ones and keeping track of which responses belong to which device.
Think of NAT like an apartment building's mail system. The building has one street address (the public IP), but inside there are many individual units (private IPs). When you send a letter, the return address shows the building. When mail arrives, the mailroom knows which unit it belongs to based on the apartment number included in the address.
The IPv4 Address Crisis
To understand why NAT exists, you need to understand the problem it solves. An IPv4 address is a 32-bit number, typically written as four decimal numbers separated by dots (like 192.168.1.1). This gives us 2^32, or approximately 4.3 billion, possible addresses.
That sounds like a lot, but consider that large chunks are reserved for special purposes: private networks, multicast, loopback testing, and documentation. The actual pool of usable public addresses is closer to 3.7 billion. With the explosion of smartphones, IoT devices, and cloud services, we ran out of new IPv4 addresses to allocate in 2011 for Asia-Pacific, 2012 for Europe, and 2015 for North America.
[Interactive: IPv4 Exhaustion Timeline, showing how the 4.3 billion IPv4 addresses were consumed over time, from a handful of connected computers to exhaustion; not reproduced here.]
How NAT Works
When a device on your local network wants to communicate with a server on the internet, the process involves several steps. Your device creates a packet with its private IP address as the source. The router intercepts this packet, replaces the private source address with its own public IP address, and notes the translation in a table. When the server responds, the router looks up the translation and forwards the packet to the correct internal device.
The magic happens through port numbers. Even though multiple devices share one public IP, each connection uses a different source port number. The router keeps track of which internal device is associated with which external port. This combination of IP address and port creates a unique identifier for each connection.
The NAT Table
The NAT table is the brain of the translation process. Every time an outgoing connection is made, the router creates an entry that maps the internal address and port to an external port. This table is what allows responses to find their way back to the correct device.
Entries in the NAT table are temporary. They typically expire after a period of inactivity (often 2-5 minutes for UDP and longer for TCP connections). This is important for security and resource management, as it prevents the table from growing indefinitely.
[Interactive: NAT Table Viewer, showing table entries appear as simulated devices send requests; not reproduced here.]
Types of NAT
Not all NAT implementations work the same way. There are several types, each with different trade-offs between simplicity, security, and compatibility. Understanding these differences is particularly important for applications that need to receive incoming connections, such as video calls, online games, or peer-to-peer file sharing.
Port Address Translation (PAT) is the most common type, used by virtually all home routers. Multiple private addresses share a single public IP, distinguished by unique port numbers.
Port Forwarding
By default, NAT blocks incoming connections because there is no entry in the NAT table for unsolicited traffic. But what if you want to run a web server, game server, or access your home computer remotely? This is where port forwarding comes in.
Port forwarding creates a permanent rule that says "any traffic arriving on port X should be forwarded to internal device Y on port Z." It is like telling the apartment building's mailroom to always deliver packages addressed to "Apt 80" to unit 100. The rule persists even when no active connection exists.
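As an added example, not part of the original page and not any router's actual implementation, the following Python simulation ties together the NAT table described earlier and port forwarding: a PAT router that allocates a public port for each outbound connection, expires idle entries, lets replies back through, drops unsolicited traffic, and admits unsolicited traffic only on ports that have a static forwarding rule. All addresses, ports and timeout values are constructed for illustration.

```python
"""Minimal PAT router simulation (added example, not real router code).

Addresses use RFC 5737 documentation ranges; ports and timeouts are
constructed values chosen to match the page's description.
"""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.5"   # the router's single public address (constructed)
UDP_IDLE_TIMEOUT = 120      # seconds; the page says UDP entries expire after 2-5 minutes
TCP_IDLE_TIMEOUT = 7200     # seconds; TCP entries live longer (assumed value)


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """Port Address Translation: many private (ip, port) pairs share one public IP."""

    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # NAT table. Key: (proto, private_ip, private_port, remote_ip, remote_port)
        # Value: (public_port, last_seen). Real devices differ in how much of the
        # remote endpoint they match, which is what the NAT "types" describe.
        self.table = {}
        # Static port-forwarding rules: (proto, public_port) -> (private_ip, private_port)
        self.forwards = {}

    def add_port_forward(self, proto, public_port, private_ip, private_port):
        self.forwards[(proto, public_port)] = (private_ip, private_port)

    def _timeout(self, proto):
        return TCP_IDLE_TIMEOUT if proto == "tcp" else UDP_IDLE_TIMEOUT

    def expire(self, now):
        """Drop entries idle longer than their protocol's timeout; return how many."""
        stale = [k for k, (_, seen) in self.table.items()
                 if now - seen > self._timeout(k[0])]
        for k in stale:
            del self.table[k]
        return len(stale)

    def outbound(self, pkt, now):
        """Translate a LAN -> Internet packet, creating a table entry on first use."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.table:
            public_port = self.table[key][0]
        else:
            public_port = self.next_port
            self.next_port += 1
        self.table[key] = (public_port, now)
        return Packet(pkt.proto, self.public_ip, public_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt, now):
        """Translate an Internet -> LAN packet, or return None if it is dropped."""
        self.expire(now)
        # 1. A dynamic entry created by an earlier outbound packet lets the reply through.
        match = None
        for key, (pub_port, _) in self.table.items():
            proto, _priv_ip, _priv_port, rem_ip, rem_port = key
            if (proto, pub_port, rem_ip, rem_port) == (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port):
                match = key
                break
        if match is not None:
            self.table[match] = (self.table[match][0], now)   # refresh idle timer
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, match[1], match[2])
        # 2. A static forwarding rule admits unsolicited traffic to one internal service.
        rule = self.forwards.get((pkt.proto, pkt.dst_port))
        if rule is not None:
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, rule[0], rule[1])
        # 3. Anything else has no table entry and no rule: dropped.
        return None


def run_scenario():
    """Walk through the cases the page describes; returns the translated packets."""
    router = PatRouter()
    router.add_port_forward("tcp", 8080, "192.168.1.10", 80)   # internal web server
    # Two LAN hosts using the same source port still get distinct public ports.
    a = router.outbound(Packet("udp", "192.168.1.20", 5000, "198.51.100.9", 53), now=0)
    b = router.outbound(Packet("udp", "192.168.1.21", 5000, "198.51.100.9", 53), now=0)
    # The DNS reply for host A finds its way back via the table.
    reply_a = router.inbound(Packet("udp", "198.51.100.9", 53, PUBLIC_IP, a.src_port), now=10)
    # Host B's reply arrives after the UDP idle timeout: entry expired, packet dropped.
    late = router.inbound(Packet("udp", "198.51.100.9", 53, PUBLIC_IP, b.src_port), now=500)
    # Unsolicited traffic to the forwarded port reaches the web server...
    fwd = router.inbound(Packet("tcp", "192.0.2.77", 51234, PUBLIC_IP, 8080), now=500)
    # ...but unsolicited traffic to any other port is dropped.
    dropped = router.inbound(Packet("tcp", "192.0.2.77", 51235, PUBLIC_IP, 22), now=500)
    return a, b, reply_a, late, fwd, dropped


if __name__ == "__main__":
    for label, pkt in zip(["a", "b", "reply_a", "late", "fwd", "dropped"], run_scenario()):
        print(f"{label}: {pkt}")
```

The scenario makes the security point of the surrounding text visible: only the forwarded port admits traffic that no internal host asked for, so every forwarding rule is a deliberate exposure of one internal service.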
[Interactive: Port Forwarding Simulator, showing how incoming traffic is routed to internal devices based on port forwarding rules; not reproduced here.]
Security: Port forwarding exposes internal services. Only forward trusted services.
NAT Traversal
Many modern applications need peer-to-peer connections: video calls, online gaming, file sharing. But when both peers are behind NAT, neither can initiate a connection to the other. This chicken-and-egg problem requires special techniques called NAT traversal.
The most common approaches are STUN (Session Traversal Utilities for NAT) and TURN (Traversal Using Relays around NAT). STUN helps peers discover their public IP and port mappings, while TURN provides a relay server for cases where direct connections are impossible.
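To make the STUN step concrete, here is an added Python example, not from the original page or any STUN library, that builds an RFC 5389 Binding Request and parses the XOR-MAPPED-ADDRESS attribute in the Binding Success Response. The server side is simulated in-process with a constructed observed address, so nothing is sent over the network; what the client learns is the public IP and port its NAT assigned to the request.

```python
"""STUN Binding Request / Response exchange (added example, RFC 5389 wire format).

The server is a fake in-process function; the address it "observes" is a
constructed value standing in for the NAT's public mapping.
"""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(transaction_id=None):
    """A 20-byte STUN header with no attributes: type, length, cookie, 96-bit ID."""
    tid = transaction_id or os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, tid)


def xor_mapped_address(ip, port):
    """Encode an IPv4 (ip, port) as an XOR-MAPPED-ADDRESS attribute."""
    xport = port ^ (MAGIC_COOKIE >> 16)                          # port XOR top 16 bits
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)          # reserved, family, port, addr
    return struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value


def fake_stun_server(request, observed_ip, observed_port):
    """What a real server does: echo the transaction ID and report the source
    (ip, port) it saw on the request, which is the NAT's public mapping."""
    msg_type, _length, cookie, tid = struct.unpack("!HHI12s", request[:20])
    if msg_type != BINDING_REQUEST or cookie != MAGIC_COOKIE:
        raise ValueError("not a STUN Binding Request")
    attrs = xor_mapped_address(observed_ip, observed_port)
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attrs), MAGIC_COOKIE, tid) + attrs


def parse_binding_response(response, expected_tid):
    """Return (ip, port) from XOR-MAPPED-ADDRESS, checking cookie and transaction ID."""
    msg_type, length, cookie, tid = struct.unpack("!HHI12s", response[:20])
    if cookie != MAGIC_COOKIE or tid != expected_tid or msg_type != BINDING_SUCCESS:
        raise ValueError("unexpected STUN response")
    body = response[20:20 + length]
    offset = 0
    while offset + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + alen]
        offset += 4 + ((alen + 3) // 4) * 4        # attribute values are padded to 4 bytes
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            _reserved, family, xport, xaddr = struct.unpack("!BBHI", value)
            if family != 0x01:                     # only IPv4 handled here
                continue
            port = xport ^ (MAGIC_COOKIE >> 16)
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, port
    raise ValueError("no XOR-MAPPED-ADDRESS in response")


def discover_mapping(observed_ip="203.0.113.5", observed_port=40000):
    """End-to-end exchange: the peer learns the public (ip, port) its NAT assigned."""
    tid = os.urandom(12)
    request = build_binding_request(tid)
    response = fake_stun_server(request, observed_ip, observed_port)   # constructed view
    return parse_binding_response(response, tid)


if __name__ == "__main__":
    print("public mapping:", discover_mapping())
```

The XOR encoding exists because some NAT devices rewrite any byte sequence that looks like their own public address inside packet payloads; XORing with the magic cookie keeps the reported address from being mangled in transit.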
[Interactive: NAT Traversal Methods. STUN: both peers discover their public IP addresses via a STUN server; not reproduced here.]
[Interactive: NAT Compatibility Explorer, showing how different NAT type combinations affect peer-to-peer connectivity. Example state: both peers can connect directly; STUN helps discover public addresses, then the peers communicate without intermediaries. Not reproduced here.]
Security Implications
NAT was designed for address conservation, not security, but it does provide a useful side effect: devices behind NAT are shielded from unsolicited incoming connections. An attacker scanning the internet cannot directly reach your internal devices because there is no NAT table entry for their traffic.
However, NAT should not be confused with a firewall. It does not inspect traffic content, block malware, or prevent internal devices from connecting to malicious servers. Once an internal device initiates a connection (perhaps by clicking a phishing link), the NAT table opens a path for the attacker's response. True security requires additional layers: firewalls, intrusion detection, and good security practices.
NAT can also complicate security monitoring and incident response. When multiple devices share one public IP, logs from external services show only that IP, making it harder to identify which internal device performed a particular action. Organizations often deploy additional logging at the NAT device to maintain accountability.
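The accountability problem in the last paragraph is easiest to see with a worked correlation. The following Python is an added example, not from the original page: given constructed NAT translation logs (the OPEN/CLOSE line format is an assumption, not any vendor's real format) and the public IP:port, destination and timestamp that an external service reported, it finds the internal host that held that mapping at that moment. It also shows why the timestamp is essential: the same public port is reused by a different host a few minutes later.

```python
"""Attribute an external report back to an internal host via NAT logs (added example).

Log lines and the OPEN/CLOSE format are constructed for this example.
"""
import re
from datetime import datetime

# Constructed NAT device log: note public port 40017 is reused by 192.168.1.22
# after 192.168.1.20's session closes.
NAT_LOG = """
2024-05-01T10:15:02Z NAT OPEN  proto=tcp src=192.168.1.20:51844 dst=198.51.100.9:443 ext=203.0.113.5:40017
2024-05-01T10:15:05Z NAT OPEN  proto=tcp src=192.168.1.21:51902 dst=198.51.100.9:443 ext=203.0.113.5:40018
2024-05-01T10:16:40Z NAT CLOSE proto=tcp src=192.168.1.20:51844 dst=198.51.100.9:443 ext=203.0.113.5:40017
2024-05-01T10:20:00Z NAT OPEN  proto=tcp src=192.168.1.22:50001 dst=198.51.100.9:443 ext=203.0.113.5:40017
""".strip().splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) NAT (?P<event>OPEN|CLOSE)\s+proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+:\d+) dst=(?P<dst>[\d.]+:\d+) ext=(?P<ext>[\d.]+:\d+)$"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def build_sessions(lines):
    """Pair OPEN/CLOSE events into (start, end, proto, src, dst, ext) records.
    A session with no CLOSE is treated as still open (end=None)."""
    open_sessions = {}
    sessions = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                                  # ignore unrelated log formats
        key = (m["proto"], m["src"], m["dst"], m["ext"])
        ts = parse_ts(m["ts"])
        if m["event"] == "OPEN":
            open_sessions[key] = ts
        else:
            start = open_sessions.pop(key, None)
            if start is not None:
                sessions.append((start, ts, *key))
    for key, start in open_sessions.items():
        sessions.append((start, None, *key))
    return sessions


def attribute(sessions, when, proto, ext, dst):
    """Which internal src:port held public mapping `ext` toward `dst` at time `when`?"""
    hits = [s for s in sessions
            if s[2] == proto and s[5] == ext and s[4] == dst
            and s[0] <= when and (s[1] is None or when <= s[1])]
    return sorted({s[3] for s in hits})


def investigate(report_time, ext="203.0.113.5:40017", dst="198.51.100.9:443", proto="tcp"):
    """Answer: an external service reported activity from `ext` at `report_time`."""
    return attribute(build_sessions(NAT_LOG), parse_ts(report_time), proto, ext, dst)


if __name__ == "__main__":
    for t in ("2024-05-01T10:15:30Z", "2024-05-01T10:18:00Z", "2024-05-01T10:21:00Z"):
        print(t, "->", investigate(t))
```

Without the timestamp the same query would return two candidate hosts for port 40017, which is exactly the ambiguity the text describes; the NAT device's own translation log, with accurate clocks on both sides, is what resolves it.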
IPv6 and the Future
IPv6, with its 128-bit addresses providing 340 undecillion unique addresses, was designed to eliminate the need for NAT. In theory, every device could have its own globally routable address, restoring the internet's original end-to-end connectivity model.
In practice, the transition has been slow. As of 2024, IPv6 adoption hovers around 40-45% globally, with significant variation by country and network. Many networks run "dual stack," supporting both IPv4 and IPv6 simultaneously. NAT continues to be necessary for IPv4 connectivity and will likely remain relevant for years to come.
Interestingly, some organizations deploy NAT66 (NAT for IPv6) despite having abundant addresses, primarily for privacy (hiding internal network structure) or for multihoming (connecting to multiple ISPs). The security-through-obscurity benefits that NAT accidentally provided have made some network administrators reluctant to give it up entirely.
Carrier-Grade NAT (CGNAT)
As IPv4 addresses became scarcer, some Internet Service Providers began deploying NAT at the network level, not just in customer routers. This is called Carrier-Grade NAT or Large-Scale NAT. With CGNAT, your home router gets a private address from the ISP, which then translates it to a public address shared among many customers.
This creates a double NAT situation: your device is translated by your home router, and then again by the ISP's CGNAT device. While this extends the life of IPv4, it makes hosting services nearly impossible and can cause issues with some applications that were not designed to work through multiple layers of translation.
Key Takeaways
1. NAT allows multiple devices to share a single public IP address by translating between private and public addresses using port numbers.
2. The NAT table tracks active connections, mapping internal address:port pairs to external ports so responses can find their way back.
3. NAT types vary in strictness, affecting peer-to-peer connectivity. Full Cone is most permissive; Symmetric is most restrictive.
4. Port forwarding creates permanent rules to allow incoming connections to specific internal services like web servers or game servers.
5. NAT traversal techniques like STUN and TURN enable peer-to-peer applications to work despite NAT barriers.
6. IPv6 was designed to eliminate NAT, but the transition is ongoing and NAT remains essential for IPv4 connectivity.