NAT (Network Address Translation)

What Is NAT

NAT (Network Address Translation) is a technology that translates between private IP addresses and public IP addresses. Multiple devices connected to a home router (smartphones, PCs, game consoles, etc.) each have a private IP address (such as 192.168.1.x), but when accessing the internet, the router's NAT function translates them to a single public IP address.

NAT is an important technology for mitigating IPv4 address exhaustion. By allowing dozens of devices to share a single public IP address, it enables efficient use of the limited IPv4 address space.

Types of NAT and NAPT

Static NAT
Maps a private IP to a public IP on a fixed one-to-one basis. Used for hosting servers. Does not save addresses.
Dynamic NAT
Dynamically assigns a public IP address from a pool during communication. Limited by the number of addresses in the pool.
NAPT (PAT)
Translates both IP addresses and port numbers, allowing tens of thousands of simultaneous connections to share a single public IP. The standard method for home routers.

What is commonly called "NAT" is in most cases actually NAPT (Network Address Port Translation). By utilizing port numbers, a single public IP address can theoretically handle 65,535 simultaneous connections.

Problems with CGNAT

CGNAT (Carrier-Grade NAT) is large-scale NAT performed at the ISP level. As IPv4 address exhaustion has worsened, more ISPs assign private IP addresses (100.64.0.0/10) to subscribers and perform NAT on the ISP side.

CGNAT environments cause the following problems.

  • Port forwarding is impossible: You cannot host a home server or host online game sessions.
  • IP address sharing: Hundreds to thousands of users share the same IP address, reducing GeoIP accuracy and creating a risk of being caught up in IP-based access restrictions.
  • P2P communication limitations: Establishing P2P connections for video calls or file sharing may become difficult.

To avoid CGNAT, you can request a static IP option from your ISP or switch to an IPv6 IPoE connection.

NAT in the IPv6 Era

With IPv6, each device is assigned a global address, so NAT for address translation is in principle no longer needed. This eliminates the problems NAT caused, such as the hassle of port forwarding, P2P communication issues, and application compatibility problems.

However, some organizations deploy NAT66 (IPv6-to-IPv6 NAT) even in IPv6 environments for security purposes. While it can hide the internal network's address structure from the outside, it undermines IPv6's design philosophy of end-to-end communication, so controlling access with a firewall is the recommended alternative.

We are currently in a transitional period where IPv4 and IPv6 coexist, and knowledge of NAT remains important. NAT table inspection and understanding of port mapping are essential for network troubleshooting.

Common Misconceptions

NAT is a security feature
While NAT has the side effect of blocking direct external access, it is not a technology designed for security. NAT is a mechanism for address translation and is not a substitute for proper firewall rules.
NAT protects you from external attacks
Even behind NAT, you are vulnerable to attacks that originate from internal-to-external communication, such as malware downloads, phishing, and DNS-based attacks. If UPnP is enabled, malware can also automatically open ports.
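
The Python model below is an added example, not code from the original page: a simplified NAPT table that shows why NAT's blocking of inbound traffic is only a side effect of a missing table entry, not a policy decision. The class and function names are hypothetical, the addresses are constructed, and the model ignores the remote endpoint and timeouts that real routers also track.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # constructed: documentation-range stand-in for the router's WAN IP

@dataclass
class Napt:
    next_port: int = 40000
    out: dict = field(default_factory=dict)   # (priv_ip, priv_port, proto) -> public port
    back: dict = field(default_factory=dict)  # (public port, proto) -> (priv_ip, priv_port)

    def outbound(self, priv_ip, priv_port, proto="tcp"):
        """Translate an internal-to-external packet, creating a mapping if needed."""
        key = (priv_ip, priv_port, proto)
        if key not in self.out:
            if self.next_port > 65535:
                raise RuntimeError("public port pool exhausted")
            self.out[key] = self.next_port
            self.back[(self.next_port, proto)] = (priv_ip, priv_port)
            self.next_port += 1
        return PUBLIC_IP, self.out[key]

    def add_port_mapping(self, public_port, priv_ip, priv_port, proto="tcp"):
        """Explicit mapping, as created by manual port forwarding or a UPnP request."""
        self.back[(public_port, proto)] = (priv_ip, priv_port)

    def inbound(self, public_port, proto="tcp"):
        """Return the internal destination, or None when no entry exists (dropped)."""
        return self.back.get((public_port, proto))

def demo():
    nat, r = Napt(), {}
    # Two devices use the same source port; NAPT separates them by public port.
    r["pc"] = nat.outbound("192.168.1.10", 51000)
    r["phone"] = nat.outbound("192.168.1.11", 51000)
    # Unsolicited inbound: dropped only because the table has no entry for it.
    r["unsolicited"] = nat.inbound(8080)
    # A reply to an internally initiated flow is delivered, whatever started that flow.
    r["reply"] = nat.inbound(r["pc"][1])
    # Once an explicit mapping exists, the same inbound packet reaches the host.
    nat.add_port_mapping(8080, "192.168.1.10", 8080)
    r["after_mapping"] = nat.inbound(8080)
    return r

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value}")
```

Nothing in the table evaluates source, destination, or protocol rules, which is the job the firewall does.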

NAT vs. Firewall

NAT

Primary purpose is IP address translation. Blocks direct external access as a side effect. Does not inspect communication content.

Firewall

A security function that controls whether to allow or deny communication. Filters traffic based on source, destination, port, and protocol rules.
