
Network Address Translation (NAT)


Network Address Translation (NAT) is one of the most important technologies in modern networking. It enables millions of devices to access the Internet despite the limited availability of public IPv4 addresses. Without NAT, the rapid growth of home networks, enterprises, mobile devices, and IoT systems would have exhausted IPv4 address space much earlier.

NAT acts as a translator between private networks and public networks, allowing multiple devices to share a single public IP address. While it was originally designed as a solution to address exhaustion, NAT has evolved into a fundamental component of modern network architecture.

The Problem NAT Was Designed to Solve

The Internet Protocol version 4 (IPv4) uses a 32-bit addressing scheme, providing approximately:

4.3 billion unique addresses

At the time IPv4 was created, this seemed more than sufficient. However, the explosive growth of:

  • Personal computers
  • Smartphones
  • Servers
  • Cloud infrastructure
  • IoT devices

quickly consumed the available address space.

To delay complete exhaustion of public IPv4 addresses, networking engineers introduced private IP address ranges that could be reused by organizations worldwide.

Private IPv4 address ranges include:

Class     Range
Class A   10.0.0.0 – 10.255.255.255
Class B   172.16.0.0 – 172.31.255.255
Class C   192.168.0.0 – 192.168.255.255

These addresses cannot be routed directly on the public Internet.

This created a challenge:

How can private devices communicate with public Internet resources?

The solution is NAT.

Instead of giving every device a public IP, give a public IP to the router only.

What Is NAT?

Network Address Translation (NAT) is a networking technique used by routers to translate private IP addresses inside a local network into a public IP address that can communicate over the Internet.

Most devices connected to a home or office network do not have their own public IP address. Instead, they use private IP addresses such as:

192.168.1.10
192.168.1.11
192.168.1.12

These addresses are only valid within the local network and cannot be reached directly from the internet.

The router acts as a gateway between the local network and the Internet by translating these private addresses into a single public IP address.

Why NAT Exists

The primary reason NAT was introduced is the limited number of IPv4 addresses available worldwide.

IPv4 provides approximately 4.3 billion addresses, which is not enough for every internet-connected device on earth.

NAT allows multiple devices to share a single public IP address, significantly reducing address consumption.

For example:

Home Network:

Laptop -> 192.168.1.10
Phone -> 192.168.1.11
Smart TV -> 192.168.1.12

Router Public IP -> 203.0.113.50

To the outside world, all devices appear to be communicating from the same public IP address.

Understanding IP Addresses

Every device on a network needs an identifier.

Just as every house has an address:

221B Baker Street
New Delhi
London
New York

Every device on the Internet needs an address too.

Example:

Laptop
49.207.10.55

Server
8.8.8.8

Website
142.250.193.14

This identifier is called an IP Address.

Without it:

  • Data would not know where to go
  • Responses could not come back
  • Communication would be impossible

IPv4 Address Structure

The original Internet protocol used:

IPv4

An IPv4 address contains:

32 bits

Example:

192.168.1.10

Internally:

11000000
10101000
00000001
00001010

32 total bits.

Since each bit can be:

0
or
1

Total combinations:

2^32 = 4,294,967,296

Approx: 4.3 Billion Addresses

At that time, this number felt practically infinite.

The Address Consumption Explosion

Then the Internet exploded.

First:

Universities

Then:

Businesses

Then:

Homes

Then:

Mobile Phones

Then:

Smart TVs

Then:

Cars

Then:

IoT Devices

Then:

Smart Watches

Then:

Industrial Sensors

Suddenly billions of devices needed addresses.

Why 4 Billion Wasn't Enough

Many people ask:

“4 billion addresses sounds huge. Why wasn't it enough?”

Imagine every device required a public address.

A home could contain:

1 Router
3 Laptops
4 Phones
2 TVs
1 Printer
2 Tablets
3 Cameras

Total:

16 Devices = 16 Public IPs

Now multiply by:

Millions of homes
Millions of offices
Millions of devices

The Internet would collapse under address demand.

The Brilliant Idea

Engineers asked:

“Do devices inside a house really need globally unique addresses?”

Answer:

No

Most devices only communicate through the router.

So they invented:

Private Addressing

Inside your house:

Laptop
192.168.1.10

Phone
192.168.1.20

TV
192.168.1.30

These addresses only need to be unique inside your home.

They don't need to be unique worldwide.

Reusing Addresses

This was revolutionary.

Your home can use:

192.168.1.10

And someone in another country can also use:

192.168.1.10

Because these addresses never appear directly on the Internet.

Think of apartment numbers.

Building A:

Flat 101

Building B:

Flat 101

No conflict exists because they belong to different buildings.

Private IPs work similarly.

NAT Becomes the Translator

Now we have a problem.

Suppose:

Laptop: 192.168.1.10

wants to access:

Google Server: 142.250.x.x

Google has never heard of:

192.168.1.10

And Internet routers don't know where it exists.

So we need a translator.

That's NAT.

How NAT Works

What Is Inside a Packet?

Every packet contains:

Layer 3 (IP Header)

Source IP
Destination IP

Example:

Source IP: 192.168.1.10
Destination IP: 142.250.190.78

Layer 4 (TCP/UDP Header)

Contains:

Source Port
Destination Port

Example:

Source Port: 5000
Destination Port: 443

Complete packet:

192.168.1.10:5000
        →
142.250.190.78:443

Imagine your laptop wants to access a website.

Before leaving your network:

Source IP: 192.168.1.10
Destination IP: 142.250.190.78

The router receives the packet and replaces the private source address with its public address:

Source IP: 203.0.113.50
Destination IP: 142.250.190.78

The router stores this mapping internally:

203.0.113.50:50001
     ↕ 
192.168.1.10:12345

When the website responds, the router consults its translation table and forwards the response to the correct device.

This translation process happens continuously for every device on the network.

Basic NAT Workflow

Consider the following network:

  • Laptop: 192.168.1.10
  • Router Public IP: 203.0.113.5
  • Web Server: 142.250.x.x

Step 1: User Requests a Website

The laptop sends:

Source IP: 192.168.1.10
Destination IP: 142.250.x.x

Since private addresses are not routable on the Internet, the router intercepts the packet.

Step 2: NAT Translation

The router modifies:

Source IP: 203.0.113.5
Destination IP: 142.250.x.x

The packet now appears to originate from the router.

Step 3: Internet Response

The website sends a reply to:

Destination: 203.0.113.5

Step 4: Reverse Translation

The router checks its NAT table and determines:

203.0.113.5 -> 192.168.1.10

The packet is forwarded to the correct internal device.

The communication appears seamless to the user.

NAT Translation Table

A NAT device maintains a translation table.

Example:

Internal IP     Internal Port   Public IP     Public Port
192.168.1.10    50001           203.0.113.5   40001
192.168.1.11    50002           203.0.113.5   40002
192.168.1.12    50003           203.0.113.5   40003

This table allows multiple devices to share a single public IP simultaneously.

NAT as a Reception Desk

A useful analogy is to think of NAT as the receptionist in a large office building.

  • The building address is the public IP.
  • Each office room is a private IP.
  • The receptionist keeps track of who initiated communication.

When a visitor sends a package to the building, the receptionist knows exactly which office should receive it.

Without the receptionist, external visitors would have no way to know which office to contact.

Types of NAT

1 Static NAT (One-to-One NAT)

Static NAT creates a permanent one-to-one mapping between a private IP and a public IP.

Example:

Private IP      Public IP
192.168.1.10    203.0.113.10

Characteristics:

  • Fixed mapping
  • Predictable connectivity
  • Useful for servers

Advantages:

  • Easy inbound access
  • Consistent public identity

Disadvantages:

  • Consumes one public IP per device

2 Dynamic NAT (Many-to-Many NAT)

Dynamic NAT uses a pool of public IP addresses.

When an internal device needs Internet access, the NAT device temporarily assigns an available public IP from the pool.

Example:

Internal Devices:

192.168.1.10
192.168.1.11
192.168.1.12

Public Pool:

203.0.113.10
203.0.113.11
203.0.113.12

Mappings may become:

Private IP      Public IP
192.168.1.10    203.0.113.10
192.168.1.11    203.0.113.11
192.168.1.12    203.0.113.12

When sessions end, addresses return to the pool.

The router assigns a public address dynamically whenever a connection is established.

Advantages:

  • More efficient than static NAT
  • Flexible allocation

Disadvantages:

  • Requires multiple public IP addresses
  • Users cannot be reached consistently from outside

3 PAT (Port Address Translation)

Also called:

  • NAT Overload
  • Many-to-One NAT

This is the most common NAT implementation used in homes and enterprises.

It allows many private IP addresses to share a single public IP address by using different port numbers.

Problem:

Let's assume only IP translation exists.

Router mappings:

Laptop: 192.168.1.10
Phone: 192.168.1.20

Now both send traffic:

192.168.1.10        192.168.1.20
      ↓                   ↓
49.207.10.55        49.207.10.55

Both are translated to the same public address while trying to reach the same website.

When a response arrives for 49.207.10.55, the router cannot determine which device it belongs to:

Laptop?
Phone?
TV?
Tablet?

Impossible.

We need another identifier.

Enter Port Numbers

As we already know, IP addresses identify devices.

Ports identify applications.

Think of:

IP Address = Apartment Building

Port Number = Apartment Number

Example:

49.207.10.55:443

Building: 49.207.10.55
Apartment: 443

What Is a Port?

TCP and UDP use:

16-bit Port Number

Range:

0 – 65535

Total:

65,536 Ports

Source and Destination Ports

When a browser opens a website:

Source: 192.168.1.10:5000
Destination: 142.250.x.x:443

Port 5000 is chosen by the OS.

Port 443 belongs to the server.

Connection:

192.168.1.10:5000 -> 142.250.x.x:443

Multiple Devices Using Same Port

Suppose:

Laptop: 192.168.1.10:5000

Phone: 192.168.1.20:5000

Tablet: 192.168.1.30:5000

All connect to Google.

Without PAT:

49.207.10.55:5000
49.207.10.55:5000
49.207.10.55:5000

Collision: the router cannot distinguish them.

PAT Solves the Problem

Router rewrites ports.

Laptop: 192.168.1.10:5000 -> 49.207.10.55:10001
Phone: 192.168.1.20:5000 -> 49.207.10.55:10002
Tablet: 192.168.1.30:5000 -> 49.207.10.55:10003

Now every connection is unique.

Example:

Internal Devices:

192.168.1.10
192.168.1.11
192.168.1.12

Single Public IP:

203.0.113.50

Different port numbers distinguish sessions.

Internal Device       Public Mapping
192.168.1.10:5001     203.0.113.50:30001
192.168.1.11:5002     203.0.113.50:30002
192.168.1.12:5003     203.0.113.50:30003

This method enables thousands of devices to share a single public IP.

Advantages:

  • Thousands of devices can share one public IP
  • Excellent IPv4 conservation
  • Used in almost every home router

Disadvantages:

  • More complex tracking
  • Some applications require NAT traversal techniques

Not all NAT devices behave the same way. Different NAT implementations affect peer-to-peer connectivity differently.
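The translation steps, the NAT table and the PAT port rewriting described in the sections above, as an added example (not code from the article): a small PAT router in Python that allocates one public port per outbound flow, reverse-translates replies using that table, and drops inbound packets that match no mapping. The addresses and ports are constructed sample values.

```python
# Added example: a minimal PAT (NAT overload) simulation, not code from the
# article. Addresses and ports are constructed sample values.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PatRouter:
    """Many-to-one NAT: each outbound flow gets its own public source port."""

    def __init__(self, public_ip: str, first_port: int = 10001):
        self.public_ip = public_ip
        self.next_port = first_port
        # (int_ip, int_port, dst_ip, dst_port) -> public port
        self.out_table: Dict[Tuple[str, int, str, int], int] = {}
        # (public_port, dst_ip, dst_port) -> (int_ip, int_port)
        self.in_table: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the private source with the public IP and a unique port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.out_table.get(key)
        if port is None:                      # first packet of this flow
            port, self.next_port = self.next_port, self.next_port + 1
            self.out_table[key] = port
            self.in_table[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse translation: find the private socket behind the public port."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.in_table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None                       # unsolicited inbound: dropped
        int_ip, int_port = entry
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)

def demo():
    """Three devices all use source port 5000 towards the same server (the
    collision case above); PAT keeps them apart by public port."""
    router = PatRouter("203.0.113.50")
    server = ("142.250.190.78", 443)
    devices = ["192.168.1.10", "192.168.1.20", "192.168.1.30"]
    public = [router.outbound(Packet(ip, 5000, *server)) for ip in devices]
    # the server replies to the public port, and the router delivers the
    # reply to the phone's private socket
    reply = Packet(server[0], server[1], router.public_ip, public[1].src_port)
    return [p.src_port for p in public], router.inbound(reply)
```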

Why Ports Matter

Imagine:

Laptop 192.168.1.10

Phone 192.168.1.20

Tablet 192.168.1.30

All browse Google simultaneously.

Without ports:

All appear as:
49.207.10.55 (Public IP of the router)

Impossible to distinguish.

Router assigns:

Laptop: 49.207.10.55:10001

Phone: 49.207.10.55:10002

Tablet: 49.207.10.55:10003

Now every connection is unique.

Port Exhaustion

Public IP provides:

65535 Ports

Not all usable.

Effective range roughly:

~64K connections

per public IP.

Problem:

Large networks may have:

100,000 Users

sharing one public IP.

Port shortage occurs.

Called: Port Exhaustion.

Why PAT Breaks Peer-to-Peer Communication

PAT works perfectly when:

Client -> Server

because connection starts from inside.

Problem:

Peer A <-> Peer B

Neither side knows:

  • Current public port
  • Current mapping
  • NAT behavior

This causes issues for:

  • WebRTC
  • Gaming
  • VoIP
  • Video calls
  • Remote desktop

NAT Mapping

Suppose:

Laptop: 192.168.1.10:5000

contacts:

Google: 142.250.1.1:443

Router creates:

192.168.1.10:5000
	↓
49.207.10.55:10001

Now:

49.207.10.55:10001

exists on the internet.

Question:

Can another machine send a packet to:

49.207.10.55:10001

Well, different NATs behave differently.

NAT Classification

The classic NAT types are:

1. Full Cone NAT

2. Restricted Cone NAT

3. Port Restricted Cone NAT

4. Symmetric NAT

1 Full Cone NAT

This is the most permissive type, also called one-to-one NAT mapping.

Once a mapping is created, any external host can send packets back through the mapped port.

Internal Device
 ↓ 
Public Mapping
 ↓ 
Any external host can respond

This NAT type generally works well with WebRTC.

Example:

Laptop: 192.168.1.10:5000
Contacts
Google: 142.250.1.1:443

Router Creates: 49.207.10.55:10001
Mapping: 192.168.1.10:5000 <-> 49.207.10.55:10001

Now something interesting happens.

Any Internet host can send packets to:

49.207.10.55:10001

and the router forwards them.

Benefits:

  • Easy P2P
  • Easy WebRTC
  • Easy Gaming

Drawbacks:

  • Less restrictive: any external host can reach the mapped port

2 Restricted Cone NAT

A remote host can only send packets back if the internal device has previously communicated with that host.

This provides additional security while still allowing many peer-to-peer scenarios.

Mapping remains:

192.168.1.10:5000 <-> 49.207.10.55:10001

Example:

Laptop contacts:

Google 142.250.1.1

Router remembers: Allowed IP: 142.250.1.1
Responses: Google -> Allowed

But:
Cloudflare: 104.16.1.1
tries: Cloudflare -> Blocked

because Laptop never contacted Cloudflare.

Rule:

Previously Contacted IP = Allowed

3 Port Restricted NAT

An even stricter version of restricted NAT.

The incoming packet must originate from both:

  • The same IP address
  • The same port

that the internal device previously contacted.

Now NAT checks:

IP
AND
Port

Example:

Laptop contacts: 142.250.1.1:443

Router records: 142.250.1.1:443

Allowed: 142.250.1.1:443
Blocked: 142.250.1.1:80
Blocked: 142.250.1.1:8080

Peer-to-peer connectivity becomes more challenging under this configuration.

Rule:

Same IP
AND
Same Port

4 Symmetric NAT

Symmetric NAT is the most restrictive type and the most problematic for WebRTC. It is the enemy of peer-to-peer networking and the reason TURN servers exist.

Instead of maintaining a single public mapping, it creates a different mapping for each destination.

For example:

Laptop: 192.168.1.10:5000

contacts
Google: 142.250.1.1:443

Router creates: 49.207.10.55:10001

Now Laptop contacts:
Cloudflare: 104.16.1.1:443

Question: Will NAT reuse 10001?
Answer: No

Creates: 49.207.10.55:10002

Table:

Google: 192.168.1.10:5000 <-> 49.207.10.55:10001

Cloudflare: 192.168.1.10:5000 <-> 49.207.10.55:10002

Notice:

Same internal socket.

Different destination.

Different public mapping.

Why Symmetric NAT is Difficult

Suppose a STUN server says:

Your Public Address: 49.207.10.55:10001

Peer attempts:

49.207.10.55:10001

But that mapping only exists for:

Google

or STUN server.

Not for peer.

Packet gets dropped.

Result:

P2P Failure

In such situations, WebRTC often relies on a TURN server to relay traffic.

NAT Behavior Comparison

Full Cone: Everyone can reply

Restricted Cone: only contacted IPs can reply

Port Restricted: Only contacted IP+Port can reply

Symmetric: Different destination, different mapping

Suppose User A in India wants to make a direct video call to User B in the USA.

If both are behind Full Cone NAT: direct connection, easy.

If behind Restricted NAT: usually works.

If behind Port Restricted NAT: often works with hole punching.

If behind Symmetric NAT: frequently fails; a TURN relay is needed.

NAT Type Detection

How does WebRTC know your NAT type?

Using:

STUN Servers

STUN asks:

What public address do you see?

from multiple locations.

By comparing mappings:

Same mapping?
Different mapping?

STUN can classify NAT.

Example:

Request to STUN A:

49.207.10.55:10001

Request to STUN B:

49.207.10.55:10001

Likely:

Cone NAT

If:

10001
10002
10003

Different each time:

Symmetric NAT
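The four NAT types from the classification above and the two-STUN-server comparison from this section, as an added example (not code from the article): a Python model whose outbound() allocates mappings the way each NAT kind does and whose inbound() applies that kind's filtering rule; stun_classify() is the cone-versus-symmetric check. The STUN server addresses are constructed sample values.

```python
# Added example: one NAT model with the four classic filtering behaviours and
# the two-STUN-server comparison used to tell cone from symmetric NAT. Not code
# from the article; the STUN server addresses are constructed sample values.
from typing import Dict, Optional, Set, Tuple

Sock = Tuple[str, int]   # (ip, port)

class Nat:
    KINDS = ("full_cone", "restricted", "port_restricted", "symmetric")

    def __init__(self, kind: str, public_ip: str, first_port: int = 10001):
        assert kind in self.KINDS
        self.kind, self.public_ip, self.next_port = kind, public_ip, first_port
        self.mappings: Dict[object, int] = {}      # mapping key -> public port
        self.owner: Dict[int, Sock] = {}           # public port -> internal socket
        self.contacted: Dict[int, Set[Sock]] = {}  # public port -> destinations used

    def outbound(self, internal: Sock, dest: Sock) -> int:
        """Public port used for internal -> dest, allocating one if needed."""
        # Cone NATs key the mapping on the internal socket only; a symmetric
        # NAT also keys on the destination, so every new destination gets a
        # fresh public port even for the same internal socket.
        key = (internal, dest) if self.kind == "symmetric" else internal
        port = self.mappings.get(key)
        if port is None:
            port, self.next_port = self.next_port, self.next_port + 1
            self.mappings[key] = port
            self.owner[port] = internal
            self.contacted[port] = set()
        self.contacted[port].add(dest)
        return port

    def inbound(self, sender: Sock, public_port: int) -> Optional[Sock]:
        """Internal socket a packet from sender is forwarded to, or None."""
        if public_port not in self.owner:
            return None                        # no mapping at all
        seen = self.contacted[public_port]
        if self.kind == "full_cone":
            allowed = True                     # anyone may use the mapping
        elif self.kind == "restricted":
            allowed = any(ip == sender[0] for ip, _ in seen)   # IP only
        else:                                  # port_restricted, symmetric
            allowed = sender in seen           # exact ip:port match
        return self.owner[public_port] if allowed else None

def stun_classify(nat: Nat, internal: Sock) -> str:
    """Ask two STUN servers what public mapping they see and compare them."""
    stun_a, stun_b = ("198.51.100.1", 3478), ("198.51.100.2", 3478)
    port_a = nat.outbound(internal, stun_a)
    port_b = nat.outbound(internal, stun_b)
    return "cone" if port_a == port_b else "symmetric"
```

The classification only separates cone from symmetric; telling the three cone variants apart needs inbound probes from a second address and port, which is what the full STUN test does.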

Why NAT Is a Problem for WebRTC

WebRTC is designed to establish direct peer-to-peer connections between users.

Consider two users:

Peer A
Private IP: 192.168.1.5
Peer B
Private IP: 10.0.0.8

Neither address is reachable from the public internet.

Even if Peer A knows Peer B's private IP address, it cannot reach it, because that address only exists within Peer B's local network.

This is where NAT becomes a challenge.

NAT Traversal Techniques

Because NAT blocks direct inbound connectivity, special methods have been developed.

STUN

Session Traversal Utilities for NAT

Helps a device discover its public-facing address.

TURN

Traversal Using Relays around NAT

Relays traffic through a third-party server when direct communication fails.

ICE

Interactive Connectivity Establishment

Combines STUN and TURN to find the most efficient communication path.

Widely used in WebRTC applications.

Limitations of NAT

1 Breaks End-to-End Connectivity

Originally, the Internet was designed so every device could communicate directly with every other device.

NAT disrupts this model.

2 Complicates Peer-to-Peer Applications

Applications such as:

  • Online gaming
  • VoIP
  • Video conferencing
  • Peer-to-peer file sharing

often require NAT traversal techniques.

3 Increases Complexity

Network troubleshooting becomes harder because packet addresses change during transit.

4 Protocol Compatibility Issues

Some protocols embed IP addresses inside payload data.

Examples include:

  • SIP
  • FTP
  • H.323

NAT devices may require Application Layer Gateways (ALGs) to handle such traffic.

5 Logging Challenges

Many users may share one public IP address.

Security investigations require NAT logs to identify the original source.
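For the logging point above, an added example (not code from the article): parsing NAT session logs to attribute a reported public IP:port back to the internal socket that held it at a given instant. The log format and the entries are constructed for illustration; real NAT and CGNAT devices use their own formats, but the pairing of allocation and release events with timestamps is the part that matters.

```python
# Added example: attributing an external report (public ip:port at a time) back
# to the internal host using NAT session logs. Not code from the article; the
# log format and entries below are constructed for illustration.
from datetime import datetime, timezone
import re
from typing import List

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ev>ADD|DEL) (?P<int_ip>[\d.]+):(?P<int_port>\d+) -> "
    r"(?P<pub_ip>[\d.]+):(?P<pub_port>\d+) dst (?P<dst>\S+)$"
)

# Constructed sample log: public port 40001 is released by one host and
# handed to another a minute later, so the timestamp decides the answer.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z ADD 192.168.1.10:5000 -> 203.0.113.5:40001 dst 198.51.100.9:443
2024-05-01T10:05:00Z DEL 192.168.1.10:5000 -> 203.0.113.5:40001 dst 198.51.100.9:443
2024-05-01T10:06:00Z ADD 192.168.1.11:5002 -> 203.0.113.5:40001 dst 198.51.100.9:443
2024-05-01T10:06:30Z ADD 192.168.1.12:5003 -> 203.0.113.5:40002 dst 198.51.100.9:443
"""

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_sessions(log: str) -> List[dict]:
    """Pair ADD/DEL events into sessions with a start and an optional end."""
    open_sessions, sessions = {}, []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # tolerate unrelated log lines
        key = (m["pub_ip"], int(m["pub_port"]), m["int_ip"], int(m["int_port"]))
        if m["ev"] == "ADD":
            open_sessions[key] = {"int": f"{m['int_ip']}:{m['int_port']}",
                                  "pub": (m["pub_ip"], int(m["pub_port"])),
                                  "start": parse_ts(m["ts"]), "end": None}
        else:
            sess = open_sessions.pop(key, None)
            if sess:
                sess["end"] = parse_ts(m["ts"])
                sessions.append(sess)
    sessions.extend(open_sessions.values())    # sessions still open
    return sessions

def attribute(log: str, pub_ip: str, pub_port: int, when: str) -> List[str]:
    """Internal sockets that held pub_ip:pub_port at the given instant."""
    t = parse_ts(when)
    return sorted(s["int"] for s in build_sessions(log)
                  if s["pub"] == (pub_ip, pub_port)
                  and s["start"] <= t and (s["end"] is None or t < s["end"]))
```

Without the timestamp the same public port maps to two different hosts in this log, which is why an abuse report that lacks a precise time (and time zone) cannot be attributed reliably.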
