What Is NAT? The “Translation Desk” That Lets Everyone Share One IP ── Why You’re Unreachable from Outside, the NAT Table, Port Forwarding, and Game NAT Types

Search “what is my IP address” on your phone and write down the number. Now do the same thing on your laptop ── somehow, you get exactly the same value. Different devices, same address. The thing working behind that little mystery is today’s protagonist: NAT. If any of these sound familiar, read on.

  • You don’t know why every device in your house reports the same “my IP address”
  • An online game told you to “check your NAT type” and you froze
  • You tried to host a home server or game server and were told “you need to forward a port”
  • You’ve heard that “nothing can reach your devices from outside” ── but you couldn’t explain why

NAT (Network Address Translation) is, in one sentence, the translation desk that lets every device in your house ── or your office ── share a single global IP address. But that one sentence doesn’t explain why traffic from outside can’t reach you, what exactly “opening a port” opens, or what an online game’s “NAT type” is actually diagnosing.

This article stays completely out of router setup instructions and walks through:

  • Why NAT exists ── 4.3 billion addresses weren’t enough (§1)
  • The translation desk’s ledger ── what NAT actually rewrites (§2)
  • Why nothing reaches you from outside ── defense and inconvenience are two faces of one structure (§3)
  • Port forwarding ── hand-writing one permanent line into the ledger (§4)
  • Where NAT bites ── game “NAT types”, carrier-grade NAT, and the ledger’s limits (§5)

── taking the shortest path through the logic of how it works, and nothing else.

 Your question                                        Section
 Why do all my devices report the same IP?            §1
 What does NAT concretely do?                         §2
 Why can’t anything reach my devices from outside?    §3
 What is port forwarding, really?                     §4
 What is a game’s “NAT type” checking?                §5
💡 Tip

This article is the second deep-dive installment of our “how your PC really works” series (IP addresses, DNS, firewalls, why office networks get slow, and VPN). NAT has made cameo appearances in four of those articles already ── this is the one where the recurring background character finally gets the lead role.

1. Why NAT exists ── 4.3 billion addresses weren’t enough

1-1. If addresses are scarce, share them

As we saw in the IP address article, IPv4 has only about 4.3 billion addresses in total ── not even one per human being. In an era where one person owns a phone, a laptop, a TV, and a game console, that’s nowhere near enough.

So a stopgap spread across the world: each household borrows just one address that works on the whole internet (a global IP), and inside the house, devices use addresses that are only valid inside the house (private IPs). Each device at home gets a private IP like 192.168.1.10 (handed out automatically by a mechanism called DHCP).

1-2. The main office number and the extensions

What connects these two tiers of addresses is the router at your home’s internet doorway ── or more precisely, the NAT that the router runs behind the scenes. Think of a company’s main phone number. The outside world only knows one number; inside, every desk has its own extension. Every outgoing call appears to come from the main number ── the global IP is the main number, and a private IP plus a port is the extension.

One global IP, shared by everyone

 Inside the house (private IPs)          The address shown to the world
  Phone    192.168.1.10 ──┐
  PC       192.168.1.11 ──┼─→ router ──→ 203.0.113.5 (just one)
  Console  192.168.1.30 ──┘  (NAT = translation desk)
       = each desk's extension            = the main office number

1-3. So that’s why every device reports the same IP

That solves the mystery from the intro. What the outside web sees is the single global IP your whole household shares. Whether you check from your phone or your laptop, what comes back is the house’s main number ── so the value is the same.

💡 Tip

NAT spread as a stopgap for “we’re running out of addresses.” The stopgap then became the standard scenery of the internet, and even produced a defensive wall (§3) as a side effect ── this unplanned career success is what makes NAT such an interesting piece of technology.

2. The translation desk’s ledger ── what NAT actually rewrites

2-1. Outbound ── rewrite, then record

Say your phone (192.168.1.10) goes to visit a website. It can’t just go as-is. A private IP is only valid inside the house, so if the sender stays 192.168.1.10, the outside world has no way to address a reply.

So NAT (the translation desk) rewrites the sender on the way out. It handles not just the IP address but also the port number (the 0–65535 “service window numbers” that subdivide a single IP address ── the extensions, in our metaphor), and it records which extension’s traffic was assigned to which outward-facing window in a ledger: the NAT table.

2-2. Inbound replies ── look up the ledger, write it back

The website’s reply arrives addressed to “window 40001 at 203.0.113.5”. The translation desk looks up the ledger in reverse ── “window 40001 was assigned to the phone’s port 51000” ── rewrites the destination back to the private IP, and delivers it.

The NAT table ── record on the way out, look up on the way back

 Outbound:
  Phone 192.168.1.10:51000 ──→ desk ──→ 203.0.113.5:40001 ──→ website
                                 │
                                 └─ recorded in the ledger
                                    192.168.1.10:51000 ⇔ 203.0.113.5:40001

 Inbound reply:
  Website ──→ 203.0.113.5:40001 ──→ desk "according to the ledger…" ──→ 192.168.1.10:51000

The key points: a ledger line is only written when a connection starts from the inside, and once the conversation ends, the line is eventually erased. The reason every device in the house can be online at once is that the translation desk keeps assigning separate window numbers and repeating this record-and-look-up cycle, endlessly.

⚠️ Common pitfall

Thinking of NAT as “a feature of the home router box”. NAT is really the operation of this ledger, and it doesn’t care where it runs. Your phone’s tethering hotspot, the gateway box at your office, and the carrier-side equipment we’ll meet later (§5) are all the same translation desk, running on the same principle.

3. Why nothing reaches you from outside ── defense and inconvenience, two faces of one structure

3-1. If it’s not in the ledger, there’s nothing to do but drop it

So far we’ve covered connections that start from the inside. What about a connection that starts from the outside ── someone out there suddenly addressing 203.0.113.5?

The translation desk checks the ledger. But nobody inside started this conversation, so there is no matching line anywhere. The house has a phone, a PC, a game console ── and no way to decide which extension should take the call. Like a call to the main office number that names no employee, traffic with no known recipient can only be dropped.

A connection from outside has no line in the ledger

 Someone outside ──→ to 203.0.113.5 ──→ desk: "not in the ledger ── no idea who inside this is for" ──→ ✕ dropped

 This one structure has two faces:
  ├─ the defense face: nothing barges in from outside (the firewall article's "first wall")
  └─ the inconvenience face: your home server and office servers are unreachable too
                             (which is why port forwarding and VPNs exist)

3-2. The defense face ── “the accidental fortress”

Seen as defense, this “unreachable” property is remarkably strong. It’s exactly what the firewall article called “wall #1: the NAT router” ── attacks and indiscriminate scans that start from outside get dropped as undeliverable, structurally, before they ever reach a device in your house. It was never designed as a defense, yet it ends up being a shield ── which is why NAT gets called an accidental fortress.

3-3. The inconvenience face ── legitimate traffic can’t get in either

But the very same structure turns straight into inconvenience. You set up a game server at home and want to invite friends. You want to reach the office file server from home. Both are “connections that start from outside”, so they get dropped just the same, malicious or not. The ledger doesn’t judge good from evil. No line, no delivery ── that’s all there is to it.

There are two legitimate ways past this wall. One is a VPN ── keep a tunnel open from the inside, so you can hold an inside address while being outside. The other is the subject of the next section: port forwarding ── writing an exception directly into the ledger.

💡 Tip

Neither the defense nor the inconvenience is something NAT ever intended. One structure ── traffic with no ledger line cannot be forwarded ── acts as a shield from one angle and as a wall from the other. That two-sidedness is the single most important thing to understand about NAT.

4. Port forwarding ── hand-writing one permanent line into the ledger

4-1. Not “drilling a hole” ── adding a forwarding rule

Port forwarding (also called “opening a port” or “port mapping”) sounds like drilling a hole in a wall, but what actually happens is far more clerical: you hand-write one permanent line into the ledger that says “any traffic addressed to this window number on the global IP gets forwarded, always, to this window on this device inside” ── and that’s it.

Port forwarding ── one hand-written, permanent ledger line

 A normal line (written automatically, erased when the conversation ends)
   192.168.1.10:51000 ⇔ 203.0.113.5:40001   ← record of a connection started inside

 A port-forwarding line (written by hand, never erased)
   to 203.0.113.5:25565 ──→ always forward to 192.168.1.30:25565 (the console)
        │
        └─ even connections that start outside get through, as long as they match this line

Where the ledger lines of §2 were “temporary records of connections started inside”, a port-forwarding line is “a permanent reserved seat for connections that start outside”. Now a friend out on the internet can knock on port 25565 of your global IP and reach the game server inside your house.

4-2. Whatever’s behind that port is effectively outside the wall

But you need to understand precisely what that one line means. Traffic to a forwarded port is passed through to the designated device with no distinction between good and evil. As the firewall article showed, any publicly reachable IP address gets showered with indiscriminate scanning, continuously. From the moment you open the port, that device is no longer in the safe zone behind the wall ── it’s inside the scanners’ hit box.

⚠️ Common pitfall

The forgotten port-forward. The line for a long-finished game server stays in the ledger, and months later a vulnerability turns up on that device ── a classic accident. The rule for port forwarding is “forward to as little as possible, and delete it when you’re done.” This is also one of the firewall article’s “five moments the walls disappear”.

💡 Tip

Many home routers ship with UPnP (a mechanism that lets an application ask the router to write a port-forwarding line for it, automatically). It’s why game consoles and video calls often “just work” with no setup ── but flip that around, and it means lines are being written into your ledger without you knowing. Worth being aware of the trade.

5. Where NAT bites ── game “NAT types”, carrier-grade NAT, and the ledger’s limits

5-1. The online game “NAT type” ── a reachability diagnosis

The “NAT type” you see in online games is a diagnosis of whether two parties who are both behind NAT can talk to each other directly (peer-to-peer), without a server in the middle. Your opponent is behind their house’s translation desk, and so are you. That means “connections from outside get dropped” (§3) applies to both of you at once ── and sometimes neither side can reach the other.

The verdict roughly expresses a scale of reachability ── from “restrictions are loose, P2P connects easily” down to “P2P barely ever succeeds”. The names (Type A/B/C, Type 1/2/3, Open/Moderate/Strict, and so on) are vendor-specific folk labels, not standard technical terms. The right way to read them isn’t the name but the structure: “how much room does my translation desk leave for letting outside-initiated traffic through as an exception?”

5-2. Carrier-grade NAT (CGNAT) ── two translation desks

This pattern is increasingly common. The global IP shortage is severe enough that some ISPs don’t even hand out “one per household” ── they place another layer of NAT inside the carrier network and have multiple subscribers share one global IP. This is called CGNAT (carrier-grade NAT).

CGNAT ── two translation desks

 Home devices ──→ home router ──→ carrier NAT ──→ internet
 192.168.1.10    (desk no. 1)     (desk no. 2)     203.0.113.5
                                                  (shared with other subscribers)

 Even if you set up port forwarding on your home router…
   outside ──→ 203.0.113.5:25565 ──→ desk no. 2: "not in the ledger" ──→ ✕ dropped right here
                                       (you can't write lines into desk no. 2's ledger)

In this setup, port forwarding on your home router doesn’t make you reachable from outside. Incoming traffic gets dropped first at desk no. 2 ── the carrier’s translation desk ── and that ledger lives in the ISP’s equipment, where you can’t write a thing. It’s the classic culprit behind “my settings are perfect and it still doesn’t work.”

5-3. The ledger’s limits, and a word on IPv6

The ledger is not infinite. It has a maximum number of lines, and as devices and cloud connections keep multiplying, a full ledger means new connections can’t open and existing ones get cut ── trouble with zero hardware failure. How that exhaustion shows up as “the office network is slow” is diagrammed in §5 of Why Is the Office Network Slow?.

And in the world of IPv6, where addresses are plentiful enough to hand several to every person, NAT-for-sharing becomes unnecessary in principle. But the defensive role that “unreachable from outside” (§3) was quietly playing doesn’t get to disappear with it ── a firewall takes over that job, explicitly. For the IPv4/IPv6 address situation, see §7 of the IP address article.
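
The ledger of §2 through §5 as a toy model in Python; this is an added example, not code from the original article. The names `Nat`, `deliver`, `max_lines` and `idle_timeout`, the 60-second idle timeout and the carrier address 198.51.100.9 are assumptions made for illustration, and the model keys each line by public port only, as the article's diagrams do.

```python
class Nat:
    """One translation desk. Simplified like the article's ledger: a line is
    keyed by public port only; many real NATs also match the remote endpoint."""
    def __init__(self, public_ip, max_lines=1000, idle_timeout=60):
        self.public_ip, self.max_lines = public_ip, max_lines
        self.idle_timeout = idle_timeout  # seconds until an idle line is erased
        self.dynamic = {}  # public port -> [inside (ip, port), last_seen]
        self.static = {}   # public port -> inside (ip, port): port forwards (§4)

    def _expire(self, now):
        self.dynamic = {p: e for p, e in self.dynamic.items()
                        if now - e[1] < self.idle_timeout}

    def outbound(self, src, now=0):
        """Inside-initiated packet: rewrite the sender and record the line."""
        self._expire(now)
        for port, entry in self.dynamic.items():
            if entry[0] == src:            # conversation already in the ledger
                entry[1] = now
                return (self.public_ip, port)
        free = next((p for p in range(40001, 65536)
                     if p not in self.dynamic and p not in self.static), None)
        if free is None or len(self.dynamic) >= self.max_lines:
            return None                    # ledger full: cannot open (§5-3)
        self.dynamic[free] = [src, now]
        return (self.public_ip, free)

    def inbound(self, dst_port, now=0):
        """Packet addressed to public_ip:dst_port: reverse lookup, or drop."""
        self._expire(now)
        if dst_port in self.static:        # hand-written permanent line
            return self.static[dst_port]
        entry = self.dynamic.get(dst_port)
        if entry is None:
            return None                    # no ledger line: dropped (§3)
        entry[1] = now
        return entry[0]

def deliver(desks, dst_port, now=0):
    """Walk an outside packet through the desks, outermost first (§5-2)."""
    target = None
    for desk in desks:
        target = desk.inbound(dst_port, now)
        if target is None:
            return None
        dst_port = target[1]
    return target

if __name__ == "__main__":
    home = Nat("203.0.113.5")
    print(home.outbound(("192.168.1.10", 51000)))     # line written
    print(home.inbound(40001), home.inbound(25565))   # reply vs. unsolicited
    home.static[25565] = ("192.168.1.30", 25565)      # port-forwarding line
    carrier = Nat("198.51.100.9")  # CGNAT desk no. 2 (constructed address)
    print(deliver([home], 25565), deliver([carrier, home], 25565))
```

The last line shows the CGNAT failure from §5-2: the same home-router rule that delivers to the console when the router holds the global IP returns nothing once a carrier desk with no matching line sits in front of it.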

Summary ── the four-line essence

  1. NAT is the translation desk that lets everyone share one global IP ── which is why every device in the house reports the same “my IP”: it’s the main office number
  2. The core mechanism is the ledger (NAT table) ── connections started inside are recorded as “IP + port”, replies are written back via reverse lookup, and traffic with no ledger line can only be dropped
  3. That “unreachable” is defense (the first wall) and inconvenience (home and office servers can’t be reached) ── two faces of one structure. The legitimate ways past it are VPNs and port forwarding
  4. Port forwarding = one permanent ledger line. Whatever’s behind it enters the scanners’ hit box, so keep it minimal. And when you’re unreachable anyway, suspect CGNAT (a second desk) and ledger exhaustion

The two-tier address structure is covered in What Is an IP Address?, the wall’s defensive side continues in What Happens Without a Firewall?, crossing the wall from the inside is What Is a VPN?, and the slowness born of ledger exhaustion is in Why Is the Office Network Slow?. The series’ recurring background character should now connect the whole picture.

FAQ

Q1. Why do all the devices in my house report the same “my IP address”?

A. Because what the outside world sees is only the one global IP your whole household shares ── the main office number (§1). Your phone and your PC each have their own private IP inside the house, but on the way out, the translation desk (NAT) rewrites all of them to the same main number. A “what is my IP” site is answering with your house’s main number, not your device’s address.

Q2. Is port forwarding dangerous?

A. In the sense that “the device behind the forwarded port becomes directly exposed to indiscriminate scanning”, the risk genuinely increases (§4-2). Whether it’s dangerous depends on how you do it: keep the target device and its software up to date, forward as few ports as possible, and delete the line when you’re done. For a use case where you can keep those rules (a game server that’s only up while you play, say), it’s a manageable risk. If you can’t keep them, don’t open the port.

Q3. What actually improves a game’s “NAT type”?

A. Structurally, what helps is anything that “gives your translation desk more room to let outside-initiated traffic through as an exception” ── forwarding the relevant ports or enabling UPnP are the classic examples (§4). But in a CGNAT environment (§5-2), no home-side setting will make you reachable; you may need to switch to a plan or ISP that assigns you an individual global IP. The concrete steps vary by router and contract, so this article stays at the structural explanation.

Q4. Will NAT disappear with IPv6?

A. Its original job ── address sharing ── becomes unnecessary, because IPv6 has enough addresses for every device to hold a global one (§5-3). But the defense NAT provided as a side effect ── structurally blocking outside-initiated traffic ── can’t be allowed to vanish with it, so a firewall takes over that role explicitly. The accurate way to remember it: “NAT may go, but the wall stays (and must stay).”

Q5. Is NAT also why I can’t reach my company’s internal server from outside?

A. It’s one of the main reasons. Internal servers only have private IPs and sit behind NAT, so they can’t be named as a destination from outside (§3). On top of that, companies run firewalls that explicitly turn away outside-initiated traffic. The standard, legitimate way past both is a VPN ── a tunnel opened from the inside that lets you hold an internal address while you’re outside. The mechanism is diagrammed in What Is a VPN?.
