What Is NAT?

Acutis · plain-English network help · updated June 2026

What is NAT, in plain English?

NAT stands for Network Address Translation. In one sentence: it's the trick your router uses to let many devices share a single public IP address. Your laptop, phone, TV, and game console all have their own private addresses inside your home, but to the rest of the internet they all appear as one address — your router's public IP. NAT is what rewrites the addresses to make that work.

This is why a website only ever sees one address for your whole household, even when a dozen devices are online at once. NAT runs silently in every home router, and most people never know it's there until they need to understand why their devices show 192.168.x.x while the world sees something completely different.

How one public IP serves many devices

Internet providers typically hand your home a single public IP address. But you have many devices that all need to reach the internet at the same time. NAT solves this by acting as a translator at the boundary between your private network and the public internet.

When your laptop sends a request out, your router swaps the laptop's private address for the router's public one before sending it onward. When the reply comes back, the router swaps the address again so the data lands on the laptop and not your phone. Every device gets internet access while sharing the one public address your provider gave you.

The NAT table and port mapping

The router keeps track of all this with something called a NAT table — a running list of which internal device started which connection. The key to keeping conversations straight is port numbers.

When your laptop opens a connection, the router records an entry roughly like this: "traffic on this port belongs to 192.168.1.42." When a reply arrives on that port, the router checks the table and forwards it to the right device. This is sometimes called PAT (Port Address Translation) or "NAT overload," and it's what allows hundreds of simultaneous connections from many devices to all funnel through one public address without getting mixed up.

• Outbound: private address + private port is rewritten to the public address + a unique tracking port.
• The table remembers that mapping for the life of the connection.
• Inbound replies are matched against the table and sent to the correct internal device.

Why your devices see 192.168.x.x but the world sees one IP

Addresses starting with 192.168., 10., and 172.16.–172.31. are reserved as "private" ranges. They only have meaning inside a local network and are never routed across the public internet. That's deliberate: it lets every home reuse the same private ranges without conflict.

So your devices live in that private space, and NAT is the bridge that connects that private space to the single public address the outside world can actually reach. Seeing a 192.168.x.x address on your laptop isn't a problem — it's exactly how a NAT'd home network is supposed to look.

CGNAT — when even your router is behind NAT

As public IPv4 addresses ran short, some providers added a second layer called Carrier-Grade NAT (CGNAT). Here, even your router's "public" address is actually private, shared among many customers, and the provider runs its own NAT on top. You're behind NAT twice over.

CGNAT mostly goes unnoticed for normal browsing, but it can complicate things like hosting a game server, remote access, or port forwarding, because you don't truly control a unique public address. If a forward "just won't work" no matter what you try, CGNAT on your provider's side is a common culprit.

Why NAT acts as a basic firewall

NAT delivers a useful side benefit: because incoming traffic only gets forwarded when it matches an existing entry in the NAT table, unsolicited connections from the internet have nowhere to go. A stranger scanning your public IP can't reach a specific device inside your home, because the router has no table entry telling it where to send that traffic.

This isn't a true, configurable firewall — it doesn't inspect content or block malicious data — but it does quietly stop the most basic unsolicited probes by default. It's one reason home networks are reasonably safe out of the box, and one reason you have to deliberately set up port forwarding when you actually want outside traffic to reach a device.