ArcLibrary

NAT (Network Address Translation)

Why dozens of home devices share one public IP and still reach the internet — NAT.

Tags: NAT · Routing · Gateway

Key Idea

In one line: NAT temporarily replaces a LAN's private IP (192.168.x.x) with a public IP when leaving, and reverses on return — the key reason IPv4 still scales today.

What it is

A home router (a.k.a. gateway):

On LAN:    192.168.1.10:5500 → 8.8.8.8:443
              ↓ NAT rewrite
On WAN:    public_ip:external_port → 8.8.8.8:443
              ← reverse rewrite on return

Ten devices use the same public IP at once; the router uses the external port to demux who's who — this many-to-one variant is NAPT / PAT (port address translation), which dominates today.

Analogy

A company switchboard: outside callers see one company number; the receptionist routes by extension to find the right employee. NAT is the router playing receptionist.

Key concepts

  • SNAT (Source NAT): Rewrites the source IP, private→public on egress. Default behaviour on home routers.
  • DNAT (Destination NAT): Rewrites the destination IP, public→private on return; used for port forwarding / exposing services.
  • NAPT / PAT (Port Address Translation): Many-to-one NAT that uses port numbers to tell hosts apart. The only feasible home-router approach.
  • NAT type (Cone / Symmetric): Affects how hard P2P hole punching is. Symmetric is the strictest and is often unreachable for peers.
  • Port forwarding: A flavour of DNAT: the router maps `public:8080 → 192.168.1.5:80`.

How it works

Each NAT mapping is a session entry in the router's translation table; closed TCP connections and idle UDP entries are cleared after a timeout.

Practical notes

  • Outbound from LAN: auto-created entry, just works.
  • Inbound from WAN: blocked by default; need port-forwarding or a reverse tunnel (frp / ngrok / Cloudflare Tunnel).
  • P2P hole punching: both sides send UDP to each other's "public IP:port" (learned through a STUN/TURN server) at the same time, so each NAT creates an entry for the other side; that is what STUN / TURN are for.
  • NAT impacts gaming / VoIP. "Strict NAT type" usually means Symmetric NAT and peers can't reach you.
  • CGNAT (carrier-grade NAT): many home connections don't even get a public IP — multiple users share one — self-hosted services must use a tunnel.
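The session table described under "How it works" and the first two practical notes (outbound auto-creates an entry, inbound is dropped unless an entry or a port-forward exists) can be seen end to end in a small simulation. This is an added example, not code from the page or from any router: a toy NAPT table with SNAT on egress, reverse rewrite on ingress, a static DNAT port-forward, and idle-timeout expiry. The public IP 203.0.113.7, the external port range starting at 40000 and the 30-second idle timeout are constructed values.

```python
"""Toy NAPT (many-to-one NAT) table. Constructed example, not a router's code."""
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "203.0.113.7"   # constructed; RFC 5737 documentation range


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


@dataclass
class Entry:
    lan_ip: str
    lan_port: int
    ext_port: int
    last_seen: float   # last time either direction used this entry


class Napt:
    def __init__(self, public_ip=PUBLIC_IP, idle_timeout=30.0, first_port=40000):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout
        self.next_port = first_port       # next free external port (constructed policy)
        self.by_lan = {}                  # (lan_ip, lan_port, proto) -> Entry
        self.by_ext = {}                  # (ext_port, proto) -> Entry
        self.forwards = {}                # static DNAT: (public_port, proto) -> (lan_ip, lan_port)

    def forward_port(self, public_port, proto, lan_ip, lan_port):
        """Static DNAT rule, i.e. classic port forwarding."""
        self.forwards[(public_port, proto)] = (lan_ip, lan_port)

    def expire(self, now):
        """Drop entries idle for longer than the timeout; returns how many were removed."""
        dead = [k for k, e in self.by_lan.items() if now - e.last_seen > self.idle_timeout]
        for k in dead:
            e = self.by_lan.pop(k)
            self.by_ext.pop((e.ext_port, k[2]), None)
        return len(dead)

    def egress(self, pkt, now):
        """LAN -> WAN: SNAT. A new (ip, port, proto) tuple gets a fresh external port."""
        self.expire(now)
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        e = self.by_lan.get(key)
        if e is None:
            e = Entry(pkt.src_ip, pkt.src_port, self.next_port, now)
            self.next_port += 1
            self.by_lan[key] = e
            self.by_ext[(e.ext_port, pkt.proto)] = e
        e.last_seen = now
        return Packet(self.public_ip, e.ext_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def ingress(self, pkt, now) -> Optional[Packet]:
        """WAN -> LAN: reverse rewrite if an entry exists, DNAT if a forward exists, else drop."""
        self.expire(now)
        if pkt.dst_ip != self.public_ip:
            return None
        e = self.by_ext.get((pkt.dst_port, pkt.proto))
        if e is not None:
            e.last_seen = now
            return Packet(pkt.src_ip, pkt.src_port, e.lan_ip, e.lan_port, pkt.proto)
        fwd = self.forwards.get((pkt.dst_port, pkt.proto))
        if fwd is not None:
            return Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1], pkt.proto)
        return None   # unsolicited inbound with no state: dropped


def demo():
    nat = Napt(idle_timeout=30.0)
    # Two LAN hosts use the same local port toward the same server; only the
    # external port can tell their replies apart, which is why PAT rewrites ports.
    a = nat.egress(Packet("192.168.1.10", 5500, "8.8.8.8", 443, "tcp"), now=0.0)
    b = nat.egress(Packet("192.168.1.11", 5500, "8.8.8.8", 443, "tcp"), now=0.0)
    # Replies to each external port are routed back to the right host.
    ra = nat.ingress(Packet("8.8.8.8", 443, PUBLIC_IP, a.src_port, "tcp"), now=1.0)
    rb = nat.ingress(Packet("8.8.8.8", 443, PUBLIC_IP, b.src_port, "tcp"), now=1.0)
    # Unsolicited inbound to a port with no entry is dropped.
    cold = nat.ingress(Packet("198.51.100.9", 12345, PUBLIC_IP, 8080, "tcp"), now=1.0)
    # Static DNAT: public:8080 -> 192.168.1.5:80, as in the port-forwarding concept above.
    nat.forward_port(8080, "tcp", "192.168.1.5", 80)
    fwd = nat.ingress(Packet("198.51.100.9", 12345, PUBLIC_IP, 8080, "tcp"), now=2.0)
    # After the idle timeout the dynamic entry is gone, so a late server packet is dropped.
    late = nat.ingress(Packet("8.8.8.8", 443, PUBLIC_IP, a.src_port, "tcp"), now=100.0)
    return a, b, ra, rb, cold, fwd, late


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The two hosts both leave from local port 5500, and the simulation hands them external ports 40000 and 40001; that single detail is the difference between plain NAT and NAPT. The `late` case shows why a long-lived UDP session needs keepalives: once the entry expires, the peer's packets hit the "unsolicited inbound" path and are dropped.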

Easy confusions

  • NAT: **Network layer**, rewrites addresses. Apps are unaware.
  • Proxy: **Application layer**, relays data. The app must know about it (HTTP_PROXY etc.).

Further reading