
Understanding NAT, NAPT, and How Private IPs Communicate with the Public Internet

This article explains why home networks use private 192.168.x.x addresses, how NAT devices translate private to public IPs, the roles of SNAT and DNAT, the extension to NAPT with port translation, and techniques such as NAT traversal and hole punching that enable inbound connections from the Internet.

IT Services Circle

IPv4 provides only about 4.2 billion addresses, so home networks use private IP ranges (e.g., 192.168.xx.xx) behind a router that shares a single public address. This saves address space but requires a translation mechanism.

When a device sends a packet, the IP layer fills in the source and destination IPs, similar to a shipping address on a parcel. Inside the LAN the source IP is a private address, but the router must replace it with its public IP before the packet leaves the network.

The device that performs this replacement is a NAT (Network Address Translation) device, typically the home router. It rewrites the source IP (192.168.30.5) to the router’s public IP (e.g., 20.20.20.20) – this process is called SNAT (Source NAT). The router also stores a mapping record such as 192.168.30.5 → 20.20.20.20.

When the remote host replies, the router looks up the mapping, restores the original private destination IP, and forwards the packet back to the internal device – this is DNAT (Destination NAT).

Because many devices share the same public address, NAT must also translate ports. This extended technique is called NAPT (Network Address Port Translation). The router rewrites both the source IP and source port (e.g., 192.168.30.5:5000 → 20.20.20.20:6000) and records the full five‑tuple mapping.

NAPT can only tell flows apart by port for protocols that carry port numbers (TCP, UDP). For ICMP (used by ping), which has no ports, the router uses the ICMP Identifier field in the same way it would use a port.

Since NAT blocks unsolicited inbound traffic, external services cannot directly reach a device inside the LAN. Port‑forwarding or hole punching techniques are needed. A common solution is to run a public server that internal devices connect to, establishing a mapping; the server can then relay traffic to the internal host – this is known as NAT traversal or internal‑network penetration.
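
The translation table described above, as an added example that is not part of the original article: a minimal NAPT model in Python for TCP/UDP flows, showing outbound rewriting, reply lookup, and the drop of an unsolicited inbound packet. The class and function names, the starting public port 6000, the remote addresses, and the rule that inbound packets are accepted only from remote endpoints an inside host has already contacted are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class NaptRouter:
    public_ip: str = "20.20.20.20"   # public address from the article's example
    next_port: int = 6000            # first public port to hand out (assumed)
    by_private: dict = field(default_factory=dict)  # (proto, priv_ip, priv_port) -> public port
    by_public: dict = field(default_factory=dict)   # (proto, public port) -> (priv_ip, priv_port)
    contacted: set = field(default_factory=set)     # (proto, public port, remote_ip, remote_port)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """SNAT plus port translation: rewrite the private source, record the mapping."""
        key = (proto, src_ip, src_port)
        if key not in self.by_private:
            self.by_private[key] = self.next_port
            self.by_public[(proto, self.next_port)] = (src_ip, src_port)
            self.next_port += 1
        pub_port = self.by_private[key]
        # Remember the remote endpoint so that only its replies are let back in.
        self.contacted.add((proto, pub_port, dst_ip, dst_port))
        return (proto, self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Reverse translation for replies; returns None when the packet is dropped."""
        if dst_ip != self.public_ip:
            return None
        if (proto, dst_port, src_ip, src_port) not in self.contacted:
            return None  # unsolicited: no inside host ever sent to this remote endpoint
        priv_ip, priv_port = self.by_public[(proto, dst_port)]
        return (proto, src_ip, src_port, priv_ip, priv_port)


def demo():
    nat = NaptRouter()
    server = ("203.0.113.10", 443)  # constructed remote host (documentation range)
    out1 = nat.outbound("tcp", "192.168.30.5", 5000, *server)
    out2 = nat.outbound("tcp", "192.168.30.6", 5000, *server)  # same private port, other host
    reply = nat.inbound("tcp", *server, nat.public_ip, out1[2])
    stray = nat.inbound("tcp", "198.51.100.7", 4444, nat.public_ip, out1[2])
    return out1, out2, reply, stray


if __name__ == "__main__":
    for packet in demo():
        print(packet)
```

The two inside hosts use the same private port 5000 but receive different public ports, which is what lets the router deliver each reply to the right device.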

For peer‑to‑peer communication (e.g., P2P file sharing), both peers first contact a rendezvous server, which learns their external IP/port pairs. The server then instructs each peer to send UDP packets to the other's external address, creating a temporary mapping on both NATs (the “hole‑punching” process). Once the mappings exist, the peers can exchange data directly, optionally upgrading to TCP after the UDP hole is established.

In summary, NAT conserves IPv4 addresses by allowing many private hosts to share a single public address, but it also hides internal hosts from the outside world. Techniques such as NAPT, port forwarding, and NAT hole punching enable inbound connections when needed, while the underlying five‑tuple (protocol, source IP, destination IP, source port, destination port) ensures correct packet delivery.
