NAT and PAT
Network Address Translation and Port Address Translation for private networks.
The Internet's Address Shortage and the Need for a "Receptionist"
As we've learned, the IPv4 addressing system, with its ~4.3 billion addresses, was not built to handle the explosion of internet-connected devices we see today. The world has long run out of new IPv4 addresses to assign. This created a huge problem: how can billions of new devices in our homes and offices get online if there are no unique public addresses left for them?
Imagine a large office building with thousands of employees, each with their own telephone extension number (e.g., x101, x245, x501). The company only has a single, public telephone number that the outside world knows. When an employee wants to call an external client, they don't use their private extension. Instead, they dial out through the company's receptionist, who connects the call using the public number. When the client calls back, they dial the public number and ask the receptionist to connect them to the specific employee.
Network Address Translation (NAT) acts as this digital receptionist for a network. It's a technology built into routers that allows an entire private network of devices (your home computers, phones, smart speakers) to access the internet using a single public IP address provided by your Internet Service Provider (ISP).
Private vs. Public IP Addresses: The Two Worlds
To understand NAT, it's crucial to understand the difference between two types of IPv4 addresses:
Private IP Addresses
These are like the internal telephone extensions in our office analogy. They are reserved for use inside a private network (like your home Wi-Fi network). Routers on the public internet are configured to ignore and never forward packets from these address ranges. This means they are completely isolated from the outside world.
The blocks of addresses reserved for private use (defined in ) are:
- 10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
- 172.16.0.0 to 172.31.255.255 (172.16.0.0/12)
- 192.168.0.0 to 192.168.255.255 (192.168.0.0/16)
Public IP Addresses
These are like the company's main public telephone number. A public IP address is a globally unique and routable address assigned by an ISP. This is the address that the rest of the internet sees when you visit a website or send an email. Servers, websites, and any service that needs to be directly reachable from anywhere on the internet must have a public IP address.
NAT's job is to act as the bridge, translating between the private, internal world and the public, external world.
Types of Network Address Translation
There are three primary ways NAT can be implemented, each serving a different purpose.
1. Static NAT
Static NAT creates a permanent, one-to-one mapping between a private IP address and a public IP address.
Analogy: This is like giving the CEO a dedicated, direct public phone line that rings directly on their desk, bypassing the main receptionist.
Whenever a packet is sent from the internal device (e.g., `192.168.1.50`), the router always translates its source IP to the same public IP (e.g., `203.0.113.10`). Conversely, any traffic coming from the internet to `203.0.113.10` is always forwarded to `192.168.1.50`. This is mainly used for hosting public services like a web server or email server on a device that has a private IP address. It doesn't conserve addresses, as it requires one public IP for each internal device.
2. Dynamic NAT
Dynamic NAT maps a pool of private IP addresses to a pool of public IP addresses on a first-come, first-served basis.
Analogy: The office has a small number of public phone lines (e.g., 5). When any of the 100 employees wants to make an external call, the receptionist assigns them the next available public line. The call is active for the duration, and then the line is returned to the pool for someone else to use.
In this model, an organization has a group of internal devices and a smaller group (a pool) of public IP addresses. When an internal device wants to access the internet, the NAT router picks an unused IP from the public pool and creates a temporary one-to-one mapping. This mapping is kept in a translation table only for the duration of the session. The major limitation is that the number of simultaneous internet connections is limited by the number of available public IPs in the pool. If all public IPs are in use, the next internal device that tries to get out will have to wait.
3. Port Address Translation (PAT) / NAT Overload
This is by far the most common form of NAT, used in virtually every home and small business router today. PAT allows many internal devices to share a single public IP address simultaneously.
Analogy: The office has thousands of employees but only one public phone number. The receptionist is incredibly skilled. When an employee makes an outgoing call, the receptionist notes both the employee's extension and assigns a unique call ID number. When a client calls back, they ask for the call ID, and the receptionist instantly knows which employee's extension to route the call to.
PAT, often called NAT Overload, leverages not just IP addresses but also port numbers to keep track of conversations. This is the mechanism we will explore in detail next.
In-Depth: How Port Address Translation (PAT) Works
To understand PAT, we must first introduce the concept of port numbers. An IP address gets a packet to the correct device (the "building address"), but a port number gets it to the correct application on that device (the "apartment or office number"). Every connection you make (e.g., opening a new browser tab) uses a unique source port number.
PAT cleverly uses these port numbers to distinguish between the many different communication sessions originating from the private network.
A Step-by-Step Example of PAT in Action
Let's imagine two computers in your home network want to browse a website at the same time.
- Your Router's Public IP: 203.0.113.45
- Computer A's Private IP: 192.168.1.100
- Computer B's Private IP: 192.168.1.101
- Website Server's Public IP: 198.51.100.10 (listening on standard web port 443)
- Computer A sends a request: Your browser on Computer A wants to connect to the website. It creates a packet. The source address in the packet is `192.168.1.100` and it picks a random, high source port, let's say `12345`. The destination is `198.51.100.10:443`.
- The router performs PAT for Computer A: The packet arrives at your router. The router sees it's going to the internet and performs the translation:
  - It replaces the private source IP (`192.168.1.100`) with its own public IP (`203.0.113.45`).
  - It replaces the original source port (`12345`) with a new, unique public port from its available range, let's say `61001`.
  - It records this translation in its NAT table: `192.168.1.100:12345 ↔ 203.0.113.45:61001`.
  - It sends the modified packet out to the internet. The website server sees a request coming from `203.0.113.45:61001`.
- Simultaneously, Computer B sends a request: Your other device also wants to connect to the same website. It creates a packet with source `192.168.1.101` and picks a different random port, say `54321`. Destination is `198.51.100.10:443`.
- The router performs PAT for Computer B: This second packet also arrives at the router. The router performs a similar translation:
  - It replaces the source IP `192.168.1.101` with the same public IP `203.0.113.45`.
  - It replaces the source port `54321` with another unique public port, say `61002`.
  - It adds a second entry to its NAT table: `192.168.1.101:54321 ↔ 203.0.113.45:61002`.
  - It sends this modified packet out. The server sees a completely separate request coming from `203.0.113.45:61002`.
- The Reverse Trip: The website server responds. It sends one reply packet back to `203.0.113.45:61001` (for Computer A) and another to `203.0.113.45:61002` (for Computer B).
- The Router Translates Back:
  - When the packet destined for port `61001` arrives, the router looks it up in its table, finds the entry `... ↔ 203.0.113.45:61001`, and knows it belongs to `192.168.1.100:12345`. It reverses the translation and forwards the packet to Computer A.
  - When the packet for port `61002` arrives, it finds the other entry and correctly forwards that packet to Computer B.
Thanks to this port mapping, the router can manage tens of thousands of simultaneous sessions from all devices on the local network, all using just one public IP address.
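The two-computer walkthrough above, replayed in code as an added example (this is illustrative code written for this page, not part of the original text or any router's implementation). The toy router only translates packets whose source falls in one of the three private blocks listed earlier and whose destination does not, allocates public ports starting at 61001 as in the walkthrough, and shows what happens when a reply arrives for a port with no table entry; `Packet`, `PatRouter` and `run_example` are names chosen here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)
# The three private blocks listed earlier on this page; everything else counts as public here.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in block for block in PRIVATE_BLOCKS)

@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint

class PatRouter:
    """Toy PAT (NAT overload) router: one public IP, public ports tell sessions apart."""
    def __init__(self, public_ip: str, first_port: int = 61001):
        self.public_ip, self.next_port = public_ip, first_port
        self.table = {}    # private (ip, port) -> public port
        self.reverse = {}  # public port -> private (ip, port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        # Only private-source, public-destination traffic is translated.
        if not is_private(pkt.src[0]) or is_private(pkt.dst[0]):
            return None
        port = self.table.get(pkt.src)
        if port is None:  # first packet of this session: allocate the next free public port
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[pkt.src], self.reverse[port] = port, pkt.src
        return Packet((self.public_ip, port), pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # Reverse the mapping for a reply; no table entry means the packet is dropped.
        if pkt.dst[0] != self.public_ip or pkt.dst[1] not in self.reverse:
            return None
        return Packet(pkt.src, self.reverse[pkt.dst[1]])

def run_example():
    """Replay the two-computer scenario from the text plus one unsolicited inbound packet."""
    router = PatRouter("203.0.113.45")
    server = ("198.51.100.10", 443)
    out_a = router.outbound(Packet(("192.168.1.100", 12345), server))
    out_b = router.outbound(Packet(("192.168.1.101", 54321), server))
    reply_a = router.inbound(Packet(server, out_a.src))  # server replies to 203.0.113.45:61001
    reply_b = router.inbound(Packet(server, out_b.src))  # ... and to 203.0.113.45:61002
    stray = router.inbound(Packet(server, ("203.0.113.45", 61099)))  # no entry: dropped
    return router, out_a, out_b, reply_a, reply_b, stray
```

The `stray` packet is the case the Advantages section describes: with no matching table entry the router has nowhere to forward it, so it is silently discarded.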
Advantages and Disadvantages of NAT
NAT has been an indispensable technology, but it is not without its drawbacks.
Advantages
- Conserves IPv4 Addresses: This is its primary and most celebrated benefit. PAT allows a single public IPv4 address to be shared by hundreds or thousands of devices, dramatically slowing down address exhaustion.
- Provides a Basic Security Layer: As a side effect of its translation table, NAT behaves like a simple stateful firewall. By default, connections from the internet cannot be initiated to internal private devices because the router has no NAT table entry to translate them to; an incoming packet is only forwarded if it is a reply to a connection that an internal device already opened.
- Network Flexibility: Administrators can design and manage their internal private network addressing scheme with great flexibility, without needing to coordinate with their ISP or change all internal addresses if the public IP address changes.
Disadvantages
- Breaks the End-to-End Principle: The original vision of the internet was that any device could directly communicate with any other device. NAT breaks this model because the internal device is hidden behind the router's public address. The server on the internet sees the router, not the actual device it is communicating with.
- Complicates Certain Applications: Applications that rely on initiating incoming connections, such as peer-to-peer (P2P) file sharing, some online games, and VoIP protocols, can have problems working through NAT. This often requires complex workarounds like port forwarding or STUN/TURN servers.
- Performance Overhead: While minimal on modern hardware, the process of inspecting and modifying the IP and transport layer headers of every single packet adds a small amount of latency and consumes router resources.
- Loss of Traceability: Because many users are hidden behind one address, it can be more difficult to trace malicious activity back to a specific device.