diagram.mmd — flowchart
NAT Translation Flow flowchart diagram

NAT (Network Address Translation) is the process by which a router or firewall rewrites IP address and port information in packet headers to allow multiple devices on a private network to share a single public IP address for internet communication.

IPv4 address exhaustion is the primary driver for NAT. RFC 1918 reserves private address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) that are not routable on the public internet. NAT bridges private and public address spaces.

NAPT (Network Address and Port Translation): The most common form is "masquerade" NAT, also called NAPT. The NAT device maintains a translation table mapping (private IP, private port) → (public IP, public port). When a private host initiates a connection, the NAT device:

1. Assigns an available public-side port
2. Rewrites the source IP and port in the outbound packet
3. Stores the mapping in the NAT table
4. On return traffic, performs the reverse translation — rewriting the destination IP and port back to the private host's address

Connection Tracking: The NAT table entry is created on the first outbound packet and kept alive as long as traffic flows. Entries time out after inactivity (UDP: typically 30s, TCP: up to hours).

Implications for Developers: NAT is why peer-to-peer connectivity is complex — neither peer can initiate a connection to the other's private IP. Techniques like STUN (for discovering public IP:port), TURN (relaying), and ICE (the combination used by WebRTC) exist to traverse NAT. VPN tunnel setup also involves NAT traversal. Port forwarding explicitly maps an inbound public port to a private host, enabling server operation behind NAT.
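The NAPT steps, the connection-tracking timeouts and the port-forwarding rule described above, as an added example in Python (not part of the original diagram page). It models a masquerading router with the page's public IP 203.0.113.5 and the 30s UDP / hours-long TCP idle timeouts; the host addresses, the 41000 starting port, the 1-hour TCP value and the port-forwarded web server at 192.168.1.30 are constructed sample values. The point a defender should notice is that inbound packets with no table entry and no explicit forward are dropped, which is the stateful filtering that makes unsolicited inbound connections to private hosts fail.

```python
from dataclasses import dataclass, field

# Constructed values: public IP and timeouts follow the page; TCP timeout assumed 1h.
PUBLIC_IP = "203.0.113.5"
UDP_TIMEOUT = 30.0      # seconds of inactivity before a UDP entry is dropped
TCP_TIMEOUT = 3600.0    # assumed; the page only says "up to hours"


@dataclass
class Entry:
    private: tuple      # (private IP, private port) that owns the public port
    proto: str
    last_seen: float    # timestamp of the last packet in either direction


@dataclass
class Napt:
    public_ip: str = PUBLIC_IP
    next_port: int = 41000                          # next free public-side port
    outbound: dict = field(default_factory=dict)    # (proto, priv_ip, priv_port) -> pub_port
    inbound: dict = field(default_factory=dict)     # (proto, pub_port) -> Entry
    forwards: dict = field(default_factory=dict)    # static port forwards: (proto, pub_port) -> (ip, port)
    dropped: int = 0                                # inbound packets with no mapping

    def add_port_forward(self, proto, pub_port, priv_ip, priv_port):
        """Explicitly expose a private service on a public port."""
        self.forwards[(proto, pub_port)] = (priv_ip, priv_port)

    def _timeout(self, proto):
        return UDP_TIMEOUT if proto == "udp" else TCP_TIMEOUT

    def expire(self, now):
        """Connection tracking: remove entries idle longer than their timeout."""
        for key, entry in list(self.inbound.items()):
            if now - entry.last_seen > self._timeout(key[0]):
                del self.inbound[key]
                del self.outbound[(key[0], *entry.private)]

    def translate_outbound(self, pkt, now):
        """Steps 1-3: allocate a public port, rewrite the source, store the mapping."""
        self.expire(now)
        proto, (src_ip, src_port) = pkt["proto"], pkt["src"]
        key = (proto, src_ip, src_port)
        if key not in self.outbound:
            pub_port = self.next_port
            self.next_port += 1
            self.outbound[key] = pub_port
            self.inbound[(proto, pub_port)] = Entry((src_ip, src_port), proto, now)
        pub_port = self.outbound[key]
        self.inbound[(proto, pub_port)].last_seen = now
        return {**pkt, "src": (self.public_ip, pub_port)}

    def translate_inbound(self, pkt, now):
        """Step 4: reverse-translate return traffic; drop anything without a mapping."""
        self.expire(now)
        proto, (dst_ip, dst_port) = pkt["proto"], pkt["dst"]
        if dst_ip != self.public_ip:
            self.dropped += 1
            return None
        entry = self.inbound.get((proto, dst_port))
        if entry is not None:
            entry.last_seen = now
            return {**pkt, "dst": entry.private}
        fwd = self.forwards.get((proto, dst_port))
        if fwd is not None:
            return {**pkt, "dst": fwd}
        self.dropped += 1   # unsolicited inbound: no state, no forward, so it is dropped
        return None


def demo():
    """Replay the page's two flows plus an unsolicited probe, a forward and a timeout."""
    nat = Napt()
    nat.add_port_forward("tcp", 8080, "192.168.1.30", 80)   # constructed web server behind NAT
    t0 = 1000.0
    out_a = nat.translate_outbound({"proto": "tcp", "src": ("192.168.1.10", 54321), "dst": ("8.8.8.8", 443)}, t0)
    out_b = nat.translate_outbound({"proto": "udp", "src": ("192.168.1.20", 54322), "dst": ("1.1.1.1", 443)}, t0)
    ret_a = nat.translate_inbound({"proto": "tcp", "src": ("8.8.8.8", 443), "dst": (PUBLIC_IP, 41000)}, t0 + 1)
    unsolicited = nat.translate_inbound({"proto": "tcp", "src": ("198.51.100.7", 4444), "dst": (PUBLIC_IP, 41005)}, t0 + 1)
    forwarded = nat.translate_inbound({"proto": "tcp", "src": ("198.51.100.7", 4444), "dst": (PUBLIC_IP, 8080)}, t0 + 1)
    # 60s later the idle UDP entry has expired; the TCP entry is still tracked.
    late_b = nat.translate_inbound({"proto": "udp", "src": ("1.1.1.1", 443), "dst": (PUBLIC_IP, 41001)}, t0 + 60)
    late_a = nat.translate_inbound({"proto": "tcp", "src": ("8.8.8.8", 443), "dst": (PUBLIC_IP, 41000)}, t0 + 60)
    return {"out_a": out_a, "out_b": out_b, "ret_a": ret_a, "unsolicited": unsolicited,
            "forwarded": forwarded, "late_b": late_b, "late_a": late_a, "dropped": nat.dropped}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The table is keyed on the private endpoint only, matching the (private IP, private port) → (public IP, public port) mapping the page describes; production connection trackers such as Linux conntrack match the full 5-tuple, so even a packet to a live public port is dropped unless it comes from the remote endpoint that the mapping was created for. That stricter filtering is exactly what STUN and ICE have to work around.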


Frequently asked questions

NAT is the process where a router rewrites source IP addresses (and typically ports) in packet headers so that multiple devices on a private network can share a single public IP address for internet communication. It bridges the gap created by IPv4 address exhaustion, where private RFC 1918 addresses are not routable on the public internet.

When a private host initiates a connection, the NAT device assigns an available public-side port, rewrites the source IP and port in the outbound packet, and stores the mapping. When return traffic arrives at the public IP and port, the NAT device reverses the translation — rewriting the destination to the private host's address and forwarding it to the correct internal device.

Both peers are typically behind NAT, so neither knows the other's public IP:port mapping. Neither can initiate a direct connection to the other's private IP. Solutions include STUN (a server that tells each peer its public IP:port), TURN (a relay server that forwards traffic between peers), and ICE (used by WebRTC to negotiate the best path automatically).

IPsec integrity-protects the IP header, but NAT modifies it, causing verification to fail. NAT-T (RFC 3947) solves this by encapsulating ESP packets inside UDP port 4500, making them appear as regular UDP traffic that NAT can forward without breaking integrity protection. Most modern VPN clients handle NAT-T automatically.
```mermaid
flowchart LR
    PrivNet([Private Network\n192.168.1.0/24])
    PrivNet --> HostA[Host A\n192.168.1.10:54321]
    PrivNet --> HostB[Host B\n192.168.1.20:54322]
    HostA --> NAT[NAT Router\nPublic IP: 203.0.113.5]
    HostB --> NAT
    NAT --> TableA[NAT Table Entry:\n192.168.1.10:54321\n→ 203.0.113.5:41000]
    NAT --> TableB[NAT Table Entry:\n192.168.1.20:54322\n→ 203.0.113.5:41001]
    TableA --> OutA[Outbound packet:\nSrc: 203.0.113.5:41000\nDst: 8.8.8.8:443]
    TableB --> OutB[Outbound packet:\nSrc: 203.0.113.5:41001\nDst: 1.1.1.1:443]
    OutA --> Internet([Internet])
    OutB --> Internet
    Internet --> ReturnTraffic[Return traffic:\nDst: 203.0.113.5:41000]
    ReturnTraffic --> ReverseNAT{Reverse NAT\nlookup port 41000}
    ReverseNAT --> DeliverA[Rewrite Dst:\n192.168.1.10:54321\nForward to Host A]
```