What is NAT and why you don't want it

Date: — Topic: — by Slatian

You may or may not have heard of NAT (Network Address Translation). Here is how it works, why you don't want it and why you probably have to use it anyway.

How the Internet was supposed to work

The original idea of the Internet was that every machine is reachable, can directly connect to other machines using nothing but their public address, and can also offer services. Which worked pretty well until …

Why the Internet community started NATing

… the Internet started running out of publicly reachable addresses. So everyone started assigning private IP-Addresses to their internal networks, trying to get the most out of the precious public address space.

Legacy NAT

Legacy NAT simply swaps one IP-Address for another, with a 1:1 relationship between private and public addresses. The public address is either statically assigned or handed out on demand to a machine that wants to connect, so if you wanted to connect to the Internet you had to wait for a free line (public address) from a pool of available addresses (called a NAT Pool). Hello old dialup!

These are respectively called Static and Dynamic NAT.

Modern NAT - Port Address Translation (PAT)

Nowadays, with tens of devices per household holding active connections to outside servers, the legacy approach of giving a machine an IP when it needs one and recycling it afterwards doesn't work anymore.

But one can abuse the fact that most machines don't offer services to the public and therefore have a lot of outgoing and no incoming connections. So instead of assigning whole IP-Addresses, we made our routers translate combinations of Layer 4 port and IP-Address.

If one now wants to connect to the server at on port 443 from from port 12345 via a router assigned (it would with multiple public addresses, too) as its public address …

For ICMP, the identifiers can be used similarly to port numbers. UDP-based protocols need additional support from the NAT, as UDP itself has no way of matching requests with replies.

With that setup one can support up to ~60000 concurrent TCP connections with a single public IP-Address. Great, isn't it?
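
To make the port translation table concrete, here is a small Python model of a PAT router. It is an added example, not code from the original post: the class name PatRouter, the port range and all addresses (RFC 1918 and RFC 5737 documentation ranges) are constructed for illustration, and it assumes the NAT only accepts replies from the remote a flow was opened to.

```python
# Added example: a toy PAT (port address translation) table.
# All addresses are constructed (RFC 1918 / RFC 5737 documentation ranges).
from itertools import chain


class PatRouter:
    """One public IP; every outbound flow gets its own public port."""

    def __init__(self, public_ip, port_range=(1024, 65535)):
        self.public_ip = public_ip
        self.ports = range(port_range[0], port_range[1] + 1)
        self.out = {}   # (proto, private addr, remote addr) -> public port
        self.back = {}  # (proto, public port) -> (private addr, remote addr)

    def outbound(self, proto, private, remote):
        """Translate an outgoing packet's source to (public_ip, public_port)."""
        key = (proto, private, remote)
        if key not in self.out:
            port = self._free_port(proto, preferred=private[1])
            self.out[key] = port
            self.back[(proto, port)] = (private, remote)
        return (self.public_ip, self.out[key])

    def inbound(self, proto, remote, public_port):
        """Return the private (ip, port) a reply belongs to, or None to drop."""
        entry = self.back.get((proto, public_port))
        if entry is None or entry[1] != remote:
            return None  # no matching flow state, nothing to translate to
        return entry[0]

    def _free_port(self, proto, preferred):
        # Keep the client's own source port when it is free, else take the next one.
        for port in chain([preferred], self.ports):
            if port in self.ports and (proto, port) not in self.back:
                return port
        raise RuntimeError("public port pool exhausted")


def demo():
    nat = PatRouter("203.0.113.5")
    server = ("198.51.100.7", 443)
    a = nat.outbound("tcp", ("192.168.1.10", 12345), server)
    b = nat.outbound("tcp", ("192.168.1.11", 12345), server)  # same port, other host
    reply = nat.inbound("tcp", server, a[1])                  # reply to host .10
    stray = nat.inbound("tcp", ("192.0.2.99", 443), a[1])     # unknown remote
    return a, b, reply, stray, len(nat.ports)


if __name__ == "__main__":
    print(demo())
```

The pool of 64512 usable ports in this model is where a figure like ~60000 comes from. The stray packet is dropped only because no translation state exists for it, not because of any filtering policy.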

Carrier grade NAT

Well, your provider most probably thinks that that is great because now they can serve a whole lot of customers and still only pay for a handful of public IPs. There is even the network reserved in RFC 6598 for exactly this purpose.

Problems with NAT

The problem with this is now that your average client is behind two or even more layers of NAT, one at their provider, one built into their home-router. That comes with at least two problems:

Also, NAT actively hinders innovation. Ever heard of SCTP, the Stream Control Transmission Protocol (RFC 9260)? One of the reasons you have probably never seen it in the wild is that old NATs (like Joe Average's router running outdated firmware) have no clue what to do with it. The same problem applies to QUIC (RFC 9000), which is based on UDP: because punching a hole of the right shape into the NAT is usually difficult to impossible, you probably won't find it in the wild.


NAT64 was a way to translate IPv6 addresses in the 64:ff9b::/96 network to IPv4, but it has been deprecated in favour of dual-stack configurations, probably because for it to work either direct application support is needed or a DNS server which has to translate IPv4 addresses to the NATable IPv6 ones.

Myths around NAT

Great I don't need a Firewall!

Yes you do! A NAT only denies incoming connections because no machine in the internal network has currently punched a hole in it with UPnP. Your NAT is also waaay too complex to be trusted with denying unwanted connections. (Don't confuse it with a NAT built into a firewall.)

I want IPv6 NAT because of Privacy!

If you have this kind of network access, you can just as well reassign random addresses using your favourite IPv6 address assignment mechanism.

Solving the NAT problems

So you don't like your NAT anymore? What if the Internet had an address space large enough for every device? Well, it's your lucky day: the solution is called IPv6, and if in 2023 your ISP doesn't give you IPv6, ask them nicely why they are stuck in the past.