Network Address Translation

Aliases
  • NAT
  • NATs
February 21, 2023 (last updated April 28, 2023)

Wiki Article on NAT

NAT, or Network Address Translation, is a technique for rewriting the IP addresses (and usually the ports) in packet headers as they pass through a router. There are a few historical use cases for this technique, but the most important one is mitigating IPv4 address exhaustion.

IPv4 address exhaustion, in plain English, is: we are out of IP addresses. There are more devices than IP addresses. IPv4, specified in the early 80s, has a fixed 32-bit address space of about 4.3 billion (2^32) addresses. Even in the 80s people were predicting we'd run out. NAT is one way to stem the exhaustion, since a whole private network can hide behind a single public address. Eventually, migrating fully to IPv6 will solve this problem, since its 128-bit address space (2^128, roughly 3.4 × 10^38 addresses) is large enough that running out is not a practical concern.

NAT mapping

NAT mapping is the translation itself: how an internal IP/port maps, or translates, to an external IP/port. Your router is essentially keeping a table of mappings, internal IP/port to external IP/port (and the reverse, so replies can be delivered back to the right internal host). There are a variety of ways the router can implement this mapping. I'll use "internal" and "external" to refer to the mappings, and "source" and "destination" to refer to the endpoints, with "source" being the "internal" computer, and "destination" being the server/peer computer.

The names for the most common mapping implementations are not intuitive, in my opinion.

Destination independent NAT mappings

The simplest example is when your router maps your internal IP/port to an external IP/port regardless of where the packet is going. This is source dependent and destination independent: all communication from that internal IP/port goes through the same external IP/port. A STUN server is trustworthy here. You can trust that the external IP/port reported by the STUN server will work for other destinations as well. (RFC 4787 calls this endpoint-independent mapping. Combined with endpoint-independent filtering, where any outside host may send to the mapped port, it is the classic full-cone NAT, also called one-to-one NAT.)

There are other implementation types.

Destination dependent NAT mappings

A common mapping of this type is when your router maps the combination of your internal IP/port and your destination IP/port to an external IP/port. This is source dependent and destination dependent. A STUN server is not trustworthy here: the STUN server's IP/port has affected the mapping, so a different destination will receive a different mapping, and the external port STUN reported is only usable for traffic to and from the STUN server itself. (This is also known as "symmetric" NAT; RFC 4787 calls it address-and-port-dependent mapping.)

NAT traversal

NAT Traversal is the art of figuring out how to get packets between two devices on the internet when one or both sit behind a NAT. It can be complicated. WebRTC uses NAT traversal techniques (ICE, which combines STUN and TURN) in its WebRTC#Signaling phase.
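As an added example (not code from the original article), here is the STUN Binding exchange that the mapping sections above rely on, with both sides built in-process: the client's Binding Request, a constructed server response that reports the source address the request "arrived from", and the client-side parsing of XOR-MAPPED-ADDRESS. The server address, transaction ID and reflexive address 1.2.3.4:11115 are made up for the demonstration; `query_stun` sends the same request to a real server but is not exercised here.

```python
"""Minimal STUN Binding exchange on the wire (RFC 5389 framing), with both the
client request and a constructed server response built in-process. Added example,
not from the original article; the addresses are made up and nothing is sent."""
import os
import socket
import struct
from typing import Optional, Tuple

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
XOR_MAPPED_ADDRESS = 0x0020
HEADER = "!HHI12s"  # type, length, magic cookie, 96-bit transaction ID


def build_binding_request(txid: Optional[bytes] = None) -> bytes:
    """Client side: a Binding Request with no attributes."""
    txid = os.urandom(12) if txid is None else txid
    if len(txid) != 12:
        raise ValueError("transaction ID must be 12 bytes")
    return struct.pack(HEADER, BINDING_REQUEST, 0, MAGIC_COOKIE, txid)


def build_binding_response(txid: bytes, ip: str, port: int) -> bytes:
    """Server side: echo the source (ip, port) the request arrived from, XOR-ed
    with the magic cookie so that NATs which rewrite literal IPs inside payloads
    (application-layer gateways) don't corrupt it."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)  # reserved, family=IPv4
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack(HEADER, BINDING_RESPONSE, len(attr), MAGIC_COOKIE, txid) + attr


def parse_reflexive_address(resp: bytes, txid: bytes) -> Optional[Tuple[str, int]]:
    """Client side: pull (ip, port) out of XOR-MAPPED-ADDRESS. Returns None for
    anything that is not a well-formed Binding Response to *our* transaction."""
    if len(resp) < 20:
        return None
    mtype, length, cookie, rtx = struct.unpack(HEADER, resp[:20])
    if mtype != BINDING_RESPONSE or cookie != MAGIC_COOKIE or rtx != txid:
        return None
    body = resp[20:20 + length]
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        val = body[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
        if atype == XOR_MAPPED_ADDRESS and len(val) >= 8 and val[1] == 0x01:
            _, _, xport, xaddr = struct.unpack("!BBHI", val[:8])
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, xport ^ (MAGIC_COOKIE >> 16)
    return None


def offline_exchange() -> Optional[Tuple[str, int]]:
    """The whole round trip with a constructed server: the 'server' saw the
    request arrive from 1.2.3.4:11115 (the router's public side)."""
    txid = bytes(range(12))                      # fixed ID for the constructed run
    request = build_binding_request(txid)
    assert request[:2] == b"\x00\x01"            # sanity: it is a Binding Request
    response = build_binding_response(txid, "1.2.3.4", 11115)
    return parse_reflexive_address(response, txid)


def query_stun(server: str, port: int = 3478, timeout: float = 2.0) -> Optional[Tuple[str, int]]:
    """Same client logic against a real STUN server over UDP (not run offline)."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_binding_request(txid), (server, port))
        data, _ = sock.recvfrom(2048)
    return parse_reflexive_address(data, txid)


if __name__ == "__main__":
    print(offline_exchange())  # ('1.2.3.4', 11115)
```

The transaction-ID check in `parse_reflexive_address` is the part worth copying: a client that accepts any Binding Response on its socket can be fed a bogus reflexive address by anyone who can reach that port.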

NAT hairpinning

NAT Hairpinning (also called NAT loopback) is where a router notices that you are trying to communicate with another local device using the router's public IP address, and delivers the packet locally instead of sending it out to the internet.

If you knew the local IP/port of a device, you could just talk to it directly. For example, 192.168.0.5 could send a packet to 192.168.0.6. This is normal local delivery: no NAT mapping is involved. On the same subnet the two hosts reach each other without the router; across internal subnets the router would see the two local addresses and simply pass the packet between them.

The other normal situation is local to public, so 192.168.0.5 communicating with some public server out in the cloud, 8.8.8.8. This would involve NAT mappings, etc.

Here's where hairpinning comes into play. You have used STUN on two local devices and determined their public IP/port. If the router's public IP is 1.2.3.4, then, for example, 192.168.0.5 could map to 1.2.3.4:11115, while 192.168.0.6 could map to 1.2.3.4:11116. Now if ...5 wants to talk to ...6 at 1.2.3.4:11116, the packet goes to the router. If the router supports hairpinning, it can "make a hairpin turn": notice that it owns the destination address, translate the destination back to 192.168.0.6's local IP/port (and the source to 1.2.3.4:11115, so the peer sees the address it was told to expect), and pass the packet back into the local network.

If your router does not support hairpinning, a packet sent to your peer's public IP/port will be dropped or go unanswered; the network will not deliver it. In practice this is usually not a problem, because ICE-style traversal also gathers each device's local (host) address and tries those pairs first, so two devices behind the same router end up talking directly on 192.168.0.x without ever needing the hairpin.
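The following is an added example (not code from the original article) that models the mapping table described in the NAT mapping section and the hairpin behaviour described in this section in one toy router. It shows why the external IP/port learned via STUN is reusable for another peer under endpoint-independent mapping but not under address-and-port-dependent ("symmetric") mapping, and where a packet from 192.168.0.5 to 192.168.0.6's public address ends up with and without hairpinning. The STUN server and peer addresses are constructed; sequential port allocation from 11115 is an assumption made to match the article's numbers.

```python
"""Toy model of a home router's NAT table (added example; not from the article).
All addresses are constructed; 1.2.3.4 and 192.168.0.x follow the article's text."""
import itertools
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint


class Nat:
    """mapping is "endpoint-independent" (key = internal src only) or
    "address-and-port-dependent" (key = internal src + destination)."""

    def __init__(self, public_ip: str, mapping: str, hairpin: bool = False):
        self.public_ip = public_ip
        self.mapping = mapping
        self.hairpin = hairpin
        self.table: Dict[tuple, int] = {}        # mapping key -> external port
        self.reverse: Dict[int, Endpoint] = {}   # external port -> internal src
        self._ports = itertools.count(11115)     # assumed: ports handed out in order

    def _key(self, src: Endpoint, dst: Endpoint) -> tuple:
        return (src,) if self.mapping == "endpoint-independent" else (src, dst)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet leaving the LAN. Returns the packet as the next hop
        sees it, or None if the router drops it."""
        key = self._key(pkt.src, pkt.dst)
        if key not in self.table:
            port = next(self._ports)
            self.table[key] = port
            self.reverse[port] = pkt.src
        ext_src = (self.public_ip, self.table[key])
        if pkt.dst[0] == self.public_ip:
            # Destination is our own public address: only a hairpin turn can
            # deliver it, by rewriting dst back to the mapped internal host.
            if not self.hairpin or pkt.dst[1] not in self.reverse:
                return None
            return Packet(ext_src, self.reverse[pkt.dst[1]])
        return Packet(ext_src, pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the internet for our public IP."""
        internal = self.reverse.get(pkt.dst[1])
        if internal is None:
            return None
        if self.mapping == "address-and-port-dependent":
            # Symmetric NAT: only the destination that created this mapping
            # may send back through it (filtering is modelled as strict here).
            if self.table.get((internal, pkt.src)) != pkt.dst[1]:
                return None
        return Packet(pkt.src, internal)


STUN = ("203.0.113.7", 3478)    # constructed STUN server
PEER = ("198.51.100.9", 40000)  # constructed remote peer


def stun_result_reusable(mapping: str) -> bool:
    """Does the external endpoint STUN reported also work for talking to PEER?"""
    nat = Nat("1.2.3.4", mapping)
    host = ("192.168.0.5", 5000)
    learned = nat.outbound(Packet(host, STUN)).src   # what STUN reports back
    to_peer = nat.outbound(Packet(host, PEER)).src   # what PEER actually sees
    # PEER was told `learned` via signaling and sends to it:
    arrives = nat.inbound(Packet(PEER, learned)) is not None
    return learned == to_peer and arrives


def hairpin_delivery(hairpin: bool) -> Optional[Endpoint]:
    """192.168.0.5 sends to the STUN-learned public address of 192.168.0.6.
    Returns where the packet is delivered, or None if the router drops it."""
    nat = Nat("1.2.3.4", "endpoint-independent", hairpin=hairpin)
    a, b = ("192.168.0.5", 5000), ("192.168.0.6", 6000)
    nat.outbound(Packet(a, STUN))                  # a -> 1.2.3.4:11115
    b_public = nat.outbound(Packet(b, STUN)).src   # b -> 1.2.3.4:11116
    delivered = nat.outbound(Packet(a, b_public))
    return None if delivered is None else delivered.dst


if __name__ == "__main__":
    print("EIM reusable:", stun_result_reusable("endpoint-independent"))              # True
    print("symmetric reusable:", stun_result_reusable("address-and-port-dependent"))  # False
    print("hairpin on:", hairpin_delivery(True))    # ('192.168.0.6', 6000)
    print("hairpin off:", hairpin_delivery(False))  # None
```

The symmetric case fails twice over: the peer is told port 11115 but the router allocated 11116 for that destination, and even a packet to 11115 is refused because only the STUN server created that mapping. That is exactly why such NATs usually end up falling back to a relay.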