The whole internet has a shortage of "real" (public) addresses. Imagine an apartment building (your home/office) where everyone inside shares ONE street address (the building's). Letters going out get the building's return address; the doorman (the router) remembers which apartment sent which letter, so replies come back to the right room. That doorman is NAT (Network Address Translation) .
IPv4 has only 2 32 ≈ 4.3 2^{32} \approx 4.3 2 32 ≈ 4.3 billion addresses. There are far more devices than that. We needed a way to let many private devices share few public addresses .
The solution was private address ranges (RFC 1918) that are not routable on the public internet:
WHY a /8 has 2 24 2^{24} 2 24 hosts: the prefix /8 fixes the first 8 8 8 bits, leaving 32 − 8 = 24 32-8=24 32 − 8 = 24 host bits, so 2 24 2^{24} 2 24 addresses. (Same logic for /12 → 2 20 2^{20} 2 20 , /16 → 2 16 2^{16} 2 16 .)
NAT rewrites the IP address (and often the port) fields inside a packet's header as it crosses the router boundary, then keeps a translation table so it can reverse the rewrite for return traffic.
It changes one or more of these four header fields:
( src IP , src port , dst IP , dst port ) (\text{src IP},\ \text{src port},\ \text{dst IP},\ \text{dst port}) ( src IP , src port , dst IP , dst port )
…and recomputes the affected checksums (IP + TCP/UDP).
When a packet leaves, NAT stores a mapping. When the reply returns, NAT looks up that mapping in reverse.
Worked example PAT in action (the home-router case)
Two laptops behind one public IP 203.0.113.5.
Inside (src)
Translated (src)
Dest
192.168.0.10:51000
203.0.113.5:40001
93.184.216.34:80
192.168.0.11:51000
203.0.113.5:40002
93.184.216.34:80
Why this step? Both laptops used the same internal port 51000. If NAT only swapped the IP, both flows would look identical from outside and replies couldn't be told apart. So PAT also rewrites the port (→ 40001, 40002) to make every flow unique.
Definition Source NAT (SNAT)
Rewrites the source address of outbound packets. Used when inside hosts initiate connections to the outside. "Hide my private IP." This is the default behavior of home routers.
Definition Destination NAT (DNAT)
Rewrites the destination address of inbound packets. Used to expose an internal server: outsiders hit a public IP, NAT redirects to a private server. Also called port forwarding when a specific port is mapped.
Definition PAT (Port Address Translation) — a.k.a. "NAT overload" / masquerade
A special SNAT that rewrites source IP and source port , so many private hosts share one public IP. This is what makes "one home, one public IP, 30 devices" possible.
SNAT = "change who it's from ." (outbound, hiding clients)
DNAT = "change who it's to ." (inbound, exposing servers)
PAT = SNAT + port-mux, the many-to-one trick.
Recall Predict before reading the answer
A home network has 50 devices and ONE public IP. All 50 open a webpage at the same time. Forecast: can plain SNAT (IP-only) handle this? Why or why not?
Recall
No. IP-only SNAT maps each private IP to a public IP 1:1 , so 50 devices need 50 public IPs — defeating the purpose. You need PAT , which differentiates the 50 flows by port number (each gets a unique source port on the single shared public IP). The table key becomes the full tuple ( IP , port ) (\text{IP},\text{port}) ( IP , port ) , giving up to ~64000 simultaneous flows per public IP.
Common mistake "NAT is a firewall / NAT makes me secure."
Why it feels right: outsiders can't initiate a connection to your private IP, so it seems like protection.
The fix: NAT's hiding is a side effect , not security policy. It does nothing about malware you initiate outbound, doesn't inspect payloads, and DNAT/port-forwarding punches holes. Use an actual firewall for security.
Common mistake "SNAT and PAT are the same thing."
Why it feels right: both rewrite the source, both run on the outbound path.
The fix: plain SNAT can be 1:1 (IP only). PAT additionally rewrites the port to achieve many-to-one. PAT is a subset/extension of SNAT. Every PAT is SNAT; not every SNAT is PAT.
Common mistake "NAT works fine for everything."
Why it feels right: browsing always works.
The fix: NAT breaks protocols that embed IPs/ports inside the payload (FTP active mode, SIP/VoIP) because rewriting only the header leaves stale addresses in the body — needing ALGs. Peer-to-peer connections need hole-punching/STUN.
Recall Explain to a 12-year-old
Your house has one mailbox address but lots of people inside. When you mail letters, the doorman writes the house address as the return address and notes "this reply is for Anya, reply ticket #40001." When the reply comes back to the house with ticket #40001, the doorman knows to hand it to Anya, not her brother. NAT is that doorman, and the ticket number is the port .
"S ource S hields, D est D elivers, P AT P acks-by-P ort."
S NAT → S hields/hides the source (clients leaving).
D NAT → D elivers to the right inside server (traffic arriving).
P AT → P acks many hosts into one IP using P orts.
Why was NAT created? To let many private (RFC1918) hosts share scarce public IPv4 addresses, working around the
2 32 2^{32} 2 32 address limit.
What three private IPv4 ranges does RFC 1918 define? 10.0.0.0 / 8 10.0.0.0/8 10.0.0.0/8 ,
172.16.0.0 / 12 172.16.0.0/12 172.16.0.0/12 ,
192.168.0.0 / 16 192.168.0.0/16 192.168.0.0/16 .
How many hosts in a /8? 2 32 − 8 = 2 24 2^{32-8}=2^{24} 2 32 − 8 = 2 24 addresses.
What does SNAT rewrite and when? The source IP of outbound packets when inside hosts initiate connections (hides clients).
What does DNAT rewrite and when? The destination IP of inbound packets, to redirect outsiders to an internal server (port forwarding).
What does PAT additionally rewrite vs plain SNAT? The source port, enabling many private hosts to share one public IP (many-to-one).
Why can't IP-only SNAT serve 50 devices with one public IP? It maps IPs 1:1, so 50 devices would need 50 public IPs; you need PAT to distinguish flows by port.
What four header fields can NAT modify? src IP, src port, dst IP, dst port (plus checksum recompute).
Is NAT a security feature? No; hiding is a side effect, not policy. It inspects nothing and DNAT opens holes.
Which protocols break under NAT and why? FTP active, SIP/VoIP — they embed IP/port inside the payload, which header-only rewriting doesn't fix; need ALGs/STUN.
Roughly how many simultaneous flows can one public IP support under PAT? ~64000 (limited by the 16-bit port space per protocol).
IPv4 Addressing & Subnetting — prefixes, /8 /12 /16 math
RFC 1918 Private Addresses
Ports & TCP-UDP Headers — why ports enable PAT
Firewalls vs NAT — security distinction
STUN, TURN & NAT Traversal — fixing P2P under NAT
IPv6 — abundant addresses reduce NAT need
Port Forwarding & DMZ
exposes via port forwarding
IPv4 address shortage 2^32
src/dst IP and port fields
Inside hosts initiate outbound
Intuition Hinglish mein samjho
Dekho, IPv4 me sirf 2 32 2^{32} 2 32 (~4.3 billion) addresses hain, par duniya me devices usse kahin zyada. Isliye har ghar me hum "private" addresses use karte hain jaise 192.168.0.x (RFC 1918 ranges). Ye addresses internet pe travel nahi kar sakte. To router ek doorman ki tarah kaam karta hai — jab packet bahar jaata hai, router uska private source address hata ke apna ek public IP laga deta hai, aur ek table me note kar leta hai ki "ye reply kiske liye aayega." Yahi NAT hai.
Ab types samjho. SNAT matlab outbound packet ka source badalna — clients ko chhupana. DNAT matlab inbound packet ka destination badalna — bahar wale ko apne andar ke server tak pahunchana (port forwarding). Aur PAT (NAT overload) special hai: ye source IP ke saath source port bhi badalta hai, taaki 50 devices ek hi public IP share kar sakein. Port unique hota hai, isliye reply ko sahi laptop tak bhej dete hain.
Ek common galti: log sochte hain "NAT firewall hai, secure ho gaya." Nahi bhai — chhupana side effect hai, security policy nahi. Real firewall alag cheez hai. Doosri galti: SNAT aur PAT ko same samajhna — PAT actually SNAT ka extension hai jisme port bhi rewrite hota hai. Yaad rakho: S ource S hields, D est D elivers, P AT P acks-by-P ort. Exam aur real networking dono me yeh concept bahut kaam aata hai.