NAT, Network Address Translation

What is NAT?

NAT is router software that hides the router's LAN attached devices from the Internet. There is a single internet IP address allocated to the router by the ISP (perhaps using DHCP) and this address is used for all communications external to the router's LAN. The router relays messages from the LAN to the external Internet but for the Internet simulates that the message came from the router itself and not a LAN attached device.

How does NAT Work?

NAT works by maintaing a table of LAN to Internet connections, internal ip address and port number to external port numbers (the IP address is fixed). NAT also logs the external destination IP address so that it can recognise responses from that address. NAT table entries are added for each LAN to Internet connection i.e. from any PC, tablet, phone etc. to the outside world. For each outbound message the router finds the IP and TCP headers where it changes the origin device's LAN IP address to it's own external IP address and changes the origin port number to one allocated by the NAT software. When a response is returned the reverse process copies in the correct port number and LAN IP address. A LAN header is added to the message and it is ready for sending to the device.

Which Addresses are from the LAN?

Routers could potentially become confused between an IP address on the LAN and one in the Internet but for the fact this was anticipated and special IP address ranges have been reserved as being private. Private addresses cannot be exposed to the Internet and must therefore be on the LAN side of the router. It probably will not surprise you to know that 192.168.1.x (x = 1 to 255) is a range of private IP addresses and is the one most commonly used as the factory default for small routers. If you need more addresses you can always change your IP address to 10.x.x.x (x = 0 to 255 excl. which is also private.

From what is visible to our server, we see:

Your LAN Internal IP address: not detected
Router's external IP address: not detected

Inbound Connections

If you are away from home but want to view what your IP security camera has detected you need to access an internal LAN IP address and port (IP camera factory settings are normally set to port 80 i.e. web server). You can find the router's external IP address via a DDNS lookup but all addresses on the LAN are private and hidden from the Internet, so how can you access the camera?

The answer is similar to the NAT process, this time though you reserve specific port numbers on the router's external IP address for forwarding to specific LAN IP addresses and ports e.g. your camera (or other server type device). Port Forwarding is normally a configuration option on your router. You reserve an arbitrary port number to be externally opened on the router's external IP address and then specifiy the local IP address and port to which connections should be relayed. To access this non-standard port number simply add it after the domain name separated by a colon e.g. would attempt to access google's port 1966 which is not available and the connection request will simply time out or give some other error.


  1. Avoid low numbered external port numbers, like 80. Malicious internet users frequently scan IP addresses for open (connectable) low numbered ports and then try to hack into these. In your router's config reserve a port such as 4848, forward connections to your camera's local IP address and port e.g. 80.
  2. LAN
  3. The camera's LAN IP address needs to be fixed for port forwarding to work, use the button to the right to find out how to do this.

Why NAT?

If NAT causes all these problems for inbound connections why use it? NAT saved the Internet from a dramatic mandatory change to IPV6 by hiding the addresses of devices attached to a router, this dramatically reduced the total number of IP addresses needed.


IPV6 and IoT
TCPIP Networking
WWW, FTP, eMail and TCP ports