What is NAT and why does it exist?
Also: why your IoT fish tank is currently not part of a botnet.
I'm sure everyone has encountered NAT at least once in their lives. If you're a gamer, you have probably run into connectivity issues caused by it already. Other people more interested in tech may have run into issues accessing their home services from the outside because of NAT. Users of peer-to-peer (P2P) protocols are also familiar with it.
But what is NAT really?
Public and private IP addresses
To understand the need for NAT, you first need to understand why LAN exists.
In a truly perfect world, it would be possible to connect all networked devices directly to the internet. Everything would be easily addressable and much simpler.
Sadly, this just is not reality. The internet is evil, and traffic you did not ask for, sent your way by someone you don't know, is almost always a bad sign. Many IoT devices are laughably insecure and end up forming gigantic botnets, like the infamous "Mirai" botnet, which once took down internet giants like Netflix, Amazon, GitHub, Twitter, Spotify, SoundCloud, Reddit, and the New York Times by accident.
What if someone discovers an exploit in your IoT fish tank filter? All they have to do is connect directly to it and exploit the vulnerability. Boom, now your fish tank is part of a botnet. That's not good.
The obvious solution to this problem is not making it possible to communicate with your devices from the outside. But how will people you want to talk with respond to you then?
This is exactly what NAT is for.
What is NAT?
NAT stands for Network Address Translation. It is a way to shield your devices from the "real" Internet while still allowing two-way communication.
Instead of connecting your devices directly to the internet, your router acts as a middleman. It will not let the outside internet initiate a connection to your devices at all unless you explicitly configure it to.
The LAN
All devices connected to the router locally form the local area network (LAN). These devices can communicate with each other with virtually zero restrictions. Each device receives a local IP that is used to talk with other local devices and is only valid inside this LAN. These IPs cannot be used by the outside world to talk with a device.
Communication tunnels
To simplify, whenever a device wants to communicate with the outside world, it asks the router to open a tunnel to the outside. This opens a direct communication channel to one external device and allows two-way communication between the two devices.
The important thing to understand is that this approach has downsides. Performance can suffer if a slow router has to manage too much bandwidth, and it is impossible to initiate a connection from the outside (when using hard NAT without forwarding). How do you handle communication between two clients that are BOTH behind hard NAT? You can't; it's impossible, and a major problem for P2P protocols in the modern day.
Note: I am aware that port forwarding exists. However, this is not set up by the average Internet user, and there may be an additional layer of NAT on top of the router, also called CGNAT, which is impossible for the user to bypass.
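To make the "tunnel" idea concrete, here is a small model of a hard (endpoint-dependent) NAT router, written as an added example for this post rather than taken from any real router firmware. It assumes a router with one public IP, a translation table that is only filled by outbound traffic, and a user-configured port-forward table; all IP addresses are constructed from documentation ranges.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class NatRouter:
    """Simplified hard NAT: mappings are keyed on the remote endpoint too (assumed model)."""
    public_ip: str
    next_port: int = 40000
    # (private_ip, private_port, remote_ip, remote_port) -> public port, i.e. one opened "tunnel"
    table: dict = field(default_factory=dict)
    # public port -> (private_ip, private_port), only present if the user set up port forwarding
    forwards: dict = field(default_factory=dict)

    def outbound(self, pkt):
        """A LAN device talks to the outside: allocate a public port and remember the tunnel."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return Packet(self.public_ip, self.table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Outside traffic hits the public IP: deliver only through an existing tunnel or forward."""
        for (priv_ip, priv_port, rem_ip, rem_port), pub_port in self.table.items():
            if pub_port == pkt.dst_port and (rem_ip, rem_port) == (pkt.src_ip, pkt.src_port):
                return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)
        if pkt.dst_port in self.forwards:
            priv_ip, priv_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)
        return None  # unsolicited: dropped, the LAN device never sees it

def demo():
    nat = NatRouter(public_ip="203.0.113.7")   # constructed documentation address
    fish_tank, scanner, update_srv = "192.168.1.20", "198.51.100.9", "198.51.100.50"
    # 1. Unsolicited probe from the outside: no tunnel, no forward, so it is dropped.
    scan = nat.inbound(Packet(scanner, 55555, "203.0.113.7", 8080))
    # 2. The fish tank opens a tunnel to its update server; the server's reply comes back through it.
    out = nat.outbound(Packet(fish_tank, 5000, update_srv, 443))
    reply = nat.inbound(Packet(update_srv, 443, "203.0.113.7", out.src_port))
    # 3. A different host aiming at that same public port is still dropped (hard NAT).
    stranger = nat.inbound(Packet(scanner, 443, "203.0.113.7", out.src_port))
    # 4. Only an explicit port forward exposes the device to anyone on the internet.
    nat.forwards[8080] = (fish_tank, 80)
    forwarded = nat.inbound(Packet(scanner, 55555, "203.0.113.7", 8080))
    return scan, reply, stranger, forwarded
```

Step 3 is exactly why two peers behind hard NAT cannot reach each other: each side's router only accepts traffic from the endpoint its own device already talked to.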
Summary
To sum it up, NAT is an essential security measure in the modern day. It reduces the attack surface for devices and also hides how your network really looks from the outside world. However, it also makes P2P communication impossible and may be a performance hog with a bad router.