Public vs. Private IP Addresses and NAT Explained
IP addresses come in two flavours: public addresses that are globally unique and routable on the Internet, and private addresses that you can reuse freely inside any organization. Understanding the difference explains why the IP on your PC almost never matches the IP a website sees.
Why private addresses exist
There are only ~4.3 billion IPv4 addresses and they ran out years ago. If every phone, laptop, TV and lightbulb needed a unique public address, the Internet would have stalled. Instead, RFC 1918 reserved three ranges that anyone may use internally, as long as they never appear directly on the public Internet.
The RFC 1918 private ranges
| Range | CIDR | Addresses | Typical use |
|---|---|---|---|
| 10.0.0.0 – 10.255.255.255 | 10.0.0.0/8 | ~16.7 million | Large enterprises, clouds |
| 172.16.0.0 – 172.31.255.255 | 172.16.0.0/12 | ~1 million | Medium networks |
| 192.168.0.0 – 192.168.255.255 | 192.168.0.0/16 | 65,536 | Home / small office |
Because these are reused everywhere, they cannot be routed across the public Internet — a router must translate them with NAT.
Other special ranges you'll meet
| Range | Name | Meaning |
|---|---|---|
| 127.0.0.0/8 | Loopback | Your own machine (localhost) |
| 169.254.0.0/16 | Link-local (APIPA) | Self-assigned when DHCP fails |
| 100.64.0.0/10 | CGNAT shared space | Between your router and the ISP (CGNAT) |
These and more are covered in special addresses.
NAT (Network Address Translation)
A home router maps many internal devices (private IPs) onto the single public IP assigned by your provider:
[PC 192.168.0.10]─┐
[Phone 192.168.0.11]─┼─[Router / NAT]──→ [Public IP 203.0.113.5] ──→ Internet
[TV 192.168.0.12]─┘
The trick that makes this work for many devices at once is port translation (NAPT/PAT). The router rewrites the source IP and source port of each outgoing connection and remembers the mapping in a table, so replies can be sent back to the right device:
| Internal | → seen on Internet as |
|---|---|
| 192.168.0.10:51000 | 203.0.113.5:40001 |
| 192.168.0.11:51000 | 203.0.113.5:40002 |
That is why a website sees your router's public IP — the same address shown on this site's home page — not the private IP on your PC.
What NAT breaks (and how people work around it)
Because connections must start from the inside, NAT quietly blocks inbound connections, which affects:
- Hosting a server or game behind NAT — needs port forwarding to map an external port to an internal device.
- Double NAT (your router behind the ISP's router) — port forwarding must be set in both.
- CGNAT — when the ISP itself shares one public IP among many customers, you can't port-forward at all. See CGNAT explained.
- VPNs and proxies change which public IP the world sees — see NAT, proxies and VPNs.
IPv6 mostly ends NAT
IPv6's address space is so large that every device can have its own globally unique address, removing the need for NAT (firewalls still control access). During the long transition most networks run IPv4 + IPv6 together. See IPv6 vs IPv4.
Check whether you're behind NAT
Compare your two addresses. If your local IP is in an RFC 1918 range but the home page shows a different public IP, you are behind NAT (almost everyone is).
# Linux: local (private) IP
ip -4 addr show
# Windows: local (private) IP
Get-NetIPAddress -AddressFamily IPv4
Note: If your router's WAN IP is in 100.64.0.0/10, your ISP is using CGNAT — you share a public IP with other subscribers and cannot host inbound services without a relay or a paid static IP.
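The comparison described in this section can be scripted. The following is an added example, not code from the original page: it classifies an address against the ranges listed in the tables above and decides between no NAT, single NAT, double NAT and CGNAT. The function names and the three-observation input (local IP, router WAN IP, IP a website reports) are assumptions made for the illustration.

```python
import ipaddress

# Ranges taken from the tables on this page.
RANGES = [
    ("loopback",   ipaddress.ip_network("127.0.0.0/8")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("cgnat",      ipaddress.ip_network("100.64.0.0/10")),
    ("rfc1918",    ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918",    ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918",    ipaddress.ip_network("192.168.0.0/16")),
]

def classify(addr: str) -> str:
    """Return the page's range name for an IPv4 address.

    'public' here only means "in none of the ranges above"; other
    reserved blocks (multicast, documentation, ...) are not checked.
    """
    ip = ipaddress.IPv4Address(addr)  # raises ValueError on malformed input
    for name, net in RANGES:
        if ip in net:
            return name
    return "public"

def diagnose(local_ip: str, wan_ip: str, seen_ip: str) -> str:
    """Decide the NAT situation from three observations.

    local_ip: address on the PC (ip -4 addr show / Get-NetIPAddress)
    wan_ip:   WAN address shown on the router's status page
    seen_ip:  public address a website reports for you
    """
    local, wan = classify(local_ip), classify(wan_ip)
    if local == "loopback":
        return "loopback only: not a network interface address"
    if local == "link-local":
        return "no lease: DHCP failed, address is self-assigned"
    if local == "public" and local_ip == seen_ip:
        return "no NAT"
    if wan == "cgnat":
        return "CGNAT"        # ISP shares one public IP; no port forwarding
    if wan == "rfc1918":
        return "double NAT"   # forwarding needed on both routers
    if wan_ip == seen_ip:
        return "single NAT"   # ordinary home setup
    return "public IP changed upstream (VPN, proxy or other translation)"
```

The explicit range list is deliberate: Python's `ipaddress` `is_private` attribute covers more blocks than RFC 1918, so it cannot distinguish the categories this page uses.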