What Is Router NAT?
Understand what router NAT does, how WAN and LAN IP addresses work, and when router NAT causes strict NAT, double NAT, or port forwarding problems.
Router NAT is the NAT function running on a router. It lets devices on a private LAN share one public-facing IPv4 address by translating private IP address and port pairs to public mappings.
Router NAT is normal on home networks. It becomes a problem when the router is too restrictive, when another router sits upstream, or when the ISP uses CGNAT so the home router does not hold a normal public IPv4 address.
Quick Answer
Router NAT sits between the LAN side of a router and the WAN side. The LAN side uses private addresses such as 192.168.1.x. The WAN side receives an internet-facing address from the modem, ISP gateway, or ISP. NAT keeps a translation table so replies from the internet can return to the correct local device.
What Router NAT Does
When a device on your Wi-Fi or Ethernet network opens a connection, the router replaces the private source address with a WAN-side address and records the mapping. When the reply comes back, the router reverses the translation and sends the packet to the original device.
This is separate from Wi-Fi itself. Wi-Fi is the local radio connection. Router NAT is the address translation behavior between your local network and the upstream network.
WAN IP vs LAN IP
Most NAT confusion starts with two different address views: the address your device has inside the home, and the address your router has toward the internet.
LAN IP
A private device address such as 192.168.1.25, 10.0.0.14, or 172.16.5.20. Other devices in the same home can use it, but it is not normally reachable from the public internet.
WAN IP
The address assigned to the router's internet-facing side. If it is private, shared, or different from the public IPv4 seen by outside checkers, another NAT layer exists upstream.
Router NAT Table Example
1A LAN device opens a session
A console at 192.168.1.40 contacts a game service from a temporary source port. The router sees the private address and port on the LAN side.
2The router creates a mapping
The router maps that private address and port to a WAN-side IP and port. The mapping is stored in a NAT table while the session is active.
3Internet replies return through the mapping
If inbound packets match the router's expected source and destination pattern, the router sends them back to the console.
4The mapping expires when idle
After inactivity, the router removes the mapping. Later inbound traffic may be dropped unless a new session, UPnP rule, or port forwarding rule creates a path.
Router NAT vs Bridge Mode and Access Point Mode
A router in normal router mode usually performs NAT, DHCP, firewalling, and routing. Bridge mode passes the upstream connection through so another router can take over. Access point mode keeps Wi-Fi and switching but stops the second device from doing NAT. These modes matter when an ISP gateway and a separate router create Double NAT.
Router Settings That Affect NAT
| Router setting | What it does | When to use it | Risk or limitation |
|---|---|---|---|
| NAT | Translates private LAN addresses to WAN-side mappings. | Normal home routing with one router connected to the ISP. | Can become restrictive for inbound hosting or P2P connections. |
| UPnP | Lets trusted apps request temporary port mappings automatically. | Consoles and games on a trusted home network. | Not ideal on shared or untrusted networks; buggy routers may create stale rules. |
| Port forwarding | Sends a public port to a specific private device and port. | Known game, server, camera, NAS, or remote access ports. | Fails if the device IP changes, the protocol is wrong, or upstream NAT blocks the path. |
| DMZ | Forwards broad inbound traffic to one internal device. | Temporary troubleshooting or a dedicated console when narrower rules fail. | Broad exposure; avoid using it as a first fix for a general-purpose PC. |
| Bridge/AP mode | Removes a second routing and NAT layer from one device. | ISP gateway plus your own router, mesh systems, or two-router setups. | May move Wi-Fi, firewall, or login responsibilities to another device. |
When Router NAT Causes Problems
| Symptom | Likely cause | Next page |
|---|---|---|
| Game shows Strict or Moderate NAT | Router mappings are too restrictive, UPnP is off, ports are missing, or another NAT layer is upstream. | Router NAT type guide |
| Console reports Double NAT detected | Two home devices may both be routing, often an ISP gateway plus your own router. | Check Double NAT |
| Port forwarding does not work | Wrong local IP, wrong protocol, closed local firewall, Double NAT, or CGNAT. | Check CGNAT |
| Router WAN IP is private or shared | The router is behind another NAT device or ISP CGNAT instead of holding a normal public IPv4 address. | Compare WAN and public IP |
Check the NAT Behavior From This Network
Test from the same router and Wi-Fi or Ethernet network where the problem happens. Then compare the result with your router WAN address and settings.
Check NAT Type Now →Where to Go Next
FAQ
Should NAT be enabled on my router?
Usually yes for a normal IPv4 home network. If another router should handle routing, use bridge mode or access point mode instead of two NAT layers.
Is router NAT the same as Wi-Fi?
No. Wi-Fi connects devices locally by radio. NAT translates addresses between the local network and the upstream network.
Is NAT a firewall?
No. NAT is address translation. A firewall is a traffic policy. Home routers often combine them, so they can appear as one feature.
What is a full cone NAT router?
It is a router behavior where an established mapping can receive inbound traffic with fewer source restrictions. It is usually easier for gaming and peer-to-peer connections.
Why does my router show a private WAN IP?
A private WAN IP means something upstream is also translating traffic. It may be an ISP gateway, another home router, or ISP CGNAT.
Can router NAT be changed to Open NAT?
Often yes if the issue is local: UPnP, port forwarding, stable device IP, or Double NAT. If the ISP uses CGNAT, local router settings alone may not be enough.