You have a phone, a laptop, a TV and a games console all online at once — through a single internet connection with one public address. The technology making that work is NAT (Network Address Translation). It's invisible until you try to host something from home, where it suddenly becomes the obstacle. This guide explains what NAT is, how it works, the types, and the CGNAT problem that blocks self-hosting.
What NAT is
NAT (Network Address Translation) lets many devices on a private network share one public IP address. Each device has a private address (like 192.168.x.x) that can't be used on the public internet. When a device connects out, your router rewrites the packet to use its own public IP, remembers the mapping, and translates replies back to the right device.
NAT is why all your devices share one home connection — and a big reason IPv4 didn't run out years ago.
How it works
When a device sends traffic out, the router replaces the private source address and port with its own public IP and a unique port, recording the translation in a table. The destination sees only the router's public IP. When the reply returns, the router looks up the table and forwards it to the correct internal device.
This port-based form — PAT ("NAT overload") — is what lets one public IP serve dozens of devices at once, invisibly.
The types
- Static NAT — one private IP ↔ one public IP, permanently.
- Dynamic NAT — private IPs map to a pool of public IPs as needed.
- PAT / NAT overload — many private IPs share one public IP via different ports (what home routers do).
- DNAT (destination NAT) — the inbound direction, used in port forwarding to route an incoming public port to a specific internal device.
Why NAT makes self-hosting harder
NAT is designed to allow outbound connections, not unsolicited inbound ones. Your devices reach the internet freely, but the internet can't reach them — the router has no mapping for an unexpected incoming connection, so it drops it.
To host a service (a VPN, game server, NAS), you must create that mapping yourself with port forwarding, and give it a stable address with dynamic DNS. NAT is a one-way door: great for security, inconvenient when you want to be reachable.
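The translation table described above can be modelled in a few lines. This is an added example, not code from the original guide: the `PatRouter` class, its method names, and all addresses (documentation ranges) are constructed for illustration, and the model ignores timeouts and remote-endpoint filtering that real routers apply.

```python
import itertools

class PatRouter:
    """Toy model of a home router doing PAT plus optional port forwarding (DNAT)."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)  # next unused public port
        self.out = {}       # (private_ip, private_port, proto) -> public_port
        self.back = {}      # (public_port, proto) -> (private_ip, private_port)
        self.forwards = {}  # static DNAT rules, same shape as self.back

    def outbound(self, src_ip, src_port, dst, proto="tcp"):
        """Rewrite an outgoing packet's source; create the mapping on first use."""
        key = (src_ip, src_port, proto)
        if key not in self.out:
            port = next(self._ports)
            self.out[key] = port
            self.back[(port, proto)] = (src_ip, src_port)
        return (self.public_ip, self.out[key], dst)

    def inbound(self, dst_port, proto="tcp"):
        """Return the internal (ip, port) for an incoming packet, or None if dropped."""
        key = (dst_port, proto)
        return self.back.get(key) or self.forwards.get(key)

    def port_forward(self, public_port, private_ip, private_port, proto="tcp"):
        """Add a DNAT rule so unsolicited traffic to public_port reaches one host."""
        self.forwards[(public_port, proto)] = (private_ip, private_port)


def demo():
    r = PatRouter("203.0.113.7")             # constructed public IP
    server = ("198.51.100.20", 443)          # constructed remote server
    laptop = r.outbound("192.168.1.10", 51000, server)
    phone = r.outbound("192.168.1.11", 51000, server)  # same private port, new public port
    reply = r.inbound(phone[1])              # reply finds its way back to the phone
    before = r.inbound(8443)                 # unsolicited: no mapping, dropped
    r.port_forward(8443, "192.168.1.50", 443)
    after = r.inbound(8443)                  # now delivered to the internal host
    return laptop, phone, reply, before, after

if __name__ == "__main__":
    for item in demo():
        print(item)
```

The `before` result is the one-way door: the same inbound packet is dropped until a forwarding rule exists, which is also why every rule you add should be treated as a deliberately exposed service.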
The CGNAT wall
CGNAT (Carrier-Grade NAT) is a second layer of NAT run by your ISP, where many customers share a pool of public IPs. The result: you don't have a real public IP of your own, so even port forwarding can't make you reachable — the public-facing address isn't yours to control. It's increasingly common on mobile and some fibre.
If you're behind CGNAT, self-hosting from home is effectively blocked. The clean fix is a VPS with its own public IP: a Contabo VPS at €4.99/month sidesteps NAT entirely with a permanent public address — see what a VPS is.
The bottom line
NAT lets a whole network share one public IP by translating private addresses — invisible and essential for everyday browsing, and the reason IPv4 stretched this far. But it's a one-way door: it allows outbound, blocks unsolicited inbound, so self-hosting needs port forwarding. And if your ISP adds CGNAT, no router setting makes you reachable — a VPS with a real public IP is the way around it.
Editorial guide based on how NAT works (PAT, static/dynamic, DNAT) and CGNAT's impact on self-hosting. Commercial links carry the rel="sponsored nofollow" attribute; an affiliate commission may apply at no extra cost to you.