NAT Types and Traversal: A Developer's Guide to Network Address Translation
Learn NAT types (Full Cone, Restricted Cone, Port Restricted, Symmetric), traversal techniques like STUN/TURN/ICE, and debugging tips for production network issues..
20+ years shipping production systems from the metal up. Everything here is grounded in real deployments.
- ✓Basic understanding of IP addressing and port numbers
- ✓Familiarity with TCP/UDP protocols
- ✓Basic networking concepts (routers, firewalls)
- NAT maps private IPs to a public IP for internet access.
- Four main types: Full Cone, Restricted Cone, Port Restricted Cone, Symmetric.
- Traversal methods: STUN, TURN, ICE, UPnP, NAT-PMP.
- Symmetric NAT is hardest to traverse; TURN relays traffic.
- Common bugs: address mismatch, port exhaustion, timeout.
Think of NAT like a company receptionist. Everyone inside (private IPs) uses internal extensions. To call outside, the receptionist (NAT) gives a temporary external number (public IP:port). Different receptionists have different rules: some let anyone reply (Full Cone), some only if you called them first (Restricted), and some give a new number each call (Symmetric). Traversal techniques are like tricks to get the receptionist to connect two internal callers.
Imagine you're building a peer-to-peer video chat app. Two users behind different home routers need to connect directly. But their routers use NAT, hiding their private IPs. How do they find each other? This is the NAT traversal problem.
Network Address Translation (NAT) is essential for IPv4 conservation, allowing multiple devices to share a single public IP. However, it breaks the end-to-end principle, causing headaches for applications that need incoming connections. Understanding NAT types and traversal techniques is crucial for developers working on real-time communications, gaming, IoT, or any peer-to-peer system.
In this tutorial, you'll learn the four main NAT types, how they behave, and practical traversal methods like STUN, TURN, and ICE. We'll also cover common production bugs and debugging strategies. By the end, you'll be able to diagnose NAT-related issues and design robust network applications.
What is NAT?
Network Address Translation (NAT) is a method that maps multiple private IP addresses to a single public IP address. It's commonly used in home and corporate networks to conserve IPv4 addresses. When a device inside the private network sends a packet to the internet, the NAT device (usually a router) replaces the source IP and port with its own public IP and a new port. It keeps a translation table to route responses back to the correct internal device.
NAT operates at the network layer (IP) and transport layer (TCP/UDP). There are several types, each with different behaviors regarding how incoming packets are handled. Understanding these types is critical for building applications that require incoming connections.
The Four NAT Types
NAT types are defined by how they handle incoming packets. The classification is based on RFC 3489 and later RFC 5389. The four main types are:
- Full Cone NAT: Maps all requests from the same internal IP:port to the same external IP:port. Any external host can send packets to the internal host by sending to the mapped external address.
- Address Restricted Cone NAT: Same mapping, but only allows incoming packets from an external IP that the internal host previously sent a packet to.
- Port Restricted Cone NAT: More restrictive: only allows incoming packets from the same external IP:port that the internal host sent to.
- Symmetric NAT: Each request from the same internal IP:port to a different destination gets a different external port mapping. Only the external host that received the packet can reply.
Symmetric NAT is the most challenging for traversal because the mapping changes per destination.
NAT Traversal Techniques
NAT traversal enables direct communication between peers behind NAT. Common techniques:
- STUN (Session Traversal Utilities for NAT): Client discovers its public IP:port by querying a STUN server. Works for Full Cone, Restricted Cone, but not Symmetric NAT.
- TURN (Traversal Using Relays around NAT): Relays all traffic through a server. Works for all NAT types but adds latency and bandwidth costs.
- ICE (Interactive Connectivity Establishment): Combines STUN and TURN, gathering multiple candidates (host, reflexive, relay) and testing connectivity.
- UPnP/NAT-PMP: Automatically configure port forwarding on the router. Requires router support and may have security risks.
- Hole Punching: Both peers send packets to each other's public addresses simultaneously, creating NAT bindings.
STUN in Depth
STUN (Session Traversal Utilities for NAT) is a lightweight protocol defined in RFC 5389. A client sends a binding request to a STUN server, which responds with the client's public IP and port as seen from the server. This allows the client to learn its reflexive transport address.
STUN also includes a mechanism for connectivity checks between peers. However, STUN cannot traverse Symmetric NAT because the server sees a different port than the peer would.
STUN servers are typically stateless and can be deployed easily. Google provides public STUN servers (e.g., stun.l.google.com:19302).
TURN Protocol
TURN (Traversal Using Relays around NAT) relays media between peers through a server. The client allocates a relay address on the TURN server and sends data to that address, which is forwarded to the peer. TURN works with all NAT types but introduces latency and server load.
TURN is defined in RFC 5766. It uses UDP by default but can also use TCP. Authentication is required to prevent abuse.
In practice, TURN is used as a fallback when direct P2P fails. Many WebRTC applications use TURN servers from providers like Twilio or Coturn.
ICE: Interactive Connectivity Establishment
ICE is a framework that combines STUN and TURN to find the best path between peers. It gathers multiple candidates: host (local IP), reflexive (STUN), and relay (TURN). Then it performs connectivity checks to determine which candidate pair works.
ICE is used in WebRTC, SIP, and other real-time communication protocols. It handles NAT traversal robustly by trying all possibilities.
The ICE process: 1. Gather candidates. 2. Prioritize candidates (host > reflexive > relay). 3. Exchange candidates with peer via signaling. 4. Perform connectivity checks (STUN binding requests). 5. Select the best working pair.
ICE can handle multiple NAT layers and firewalls.
Common NAT Traversal Pitfalls
Developers often encounter these issues:
- Address mismatch: STUN returns a different address than expected due to multiple NAT layers or VPNs.
- Port exhaustion: NAT devices have limited port mappings. High concurrency can exhaust them.
- Binding timeout: NAT mappings expire after inactivity. Keepalive packets are necessary.
- Firewall interference: Firewalls may block STUN or TURN traffic.
- Symmetric NAT: STUN fails, requiring TURN.
- Use ICE with TURN fallback.
- Send keepalives every 15-30 seconds.
- Monitor NAT table size.
- Test on diverse networks.
The One-Way Voice Call Outage
- Never assume NAT type; always use ICE to gather candidates.
- Implement TURN fallback for Symmetric NAT.
- Log NAT type detection for debugging.
- Test with diverse network configurations.
- Monitor port allocation to avoid exhaustion.
stun-client stun.l.google.com 19302ice-candidates --gather| File | Command / Code | Purpose |
|---|---|---|
| nat_behavior.sh | iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | What is NAT? |
| detect_nat_type.sh | stun-client stun.l.google.com 19302 -v | The Four NAT Types |
| ice_candidates.sh | echo "Host candidate: 192.168.1.10:5000" | NAT Traversal Techniques |
| stun_request.sh | stun-client stun.l.google.com 19302 | STUN in Depth |
| turn_allocate.sh | turnutils -u username -w password -p 3478 turn.example.com | TURN Protocol |
| ice_connectivity_check.sh | echo "Checking pair: 192.168.1.10:5000 <-> 10.0.0.2:6000" | ICE |
| keepalive.sh | while true; do | Common NAT Traversal Pitfalls |
Key takeaways
Common mistakes to avoid
4 patternsAssuming STUN always works
Not sending keepalives
Ignoring multiple NAT layers
Using UPnP without security review
Interview Questions on This Topic
Explain the four types of NAT.
Frequently Asked Questions
20+ years shipping production systems from the metal up. Everything here is grounded in real deployments.
That's Computer Networks. Mark it forged?
3 min read · try the examples if you haven't