Chapter 3

Public, Private & NAT

RFC1918, why home IPs repeat, port forwarding.

Learning objectives

  • Explain why private addresses are not routed on the internet
  • Describe how NAT maps internal hosts to one public IP
  • Configure port forwarding for a specific service

Public vs private

Public IPs are globally unique and routable on the internet. Your ISP assigns one (or a block) to Workshop Co.’s fibre connection: 198.51.100.44.

Private IPs (RFC 1918: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) are reused in millions of buildings, so no internet router has a route to them: a packet that escapes with a private source address can never get a reply and is normally dropped by the ISP. Workshop Co.’s shop LAN uses 192.168.10.0/24. The edge router must not forward private source addresses onto the public internet; NAT rewrites them to the public address first.
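An RFC 1918 check for the addresses in this chapter, as an added example (not part of the original page). One caveat it demonstrates: Python's `ipaddress` `is_private` flag covers far more than RFC 1918 (loopback, link-local, the documentation ranges and so on), so it reports the chapter's "public" WAN address 198.51.100.44 as private because 198.51.100.0/24 is a documentation block. A filter that means "RFC 1918" has to name the three blocks itself. The two `wan_*` rules are illustrative edge-router policy, assumed here, not configuration from the page.

```python
"""RFC 1918 classifier and the two address checks an edge router applies.

Added example, not code from the page. The three RFC 1918 blocks are the
ones named in the chapter; the policy functions are assumed for illustration.
"""
from ipaddress import IPv4Address, IPv4Network

# The three RFC 1918 blocks, spelled out explicitly on purpose.
RFC1918 = [IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True only for 10/8, 172.16/12 and 192.168/16."""
    addr = IPv4Address(ip)
    return any(addr in net for net in RFC1918)


def stdlib_is_private(ip: str) -> bool:
    """What ipaddress itself says. Broader than RFC 1918: it also flags loopback,
    link-local and the documentation ranges, including 198.51.100.0/24."""
    return IPv4Address(ip).is_private


def wan_egress_allowed(src: str) -> bool:
    """Check on packets leaving the WAN interface. A private source address here
    means NAT did not rewrite it (or it was spoofed); it must not leave."""
    return not is_rfc1918(src)


def wan_ingress_allowed(src: str) -> bool:
    """Check on packets arriving from the internet. Nothing on the public
    internet can legitimately send from an RFC 1918 source, so drop those."""
    return not is_rfc1918(src)


if __name__ == "__main__":
    for ip in ("192.168.10.50", "172.31.0.9", "172.32.0.1", "198.51.100.44"):
        print(f"{ip:16} rfc1918={is_rfc1918(ip)!s:5} stdlib_is_private={stdlib_is_private(ip)}")
```

The 172.32.0.1 case is the usual mistake: 172.16.0.0/12 ends at 172.31.255.255, so 172.32.x.x is a public address.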

Internet
    │
    │ 198.51.100.44 (public WAN)
    ▼
 [ Router / NAT ]
    │
    ├── 192.168.10.1   (gateway)
    ├── 192.168.10.50  (office PC)
    ├── 192.168.10.60  (POS tablet)
    └── 192.168.20.0/24 (guest Wi‑Fi VLAN — separate subnet)

How NAT works

When the office PC (192.168.10.50) visits workshopco.ca:

  1. Packet leaves the PC with source 192.168.10.50:52441
  2. Router rewrites the source to 198.51.100.44:52441 and records the mapping in its translation table. It keeps the original source port when that port is free on the WAN side; if another LAN host is already using 52441, it picks a different public port for this flow
  3. Return traffic from workshopco.ca arrives addressed to 198.51.100.44:52441; the router looks up the mapping and rewrites the destination back to 192.168.10.50:52441

From the internet’s view, all shop devices share 198.51.100.44 (this port-sharing form of NAT is also called PAT or NAPT). A packet arriving from outside that matches no table entry has nowhere to go and is dropped, so inbound connections need explicit rules.

Port forwarding

To reach an internal NVR from outside (generally discouraged without a VPN), you add a static entry that forwards a WAN port to an internal IP:port. Unlike the dynamic entries NAT learns from outbound traffic, this one never expires and matches unsolicited packets:

External: 198.51.100.44:8080  →  Internal: 192.168.10.70:80

Security

Workshop Co. should not expose cameras or admin panels directly. Prefer a VPN into the LAN, or cloud-managed cameras that only make outbound connections, so no inbound rule is needed at all. Every port forward is a service reachable by anyone on the internet: it must be kept patched and properly authenticated, and where the router allows it, restricted to known source addresses. Port forwarding increases attack surface.

Worked example — hairpin NAT

A staff member on shop Wi‑Fi types the WAN IP 198.51.100.44 (say 198.51.100.44:8080, the NVR forward) expecting it to behave as it does from outside. On many routers it fails: the packet arrives on the LAN interface, and the port-forwarding rule only matches traffic arriving on the WAN interface. Hairpin NAT (NAT loopback) fixes this by also rewriting such packets, translating the destination to 192.168.10.70:80 and the source to the router’s own LAN address so the reply comes back through the router. The public website is a different case: www.workshopco.ca resolves to the cloud VPS, not the shop router, so the WAN IP was never the right target. Use the hostname, or internal DNS that points to the right place.
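The NAT table, the port forward and the hairpin case above in one runnable model, as an added example (not code from the page or from any router vendor). It is a toy NAPT router for the chapter's addresses: outbound flows get table entries, colliding source ports are remapped, unsolicited inbound packets are dropped unless a static forward matches, and a LAN host addressing the WAN IP only works when hairpinning is on. The remote addresses 203.0.113.10 (standing in for the website's VPS, whose address the chapter does not give) and 203.0.113.99 are constructed; a real router also keys entries on the remote endpoint and times them out, which this model omits.

```python
"""Toy NAPT router for Workshop Co.'s edge.

Added example, not the page's own code. The WAN IP, gateway IP, LAN prefix
and NVR forward are from the chapter; packets and remote hosts are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

WAN_IP = "198.51.100.44"            # public address on the fibre connection
LAN_IP = "192.168.10.1"             # router's own LAN-side address
SHOP_LAN = IPv4Network("192.168.10.0/24")
EPHEMERAL = range(49152, 65536)     # public ports handed out on a collision (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    def __init__(self, hairpin: bool = False):
        self.hairpin = hairpin
        self.forwards: dict[int, tuple[str, int]] = {}   # static: wan port -> (ip, port)
        self.dynamic: dict[int, tuple[str, int]] = {}    # learned: wan port -> (ip, port)
        self.reverse: dict[tuple[str, int], int] = {}    # (ip, port) -> wan port

    def add_forward(self, wan_port: int, inside_ip: str, inside_port: int) -> None:
        self.forwards[wan_port] = (inside_ip, inside_port)

    def _used(self, port: int) -> bool:
        return port in self.forwards or port in self.dynamic

    def _allocate(self, inside: tuple[str, int], wanted: int) -> int:
        """Reuse an existing entry; keep the inside port if free; else pick another."""
        if inside in self.reverse:
            return self.reverse[inside]
        port = wanted if not self._used(wanted) else next(p for p in EPHEMERAL if not self._used(p))
        self.dynamic[port] = inside
        self.reverse[inside] = port
        return port

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> WAN. Returns the rewritten packet, or None when the router drops it."""
        if IPv4Address(pkt.src) not in SHOP_LAN:
            return None                      # not a shop host; nothing to translate
        if pkt.dst == WAN_IP:
            return self._hairpin(pkt)        # LAN host talking to our own public IP
        port = self._allocate((pkt.src, pkt.sport), pkt.sport)
        return Packet(WAN_IP, port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN. Only a learned entry or a static forward delivers the packet."""
        if pkt.dst != WAN_IP:
            return None
        target = self.dynamic.get(pkt.dport) or self.forwards.get(pkt.dport)
        if target is None:
            return None                      # unsolicited: no state, no rule, dropped
        return Packet(pkt.src, pkt.sport, target[0], target[1])

    def _hairpin(self, pkt: Packet) -> Optional[Packet]:
        """The forward rule matches only on the WAN interface, so without NAT
        loopback a LAN-originated packet to the WAN IP goes nowhere. With it,
        the destination becomes the inside server and the source becomes the
        router's LAN address, so the server's reply returns via the router
        rather than straight to a client that never spoke to 192.168.10.70."""
        target = self.forwards.get(pkt.dport)
        if not self.hairpin or target is None:
            return None
        port = self._allocate((pkt.src, pkt.sport), pkt.sport)
        return Packet(LAN_IP, port, target[0], target[1])


def demo() -> dict:
    """Walk through the chapter's scenarios and return each result."""
    r = NatRouter(hairpin=False)
    r.add_forward(8080, "192.168.10.70", 80)                       # the NVR forward
    pc = r.outbound(Packet("192.168.10.50", 52441, "203.0.113.10", 443))   # office PC
    pos = r.outbound(Packet("192.168.10.60", 52441, "203.0.113.10", 443))  # same port!
    reply = r.inbound(Packet("203.0.113.10", 443, WAN_IP, pc.sport))       # return traffic
    ssh = r.inbound(Packet("203.0.113.99", 40000, WAN_IP, 22))             # unsolicited
    nvr = r.inbound(Packet("203.0.113.99", 40001, WAN_IP, 8080))           # static forward
    hairpin_off = r.outbound(Packet("192.168.10.50", 40002, WAN_IP, 8080))
    r.hairpin = True
    hairpin_on = r.outbound(Packet("192.168.10.50", 40002, WAN_IP, 8080))
    return {"pc": pc, "pos": pos, "reply": reply, "ssh": ssh, "nvr": nvr,
            "hairpin_off": hairpin_off, "hairpin_on": hairpin_on}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} {result if result is not None else 'DROPPED'}")
```

The `pos` flow is the detail step 2 glossed over: both the office PC and the POS tablet chose source port 52441, so the router keeps it for the first flow and hands the second a different public port. The `ssh` case is question 2 of the exercise below: no entry, no forward, dropped.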

Try it yourself — outbound vs inbound

Which connections work by default through NAT without port forwarding?

  1. Office PC → Google
  2. Random internet host → office PC SSH
  3. Office PC → Swift Host VPS SSH (outbound)
Answer
  1. Works — outbound initiated.
  2. Blocked — inbound unless forwarded.
  3. Works — outbound to port 22 on the VPS, provided the VPS’s own firewall accepts it; NAT on the shop side is not the obstacle.

Quick quiz

  1. Name three private IPv4 ranges.
  2. Why do many homes share the same 192.168.1.x addresses?
  3. What is required for an internet host to initiate TCP to a LAN device?
Answers
  1. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
  2. Private addresses are reused; NAT maps them to unique public IPs at the edge.
  3. Port forwarding, public IP on device, or VPN/tunnel — something must deliver the packet inward.