
Homelab NAT Explained: How Network Address Translation & Port Forwarding Work

Learn how NAT works in a homelab, how port forwarding exposes services, and why reverse proxies are safer for self-hosting.
[Image: digitized cyberpunk-styled wolf jumping through a LAN to WAN NAT table.]
The packet wolf leaping through from LAN to WAN and being NAT'd.

When you start your journey into self-hosting, you quickly encounter a sea of networking terms. Some are easy to grasp; others, like Network Address Translation (NAT), can feel like a digital fog bank. As a professional tech who has been dealing with NAT on public and private networks for 20 years, I'm here to clear the air and translate complex networking concepts into plain English so you can navigate your home network with confidence.

Now we answer a critical question: How does your private homelab actually communicate with the internet? The answer is Network Address Translation - NAT or "NAT-ing". If you plan to self-host anything, you must understand it.

If you're new to networking, this guide is part of a structured homelab networking roadmap. Start from Part 1 and work forward.

What Is NAT?

Network Address Translation (NAT) allows multiple private devices to share a single public IP address.

Your ISP assigns you one public IP address. Inside your home, you might have:

  • 192.168.10.20 (Laptop)
  • 192.168.20.10 (Server)
  • 192.168.40.50 (IoT device)

All of those devices need internet access. NAT makes that possible by translating your internal private IPs to your single public one.

Without NAT, every device would require its own public IP address - which isn’t realistic and would be a security nightmare.

How NAT Works (Outbound Traffic)

Let’s say your laptop (192.168.10.20) visits a website.

Here’s what happens:

  1. Your laptop sends traffic to its default gateway.
  2. The router receives the packet.
  3. NAT rewrites the source address from 192.168.10.20 to your public IP (for example 203.0.113.10).
  4. The website responds to 203.0.113.10.
  5. Your router checks its NAT table and forwards the response back to your laptop.

To the internet, it looks like all traffic came from one address. Internally, your router keeps track of who started what. That tracking is stored in the NAT table. It is similar in spirit to a routing table, but it tracks individual connections by IP address and port rather than, say, mapping MAC addresses to switch ports.

Stylized infographic showing how NAT is passing outbound from your LAN to the internet.
It's more complex here than it actually is. NAT working on the fly.

Outbound NAT flow from LAN->WAN

flowchart TD
    %% Network Address Translation (NAT) Workflow

    %% Internet Subgraph
    subgraph Internet["🌐 Internet"]
        WEB_SERVER["🌐 Web Server (203.0.113.5)"]
        INTERNET_CLOUDE["☁️ The Internet"]
    end

    %% WAN Subgraph
    subgraph WAN["📡 WAN Side (Public Network)"]
        WAN_PORT["💻 WAN Port (203.0.113.10)"]
        WAN_PORT --> INTERNET_CLOUDE
        INTERNET_CLOUDE --> WAN_PORT
    end

    %% Router Subgraph
    subgraph Router["📶 Router / Firewall"]
        NAT_TABLE["📜 NAT Table"]
        FIREWALL["🛑 Firewall"]
        L2_SWITCH["📦 L2 Switch"]
        NAT_TABLE --> FIREWALL
        FIREWALL --> WAN_PORT
        WAN_PORT --> FIREWALL
        FIREWALL --> L2_SWITCH
        L2_SWITCH --> FIREWALL
    end

    %% LAN Subgraph
    subgraph LAN["🏠 LAN Side (Private Network)"]
        PC1["💻 PC1 (192.168.1.10:8000)"]
        PC2["💻 PC2 (192.168.1.11:9000)"]
        PRINTER["🖨 Printer (192.168.1.12)"]
    end

    %% Connections
    PC1 --> L2_SWITCH
    PC2 --> L2_SWITCH
    PRINTER --> L2_SWITCH
    L2_SWITCH --- PC1
    L2_SWITCH --- PC2
    L2_SWITCH --- PRINTER

    %% Data Flow
    %% Outbound Packet
    L2_SWITCH --> |Packet from PC1: '192.168.1.10:8000'| FIREWALL
    FIREWALL --> |NAT Translation| NAT_TABLE
    NAT_TABLE --> |Packet translated to: '203.0.113.10:8000'| WAN_PORT
    WAN_PORT --> |Packet to internet| WEB_SERVER
    WEB_SERVER --> |Response from Web Server| WAN_PORT

    %% Inbound Packet
    WAN_PORT --> |Packet from Internet: '203.0.113.10:8000'| FIREWALL
    FIREWALL --> |NAT lookup| NAT_TABLE
    NAT_TABLE --> |Packet translated to: '192.168.1.10:8000'| L2_SWITCH
    L2_SWITCH --> |Packet to PC1| PC1

    %% Node Styling
    style PC1 fill:#d8b4fe,stroke:#333,stroke-width:1px,color:#111
    style PC2 fill:#d8b4fe,stroke:#333,stroke-width:1px,color:#111
    style PRINTER fill:#d8b4fe,stroke:#333,stroke-width:1px,color:#111
    style L2_SWITCH fill:#93c5fd,stroke:#333,stroke-width:1px,color:#111
    style FIREWALL fill:#93c5fd,stroke:#333,stroke-width:1px,color:#111
    style NAT_TABLE fill:#5eead4,stroke:#333,stroke-width:1px,color:#111
    style WAN_PORT fill:#f88,stroke:#333,stroke-width:2px,color:#111
    style WEB_SERVER fill:#d8b4fe,stroke:#333,stroke-width:1px,color:#111
    style INTERNET_CLOUDE fill:#fff,stroke:#333,stroke-width:2px,color:#111

    %% Subgraph Styling (dashed outlines)
    style LAN fill:transparent,stroke:#888,stroke-width:1px,stroke-dasharray:4 4
    style Router fill:transparent,stroke:#888,stroke-width:1px,stroke-dasharray:4 4
    style WAN fill:transparent,stroke:#888,stroke-width:1px,stroke-dasharray:4 4
    style Internet fill:transparent,stroke:#888,stroke-width:1px,stroke-dasharray:4 4

Why NAT Improves Security

By default:

  • Devices on the internet cannot directly initiate connections to your private IP addresses.
  • Your router only allows inbound responses to connections that originated from inside your network.

This is why your home network is relatively safe out of the box: NAT hides your internal structure, and the NAT table is what lets the router tell a reply to a connection you started apart from an unsolicited packet, which it drops.

But this creates a problem for self-hosters.

The Problem: Hosting Services Behind NAT

If you run:

  • A game server
  • A web server
  • A Plex / Jellyfin instance
  • A Blog or website

External users have no way to reach it. Why? Because your router doesn’t know which internal device should receive the traffic. By default, unsolicited inbound traffic is dropped.

This is where port forwarding comes in! I know, I know, you've probably read horror stories about how you'll be insta-pwned by elite hackers the second you do a port forward...

🤯
NAT Reflection (Hairpin NAT)
Ever wonder why you can access your server via yourdomain.com when you're at the coffee shop, but it fails when you're at home on your own Wi-Fi? That's because your router sees a request for its own Public IP from inside the network and gets confused. You need to enable NAT Reflection or Hairpin NAT in your firewall settings to fix this!

What Is Port Forwarding?

Port forwarding is a manual NAT rule.

You are telling your router:

“If traffic arrives on this public port, send it to this internal device and port.”

Example:

  • Public IP: 203.0.113.10
  • Forward port 443 → 192.168.20.10:443

Now when someone visits your public IP on port 443:

  • The router rewrites the destination
  • The traffic is forwarded to your internal server

You’ve punched a hole through NAT.

That’s powerful — and dangerous if misused.
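To make the NAT table and the port-forward rule concrete, here is a constructed Python model of a stateful router using the addresses from this post. It is added for this write-up and is not code from the original post or any real router: outbound flows create table entries, replies are matched against them, unsolicited packets are dropped, and a `forward_port` rule punches the 443 hole described above.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"   # the router's WAN address used in the article


@dataclass
class NatRouter:
    """Constructed toy model of a stateful NAT router (not a real netfilter implementation).
    Outbound flows get a NAT-table entry; inbound packets are delivered only if they match
    that table (a reply) or a manual port-forward rule; anything else is dropped."""
    public_ip: str = PUBLIC_IP
    next_port: int = 40000                          # pool of public source ports to hand out
    nat_table: dict = field(default_factory=dict)   # public_port -> (lan_ip, lan_port, peer_ip, peer_port)
    forwards: dict = field(default_factory=dict)    # public_port -> (lan_ip, lan_port)

    def forward_port(self, public_port: int, lan_ip: str, lan_port: int) -> None:
        """Manual NAT rule: 'traffic arriving on this public port goes to this device and port'."""
        self.forwards[public_port] = (lan_ip, lan_port)

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> tuple:
        """LAN -> WAN: rewrite the source to the public IP and a fresh port, remember the
        mapping, and return the packet header as it leaves the WAN port."""
        pub_port = self.next_port
        self.next_port += 1
        self.nat_table[pub_port] = (src_ip, src_port, dst_ip, dst_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip: str, src_port: int, dst_port: int):
        """WAN -> LAN: return the (lan_ip, lan_port) the packet is delivered to, or None if dropped."""
        entry = self.nat_table.get(dst_port)
        # Only the peer we contacted may use a mapping (stateful NAT, not full-cone)
        if entry is not None and (src_ip, src_port) == entry[2:]:
            return entry[:2]
        if dst_port in self.forwards:               # the hole punched by port forwarding
            return self.forwards[dst_port]
        return None                                 # unsolicited inbound: dropped


if __name__ == "__main__":
    r = NatRouter()
    hdr = r.outbound("192.168.10.20", 51000, "198.51.100.7", 443)   # laptop visits a website
    print("on the wire:", hdr)
    print("reply delivered to:", r.inbound("198.51.100.7", 443, hdr[1]))
    print("unsolicited to 443:", r.inbound("198.51.100.9", 12345, 443))
    r.forward_port(443, "192.168.20.10", 443)                        # the article's rule
    print("after port forward:", r.inbound("198.51.100.9", 12345, 443))
```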

Inbound Flow from WAN->LAN! 🚨 Danger!

flowchart TD
    subgraph Internet["🌐 Internet"]
        User["💻 User (Public IP)"]
    end

    subgraph WAN["📡 WAN Side (Public Network)"]
        Firewall_WAN_Port["💻 Firewall WAN Port"]
    end

    subgraph Router_Firewall["🛑 Firewall / Reverse Proxy"]
        Firewall_Rule["📜 Inbound Firewall Rule"]
        Reverse_Proxy["🔄 Reverse Proxy"]
    end

    subgraph LAN["🏠 LAN Side (Private Network)"]
        Internal_Web_Server["🌐 Internal Web Server (192.168.1.10)"]
    end

    %% Connections
    User --> |Request for domain.com| Firewall_WAN_Port
    Firewall_WAN_Port --> Firewall_Rule
    Firewall_Rule --> |Allow Traffic to RP| Reverse_Proxy
    Reverse_Proxy --> |Forward Request to Internal Server| Internal_Web_Server

    %% Data Flow (Response)
    Internal_Web_Server --> |Response| Reverse_Proxy
    Reverse_Proxy --> |Send Response to Client| Firewall_WAN_Port
    Firewall_WAN_Port --> |Response to User| User

    %% Node Styling
    style User fill:#d8b4fe,stroke:#333,stroke-width:1px,color:#111
    style Internal_Web_Server fill:#d8b4fe,stroke:#333,stroke-width:1px,color:#111
    style Reverse_Proxy fill:#93c5fd,stroke:#333,stroke-width:1px,color:#111
    style Firewall_WAN_Port fill:#f88,stroke:#333,stroke-width:2px,color:#111
    style Firewall_Rule fill:#5eead4,stroke:#333,stroke-width:1px,color:#111

    %% Subgraph Styling
    style Internet fill:transparent,stroke:#888,stroke-width:1px,stroke-dasharray:4 4
    style WAN fill:transparent,stroke:#888,stroke-width:1px,stroke-dasharray:4 4
    style Router_Firewall fill:transparent,stroke:#888,stroke-width:1px,stroke-dasharray:4 4
    style LAN fill:transparent,stroke:#888,stroke-width:1px,stroke-dasharray:4 4

The Risk of Basic Port Forwarding

When you forward a port:

  • That service is now exposed to the entire internet.
  • Bots will scan it.
  • Attackers will attempt brute force attacks.
  • Vulnerabilities become public.

Port forwarding works. But it does not add security. It simply bypasses NAT restrictions for a specific port. If you forward five services, you open five holes.

That doesn’t scale well.

A Better Approach: Using a Reverse Proxy

Instead of forwarding multiple ports, modern homelabs use a reverse proxy.

A reverse proxy:

  • Receives all inbound HTTPS traffic (port 443)
  • Inspects the domain name requested
  • Routes traffic to the correct internal service

Example:

  • plex.yourdomain.com → Plex server
  • obsidian.yourdomain.com → Nextcloud
  • dashboard.yourdomain.com → Admin panel

Only one port is forwarded: 443.

Everything else stays internal. This is cleaner and safer.

If you’re using tools like SWAG (Secure Web Application Gateway), NGINX, or Traefik, you’re already using this model.


NAT vs Port Forwarding vs Reverse Proxy

Let’s simplify it:

NAT

  • Happens automatically
  • Allows outbound internet access
  • Blocks unsolicited inbound traffic

Port Forwarding

  • Manual NAT rule
  • Exposes a specific service
  • Opens one hole per service

Reverse Proxy

  • Central entry point
  • Routes traffic based on domain
  • Exposes one port for many services
  • Adds SSL/TLS management

In modern homelabs:

NAT is required.
Port forwarding is basic exposure.
Reverse proxies are best practice.

Full Flow: What Happens When Someone Visits Your Domain

  1. User types yourdomain.com.
  2. DNS resolves it to your public IP.
  3. Traffic reaches your router.
  4. Port 443 is forwarded to your reverse proxy.
  5. Reverse proxy routes request internally.
  6. Internal server responds.
  7. NAT translates and returns response.

Understanding this flow makes troubleshooting dramatically easier.


Common NAT & Port Forwarding Mistakes

  • Double NAT (ISP modem + your router both doing NAT)
  • Forgetting to forward the correct port
  • Forwarding to a dynamic IP instead of a static reservation
  • Exposing services without HTTPS
  • Opening too many ports instead of using a reverse proxy

If something isn’t reachable externally, it’s almost always:

  • DNS
  • Port forwarding
  • Firewall rules
  • Or double NAT

Why NAT Still Matters in 2025

Even with IPv6 adoption increasing, most home networks still rely heavily on IPv4 and NAT.

If you self-host:

  • You must understand it.
  • You must control it.
  • You must design around it.

NAT is not just a background feature — it defines how your lab interacts with the world.


What Comes Next

Now you understand:

  • How outbound traffic works
  • Why inbound traffic is blocked
  • How port forwarding exposes services
  • Why reverse proxies are smarter

In the next part of this series, we’ll go deeper into firewall rules and how to control traffic between VLANs securely.

That’s where segmentation and exposure come together.



FAQ: NAT & Port Forwarding

  • What is the difference between NAT and Port Forwarding? NAT is the "post office" that lets everyone in the house send mail using one return address. Port Forwarding is the specific instruction telling the post office, "If a package comes for Room 302, deliver it directly there instead of throwing it in the general pile."
  • How do I know if I have "Double NAT"? Check your router’s WAN IP address. If it starts with 192.168.x.x, 10.x.x.x, or 172.16.x.x, your ISP modem is also acting as a router. You must put the ISP modem into "Bridge Mode" to fix this, or port forwarding will fail.
  • Does Port Forwarding slow down my internet? No. It is a simple routing instruction handled by the router’s hardware at wire speed. It does not add latency or decrease bandwidth.
  • What is CGNAT and why is it a problem? Carrier-Grade NAT is when your ISP puts you behind their own NAT. If you have CGNAT, standard Port Forwarding is impossible. You would need a workaround like a Cloudflare Tunnel or Tailscale Funnel.
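As an added example (not code from the original post), here is a small Python helper that performs the double-NAT check from the FAQ and extends it to the carrier range used by CGNAT. The 172.16.0.0/12 block covers 172.16.x.x through 172.31.x.x, and the `diagnose` function adds the practical cross-check of comparing your router's WAN address with the address the internet sees you as.

```python
import ipaddress

# Address ranges that are never routed on the public internet. If your router's WAN
# interface holds one of these, a device upstream of it is doing NAT. (Constructed helper
# for the double-NAT / CGNAT checks discussed in the FAQ.)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared address space used by carriers


def classify_wan_ip(wan_ip: str) -> str:
    """Classify the address the router reports on its WAN port."""
    ip = ipaddress.ip_address(wan_ip)
    if ip.version != 4:
        return "ipv6"            # the NAT discussion here is IPv4-only
    if any(ip in net for net in RFC1918):
        return "double-nat"      # ISP modem is routing; put it in bridge mode
    if ip in CGNAT:
        return "cgnat"           # carrier NAT; inbound port forwarding cannot work
    return "public"


def diagnose(router_wan_ip: str, externally_seen_ip: str) -> str:
    """Compare the router's WAN address with the address the internet sees you as
    (e.g. from a 'what is my IP' lookup). Any mismatch means NAT is happening upstream,
    even when the WAN address itself looks public."""
    kind = classify_wan_ip(router_wan_ip)
    if kind == "double-nat":
        return "double NAT: ISP modem is routing; bridge it or forward ports on it too"
    if kind == "cgnat":
        return "CGNAT: port forwarding is impossible; use a tunnel or overlay instead"
    if kind == "public" and router_wan_ip != externally_seen_ip:
        return "upstream NAT: WAN address is public but differs from the address seen outside"
    if kind == "public":
        return "ok: router holds the public address, port forwarding can work"
    return "IPv6 address: inbound reachability is a firewall question, not NAT"


if __name__ == "__main__":
    # Constructed sample values: the article's public IP and a typical ISP-modem LAN address
    print(diagnose("203.0.113.10", "203.0.113.10"))
    print(diagnose("192.168.1.2", "203.0.113.10"))
    print(diagnose("100.70.1.1", "203.0.113.10"))
```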