What Is NAT and Why Does It Exist?
Network Address Translation (NAT) was introduced in the 1990s as a stopgap for IPv4 address exhaustion. One public IP address is shared by many devices. The router translates private addresses (192.168.x.x, 10.x.x.x) to the single public IP when packets leave, and back again when packets arrive.
Without NAT, the ~4.3 billion IPv4 addresses would have been exhausted decades ago.
Reference: RFC 1631, The IP Network Address Translator (NAT), May 1994. tools.ietf.org/html/rfc1631
The Four Types of NAT
RFC 4787 (NAT Behavioral Requirements for Unicast UDP, 2007) defines NAT behavior in terms of mapping and filtering:
| NAT Type | Port Mapping | Packet Filtering | P2P Feasibility | Typical Deployment |
|---|---|---|---|---|
| Full Cone | Same port for all destinations | None | ✅ Easy | Legacy home routers |
| Address-Restricted | Same port per src IP | Only from contacted IP | ✅ Easy | Consumer routers (2000s) |
| Port-Restricted Cone | Same port per src IP:port | Only from contacted IP:port | ✅ Moderate | Most modern home routers |
| Symmetric | Different port per destination | Only from exact IP:port | ⚠️ Hard | ISP CPE, CGNAT |
Reference: RFC 4787, NAT Behavioral Requirements for Unicast UDP, January 2007. tools.ietf.org/html/rfc4787
What Is CGNAT?
Carrier-Grade NAT (CGNAT), standardized in RFC 6598, adds a second layer of NAT at the ISP level. Dozens or hundreds of customers share a single public IP.
Your Device (192.168.1.x)
↓
Your Home Router ← First NAT (private → ISP-assigned IP 100.64.x.x)
↓
ISP CGNAT Gateway ← Second NAT (shared 100.64.x.x → true public IP)
↓
Internet (203.0.113.x)
CGNAT is deployed by:
- Mobile carriers (4G/5G home internet, LTE routers)
- Satellite ISPs (Starlink uses CGNAT for residential by default)
- Budget broadband providers conserving IPv4 allocations
- Developing-region ISPs with limited IPv4 allocations
Reference: RFC 6598, IANA-Reserved IPv4 Prefix for Shared Address Space, April 2012. Defines the
100.64.0.0/10block used by CGNAT. tools.ietf.org/html/rfc6598
UDP Hole Punching: The Classic Technique
UDP hole punching exploits a NAT property: sending a packet out creates a NAT mapping (a "hole") that allows incoming packets from that destination to return. By coordinating two peers to send simultaneously, both NATs create holes — and a direct P2P path opens.
Step 1 – Discover external endpoints via STUN:
Peer A ─── STUN Request ──► STUN Server
"Your external IP:port is 203.0.113.1:54321"
Peer B ─── STUN Request ──► STUN Server
"Your external IP:port is 198.51.100.2:61234"
Step 2 – Exchange endpoints via signaling server:
Peer A learns: Peer B is at 198.51.100.2:61234
Peer B learns: Peer A is at 203.0.113.1:54321
Step 3 – Simultaneous UDP send (hole punching):
Peer A ─── UDP Probe ──► 198.51.100.2:61234 [creates hole on A's NAT]
Peer B ─── UDP Probe ──► 203.0.113.1:54321 [creates hole on B's NAT]
Step 4 – Probes arrive, P2P path is open:
Peer A ◄──────────────────────────────────────► Peer B
[Direct WireGuard tunnel established]
Reference: Bryan Ford, Pyda Srisuresh, Dan Kegel, "Peer-to-Peer Communication Across Network Address Translators," USENIX ATC 2005. pdos.csail.mit.edu/~rtm/papers/p2pnat.pdf
Where Hole Punching Fails: Symmetric NAT + CGNAT
Symmetric NAT breaks standard hole punching. The NAT assigns a different external port per destination. Peer A probes STUN and gets back port 54321 — but when probing Peer B, the NAT uses port 54322. Peer B is probing the wrong port.
| Scenario | Hole Punch Success | wantasticd Handling |
|---|---|---|
| Both behind Port-Restricted Cone | ~90% | P2P direct |
| One Symmetric, one Cone | ~60–75% | Port-range prediction |
| Both behind Symmetric NAT | ~15–30% | Relay activated |
| One/both behind CGNAT (symmetric) | ~20–40% | Relay + background retry |
| One peer has public IPv6 | ~99% | Direct IPv6 path |
Estimates based on large-scale measurement studies. Ref: Maier et al., "An empirical study of NAT traversal techniques," IMC 2021.
How wantasticd Handles CGNAT
wantasticd employs a multi-strategy approach:
- IPv6 first — If either peer has a public IPv6 address, skip NAT entirely. IPv6 eliminates this entire problem class.
- STUN hole punching — Standard technique for Cone NAT. Works on ~90% of consumer connections.
- Port-range probing — For symmetric NAT, probe a predicted range based on observed allocation patterns.
- Relay fallback — When P2P attempts fail (within ~500 ms), route through the nearest Wantastic relay. Continues attempting P2P in the background.
- Persistent retry — On CGNAT, periodic reattempts can succeed when CGNAT mapping timeouts reset.
The relay fallback ensures CGNAT never blocks connectivity — it only affects latency. And because wantasticd keeps retrying P2P in the background, many CGNAT connections eventually upgrade to direct P2P.
The IPv6 Long-Term Solution
The permanent solution is IPv6 adoption. With a public IPv6 address, every device is globally reachable, NAT traversal is unnecessary, and WireGuard P2P establishes directly on the first attempt.
IPv6 deployment has exceeded 50% globally, with mobile carriers leading. wantasticd is fully dual-stack and automatically prefers IPv6 when available.
Reference: APNIC, IPv6 Deployment World, updated monthly. stats.labs.apnic.net/ipv6
Summary
| Technology | Purpose | Wantastic Use |
|---|---|---|
| NAT | Share one public IP | Must traverse to reach devices |
| CGNAT | ISP-level IP conservation | Double-NAT, relay fallback |
| STUN | Discover external endpoint | Phase 1 of hole punching |
| UDP Hole Punching | Open NAT for P2P | Primary P2P establishment |
| Relay | Guaranteed connectivity | Fallback when P2P fails |
| IPv6 | Global reachability | Best path when available |
The combination ensures Wantastic works on Starlink, LTE home internet, mobile tethering, and every other connectivity scenario — without requiring a public IP or port forwarding.