If you've ever tinkered with a home server, NAS, or remote desktop, you've likely run into this scenario: you set up a service on your home NAS, it works perfectly on your local network, but the moment you leave home and try to access it via your phone's data connection, it's unreachable.
Then you start searching. The more you read, the more confused you get—public IP, NAT, port forwarding, CGNAT,Internal Network Penetration (intranet penetration)... every term seems related to "can't access from outside," but it's hard to see how they fit together.
This article uses a home network scenario to clearly explain these concepts once and for all.
Your home devices typically have addresses like these:
Computer: 192.168.1.23
NAS: 192.168.1.50
Phone: 192.168.1.66
These are private IP addresses. They only have meaning within your home's local network. Think of them as room numbers in your house—living room is 101, bedroom is 102, study is 103. These numbers help distinguish devices inside your home.
But if someone outside asks "where is your 192.168.1.50," they won't be able to find it. These addresses are not globally unique, just like every apartment complex can have a "Building 1, Room 101" — that's useless for locating you outside your own complex.
In short: Private IPs let devices find each other inside your home, but they don't help outsiders find you.
For the outside world to reach you, you theoretically need a publicly routable address on the internet—a public IP address.
Your Public IP: 203.0.113.45
External requests find this address first, and then your router decides which internal device to forward them to.
Years ago, many home broadband connections did come with a dedicated public IPv4 address. You could configure port forwarding on your router and external access worked without much trouble.
But now, with IPv4 addresses nearly exhausted, Internet Service Providers (ISPs) are forced to share a single public IP among many users, which brings us to the next concept.
You have computers, phones, NAS, and TVs all accessing the internet. But you usually have only one public IP. How does that work? Your router translates all these devices' requests to use your home's single public IP address for outgoing traffic. External websites don't see each device's private IP; they only see your home's one public IP address.
Analogy: Think of a company reception desk. The company has 200 employees, but only one main phone number. When employees make outgoing calls, the receptionist connects them. When someone calls back, the receptionist routes the call to the right employee based on their records.
This is NAT (Network Address Translation) in essence. It allows multiple internal devices to share one public IP for internet access.
NAT works well for outgoing connections. Because the internal device initiated the request, the router remembers it, and knows where to send the returning data.
However, when an external request arrives unsolicited: "I want to access port 8080 on your public IP"—the router doesn't know what to do. To the computer? To the NAS? To the phone? Without a rule, it can't forward the traffic.
The core NAT problem: "Outgoing traffic is easy, but incoming traffic is hard."
In the familiar scenario, you run a web service on your NAS at 192.168.1.50:8080. It works fine at home, but outsiders can only see your home's public IP. This is where port forwarding comes in. You set a rule on your router:
PublicIP:8080 → 192.168.1.50:8080
This means: forward all external requests to port 8080 to your NAS at 192.168.1.50:8080.
Analogy: It's like a security guard at your building entrance with a forwarding list—when someone asks for room 8080, the guard directs them to the specific apartment 192.168.1.50.
But there's a crucial prerequisite: external requests must first reach your home router. If you're behind your ISP's CGNAT (Carrier-Grade NAT), the request might stop at the ISP's infrastructure and never get to your router. In this case, no amount of port forwarding configuration will work. This is why many people's port forwarding fails—not because they wrote the rules wrong, but because they don't have a truly reachable public entry point.
It's simple, check two places:
Log into your router's admin panel and look at the IP address on the WAN port.
Visit ip.sb or ifconfig.me to see your IP address as seen from the outside.
If both addresses match, you likely have a public IP. If they differ, you are behind NAT.
Also, if your WAN IP falls within these ranges, it's not a public IPv4 address:
10.x.x.x
172.16.x.x – 172.31.x.x
192.168.x.x
100.64.x.x – 100.127.x.x (a special range used by ISPs for CGNAT)
If you have one of these, you can either try calling your ISP to request a public IP (sometimes free), or look for alternative solutions.
The most common solution is Internal Network Penetration (intranet penetration/tunneling) . Common tools include frp, Cloudflare Tunnel, Tailscale, ZeroTier, ngrok, etc.
The core idea is consistent: since outsiders can't initiate a connection to you, have your internal device initiate a connection outwards.
Analogy: Your internal device "calls" an external relay server and says, "I'm here. If anyone needs to reach me, route the traffic back through this line."
This outbound connection is established from inside the NAT, so it's allowed. When an external user accesses the relay server, the server forwards the request back to your internal device through this pre-established secure channel.
So, 内网穿透 doesn't make you directly reachable from the outside; it works around the "incoming requests can't get in" problem. The trade-off is that it relies on a relay service, so speed and stability can be affected. Security is also critical—ensure proper authentication, access restrictions, and don't expose your internal NAS or camera interfaces without protection.
Many home broadband connections now allocate IPv6 addresses even without a public IPv4. With its massive address space, IPv6 can give each device a globally routable address, theoretically allowing direct external access.
Sounds great, but it also significantly increases your attack surface. NAT acted as a default "gatekeeper" under IPv4. This protection is gone with IPv6. You need to properly configure your firewall: decide which ports to open, which devices can be accessed, and which services are restricted to certain sources—all of this becomes your responsibility.
A word of caution: IPv6 can solve some "accessibility from the internet" issues, but "direct accessibility" also means "directly attackable." Security configurations are a must.
Myth 1: I can access the internet, so the internet can access me.No. You can access the internet because you initiated the connection and NAT remembered it. For external access, someone else initiates the connection, and NAT doesn't know where to send it. These are different scenarios.
Myth 2: Port forwarding always works.Not necessarily. Port forwarding only works if requests can reach your router. If you're behind CGNAT, they won't.
Myth 3: Intranet penetration is completely safe.Not at all. It only solves the access path issue. Authentication, permissions, firewall rules, and logging are all still vital.
Public IP, NAT, and port forwarding aren't that complicated. Remember these three key points:
Private IPs are home room numbers that only work locally; Public IPs are internet addresses that allow the whole world to find you.
NAT lets your whole family share one front door for leaving the house, but if someone knocks from the outside, nobody inside knows who should answer.
Port forwarding is putting a list on the door that tells visitors which internal room to go to for which service.
If your "front door" address (public IP) isn't real, then no matter how many forwarding lists you put up, visitors won't find your house. At that point, you either ask the operator for a real door address (public IP) or have your internal devices call out first (intranet penetration) to establish a path.