What Is NAT Traversal?
NAT traversal is the process of establishing peer-to-peer connections through routers and firewalls — essential for WebRTC video chat.
NAT traversal is the process of establishing direct connections between two devices that are each behind their own router (NAT). It's one of the fundamental challenges in peer-to-peer communication and the reason technologies like STUN, TURN, and ICE exist.
What Is NAT?
NAT (Network Address Translation) is what your home router does to let multiple devices share a single public IP address. Your laptop, phone, tablet, and smart TV all have different local IP addresses (192.168.x.x), but the outside internet sees them all as coming from one public IP address — your router's.
NAT was invented to deal with IPv4 address exhaustion (there aren't enough IPv4 addresses for every device to have its own public one). It's been incredibly successful — virtually every home and business uses NAT.
The NAT Problem for Video Chat
NAT creates a fundamental problem for P2P connections:
- Outgoing connections work fine — Your device sends a request to a server, the router remembers the mapping, and responses come back correctly. This is how you browse the web, watch YouTube, and use most internet services.
- Incoming connections are blocked — When someone outside your network tries to send data directly to your device, your router doesn't know which internal device to forward it to. The connection is dropped.
For WebRTC video chat, both users need to send video to each other — but both are typically behind NATs that block incoming connections. This is the NAT traversal problem.
How NAT Traversal Works
Modern video chat platforms solve the NAT problem through several techniques, used together:
STUN-based Discovery
A STUN server tells each browser what its public IP and port are. When both browsers know their public addresses, they can attempt to connect. In many cases, if both users are behind basic NATs (cone NATs), the connection succeeds because outgoing packets create temporary holes in the NAT that incoming responses can use.
Hole Punching
Both browsers simultaneously send packets to each other's discovered public addresses. These outgoing packets create temporary entries in each router's NAT table. When the other peer's packet arrives moments later, the router recognizes it as a response to the outgoing packet and forwards it to the correct device.
This "simultaneous open" technique works for most NAT types and is the primary mechanism for P2P connectivity.
TURN Relay
When hole punching fails (typically with symmetric NATs), both browsers connect to a TURN server instead. The TURN server relays all media data between the peers. It's slower and more expensive, but it works universally.
Types of NAT
Not all NATs are equal. The difficulty of traversal depends on the NAT type:
| NAT Type | Traversal | Notes |
|----------|-----------|-------|
| Full Cone | Easy | Any external address can send to the mapped port |
| Address-Restricted Cone | Moderate | Only addresses you've sent to can respond |
| Port-Restricted Cone | Moderate | Only the specific address:port you sent to can respond |
| Symmetric | Difficult | Different external port for each destination; STUN discovery won't help |
Symmetric NAT is the main adversary. It's common in corporate networks, universities, and some mobile carriers. When both peers are behind symmetric NATs, TURN relay is the only option.
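The mapping and filtering rules in the table can be modelled directly to see which pairings hole punching can connect. The following JavaScript is an added example, not code from the original page or from any platform it mentions; the `Nat` class, `connect` function, documentation-range IP addresses and port numbers are constructed for illustration. It goes beyond the table by testing every pairing, and in this model a symmetric NAT facing a port-restricted cone NAT also ends up on a relay.

```javascript
// Constructed model: class names, addresses and ports are illustrative assumptions.
class Nat {
  constructor(type, ip) {
    this.type = type;        // 'full' | 'addr' | 'port' | 'sym' (rows of the table)
    this.ip = ip;            // public address of the router
    this.nextPort = 40000;
    this.maps = new Map();   // mapping key -> external port
    this.sentTo = new Map(); // external port -> Set of "ip:port" the host has sent to
  }
  // Outbound packet from the one internal host; returns the public source address.
  send(dst) {
    const d = `${dst.ip}:${dst.port}`;
    // Cone NATs reuse one external port; symmetric NAT allocates one per destination.
    const key = this.type === 'sym' ? d : '*';
    if (!this.maps.has(key)) this.maps.set(key, this.nextPort++);
    const port = this.maps.get(key);
    if (!this.sentTo.has(port)) this.sentTo.set(port, new Set());
    this.sentTo.get(port).add(d);
    return { ip: this.ip, port };
  }
  // Inbound packet from src to an external port: is it forwarded inside?
  accepts(src, port) {
    const dsts = this.sentTo.get(port);
    if (!dsts) return false;                  // no mapping, packet dropped
    if (this.type === 'full') return true;    // any external sender
    if (this.type === 'addr') return [...dsts].some(d => d.startsWith(src.ip + ':'));
    return dsts.has(`${src.ip}:${src.port}`); // 'port' and 'sym': exact ip:port only
  }
}

const STUN = { ip: '192.0.2.1', port: 3478 };

// 'direct' if hole punching gives a two-way path, 'relay' if TURN is required.
function connect(typeA, typeB) {
  const a = new Nat(typeA, '198.51.100.10'), b = new Nat(typeB, '203.0.113.20');
  const srflxA = a.send(STUN), srflxB = b.send(STUN);   // what STUN reports to each peer
  const fromA = a.send(srflxB), fromB = b.send(srflxA); // both punch toward the peer
  // The receiver answers the source it actually saw; the sender's NAT must admit that.
  const replyOk = (rx, tx, seen) => tx.accepts(rx.send(seen), seen.port);
  if (b.accepts(fromA, srflxB.port) && replyOk(b, a, fromA)) return 'direct';
  if (a.accepts(fromB, srflxA.port) && replyOk(a, b, fromB)) return 'direct';
  return 'relay';
}

const TYPES = ['full', 'addr', 'port', 'sym'];
const matrix = () => TYPES.map(x => TYPES.map(y => connect(x, y)));
for (const [i, row] of matrix().entries()) console.log(TYPES[i].padEnd(5), row.join(' '));
```

The `accepts` method is also the filtering rule a reviewer would check on a router: only the full cone type forwards packets from senders the internal host never contacted.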
NAT Traversal in Practice
On platforms like Glimr, NAT traversal is handled automatically by the ICE framework:
- Both browsers gather ICE candidates (local, STUN-discovered, and TURN relay addresses)
- Candidates are exchanged through the signaling server
- ICE tests all candidate pairs, starting with the most preferred
- The best working pair is selected for the media connection
This entire process typically completes in under 2 seconds. Users experience a brief "connecting" phase while ICE figures out the optimal path through both users' NATs.
The Future: IPv6
IPv6 addresses the root cause of the NAT problem — address exhaustion. With IPv6, every device can have its own globally routable address, eliminating the need for NAT entirely. However, IPv6 adoption remains partial, so NAT traversal will continue to be essential for video chat platforms for years to come.
Definition
The process of establishing direct network connections between devices that are behind NAT routers or firewalls, essential for peer-to-peer applications like video chat.
Category: Networking