NAT and address scope utility
Two IPs, and they almost never match. Paste the local one your device shows, paste (or detect) the public one websites actually see, and this thing tells you what each is: IPv4 or IPv6, which range it falls in, whether it’s reachable from the internet at all. It flags NAT and carrier-grade NAT, then writes you a little note you can drop into a port forward, a firewall allowlist, or a support ticket.
A browser can’t just go read every private address sitting on your device. So grab the local one yourself, off the router, the OS, the server panel, wherever, and line it up against the internet-facing one.
Public IP vs local IP, without the usual confusion
A local IP names an interface inside a network you’re part of. The public IP is the address the outside world can reach, or at least see, somewhere along the path. Picture it at home. Your laptop sits on 192.168.1.42, but every website you hit sees a single public address that belongs to the router or your provider, not to the laptop. Offices get weirder. A server panel happily shows you a private address while a load balancer or some cloud gateway is the thing actually exposing the service, through a totally different public address.
And honestly that gap matters more than people give it credit for. It’s the reason an allowlist wants one value and not the other. It’s why a port forward points at some internal host. It’s why your neighbour’s network and yours can both be running 192.168.1.42 right now with zero conflict. Two houses, same address, nobody notices. It’s also why support keeps asking for the IP that shows up from outside instead of the one your OS printed, which feels pedantic until you realise they’re not the same number.
What this comparison is useful for
- Figure out what a pasted interface IP actually is. Private, link-local, carrier NAT, unique local IPv6, or genuinely routable.
- Hold a LAN address up against the public one your browser is exposing right now.
- Catch a carrier-grade NAT clue early, before you blow twenty minutes on a port forward that was never going to receive inbound traffic anyway.
- Pick the right IP for the job, whether that’s VPN access or a hosting allowlist or a remote admin rule.
- Hand a colleague (or a confused client) a copyable report instead of trying to explain scope out loud.
NAT changes the path, not the meaning of the addresses
NAT, Network Address Translation, is just the trick that lets a pile of private IPv4 devices share a much smaller pool of public addresses. Inside the LAN, your local address still does its job. Out on the internet, the public one is what remote services actually talk to. Both real, different scopes. People sometimes treat NAT like it’s a firewall, and look, it isn’t, not on its own. Your router, the host firewall, cloud security groups, whatever app auth you’ve got, that’s the stuff deciding what’s reachable.
Carrier-grade NAT stacks a second layer on top, this one run by your provider. If your router’s WAN address lands inside 100.64.0.0/10, that’s the tell: the ISP is probably sharing one chunk of public IPv4 across a bunch of customers, you included. And then classic inbound port forwarding just quietly fails, even though your router rule looks completely fine. Maddening to debug if you don’t know to look for it. IPv6 flips the whole thing around. There the address can be globally routable on its own, and the firewall policy is still free to drop any inbound connection you didn’t ask for.
Practical mistakes this tool helps avoid
- Pasting a 192.168.x.x address into a remote SaaS firewall and wondering why nothing connects.
- Forwarding a port to a local host, then watching DHCP hand that host a different address next week and break the rule.
- Assuming anything that isn’t RFC1918 is safe to expose, without ever checking the special-use ranges.
- Treating public reachability like it tells you something about geolocation or identity. It doesn’t.
- Forgetting that a VPN or a proxy or the office gateway is the actual reason your visible public IP just changed.
Common questions
Can a website see my local IP?
A plain web request only really hands over the public address that carried the connection. Browsers don’t go around offering up a tidy list of your private device addresses to whatever site you visit, so if you want to compare the local one, you’ve got to paste it in yourself.
Which IP should I use for a firewall allowlist?
Depends which firewall. A remote one almost always wants the public address as seen from that remote service’s side. But a rule on a firewall inside your own LAN? That’ll usually want a private subnet or a local host address instead. Different vantage points, different answer.
Does a public IP mean the device is exposed?
No, and this trips people up constantly. A globally routable address only tells you the scope, nothing more. What’s actually exposed gets decided downstream by your firewalls, the NAT rules, security groups, whether anything’s even listening, plus auth. Scope is not exposure.
Which IP ranges are private?
For IPv4 it’s 10.0.0.0/8, then 172.16.0.0/12, plus 192.168.0.0/16. IPv6 has its own, fc00::/7. None of them route on the public internet, and that’s exactly why the same ones get reused on basically every local network out there.
Why do all my devices share one public IP?
That’s NAT doing its thing. Your router maps all those private addresses onto the single public IP, and it keeps track of every outbound connection so the replies find their way back to whichever device asked. One address out front, a whole house behind it.
What is CGNAT and how does it affect me?
Carrier-grade NAT is when your ISP stretches a single public IP across loads of customers at once. The practical sting: you can’t really host inbound services straight off your line. Usual fix is a relay, or a VPN that gives you a public endpoint of your own to point things at.
