Is my router's IP address really public?

15

1

I have a common home network consisting of a wireless router with many devices connected to it. I understand that because of NAT, all devices attached to the router connect to the outside of it via its IP address, with varying NAT ports.

Is the router's IP address really public? Or is there another level of NAT in my ISP's network? Is there a way to determine this?

MPA95

Posted 2019-05-27T02:43:20.020

Reputation: 161

4 Not a security question, depends on ISP. Most have another level of NAT and charge extra for public IP where I live, but that may vary. You can check by comparing the IP your router thinks it has with your actual IP. If there is another level of NAT, the router will have a local IP. – Peter Harmann – 2019-05-27T03:13:24.583

@PeterHarmann If the question is about internet privacy, then it's on-topic, but I agree this one is iffy. – forest – 2019-05-27T03:20:04.793

if you want to reduce your visibility you could use a vpn – Viktor Mellgren – 2019-05-27T14:09:41.967

1 @PeterHarmann It really depends on location and infrastructure. Here in France you almost always have a public IP directly on the router (whether it is xDSL, cable or FTTH) but it's usually dynamic (changes at each session) and you may have to pay for a static one. – zakinster – 2019-05-27T14:12:12.843

Even if you do have another NAT layer (such as with IPv4 over native IPv6 on fiber in large parts of Europe), or an IP-per-reconnect dynamic IPv4 address, the address still obviously is public in general, and public pointing at your router the moment you connect to a server (or do a DNS lookup for that matter). It cannot be any different, or traffic couldn't find its way towards you. Also, even if your address changes, it is usually logged very pedantically who had which IP address assigned at which point in time. Law enforcement (and terror laws) usually requires that to be the case. – Damon – 2019-05-27T18:56:29.017

For CGNAT, the IP address should not be an internet address but a class A/B/C private address. (Usually A). Port forwarding and DMZ are defeated by this. You will generally have to VPN back to a point where a public IP address is available. – mckenzm – 2019-05-28T04:40:06.323

Answers

25

A router has multiple IPs. Its public IP is, of course, public. That is the address that you give to any website you connect to so the server knows where to send a reply. A router also has a gateway IP, which is typically the address on your LAN which other devices behind the router see. This IP is private in that it does not exist on the public internet, but it is not secret (most people use the same range).

My question is, is the router's IP really public?

It is public, but you don't have to worry about it. Knowledge of an IP address is typically not a problem unless you need anonymity. You don't have to worry about being hacked or tracked down based on IP. I explained in another answer why there's no need to worry about having a public IP address. If the address wasn't public, then you wouldn't be able to hear a response from any site you connect to!

Or is there another level of NAT in my ISP's network?

Some ISPs have another level of NAT called Carrier-Grade NAT, or CGN. If your public address as seen by the router (not by websites that check your IP) is in the range of 100.64.0.0/10 (see RFC 6598), then you are most definitely using CGN. If you have any doubts, call your ISP and ask them.

forest

Posted 2019-05-27T02:43:20.020

Reputation: 607

@PedroLobito While there are edge cases like improperly configured routers exposing the web interface to the world, the typical user does not need to worry about the privacy of their IP address. Unless your adversary has legal privileges and can demand subscriber information from your ISP, you can't be (accurately) located based on IP alone. That doesn't mean that there are never reasons to hide your IP. – forest – 2019-05-28T01:04:54.193

11 -1 for "You don't have to worry about being hacked or tracked down based on IP." – Pedro Lobito – 2019-05-27T12:57:08.940

9 You can't be tracked personally with just a public IP. It will point to your city/town but an attacker can never get your exact location without the help of the ISP. Also, assuming no port forwarding is enabled, there is no way to "hack" someone with just their public IP as only the router can be reached, not the machine of the user itself. – Echo – 2019-05-27T14:15:05.660

10 "Its public IP is, of course, public." It usually is, but not always, as demonstrated in your last paragraph. – zakinster – 2019-05-27T14:24:52.297

13 "Some routers have another level of NAT" - that's not really a property of the router? It would be more accurate to say, "Some ISPs have another layer of NAT", right? – Blorgbeard is out – 2019-05-27T15:21:03.393

@Blorgbeard Good point. I'm not sure how that got in there. I've fixed that. – forest – 2019-05-28T01:02:38.283

31

  1. Connect to your router's admin interface, and check the "public" or "WAN" IP address.
  2. Then connect to a site like https://whatismyipaddress.com/ to check what IP address is visible from the Internet.

If both match, your router's IP is indeed public, and there is no other level of NAT.

If the two addresses don't match, then there is another level of NAT done by your ISP, something called "Carrier-Grade NAT" (CGNAT).

Whether CGNAT is used depends a lot on ISPs. Mobile/wireless ISPs use it a lot. Fixed-line (DSL, Cable, etc.) ISPs use it less, but this can vary a lot from country to country and ISP to ISP.

jcaron

Posted 2019-05-27T02:43:20.020

Reputation: 986

There is also the option that you are connected via IPv6 and the provider NATs to a limited IPv4 pool (DS-Lite). The described procedure will detect this, too. – eckes – 2019-05-28T10:51:55.807

3

Yes, your IP is public. With most ISPs that I've seen, the IP address rotates rarely. In other words, your IP is public, every website you visit can see it, and it almost never changes.

You can check your IP address by googling "What is my IP" or https://whatismyipaddress.com/. You can see, there, what every other website sees.

Your phone number is also public. Most people you call can see your number. Anyone can call your number.

Jonathan

Posted 2019-05-27T02:43:20.020

Reputation: 131

1 A difference between phone numbers and IP addresses is that you can have a whole phone conversation where one side (the callee) doesn't know the other side (the caller)'s phone number. This isn't possible for IP-based communication. – Gilles 'SO- stop being evil' – 2019-05-27T05:39:35.090

2 The phone number is a bad analogy here. – schroeder – 2019-05-27T12:10:02.193

1

Command traceroute (tracert on Windows) may help.

Run traceroute www.google.com, if you get

1 192.168.x.1 (your router's LAN IP)
2 100.x.x.x (ISP's NAT)
3 x.x.x.x (some public IP)
4 x.x.x.x (some public IP)
......

If the ISP has another level of NAT, it usually gives you an IP 100.x.x.x (100.64.0.0/10).

Bob Johnson

Posted 2019-05-27T02:43:20.020

Reputation: 121

I like this approach, but exactly in what range should the second hop's IP be? Should it be in a CIDR block or could it be another? – MPA95 – 2019-05-27T15:21:20.030

2 The second hop when using CGN is, as this answer mentions, in 100.64.0.0/10. – forest – 2019-05-28T01:06:15.617
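Added example, not part of any answer or comment above: a Python version of the checks the answers describe, combining the 100.64.0.0/10 range test, the comparison of the router's WAN address with the address a website sees, and a scan of traceroute output for CGN hops. The function names, return labels and sample addresses are assumptions made for illustration; note that only 100.64.0.0 through 100.127.255.255 is shared address space, not every 100.x.x.x address.

```python
import ipaddress
import re

# Shared address space reserved for carrier-grade NAT (RFC 6598).
CGN_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges; a WAN address here means some upstream device NATs.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(addr):
    """Label an IPv4 address 'cgn', 'private' or 'public' (other special ranges are not handled)."""
    ip = ipaddress.ip_address(addr)
    if ip in CGN_NET:
        return "cgn"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"

def nat_verdict(router_wan, seen_by_site):
    """Compare the router's WAN address with the address an IP-echo site reports."""
    kind = classify(router_wan)
    if kind != "public":
        return kind                      # 'cgn' or 'private': NAT upstream
    if ipaddress.ip_address(router_wan) == ipaddress.ip_address(seen_by_site):
        return "direct"                  # router really holds the public address
    return "mismatch"                    # translated somewhere in the ISP network

# Hop number, then the first dotted quad on the line (traceroute or tracert).
HOP_RE = re.compile(r"^\s*(\d+)\s.*?(\d{1,3}(?:\.\d{1,3}){3})")

def cgn_hops(trace_text):
    """Return [(hop, address)] for hops whose address is inside 100.64.0.0/10."""
    hits = []
    for line in trace_text.splitlines():
        m = HOP_RE.match(line)
        if m and classify(m.group(2)) == "cgn":
            hits.append((int(m.group(1)), m.group(2)))
    return hits

# Constructed sample output; addresses are documentation/example values.
SAMPLE_TRACE = """\
 1  192.168.1.1  1.2 ms
 2  100.72.0.1  8.4 ms
 3  198.51.100.1  11.0 ms
 4  * * *
"""

if __name__ == "__main__":
    print(nat_verdict("100.72.13.5", "203.0.113.7"))
    print(nat_verdict("203.0.113.7", "203.0.113.7"))
    print(cgn_hops(SAMPLE_TRACE))
```

A "mismatch" result covers both CGNAT with a public-looking WAN address and the DS-Lite case mentioned in the comments, since the script only sees that translation happened, not where.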