{ "slug": "nat_traversal", "term": "NAT & Port Forwarding", "category": "networking", "difficulty": "intermediate", "short": "NAT maps multiple private IPs to one public IP — understanding NAT explains why ngrok is needed for local webhook testing and how Docker port mapping works.", "long": "NAT (Network Address Translation): a router with one public IP maps multiple private devices (192.168.x.x, 10.x.x.x) by tracking source IP:port to destination. Port forwarding: manually map public_ip:port → private_ip:port for inbound connections. NAT traversal: WebRTC uses STUN to discover public IP and TURN as a relay when direct P2P fails. For PHP developers: ngrok creates a tunnel bypassing NAT so Stripe can reach localhost:8000.", "aliases": [ "NAT", "port forwarding", "ngrok", "STUN", "TURN" ], "tags": [ "networking", "devops" ], "misconception": "NAT provides security by hiding internal IPs — NAT is primarily an IP conservation mechanism, not a security feature; it does not replace firewalls.", "why_it_matters": "Testing webhooks locally requires exposing localhost to the internet — without understanding NAT, developers cannot explain why Stripe cannot reach 192.168.1.100.", "common_mistakes": [ "Relying on NAT as a security boundary", "Not using ngrok for local webhook development", "Hard-coding private IPs in configuration — not routable on internet", "Docker: forgetting -p host:container to publish ports" ], "when_to_use": [], "avoid_when": [], "related": [ "ipv6_basics", "http_request_response_cycle", "cloud_vpn_networking" ], "prerequisites": [ "tcp_ip_model", "ipv6_basics", "dns_resolution" ], "refs": [ "https://www.cloudflare.com/learning/network-layer/what-is-nat/" ], "bad_code": "// Stripe webhook URL: http://192.168.1.100:8000/webhook\n// Problem: 192.168.1.100 is a private IP\n// Stripe cannot reach this from the internet — webhook never fires", "good_code": "// Use ngrok for local webhook testing:\n// Terminal 1: php -S localhost:8000\n// Terminal 2: ngrok http 8000\n// ngrok output: https://abc123.ngrok.io -> localhost:8000\n// Stripe webhook URL: https://abc123.ngrok.io/webhook\n\n// Docker: expose port to host:\n// docker run -p 8000:80 myapp\n// nginx on port 80 inside container → localhost:8000 on host", "quick_fix": "Understanding NAT explains why webhooks must be publicly accessible — your PHP app behind NAT cannot receive inbound connections without port forwarding or a tunnel; use ngrok for local webhook development", "severity": "info", "effort": "low", "created": "2026-03-16", "updated": "2026-03-22", "citation": { "canonical_url": "https://codeclaritylab.com/glossary/nat_traversal", "html_url": "https://codeclaritylab.com/glossary/nat_traversal", "json_url": "https://codeclaritylab.com/glossary/nat_traversal.json", "source": "CodeClarityLab Glossary", "author": "P.F.", "author_url": "https://pfmedia.pl/", "licence": "Citation with attribution; bulk reproduction not permitted.", "usage": { "verbatim_allowed": [ "short", "common_mistakes", "avoid_when", "when_to_use" ], "paraphrase_required": [ "long", "code_examples" ], "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.", "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.", "attribution_examples": { "inline_mention": "According to CodeClarityLab: ", "markdown_link": "[NAT & Port Forwarding](https://codeclaritylab.com/glossary/nat_traversal) (CodeClarityLab)", "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/nat_traversal" } } } }