Public IP vs Private IP Address — What’s the Difference?

Every device on a network has an IP address, but not every IP is reachable from the Internet. Public IPs are globally routable; private IPs only work inside your local network. This guide explains the difference, walks through the RFC 1918 ranges, and shows how NAT lets a household full of devices share a single public address.

The core definitions

A public IP address is globally unique and routable on the Internet. When a server in Virginia sends a packet back to your laptop, it addresses the packet to your public IP and trusts the global routing system to deliver it. Public IPs are owned by Internet Service Providers and data center operators, who receive blocks from the Regional Internet Registries (ARIN, RIPE, APNIC, LACNIC, AFRINIC).

A private IP address is reserved for use inside a local network (LAN). Private IPs are not globally unique — millions of home networks use the exact same 192.168.1.1 for their router. They work only within the walls of their own network because Internet backbone routers explicitly drop packets destined for private ranges.

The RFC 1918 private ranges

RFC 1918, published in February 1996, formally reserved three address ranges for private use. Any organization can use these without coordinating with anyone:

10.0.0.0/8 — the big one

The 10.x.x.x range covers 16,777,216 addresses. Large corporations, universities, and cloud providers favor it because it gives enormous headroom for subnetting. AWS VPCs default into this range. If your work laptop’s IP starts with 10., you’re almost certainly on a corporate network.

172.16.0.0/12 — the middle one

This covers 172.16.0.0 through 172.31.255.255, which is 1,048,576 addresses. Docker’s default bridge network picks subnets from here (172.17.0.0/16). Many corporate VPNs and smaller enterprise networks also use this range. It’s the most common range for “I know it’s private but I never remember exactly which one”.

192.168.0.0/16 — the home-router default

At 65,536 addresses, this is the smallest of the three — and by far the most familiar. Virtually every consumer router ships with a default gateway of 192.168.0.1 or 192.168.1.1. If you open a browser and type one of those into the URL bar right now, you’re likely looking at your router’s admin page.

169.254.0.0/16 — APIPA (the unwanted one)

Technically defined in RFC 3927, not RFC 1918. The 169.254.x.x range is Automatic Private IP Addressing — your device self-assigns an address here only when DHCP fails. Seeing a 169.254 address in ipconfig almost always means your router isn’t reachable or your DHCP lease is broken. It’s useful for troubleshooting because it tells you immediately that something upstream is wrong.

How NAT lets many share one

Network Address Translation (NAT) is the reason a single public IP can serve a house with a dozen phones, laptops, smart TVs, and IoT gadgets. Here’s what happens when you open a website:

  1. Your laptop (private IP 192.168.1.42) sends a packet to the web server. Source: 192.168.1.42:54321. Destination: the server’s public IP on port 443.
  2. The packet hits your router. The router rewrites the source to its own public IP (say 203.0.113.7) and picks an outbound port, say 61001. It records the mapping in a translation table: 203.0.113.7:61001 ↔ 192.168.1.42:54321.
  3. The server receives a packet from 203.0.113.7:61001 and replies to that address.
  4. Your router sees the incoming packet, looks up port 61001 in its table, rewrites the destination back to 192.168.1.42:54321, and forwards it to your laptop.

Multiply this by every simultaneous connection on every device and you get modern home networking. The translation table is the entire trick.
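
The four steps above as a toy translation table. This is an added example, not code from the original page; the class name Napt, the server address 198.51.100.10 and the second LAN device are constructed for illustration. It also shows the drop that happens when a packet arrives on a public port no LAN host opened.

```python
from itertools import count

class Napt:
    """Toy port-translating NAT. Real NATs also key on protocol and remote
    endpoint and expire idle entries; this keeps only the page's table."""

    def __init__(self, public_ip, first_port=61001):
        self.public_ip = public_ip
        self._next_port = count(first_port)
        self.out = {}    # (private ip, port) -> public port
        self.back = {}   # public port -> (private ip, port)

    def outbound(self, src, dst):
        """Steps 1-2: rewrite the source, recording a mapping on first use."""
        if src not in self.out:
            port = next(self._next_port)
            self.out[src], self.back[port] = port, src
        return (self.public_ip, self.out[src]), dst

    def inbound(self, src, dst):
        """Step 4: rewrite the destination, or return None (drop) when no
        LAN host opened that port first."""
        ip, port = dst
        if ip != self.public_ip or port not in self.back:
            return None
        return src, self.back[port]

def demo():
    nat = Napt("203.0.113.7")
    server = ("198.51.100.10", 443)        # constructed documentation address
    laptop = ("192.168.1.42", 54321)
    phone = ("192.168.1.50", 54321)        # constructed second LAN device
    sent = nat.outbound(laptop, server)
    reply = nat.inbound(server, sent[0])   # step 3: server answers sent[0]
    other = nat.outbound(phone, server)    # same private port, new public port
    stray = nat.inbound(("198.51.100.99", 40000), ("203.0.113.7", 61500))
    return sent, reply, other, stray
```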

Why you can't reach 192.168.1.1 from the Internet

ISPs and Internet backbone routers enforce bogon filtering. Any packet destined for an RFC 1918 address that appears on a public interface is dropped immediately. This is intentional: if backbones honored private addresses, routing tables would be chaos. Millions of networks claim the same 192.168.0.0/16 — which one should a packet actually reach?

The practical consequence: you can never point a friend’s browser at your private IP. To expose a service at home, you need to combine your public IP with port forwarding in your router, or use a tunnel service (Cloudflare Tunnel, Tailscale Funnel, ngrok) to bridge the gap.

Carrier-Grade NAT (CGNAT)

CGNAT is NAT applied one level higher. Your ISP runs a huge NAT of its own and places your entire household behind a shared public IPv4. The range 100.64.0.0/10 (RFC 6598) is reserved specifically for this “between router and ISP” segment.

The catch: if you’re on CGNAT, you can’t do traditional port forwarding because you don’t own the public port space. Self-hosted game servers, home security cameras, IP phones, and VPN servers all break or require workarounds like a VPS proxy or an IPv6 bypass. To check if you’re behind CGNAT, compare the WAN IP on your router’s status page to the public IP our tool shows. If your router’s WAN IP is in 100.64.0.0/10 (or in an RFC 1918 range), you’re behind CGNAT.
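
The WAN-versus-public comparison described above, written out as an added example (not code from the original page). The function names and verdict strings are hypothetical, and 203.0.113.7 stands in for the address a remote checker reports.

```python
import ipaddress

# Only the blocks this page names; ipaddress's is_private flag covers more.
RANGES = [
    ("rfc1918", ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918", ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918", ipaddress.ip_network("192.168.0.0/16")),
    ("cgnat", ipaddress.ip_network("100.64.0.0/10")),        # RFC 6598
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),  # RFC 3927
]

def classify(addr):
    """Return the label of the reserved block holding addr, else 'public'."""
    ip = ipaddress.IPv4Address(addr)   # raises ValueError on malformed input
    for label, net in RANGES:
        if ip in net:
            return label
    return "public"

def wan_verdict(wan_ip, seen_public_ip):
    """Compare the router's WAN address with the address a remote server saw."""
    kind = classify(wan_ip)
    if kind == "link-local":
        return "no DHCP lease on WAN"
    if kind in ("cgnat", "rfc1918"):
        # The page's CGNAT case. An RFC 1918 WAN address can also mean a
        # second router sits upstream (double NAT).
        return "behind upstream NAT"
    if ipaddress.IPv4Address(wan_ip) != ipaddress.IPv4Address(seen_public_ip):
        return "WAN is public but differs from observed address"
    return "direct public address"
```

The boundary cases are the ones worth testing by hand: 172.31.255.255 and 100.127.255.255 are still reserved, while 172.32.0.1 and 100.128.0.0 are ordinary public space.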

How to check both addresses

  • Private IP (your device): ipconfig on Windows, ifconfig or ipconfig getifaddr en0 on macOS, ip addr on Linux, Wi-Fi settings on mobile.
  • Public IP (what the Internet sees): our checker, or any web-based IP tool. A server always sees your public IP because NAT rewrites outbound traffic.
  • Router’s WAN IP: log into your router admin panel (usually 192.168.1.1) and look at the WAN or Internet status page. This should match your public IP unless you’re behind CGNAT.

When the distinction matters

For everyday browsing, most people never think about this. It starts mattering when you:

  • Set up port forwarding for game servers or Plex — you forward external traffic from your public IP to an internal private IP.
  • Run VoIP or video conferencing behind a symmetric NAT — some configurations break without STUN/TURN servers to traverse the NAT boundary.
  • Host anything from home — a dynamic public IP and a CGNAT ISP are the two most common reasons home hosting fails.
  • Need firewall allowlists — corporate services sometimes want your public IP added to an allowlist, and a private IP won’t help.

Check Your Current IP

Use our What Is My IP tool to see your public IP address, ISP, and location. Compare it against your router’s WAN IP to quickly spot whether you’re behind CGNAT.

Frequently Asked Questions

Why does the IP checker show a different IP than my computer?

Because your computer knows its private IP (assigned by your router) while our checker sees your public IP (the one your router uses to talk to the Internet). Both are correct; they’re just describing different layers. The private IP is useful for local networking; the public IP is what matters online.

Can I host a website from my home computer?

Technically yes, but only if your ISP gives you a real public IP (not CGNAT) and doesn’t block inbound ports like 80 and 443. You’d set up port forwarding on your router, point a domain at your public IP (or use Dynamic DNS since it may change), and run a web server. Many residential ISPs forbid this in their terms of service even when it works technically.

Is a private IP safer than a public IP?

A little, but not in the way people usually mean. Private IPs aren’t reachable from the Internet, so they can’t be directly port-scanned by a random attacker. But a device with a private IP can still be attacked through its browser, through services it connects out to, or through another compromised device on the same LAN. “Private IP” is not the same as “secure” — it only describes routability.

What is my router's WAN IP?

Log into your router (usually http://192.168.1.1 or http://192.168.0.1), find the Status or Internet page, and look for “WAN IP” or “Internet IP”. On a normal connection this equals your public IP. If it starts with 10., 172.16-31., 192.168., or 100.64-127., your ISP has you behind CGNAT and your real public IP belongs to them.

Can private IPs overlap with someone else's network?

Yes, and they constantly do — that’s the whole point of RFC 1918. Your 192.168.1.42 and your neighbor’s 192.168.1.42 coexist peacefully because neither is visible outside its own LAN. Problems only arise when two private networks try to merge (for example, over a VPN) and discover they picked the same subnet; then one side has to renumber.