Public IP vs Local IP

Paste a local IP and the public one websites see, then read what each is: IPv4 or IPv6, which range, routable or not, and the NAT boundary.

Public IP vs local IP is the gap that breaks half of all port forwards and firewall rules. Paste the local address your device shows and the public one the outside world sees, and this tool tells you what each actually is: IPv4 or IPv6, which range it falls in, whether it routes on the internet at all. It flags private RFC1918 space, link-local, documentation and multicast ranges, IPv6 unique-local, and the carrier-grade NAT block that quietly kills inbound connections. Then it reads the NAT boundary between the two, says which value belongs in a remote allowlist, and writes a copyable note for a port forward or a support ticket. Detection runs against a public IP provider straight from your browser.

100% in your browser. Nothing you type ever leaves this page.

NAT and address scope utility

Two IPs, and they almost never match. Paste the local one your device shows, paste (or detect) the public one websites actually see, and this thing tells you what each is: IPv4 or IPv6, which range it falls in, whether it's reachable from the internet at all. It flags NAT and carrier-grade NAT, then writes you a little note you can drop into a port forward, a firewall allowlist, or a support ticket.

A browser can't just go read every private address sitting on your device. So grab the local one yourself, off the router, the OS, the server panel, wherever, and line it up against the internet-facing one.

Public IP vs local IP, without the usual confusion

A local IP names an interface inside a network you're part of. The public IP is the address the outside world can reach, or at least see, somewhere along the path. Picture it at home. Your laptop sits on 192.168.1.42, but every website you hit sees a single public address that belongs to the router or your provider, not to the laptop. Offices get weirder. A server panel happily shows you a private address while a load balancer or some cloud gateway is the thing actually exposing the service, through a totally different public address.

And honestly that gap matters more than people give it credit for. It's the reason an allowlist wants one value and not the other. It's why a port forward points at some internal host. It's why your neighbour's network and yours can both be running 192.168.1.42 right now with zero conflict. Two houses, same address, nobody notices. It's also why support keeps asking for the IP that shows up from outside instead of the one your OS printed, which feels pedantic until you realise they're not the same number.

What this comparison is useful for

  • Figure out what a pasted interface IP actually is. Private, link-local, carrier NAT, unique local IPv6, or genuinely routable.
  • Hold a LAN address up against the public one your browser is exposing right now.
  • Catch a carrier-grade NAT clue early, before you blow twenty minutes on a port forward that was never going to receive inbound traffic anyway.
  • Pick the right IP for the job, whether that's VPN access or a hosting allowlist or a remote admin rule.
  • Hand a colleague (or a confused client) a copyable report instead of trying to explain scope out loud.

NAT changes the path, not the meaning of the addresses

NAT, Network Address Translation, is just the trick that lets a pile of private IPv4 devices share a much smaller pool of public addresses. Inside the LAN, your local address still does its job. Out on the internet, the public one is what remote services actually talk to. Both real, different scopes. People sometimes treat NAT like it's a firewall, and look, it isn't, not on its own. Your router, the host firewall, cloud security groups, whatever app auth you've got, that's the stuff deciding what's reachable.

Carrier-grade NAT stacks a second layer on top, this one run by your provider. If your router's WAN address lands inside 100.64.0.0/10, that's the tell: the ISP is probably sharing one chunk of public IPv4 across a bunch of customers, you included. And then classic inbound port forwarding just quietly fails, even though your router rule looks completely fine. Maddening to debug if you don't know to look for it. IPv6 flips the whole thing around. There the address can be globally routable on its own, and the firewall policy is still free to drop any inbound connection you didn't ask for.
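The range checks and NAT-boundary reading described above, as an added Python example (not this tool's own code). The function names and verdict strings are assumptions, loopback is added to the ranges the page lists, and the table is not the full IANA special-purpose registry; pass the router's WAN address as `local` to test for carrier-grade NAT.

```python
import ipaddress

# Special-use ranges named on this page (plus loopback), checked in order;
# an address that matches none of them is treated as globally routable.
RANGES = [
    ("10.0.0.0/8", "private (RFC1918)"),
    ("172.16.0.0/12", "private (RFC1918)"),
    ("192.168.0.0/16", "private (RFC1918)"),
    ("100.64.0.0/10", "carrier-grade NAT"),
    ("169.254.0.0/16", "link-local"),
    ("127.0.0.0/8", "loopback"),
    ("192.0.2.0/24", "documentation"),
    ("198.51.100.0/24", "documentation"),
    ("203.0.113.0/24", "documentation"),
    ("224.0.0.0/4", "multicast"),
    ("fc00::/7", "unique local IPv6"),
    ("fe80::/10", "link-local"),
    ("::1/128", "loopback"),
    ("2001:db8::/32", "documentation"),
    ("ff00::/8", "multicast"),
]
NETS = [(ipaddress.ip_network(cidr), label) for cidr, label in RANGES]


def classify(text):
    """Return (version, scope_label, routable_on_internet) for one address."""
    addr = ipaddress.ip_address(text.strip())  # ValueError on malformed input
    for net, label in NETS:
        if addr.version == net.version and addr in net:
            return addr.version, label, False
    return addr.version, "globally routable", True


def nat_boundary(local, public):
    """Compare the device-side address with the one remote services see."""
    a, b = (ipaddress.ip_address(x.strip()) for x in (local, public))
    _, l_scope, l_routable = classify(local)
    _, p_scope, p_routable = classify(public)
    if not p_routable:
        return f"'{public}' is {p_scope}, not a public address; re-check it"
    if a == b:
        return "no NAT: the interface holds the public address itself"
    if l_scope == "carrier-grade NAT":
        return "CGNAT: provider shares the public IPv4, inbound forwards will fail"
    if not l_routable:
        return f"NAT: {l_scope} inside, allowlist {public} on remote firewalls"
    return "both routable but different: VPN, proxy or gateway in the path"
```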

Practical mistakes this tool helps avoid

  • Pasting a 192.168.x.x address into a remote SaaS firewall and wondering why nothing connects.
  • Forwarding a port to a local host, then watching DHCP hand that host a different address next week and break the rule.
  • Assuming anything that isn't RFC1918 is safe to expose, without ever checking the special-use ranges.
  • Treating public reachability like it tells you something about geolocation or identity. It doesn't.
  • Forgetting that a VPN or a proxy or the office gateway is the actual reason your visible public IP just changed.

Frequently asked questions

Can a website see my local IP?

A plain web request only really hands over the public address that carried the connection. Browsers do not go around offering up a tidy list of your private device addresses to whatever site you visit, so if you want to compare the local one, you have got to paste it in yourself.

Which IP should I use for a firewall allowlist?

Depends which firewall. A remote one almost always wants the public address as seen from that remote service's side. But a rule on a firewall inside your own LAN will usually want a private subnet or a local host address instead. Different vantage points, different answer.

Does a public IP mean the device is exposed?

No, and this trips people up constantly. A globally routable address only tells you the scope, nothing more. What is actually exposed gets decided downstream by your firewalls, the NAT rules, security groups, whether anything is even listening, plus auth. Scope is not exposure.

Which IP ranges are private?

For IPv4 it is 10.0.0.0/8, then 172.16.0.0/12, plus 192.168.0.0/16. IPv6 has its own, fc00::/7. None of them route on the public internet, and that is exactly why the same ones get reused on basically every local network out there.

Why do all my devices share one public IP?

That is NAT doing its thing. Your router maps all those private addresses onto the single public IP, and it keeps track of every outbound connection so the replies find their way back to whichever device asked. One address out front, a whole house behind it.

What is CGNAT and how does it affect me?

Carrier-grade NAT is when your ISP stretches a single public IP across loads of customers at once. The practical sting is that you cannot really host inbound services straight off your line. Usual fix is a relay, or a VPN that gives you a public endpoint of your own to point things at.