Public IP vs Private IP — What's the Difference?

A public IP address is a globally unique, routable address assigned to your internet-facing connection by your Internet Service Provider (ISP). It is the address that external servers on the internet see when you make a connection — whether you are loading a website, sending an email, or streaming video. Every packet leaving your home network carries your public IP as the source address, and every response comes back to that address.

Public IP addresses are allocated by IANA (Internet Assigned Numbers Authority) to Regional Internet Registries (ARIN, RIPE, APNIC, LACNIC, AFRINIC), which in turn allocate blocks to ISPs and large organizations. An ISP might own a block like 198.51.100.0/24 — a /24 contains 256 addresses — and assign individual addresses from that pool to their subscribers.

Most residential ISP customers receive a dynamic public IP, meaning the address changes periodically — sometimes at every reconnection, sometimes after days or weeks. The ISP recycles addresses from a pool using DHCP with lease times. Business customers can pay extra for static public IPs that never change, which is necessary for hosting servers, configuring remote access, or any service that requires a stable, predictable address.

A private IP address is a non-routable address used within a local network (LAN). RFC 1918, published in 1996, reserved three address ranges specifically for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. These ranges are never used on the public internet — any router encountering a packet destined for a private IP address drops it rather than forwarding it, preventing accidental routing of internal traffic.

Your home router assigns private IP addresses to devices on your network using DHCP. The most common default gateway and subnet are 192.168.1.1/24 or 192.168.0.1/24, meaning devices receive addresses like 192.168.1.100, 192.168.1.101, and so on. The router itself has two IP addresses: the private gateway address (e.g., 192.168.1.1) facing your local network, and the public IP assigned by your ISP facing the internet.

Because private address ranges can be reused in any number of separate networks simultaneously, they allow millions of home and business networks to use the same address space without conflict. Your 192.168.1.50 does not conflict with your neighbor's 192.168.1.50 because neither address is routed on the public internet — they exist only within their respective local networks.

Network Address Translation (NAT), standardized in RFC 3022, is the mechanism that allows multiple devices with private IP addresses to share a single public IP address. When a device on your home network (e.g., 192.168.1.50) makes a request to an external server (e.g., a web server at 93.184.216.34), your router rewrites the source IP in the outgoing packet from 192.168.1.50 to your public IP, and records the mapping in a NAT table: {internal_ip:port ↔ public_ip:port}.

When the web server responds, it sends traffic back to your public IP and the corresponding port. Your router looks up the NAT table, finds the matching entry, rewrites the destination to the original private IP and port, and forwards the packet to the correct device on your internal network. This translation is transparent to both the client device and the external server — neither is aware that NAT is occurring.

The most common form of NAT in home routers is NAPT (Network Address Port Translation), also called PAT (Port Address Translation) or masquerade. It uses different source ports to distinguish multiple simultaneous connections from different internal devices all sharing the same public IP. A router can track thousands of concurrent connections this way. Port forwarding is a manual NAT rule that maps an external port to a specific internal device, allowing inbound connections to reach a server behind NAT.

The 10.0.0.0/8 range (also written as 10.x.x.x) is the largest private range, containing over 16 million addresses. It is most commonly used in large enterprise networks, data centers, and cloud virtual networks (AWS VPCs, Azure VNets default to this range). The flexibility of a /8 block allows network architects to divide it into whatever subnet sizes the organization needs.

The 172.16.0.0/12 range spans 172.16.x.x through 172.31.x.x and contains about 1 million addresses. It is less commonly used in home networks and more common in medium-sized enterprise environments. Docker's default bridge network uses 172.17.0.0/16 from this range, which occasionally causes routing conflicts for users on corporate VPNs that also use 172.16.0.0/12.

The 192.168.0.0/16 range is by far the most familiar to home users — virtually every consumer router defaults to either 192.168.1.0/24 or 192.168.0.0/24. It contains 65,536 addresses organized in 256 /24 subnets. Beyond the RFC 1918 ranges, 169.254.0.0/16 (APIPA) is assigned automatically when DHCP fails — addresses in this range indicate a network configuration problem. The 127.0.0.0/8 loopback range is device-internal and never transmitted on any network interface.

A dynamic public IP address changes over time as your ISP reassigns addresses from their pool. Most residential broadband customers have dynamic IPs that change when their router reconnects, when the DHCP lease expires, or when the ISP performs network maintenance. Dynamic IPs are assigned using DHCP at the ISP level — your router sends a DHCP request when it connects to the ISP's network, and the ISP's DHCP server assigns an available address from its pool.

A static public IP address is permanently assigned to a specific customer connection and does not change. Static IPs are essential for hosting services like web servers, mail servers, VPN gateways, game servers, or security cameras accessible from outside your network. Without a static IP, you would need to update DNS records, VPN configurations, and client-side bookmarks every time your IP changes. Static IPs typically cost $5–$15 per month extra from residential ISPs and are standard with business internet plans.

Dynamic DNS (DDNS) is a middle-ground solution for users who cannot get a static IP but need a consistent hostname. DDNS services maintain a DNS record that is updated automatically whenever your dynamic public IP changes — your router runs a DDNS client that notifies the service. Popular DDNS providers include No-IP, DynDNS, and Duck DNS. The DNS record may have a TTL of 60 seconds or less to ensure rapid propagation of IP changes.

Carrier-Grade NAT (CGNAT), defined in RFC 6598, is an additional layer of NAT deployed by ISPs to cope with IPv4 address exhaustion. With CGNAT, multiple customers share a single public IP address at the ISP's network level — even before traffic reaches the customer's own router. The CGNAT address range reserved for this purpose is 100.64.0.0/10 (100.64.0.0 through 100.127.255.255).

For most web browsing, CGNAT is transparent. However, it breaks certain use cases: hosting services behind your router becomes impossible because the port forwarding rules on your home router can only map ports on the ISP's CGNAT gateway, not on your home router. Peer-to-peer applications, VoIP services, online gaming with host-based matchmaking, and remote access setups are all impacted by CGNAT.

To determine whether you are behind CGNAT, compare the WAN IP address shown in your router's admin interface with the public IP shown by ${siteConfig.name}'s What Is My IP tool. If they are different — particularly if your router's WAN IP falls in the 100.64.x.x range — you are behind CGNAT. Contact your ISP to request a dedicated public IP or upgrade to a business plan if you need to host services or use port forwarding.

Your public IP address is the address that external servers see when you access the internet — it is the IP assigned to your router's WAN interface by your ISP. You cannot find your public IP using ipconfig or ifconfig on your computer, because those commands only show your private local network addresses. To see your public IP, visit VSPIC's What Is My IP tool, which displays the exact IP address your request arrived from.

Your public IP may be IPv4 (e.g., 203.0.113.45) or IPv6 (e.g., 2001:db8::1), or both if your ISP provides dual-stack connectivity. The What Is My IP tool shows both versions if available. You can also find your public IP by querying a DNS-based service: nslookup myip.opendns.com resolver1.opendns.com on Windows or macOS returns your public IP through a DNS TXT record mechanism.

Your public IP changes when: your router reconnects to the ISP, your DHCP lease expires and the ISP assigns a different address from its pool, you move to a different network (mobile data vs. home broadband), or you connect through a VPN (which substitutes the VPN server's IP as your apparent public IP). Monitoring your public IP over time is useful for troubleshooting connectivity issues and verifying VPN behavior.

Your private IP address is assigned by your router via DHCP and is visible only within your local network. On Windows, run ipconfig in Command Prompt and look for the IPv4 Address under your active adapter (typically 'Ethernet adapter' or 'Wireless LAN adapter'). On macOS, use System Settings > Network > your connection > Details, or run ipconfig getifaddr en0 in Terminal. On Linux, use ip addr show or hostname -I.

The VSPIC Private IP Finder tool uses browser APIs to detect your local network address (where supported by the browser) and shows it alongside your public IP, making it easy to see both simultaneously. This is particularly useful for understanding your network topology or debugging connectivity issues.

Your private IP is typically in the 192.168.x.x range for home networks, but may be in the 10.x.x.x range if you are on a larger enterprise or office network, or 172.16-31.x.x in some corporate environments. Your router's gateway IP (usually the router itself) is the same as your private IP's network with .1 at the end — 192.168.1.1 if your device is 192.168.1.100. You can access your router's admin interface by navigating to the gateway IP in a web browser.

Your public IP address reveals information about you to every website and server you connect to. IP geolocation databases can map your IP to an approximate geographic location — typically accurate to the city level for broadband connections, and sometimes more precise for mobile IPs. Your IP also reveals your ISP, which can narrow down your location further. Websites use this data for content localization, fraud detection, and advertising targeting.

Law enforcement can subpoena ISP records to associate a public IP address with a specific customer account, which is why dynamic IPs do not meaningfully enhance privacy for serious concerns — ISPs log which customer was assigned which IP at what time, and those records can be obtained with appropriate legal process. VPNs shift this association to the VPN provider, which is why no-log VPN policies matter.

Websites can track you across sessions using your IP address even if you clear cookies. While a dynamic IP changes periodically, the same IP may be used for days or weeks. Combined with browser fingerprinting (screen resolution, timezone, installed fonts, WebGL fingerprint), IP address is one of many signals used to create a persistent tracking profile. Tools like ${siteConfig.name}'s VPN Detection show how effective your current IP masking strategy is against these identification techniques.

If you want to host a web server, game server, or home security camera accessible from outside your local network, you need port forwarding. Because NAT translates your private IP to your public IP for outbound connections, inbound connections have no automatic path to reach your internal server — the router does not know which device should receive unsolicited incoming traffic on port 80 or 443.

Port forwarding creates a static NAT rule: traffic arriving at your public IP on a specific port is forwarded to a specific private IP and port on your local network. For example, a rule forwarding external port 8080 to 192.168.1.100:80 means that anyone connecting to your-public-ip:8080 is transparently redirected to your local web server. Most consumer routers have a port forwarding section in their admin interface.

Use the ${siteConfig.name} Port Checker to verify that a port forwarding rule is working correctly — it tests from an external perspective whether a given port on your public IP is open and accepting connections. Remember that port forwarding requires a stable internal IP for the target device; configure a DHCP reservation (also called a static DHCP lease) in your router so that the device always gets the same private IP address.

IPv6 fundamentally changes the public/private IP dynamic. With 128-bit addresses providing an effectively unlimited address space, IPv6 eliminates the need for NAT. Every device on an IPv6-enabled network receives a globally unique, publicly routable IPv6 address. There is no private IPv6 equivalent to RFC 1918 for the internet — though Unique Local Addresses (fc00::/7) serve an analogous role for internal networks that should not be routed externally.

This means that with native IPv6, every device in your home — your laptop, phone, smart TV, refrigerator — has its own directly routable public IPv6 address. For users accustomed to NAT as an implicit firewall barrier, this sounds alarming, but modern operating systems and routers configure stateful firewalls by default that block unsolicited inbound IPv6 connections. The security posture is equivalent to NAT when firewalls are correctly configured.

The transition to IPv6 makes concepts like port forwarding unnecessary — external clients can connect directly to a device's IPv6 address, subject to firewall rules. It also simplifies services like VoIP, online gaming, and peer-to-peer applications that struggle with NAT traversal. Check your IPv6 connectivity using the ${siteConfig.name} IPv6 Test tool — if you have an IPv6 address, understanding its structure and visibility becomes as important as understanding your public IPv4 address.