Every time you open a page, your device and a server on the other side of the world exchange data that has to know where to go. That only works because every point on the network has an address. Behind that simple idea sit three pieces —the IP address, the subnet and NAT— that almost no one sees but that decide, quite literally, how the internet finds you.
What an IP address is
Let's start with the basics: no address, no delivery. An IP plays the same role for data that a postal address plays for a letter.
An IP address is the unique identifier of a device within a network: it lets data know where to go and where it came from. Without it, a packet has no destination.
IPv4 is 32 bits: four numbers from 0 to 255 separated by dots, like 192.168.1.10. They ran out —the world has more devices than addresses— which is why IPv6 exists, at 128 bits, with vastly more available combinations.
There's a distinction worth fixing right away: not all IPs are equal. A public address is the one the internet sees —unique and routable across the entire global network—. A private address only makes sense inside your own local network and never travels outward. We'll come back to this, because it's where the single most common confusion is born.
Subnets: divide to organize
A large pool of addresses with no division would be chaos: all traffic mixed together, with no borders and no control. The subnet is the tool that brings order.
A subnet groups a range of addresses that share the same network section. The mask —or its short form, CIDR notation like /24— defines how many addresses fit in that range and where the network ends and the host begins.
A /24, for example, reserves the first 24 bits for the network and leaves the rest for devices: around 254 usable addresses in that block.
Why bother segmenting? For three reasons that reinforce each other:
- Organization. Each area, floor or type of equipment lives in its own range, and the topology becomes readable instead of a flat mass of addresses.
- Security. Splitting into subnets lets you set rules between them: which range can talk to which. Isolation is the basis for containing a problem.
- Traffic control. When the network is segmented, local traffic stays in its subnet and doesn't go where it shouldn't, which cuts noise and exposure surface.
Private IPs and NAT
This is where the trick that holds up everyday internet fits in. Because IPv4 ran out,
there are private ranges —10.x,
172.16–31.x and 192.168.x— reserved for internal use and
reused across millions of different networks at once. Your
192.168.1.10 and your neighbor's are the same address on two networks that
never cross.
But if those addresses repeat everywhere, they can't travel across the internet as-is: they wouldn't be unique. That's where NAT comes in.
- Your device has a private IP assigned within your local network (for example,
192.168.1.10). - As it goes out to the internet, the router applies NAT and replaces your private IP with the network's public IP —the only one the internet can see and route—.
- The router remembers that translation so that, when the response arrives, it returns it to the correct device inside your network.
The effect is direct: your entire home or office —dozens of devices— reaches the internet through a single shared public IP. The internet doesn't see your phone, your laptop and your TV separately; it sees one door, your router's, and NAT takes care of sorting out what comes in and goes out on the inside.
The default gateway
One piece is missing to close the circuit: how does a device decide whether the destination is inside its network or outside it? That's where the default gateway steps in.
The default gateway is your network's way out. When a packet's destination is not in your subnet, your device doesn't know how to reach it directly, so it hands it to the gateway —usually the router—, which routes it outward.
The logic is simple: if the destination falls inside your subnet, traffic is delivered directly between neighboring devices. If it falls outside, it's sent to the gateway and it decides the next hop. It's the boundary between "I'll handle this myself" and "this leaves the network".
Common mistakes
"My IP is 192.168.1.5." That's your private IP, the one you have inside your local network. What the internet sees is your router's public IP, shared by every device in your home. Look it up with a simple "what is my IP" and you'll see it looks nothing alike.
- Confusing public with private. It's the root of almost everything else: if you believe your private IP is the one the internet sees, everything you infer afterward will be off.
- Static vs. dynamic IP. The public IP your provider gives you usually changes over time, unless you pay for a static one. Don't assume today's is tomorrow's.
- Believing an IP identifies a person. An IP identifies a network exit, not someone: behind that single public IP there can be dozens of devices and several people thanks to NAT.
The banking angle
In banking, addressing isn't an infrastructure detail: it's a security decision. How IPs are handed out and how subnets are drawn determines which system can even attempt to talk to which.
- Segmentation by subnets to isolate environments. The public DMZ lives in its own subnet; the internal back-office, in another; databases, in their own subnet with no direct exit to the internet. Each zone with its own rules.
- NAT and firewall at the perimeter. What goes out and comes in passes through a controlled point where it's translated, filtered and logged. Nothing crosses the border by accident.
- Controlled addressing. Static IPs for critical services and IP allow-lists between institutions: only expected addresses can connect, and everything else is dropped up front.
In banking, who can talk to whom is decided in the addressing, not afterward. The subnet, the static IP and the allow-list are the first border —the one drawn before the first packet arrives—, and that's why network design weighs as much as the code running on top of it.