You're sitting at your desk. You open your laptop. You type google.com. The page loads. But what the hell actually just happened under the hood?
Let's dissect this entire chain — from ARP to NAT, subnet masks, CGNAT, UPnP, and even tools like Tailscale — to see how the magic unfolds.
🧠 Step 1: You Want to Talk to Google
Your laptop needs to send a request to google.com. But google.com is a domain name, not an IP address.
DNS Resolution
- Your machine uses DNS to resolve google.com to an IP address, e.g. 142.250.192.14 (the real answer varies by region and over time; this one is just the example used throughout)
- The query goes to your configured DNS server (usually your router, which forwards it to your ISP's resolver)
🌐 Step 2: Subnet Mask Decides: "Is This Local or Not?"
Your IP: 192.168.1.100
Your subnet mask: 255.255.255.0 (i.e., /24)
Subnet logic:
- Your PC asks: "Is 142.250.192.14 in my subnet?"
- It ANDs both addresses with the mask: 192.168.1.100 & 255.255.255.0 = 192.168.1.0, while 142.250.192.14 & 255.255.255.0 = 142.250.192.0. The network parts differ, so the destination is definitely not local.
Conclusion: "I need to talk to the gateway (router)", i.e. the next hop of the default route.
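The decision above, written out as an added example (not code from the original post). It performs the same bitwise AND a host's IP stack does and returns the address the host must ARP for; the addresses and gateway are the constructed ones from this walkthrough, and it also shows that changing the mask to /16 is what turns a "remote" 192.168.2.x address into an on-link one.

```python
import ipaddress

# Constructed sample addressing, matching the walkthrough (not a real network).
LOCAL_IP = "192.168.1.100"
MASK = "255.255.255.0"   # /24
GATEWAY = "192.168.1.1"


def to_int(dotted: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted-quad IPv4 string."""
    return str(ipaddress.IPv4Address(value))


def mask_from_prefix(prefix: int) -> str:
    """/24 -> 255.255.255.0: the top `prefix` bits set, the rest clear."""
    return to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def network_part(ip: str, mask: str) -> str:
    """The bitwise AND the stack performs: keep only the network bits."""
    return to_dotted(to_int(ip) & to_int(mask))


def same_subnet(a: str, b: str, mask: str) -> bool:
    """Two addresses are on-link with each other iff their network parts match."""
    return network_part(a, mask) == network_part(b, mask)


def next_hop(dst: str, local_ip: str = LOCAL_IP, mask: str = MASK,
             gateway: str = GATEWAY) -> str:
    """Which address the host must ARP for: the destination itself if it is
    on-link, otherwise the default gateway. The IP header keeps dst either way."""
    return dst if same_subnet(dst, local_ip, mask) else gateway


if __name__ == "__main__":
    for dst in ("192.168.1.50", "142.250.192.14", "192.168.2.7"):
        print(f"{dst:>15} & {MASK} = {network_part(dst, MASK):>15}"
              f"  -> ARP for {next_hop(dst)}")
    # Widen the mask to /16 and 192.168.2.7 becomes on-link: the mask, not the
    # address itself, decides what "local" means.
    print("with /16:", next_hop("192.168.2.7", mask=mask_from_prefix(16)))
```

Note that the result of `next_hop` only changes the destination MAC of the frame; the destination IP stays 142.250.192.14 all the way to Google.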
📦 Step 3: ARP — Finding the Router
Since the router is your next hop, your PC needs its MAC address to build the Ethernet frame. The IP header still carries Google's address as the destination; only the frame is addressed to the router.
ARP Flow:
- Your PC broadcasts (to ff:ff:ff:ff:ff:ff): "Who has 192.168.1.1? Tell 192.168.1.100"
- The router replies with its MAC address
- Your PC stores this in its ARP cache and sends the frame: destination MAC = router, destination IP = 142.250.192.14
ARP has no authentication: any host on the segment can answer "that's me", which is why ARP spoofing on a LAN works.
🔁 Step 4: Router Applies NAT
- Your local IP (192.168.1.100) is in a private range (RFC 1918) and is not routable on the internet
- The router rewrites the source IP to its public IP, and usually the source port too, so many LAN hosts can share one address (this variant is often called NAPT or PAT)
- It keeps a mapping table (per connection: private IP and port, translated port, remote IP and port) so it knows where to deliver responses
This is NAT (Network Address Translation).
🌍 Step 5: You’re Behind CGNAT? Even More Translation
If your ISP is doing CGNAT (Carrier-Grade NAT):
- Your router's WAN address isn't truly public. It is usually from the shared address space 100.64.0.0/10 (RFC 6598), and the actual public IP is shared among many customers
- Your ISP does a second layer of NAT at its edge
- That NAT maps each outbound connection to a public IP and source port and tracks the session
Downside: you can't easily receive unsolicited incoming connections, because neither NAT has a mapping for them. It also means a public IP in a server log may identify many households, not one.
🔌 Step 6: What About UPnP?
UPnP (Universal Plug and Play), specifically its Internet Gateway Device profile, is your router's way of saying:
"Hey, if a local device wants to open a port, I'll allow it, no manual config."
Used by:
- Game consoles
- Torrent clients
- Remote access apps
The catch: the request is unauthenticated, so any device on your LAN, including compromised or malicious software, can punch a hole through the firewall to itself. Very handy, and worth disabling unless you actually need it.
🔐 Step 7: Want to Skip All That? Enter Tailscale
If NAT and CGNAT block inbound connections, Tailscale comes to the rescue:
- Uses WireGuard to create an encrypted mesh VPN between your devices
- Devices authenticate through Tailscale's coordination server, which only exchanges public keys and endpoints; the traffic itself goes directly between peers via NAT traversal (hole punching through both NATs), falling back to an encrypted relay (DERP) when that fails
- Doesn't need port forwarding or public IPs, because every device opens its connections outbound
It bypasses CGNAT like a pro.
💥 Bonus: What Happens on the Way Back?
- Google replies to your router's public IP and the translated source port
- Your router looks that port up in its NAT table and rewrites the destination back to 192.168.1.100 and the original port
- Your PC receives the data and hands it off to the browser
If CGNAT was involved:
- The ISP's edge NAT device first maps the response back to your router's WAN IP and port, then your router does its own lookup
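Steps 4 and 5 and the return path above, as one added example (not code from the original post): a minimal NAPT box, two of them chained to model home router plus CGNAT, with constructed addresses (100.64.7.21 for the router's WAN side, 203.0.113.9 for the ISP's public address, 198.51.100.5 for a stranger). A reply from Google walks the tables back to 192.168.1.100:51234; an unsolicited packet to the same public IP and port has no mapping at the ISP's NAT and is dropped, which is the CGNAT downside in code. Real NATs also rewrite checksums, expire mappings and differ in how they key them; none of that is modelled here.

```python
from dataclasses import dataclass, field
from itertools import count

# Constructed addresses for the walkthrough, not captured traffic.
# 100.64.0.0/10 is the shared address space ISPs commonly hand to customer
# routers under CGNAT; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
LAN_PC = ("192.168.1.100", 51234)        # (ip, port) of the browser's socket
HOME_WAN = "100.64.7.21"                 # home router's WAN side (not truly public)
ISP_PUBLIC = "203.0.113.9"               # the address Google actually sees
GOOGLE = ("142.250.192.14", 443)


@dataclass
class Nat:
    """A minimal NAPT box. Outbound: rewrite (src_ip, src_port) to
    (public_ip, fresh_port) and remember the pair. Inbound: reverse the lookup;
    no entry means the packet was unsolicited and is dropped."""
    public_ip: str
    first_port: int = 40000
    outbound: dict = field(default_factory=dict)   # (inner_src, remote) -> public_port
    inbound: dict = field(default_factory=dict)    # (public_port, remote) -> inner_src

    def __post_init__(self):
        self._ports = count(self.first_port)

    def egress(self, src, dst):
        """Translate an outgoing packet; returns the (src, dst) seen past this NAT."""
        key = (src, dst)
        if key not in self.outbound:          # new session: allocate a port
            port = next(self._ports)
            self.outbound[key] = port
            self.inbound[(port, dst)] = src
        return (self.public_ip, self.outbound[key]), dst

    def ingress(self, remote, dst):
        """Translate an incoming packet addressed to (public_ip, port).
        Returns the inner (ip, port) it maps to, or None to drop it."""
        if dst[0] != self.public_ip:
            return None
        return self.inbound.get((dst[1], remote))


def outbound_path(chain, src, dst):
    """Carry a packet out through each NAT in order; return the source as seen
    at every stage, ending with what the remote peer sees."""
    hops = [src]
    for nat in chain:
        src, dst = nat.egress(src, dst)
        hops.append(src)
    return hops


def inbound_path(chain, remote, dst):
    """Carry a reply back through the NATs in reverse order; None if any
    stage has no mapping for it."""
    for nat in reversed(chain):
        dst = nat.ingress(remote, dst)
        if dst is None:
            return None
    return dst


def demo():
    home, isp = Nat(HOME_WAN), Nat(ISP_PUBLIC)
    chain = [home, isp]                       # packet order: PC -> home -> ISP -> internet
    hops = outbound_path(chain, LAN_PC, GOOGLE)
    public_view = hops[-1]                    # Google's view of "you"
    reply = inbound_path(chain, GOOGLE, public_view)
    # A stranger who learned your public IP:port sends an unsolicited packet to it.
    stray = inbound_path(chain, ("198.51.100.5", 4000), public_view)
    return {"hops": hops, "public_view": public_view, "reply": reply, "stray": stray}


if __name__ == "__main__":
    r = demo()
    print("outbound:", " -> ".join(f"{ip}:{port}" for ip, port in r["hops"]))
    print("reply lands at:", r["reply"])
    print("unsolicited packet:", "dropped" if r["stray"] is None else r["stray"])
```

The mapping is keyed on the remote address too, so even a packet from a different peer to the right public port is dropped; that strictness is what NAT traversal tools have to work around.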
🧠 Summary of Protocols Involved
- Layer 1-2: Ethernet + ARP (local LAN delivery, MAC resolution)
- Layer 3: IP, ICMP, subnet mask (local vs routed decision, forwarding)
- Layer 4: TCP/UDP, plus NAT/CGNAT, which rewrite both IP addresses and ports (transport, translation, session tracking)
- App layer: DNS, HTTPS (name resolution, data fetching)
- Sidecars: UPnP, Tailscale (port mapping, NAT traversal)
🔁 Recap Flow (E2E)
- You type google.com
- DNS resolves to 142.250.192.14
- Subnet mask says: not local → use gateway
- ARP resolves MAC of router
- Ethernet frame sent to router
- Router NATs and sends to ISP
- ISP (maybe via CGNAT) sends to Google
- Response returns the same path in reverse
- NAT mapping used to get data back to you
If UPnP is in play, the router holds an extra inbound port mapping; if Tailscale is, the traffic rides an encrypted WireGuard tunnel instead of relying on NAT mappings at all
💡 Final Thoughts
It’s not magic. It’s just well-stacked abstractions:
- Subnet mask decides local vs routed
- ARP gets you to the next-hop MAC
- NAT lets you play on the internet without a real public IP
- CGNAT makes it worse
- UPnP tries to help
- Tailscale just ignores all of it and tunnels like a boss
Now when you hit Google, you’ll hear the subnet mask whisper, see the ARP shout, and nod at the NAT table juggling packets like a magician.
Welcome to the inner circle.