220-1101 | Chapter 44 of 123 | Objective 2.1

Private vs Public IP Addresses

This chapter covers the critical distinction between private and public IP addresses, a fundamental networking concept tested on the CompTIA A+ 220-1101 exam. Understanding these address types is essential for grasping how devices communicate within local networks versus across the internet. Expect 2-3 exam questions directly related to private vs public IP addressing, often combined with NAT or routing concepts.

Updated May 31, 2026

Company Switchboard vs Direct Lines

Think of a large company with one public phone number (the public IP address) and 200 employees, each with an internal extension (private IP address). When an employee calls out, the switchboard operator (NAT) records the employee's extension and the external number being called, then replaces the employee's extension with the company's public number. When the external party returns the call, the operator checks the log and routes the call to the correct extension. From outside, callers can only dial the company's public number; they cannot directly reach an employee's extension. If the operator misplaces the log, the return call fails. Similarly, if the NAT table is full or misconfigured, return traffic cannot be delivered. This is exactly how NAT works: internal hosts use private IPs, but all outbound traffic appears to come from the public IP, and the NAT router maintains a translation table to forward return packets to the correct internal host.

How It Actually Works

What Are Private and Public IP Addresses?

IP addresses are unique identifiers for devices on an IP network. Public IP addresses are globally unique and routable across the internet. Private IP addresses are reserved for use within private networks and are not routable on the public internet. The Internet Assigned Numbers Authority (IANA) reserved three blocks of IPv4 address space for private networks in RFC 1918:

10.0.0.0/8 (10.0.0.0 – 10.255.255.255)

172.16.0.0/12 (172.16.0.0 – 172.31.255.255)

192.168.0.0/16 (192.168.0.0 – 192.168.255.255)

These addresses can be used by anyone within their own network without coordination with IANA or ISPs. Because they are not globally unique, packets with private source or destination addresses are typically dropped by internet routers.

Why Private Addresses Exist

The explosive growth of the internet led to IPv4 address exhaustion. Private addressing, combined with Network Address Translation (NAT), allows many devices to share a single public IP address. This conserves public IP addresses and provides a basic layer of security by hiding internal network structure from the internet.

How Private and Public Addresses Work Together

When a device with a private IP wants to communicate with the internet, the router performs NAT. The router replaces the private source IP with its own public IP and records the mapping in a NAT table. Return packets are translated back to the private IP. Without NAT, private addresses cannot communicate directly with public addresses.

Key Characteristics

Private IPs: Not unique; can be reused across different private networks. Used for internal communication (LAN). Not assigned by an ISP. Typically assigned via DHCP from a local router.

Public IPs: Globally unique. Assigned by an ISP or RIR. Routable on the internet. Can be static or dynamic.

Special Address Ranges

In addition to RFC 1918, other special ranges include:

127.0.0.0/8: Loopback addresses (127.0.0.1 is localhost).

169.254.0.0/16: Link-local addresses (APIPA) used when DHCP fails.

224.0.0.0/4: Multicast addresses.

240.0.0.0/4: Reserved for future use (experimental).

Default Gateways and Subnet Masks

Devices with private IPs must have a default gateway (usually the router's private IP) to reach the internet. Common private subnet masks:

10.0.0.0/8: subnet mask 255.0.0.0

172.16.0.0/12: subnet mask 255.240.0.0

192.168.0.0/16: subnet mask 255.255.0.0

In home networks, the typical subnet is 192.168.1.0/24 (subnet mask 255.255.255.0).
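The range and mask checks from the sections above, as an added Python example that is not part of the original chapter. The function names are illustrative, the sample addresses are constructed, and the 100.64.0.0/10 entry is the RFC 6598 block the chapter mentions later under carrier-grade NAT.

```python
import ipaddress

# Ranges named on this page, checked in order. Anything that matches none of
# them falls through to "public", which here means only "not in a listed range".
RANGES = [
    ("private (RFC 1918)", "10.0.0.0/8"),
    ("private (RFC 1918)", "172.16.0.0/12"),
    ("private (RFC 1918)", "192.168.0.0/16"),
    ("loopback", "127.0.0.0/8"),
    ("link-local (APIPA)", "169.254.0.0/16"),
    ("shared CGNAT (RFC 6598)", "100.64.0.0/10"),
    ("multicast", "224.0.0.0/4"),
    ("reserved", "240.0.0.0/4"),
]
NETWORKS = [(label, ipaddress.ip_network(cidr)) for label, cidr in RANGES]


def classify(addr: str) -> str:
    """Return the page's category for an IPv4 address string."""
    ip = ipaddress.IPv4Address(addr)  # raises ValueError on malformed input
    for label, net in NETWORKS:
        if ip in net:
            return label
    return "public"


def is_rfc1918(addr: str) -> bool:
    return classify(addr) == "private (RFC 1918)"


def describe(cidr: str) -> tuple:
    """First address, last address and dotted subnet mask of a CIDR block."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.broadcast_address), str(net.netmask)


def stdlib_overcounts(addr: str) -> bool:
    """True when ipaddress.is_private says yes but the address is not RFC 1918.

    Python's is_private covers loopback, link-local and other special blocks
    too, so it cannot stand in for an RFC 1918 test.
    """
    return ipaddress.IPv4Address(addr).is_private and not is_rfc1918(addr)


if __name__ == "__main__":
    # Constructed sample addresses, chosen to hit the boundaries the page stresses.
    for sample in ["10.0.0.1", "172.31.255.255", "172.32.0.1", "169.254.1.1",
                   "127.0.0.1", "100.64.0.1", "8.8.8.8"]:
        print(f"{sample:<16} {classify(sample)}")
    print(describe("172.16.0.0/12"))
```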

Verification Commands

On Windows:

ipconfig /all

Look for "IPv4 Address" and "Subnet Mask". If the IP is in the ranges above, it's private.

On Linux/macOS:

ifconfig

or

ip addr show

To see the public IP assigned by your ISP, visit a website like whatismyip.com or use:

curl ifconfig.me

NAT and PAT

Network Address Translation (NAT) translates private IPs to public IPs. Port Address Translation (PAT) is a form of NAT that maps multiple private IPs to a single public IP using different source ports. The NAT table contains entries like:

| Private IP:Port | Public IP:Port |
|-----------------|----------------|
| 192.168.1.10:12345 | 203.0.113.5:54321 |

Interaction with DHCP

DHCP servers typically assign private IP addresses from a defined pool. The router's DHCP server hands out addresses like 192.168.1.100-200. The router itself has a private IP on the LAN side and a public IP on the WAN side.

IPv6 Considerations

IPv6 has a different model. Unique Local Addresses (ULA, fc00::/7) are analogous to private IPv4 addresses but are rarely used. Most IPv6 devices get a global unicast address (2000::/3) that is public, and NAT is not typically used. The exam focuses on IPv4 private addressing.

Exam-Relevant Details

Memorize the three RFC 1918 ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.

Remember that 172.16.0.0/12 includes 172.16.0.0 through 172.31.255.255. The exam often tests the boundary at 172.31.255.255.

Private addresses are not routable on the internet; packets with private source IPs are dropped by ISPs.

NAT is required for private IPs to access the internet.

Link-local addresses (169.254.x.x) are not private in the RFC 1918 sense; they are used for automatic configuration when DHCP fails.

Common Misconfigurations

Assigning a public IP manually to a device without coordinating with the ISP can cause network conflicts if the IP is already in use elsewhere.

Using a private IP as a default gateway on the WAN interface will prevent internet access.

Overlapping private subnets in VPNs cause routing issues.

Summary

Private IPs are for internal use, public IPs are for internet communication. NAT bridges the two. Memorize the RFC 1918 ranges and understand that private IPs cannot be routed on the internet without NAT.

Walk-Through

1. Device requests IP via DHCP

When a device connects to a network, it sends a DHCP Discover broadcast. The DHCP server responds with an Offer containing an IP address, subnet mask, default gateway, and DNS servers. In most home networks, the offered IP is from the private range, such as 192.168.1.10. The device sends a Request and the server acknowledges with an Ack, completing the lease. The DHCP server is typically the router, which also holds the public IP on its WAN interface.

2. Device initiates outbound communication

The device wants to access a web server at 8.8.8.8. It checks its routing table: the destination is not on the local subnet (e.g., 192.168.1.0/24), so it sends the packet to the default gateway (the router's private IP, e.g., 192.168.1.1). The source IP is the device's private IP, source port is a random high port (e.g., 12345), destination IP is 8.8.8.8, destination port 80.

3. Router performs NAT translation

The router receives the packet on its LAN interface. It checks its NAT configuration: outbound traffic must be translated. It creates a NAT table entry mapping the internal (private IP:port) to an external (public IP:port). The router replaces the source IP with its own public IP (e.g., 203.0.113.5) and changes the source port to a unique port (e.g., 54321). The packet is then forwarded out the WAN interface toward 8.8.8.8.

4. Response packet arrives at router

The web server sends a response packet with destination IP 203.0.113.5 and destination port 54321. The router receives this on its WAN interface. It looks up the destination port in the NAT table and finds the corresponding private IP and port (192.168.1.10:12345). It then rewrites the destination IP and port to the private values and forwards the packet to the internal device on the LAN.

5. Device receives response, communication complete

The internal device receives the packet as if it came directly from the web server. It processes the response and can continue communication. The NAT entry remains active as long as traffic flows; after a timeout (typically 60-300 seconds of inactivity), the entry is removed. If the device sends another packet, a new entry is created, possibly with a different public port.
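Steps 3 to 5 of the walk-through as an added Python sketch of a PAT table (not part of the original chapter and not any router's actual code). The class name, the starting public port, the capacity of 2 and the 300-second idle timeout are assumptions chosen to reproduce the chapter's sample values and to show the two failure cases it describes: no matching entry, and a full table.

```python
class PatTable:
    """Toy PAT table: many private (ip, port) pairs share one public IP."""

    def __init__(self, public_ip, first_port=54321, capacity=4096, idle_timeout=300):
        self.public_ip = public_ip
        self.first_port = first_port      # assumed start of the public port pool
        self.capacity = capacity          # assumed maximum number of entries
        self.idle_timeout = idle_timeout  # seconds of inactivity before removal
        self.by_private = {}  # (private_ip, private_port) -> public_port
        self.by_public = {}   # public_port -> [(private_ip, private_port), last_seen]

    def expire(self, now):
        """Drop entries that have been idle longer than the timeout."""
        for port, (inside, seen) in list(self.by_public.items()):
            if now - seen > self.idle_timeout:
                del self.by_public[port]
                del self.by_private[inside]

    def outbound(self, private_ip, private_port, now):
        """Step 3: rewrite the source; returns (public_ip, public_port) or None."""
        self.expire(now)
        inside = (private_ip, private_port)
        port = self.by_private.get(inside)
        if port is None:
            if len(self.by_public) >= self.capacity:
                return None  # table full: the new connection fails
            free = (p for p in range(self.first_port, 65536) if p not in self.by_public)
            port = next(free, None)
            if port is None:
                return None  # public port pool exhausted
            self.by_private[inside] = port
        self.by_public[port] = [inside, now]
        return (self.public_ip, port)

    def inbound(self, public_port, now):
        """Step 4: look up the destination port; None means the packet is dropped."""
        self.expire(now)
        entry = self.by_public.get(public_port)
        if entry is None:
            return None
        entry[1] = now  # traffic keeps the entry alive
        return entry[0]


def walk_through():
    """Replays the chapter's sample flow with constructed timestamps (seconds)."""
    nat = PatTable("203.0.113.5", capacity=2)
    sent = nat.outbound("192.168.1.10", 12345, now=0)   # leaves as 203.0.113.5:54321
    reply = nat.inbound(54321, now=1)                   # mapped back to the host
    unsolicited = nat.inbound(40000, now=1)             # no entry, dropped
    nat.outbound("192.168.1.11", 12345, now=2)          # second entry fills the table
    full = nat.outbound("192.168.1.12", 12345, now=3)   # rejected, table full
    late = nat.inbound(54321, now=1000)                 # entry timed out, dropped
    return sent, reply, unsolicited, full, late
```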

What This Looks Like on the Job

Enterprise Scenario 1: Office Network with NAT

A company with 500 employees uses private IPs in the 10.0.0.0/8 range. The network is segmented into VLANs: 10.0.1.0/24 for IT, 10.0.2.0/24 for HR, etc. Each VLAN routes through a core switch to a firewall that performs NAT. The firewall has a single public IP from the ISP. All outbound internet traffic appears to come from that public IP. Problem solved: the company needs only one public IP for 500 users. Misconfiguration: If the firewall's NAT table fills up (default limit often 4096 or 65536), new connections fail. Engineers monitor NAT table usage and may implement multiple public IPs or increase table size.

Enterprise Scenario 2: Cloud Migration with Overlapping Subnets

A company acquires another company and needs to connect their networks via VPN. Both companies use 192.168.1.0/24 internally. This overlap prevents routing because the same IP appears in both networks. Solution: Use NAT on the VPN gateway to translate one side's private IPs to a different range (e.g., 10.0.0.0/24). This is called NAT traversal or overlapping subnet NAT. Misconfiguration: If NAT is not applied correctly, traffic destined for 192.168.1.10 might go to the wrong host. Engineers must carefully plan IP addressing to avoid overlaps or deploy NAT with proper rules.

Performance Considerations

NAT adds latency because the router must process each packet's header and maintain a translation table. High-performance firewalls use hardware acceleration for NAT. In large enterprises, multiple public IPs are used (NAT pool) to spread the load and avoid port exhaustion. Carrier-grade NAT (CGNAT) is used by ISPs to share one public IP among many customers, using RFC 6598 addresses (100.64.0.0/10).

How 220-1101 Actually Tests This

What the 220-1101 Exam Tests

Objective 2.1 requires you to "Compare and contrast TCP and UDP ports, protocols, and their purposes" but also includes understanding of IP addressing concepts. Specifically, you must know private vs public IP addresses, the RFC 1918 ranges, and when to use each. Expect questions that ask you to identify which IP is private, or which scenario requires NAT.

Common Wrong Answers

1. Choosing 169.254.x.x as a private IP: Candidates often confuse APIPA (link-local) with RFC 1918 private addresses. APIPA addresses are not private in the sense of being routable within a private network; they are only used for automatic configuration when DHCP fails. The exam will test this distinction.

2. Thinking all 172.x.x.x addresses are private: The private range is 172.16.0.0/12, which includes 172.16.0.0 through 172.31.255.255. Addresses like 172.32.0.1 are public. Many candidates memorize only the first octet and get this wrong.

3. Believing private IPs are unique on the internet: Some think private IPs are assigned by ISPs. In reality, they are not globally unique and cannot be routed on the internet.

4. Confusing public IP with static IP: A public IP can be dynamic (DHCP from ISP) or static. The exam may test that public IPs are routable, not necessarily static.

Exam-Relevant Numbers

RFC 1918 ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.

APIPA range: 169.254.0.0/16.

Loopback: 127.0.0.0/8.

Subnet masks: 255.0.0.0, 255.240.0.0, 255.255.0.0.

Edge Cases

A device with a public IP assigned manually but not registered with the ISP will not be reachable from the internet.

Using private IPs on a public-facing server requires NAT or a public IP assigned to that server.

IPv6 does not use private addresses in the same way; the exam focuses on IPv4.

How to Eliminate Wrong Answers

If a question asks which IP is private, immediately check if the IP falls into one of the three RFC 1918 ranges. If it's 169.254.x.x, it's link-local, not private. If it's 172.32.x.x, it's public. If the question involves internet access from a private IP, the answer must involve NAT.

Key Takeaways

Memorize the three RFC 1918 private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.

Private IPs are not routable on the public internet; NAT is required for internet access.

APIPA addresses (169.254.x.x) are not private; they are link-local and used when DHCP fails.

The loopback address 127.0.0.1 is not a private address; it's used for local testing.

172.16.0.0/12 includes 172.16.0.0 through 172.31.255.255; addresses above 172.31 are public.

Public IPs can be static or dynamic; both are routable on the internet.

NAT translates private source IPs to a public IP, enabling multiple devices to share one public IP.

IPv6 uses global unicast addresses; private addressing is handled differently with ULA (fc00::/7).

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Private IP Address

Not globally unique; reused across networks.

Not routable on the internet without NAT.

Assigned by local DHCP or manually.

Free to use without coordination.

Examples: 10.0.0.1, 172.16.0.1, 192.168.1.1

Public IP Address

Globally unique; no two devices share the same public IP.

Routable on the internet.

Assigned by ISP or RIR.

May incur cost or require registration.

Examples: 8.8.8.8, 203.0.113.5

Watch Out for These

Mistake

192.168.x.x is the only private range.

Correct

There are three RFC 1918 ranges: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. 192.168.x.x is just one of them.

Mistake

All 172.x.x.x addresses are private.

Correct

Only 172.16.0.0 through 172.31.255.255 are private. Addresses like 172.32.0.1 are public.

Mistake

Private IP addresses are unique across the internet.

Correct

Private IPs are not globally unique; they can be reused in different private networks. They are not routable on the internet.

Mistake

169.254.x.x is a private IP range.

Correct

169.254.0.0/16 is the link-local (APIPA) range, not RFC 1918 private. It is used for automatic configuration when DHCP fails.

Mistake

A device with a private IP cannot communicate with any internet host.

Correct

It can, if a router performs NAT. The private IP is translated to a public IP for outbound traffic.


Frequently Asked Questions

What are the private IP address ranges for IPv4?

The private IPv4 ranges are defined in RFC 1918: 10.0.0.0/8 (10.0.0.0 – 10.255.255.255), 172.16.0.0/12 (172.16.0.0 – 172.31.255.255), and 192.168.0.0/16 (192.168.0.0 – 192.168.255.255). These addresses are for internal use only and are not routable on the internet. On the CompTIA A+ exam, you must be able to identify which IP addresses fall into these ranges.

Can a device with a private IP access the internet?

Yes, but only if a router or firewall performs Network Address Translation (NAT). The router replaces the private source IP with its own public IP. Without NAT, packets with private source IPs are dropped by internet routers. The exam often tests this concept: private IPs require NAT for internet access.

What is the difference between a private IP and a public IP?

A private IP is used within a local network and is not globally unique. A public IP is globally unique and routable on the internet. Private IPs are free to use, while public IPs are assigned by ISPs. The exam expects you to know the RFC 1918 ranges and that private IPs cannot be used on the internet without NAT.

Is 169.254.1.1 a private IP?

No. 169.254.0.0/16 is the link-local range used for Automatic Private IP Addressing (APIPA) when DHCP fails. It is not part of RFC 1918 private ranges. The exam may ask you to distinguish between APIPA and private IPs.

What is the subnet mask for the private range 172.16.0.0/12?

The subnet mask is 255.240.0.0. The /12 prefix means the first 12 bits are network bits. This range includes addresses from 172.16.0.0 to 172.31.255.255. The exam may test your ability to identify the subnet mask or the valid address range.

Why are private IP addresses used?

Private IP addresses conserve the limited supply of public IPv4 addresses. They allow organizations to use any addressing scheme internally without coordination. Combined with NAT, many devices can share a single public IP. They also provide a layer of security by hiding internal network structure.

What is the loopback address and is it private?

The loopback address is 127.0.0.1 (127.0.0.0/8). It is not a private address; it is used for testing network software on the local machine. Packets sent to 127.0.0.1 never leave the device. The exam may include it as a distractor in private IP questions.
