Ports are the transport layer’s "multiplexer," and NAT turned it into the internet’s biggest hack. The essence of NAT traversal tools like STUN/TURN/ICE is: establishing a predictable path between the external mapping and the internal address.
Overview
NAT traversal is the biggest compromise in the current internet architecture — IPv4 address exhaustion forces billions of devices to share public IPs, making "direct connections" the exception. Behind NAT, two devices cannot communicate directly (unless via relay or hole punching). STUN helps devices discover their public mapping, TURN provides relaying when traversal fails, and ICE automatically selects the optimal path (direct > hole punching > relay). Tailscale encapsulates these technologies into a user-transparent mesh VPN.
Ephemeral Ports
The port automatically selected by the client in TCP/UDP connections, with a range managed by the kernel:
Exhaustion risk: High-concurrency short-lived connections (each connection consumes one ephemeral port + 60s during TIME_WAIT) → ports run out → connect() returns EADDRNOTAVAIL
NAT filtering behavior (firewall side): Similar to mapping; Endpoint-Independent → most permissive; Address+Port-Dependent → most strict.
If the NAT is Endpoint-Independent Mapping + Address-Dependent Filtering (most common home router), then STUN is effective. If Symmetric (most mobile networks), TURN or port prediction is required.
STUN (RFC 8489)
TURN (RFC 8656)
STUN is ineffective for Symmetric NAT — external ports are unpredictable. TURN acts as a relay:
ICE (RFC 8445): Candidate Gathering and Connectivity Checks