If you’ve ever wondered why ipconfig on your laptop says 192.168.1.10 but a website says your IP is 203.0.113.45, you’ve encountered the distinction between private and public IP addresses. They’re both real addresses, both assigned to your machine — but they serve completely different purposes and exist at different layers of the network.
This post explains the difference in depth, why this design exists, what it means in practice, and the common confusions that come up.
The Quick Version
A public IP address is unique on the global internet. Each public IP belongs to exactly one network at a time. Routers around the world know how to deliver traffic to it via BGP.
A private IP address is meaningful only inside a specific network. The same private IP — say, 192.168.1.10 — exists on millions of home networks worldwide, all referring to different machines. Routers on the public internet never see private IPs and don’t route to them.
Your laptop at home has both:
- A private IP assigned by your router (something like 192.168.1.10), used for local communication within your home.
- A public IP assigned by your ISP to your router (something like 203.0.113.45), used for communication with the outside world. All your devices share this one public IP via NAT.
That’s the architecture. The rest is the details.
The Reserved Private Ranges
IPv4 has three ranges officially set aside for private use:
| Range | CIDR | Capacity |
|---|---|---|
| 10.0.0.0 – 10.255.255.255 | 10.0.0.0/8 | 16.7 million addresses |
| 172.16.0.0 – 172.31.255.255 | 172.16.0.0/12 | 1 million addresses |
| 192.168.0.0 – 192.168.255.255 | 192.168.0.0/16 | 65,536 addresses |
Plus a few special-purpose ranges:
| Range | Purpose |
|---|---|
| 127.0.0.0/8 | Loopback (your own machine — localhost) |
| 169.254.0.0/16 | Link-local (auto-assigned when no DHCP available) |
| 100.64.0.0/10 | CGNAT (shared address space) |
These ranges will never appear as a public IP on the global internet. If you see one in your logs as a “client IP,” something is misconfigured (or your application is correctly logging internal traffic).
For more on how these get carved into subnets, see Subnet Mask and CIDR.
Why Two Addresses?
The “why two addresses” question goes back to the IPv4 exhaustion problem. 4.3 billion total IPv4 addresses, ~5 billion humans, dozens of devices each — the math never worked.
The solution was to declare some address ranges “internal use only” and let many networks reuse them simultaneously. Each home network can use 192.168.1.0/24 (or any other private range). NAT translates between the private IPs inside the network and the single public IP assigned to the network as a whole.
This was originally a workaround. In 2026 it’s the default architecture for most of the internet.
IPv6 was designed to make this unnecessary — there are enough IPv6 addresses for every device to have a globally unique one, no NAT required. But IPv4 networks aren’t going away tomorrow, so the public-vs-private distinction stays relevant.
How Your Device Gets Each Address
Private IP (from your local network)
When your laptop joins a network (home Wi-Fi, office Ethernet, café Wi-Fi), it asks for an address via DHCP:
- Laptop broadcasts: “Anyone have an address for me?”
- The local DHCP server (usually your router) responds: “Use 192.168.1.10. Your gateway is 192.168.1.1. Your DNS server is 192.168.1.1. Lease is for 24 hours.”
- Laptop configures itself accordingly.
The private IP is valid only within this network. Walk into a different network, you’ll get a different private IP from a different DHCP server.
Public IP (from your ISP)
When your router boots up, it also requests an address via DHCP — but from your ISP rather than from itself.
- Router contacts the ISP’s DHCP server (over your DSL/cable/fiber line).
- ISP responds with a public IP (or a CGNAT IP if the ISP uses CGNAT).
- Router uses this address for all traffic to/from the public internet.
You can check your current public IP anytime — it’s whatever the world sees when your traffic exits your network.
What You Can Do With Each
With your private IP
- Communicate with other devices on the same local network (printer, smart TV, NAS).
- Access services running on those devices (http://192.168.1.10:8080 from another machine on the same network).
- Set up local development environments (http://localhost:3000, where localhost = 127.0.0.1).
With your public IP
- Be reached from anywhere on the internet (with caveats — see below).
- Show up in server logs and analytics.
- Be subject to geolocation — your public IP is what determines your apparent country.
- Be the address mail servers see when you send email, etc.
What you can’t do (without help)
- Reach a private IP from the public internet directly. No router on the public internet knows how to deliver traffic to 192.168.1.10 — there are too many of them.
- Be reached at your private IP from outside your network. Same reason.
When Public vs Private Matters
A few practical contexts:
Self-hosting a service
You want to run a web server on your laptop at home. People on your home network can reach it via your laptop’s private IP (http://192.168.1.10:3000). For anyone outside your home to reach it, you need to:
- Configure your router to port-forward incoming traffic on some external port to your laptop’s private IP.
- Use your public IP from the outside (http://203.0.113.45:3000).
This works if your ISP gives you a real public IP. If you’re behind CGNAT, port forwarding doesn’t help — the CGNAT box is between you and the world. Alternatives: tunneling services like Cloudflare Tunnel, or just use a cheap VPS.
Remote desktop / SSH
Inside your home network: ssh user@192.168.1.10 works. From outside: you need either port forwarding to your public IP, a VPN into your home network, or a meshed networking tool (Tailscale, ZeroTier) that bridges the public/private gap.
Application logs
Your application logs the client IP for each request. If your app is on a public server, the IP is the user’s public IP (their home or work IP, possibly behind NAT). If your app is behind a load balancer or proxy, you’ll see the proxy’s IP unless you correctly parse the X-Forwarded-For header — which contains the original client IP (still their public IP, since the proxy is on the public internet).
You should virtually never see private IPs in your access logs from real users. If you do, it’s typically:
- A bug in your reverse proxy’s header handling.
- Your own internal traffic (health checks, internal services calling each other).
- A misconfigured client (rare in practice).
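Added example (not from the original post): one way to parse X-Forwarded-For so that the logged client IP comes only from hops your own proxies appended, then label the result with the reserved ranges listed earlier. The proxy tier on 10.0.0.0/8, the function names and the sample requests are assumptions constructed for illustration.

```python
import ipaddress

# Reserved IPv4 ranges from the tables earlier on this page.
RESERVED = [(ipaddress.ip_network(n), label) for n, label in [
    ("10.0.0.0/8", "private"), ("172.16.0.0/12", "private"),
    ("192.168.0.0/16", "private"), ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "link-local"), ("100.64.0.0/10", "cgnat")]]

def classify(ip):
    """Label an address with the page's categories (IPv4), else 'public'."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:  # outside the page's tables; defer to the stdlib
        return "public" if addr.is_global else "reserved-v6"
    return next((lbl for net, lbl in RESERVED if addr in net), "public")

def client_ip(peer, xff, trusted_proxies):
    """Resolve the client from the TCP peer and X-Forwarded-For.

    Each proxy appends the address it saw, so only the right-hand end of the
    header was written by our own proxies. Walk right to left and stop at the
    first hop that is not one of them; anything further left is client-supplied.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    def is_trusted(ip):
        return any(ipaddress.ip_address(ip) in n for n in trusted)
    if not is_trusted(peer):
        return peer  # direct connection: ignore the header entirely
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            if not is_trusted(hop):
                return hop
        except ValueError:
            return peer  # malformed entry: fall back to what TCP saw
    return peer  # header empty or only our own proxies

# Constructed sample: (TCP peer, X-Forwarded-For value), proxy tier on 10.0.0.0/8.
SAMPLE = [
    ("10.0.0.5", "203.0.113.45"),                # ordinary proxied request
    ("10.0.0.5", "192.168.1.10, 203.0.113.45"),  # left entry came from the client
    ("10.0.0.5", ""),                            # health check from the proxy itself
    ("10.0.0.5", "172.16.4.2"),                  # internal service calling through the proxy
    ("198.51.100.7", "10.0.0.1"),                # direct hit, header not believed
]

def audit(requests, trusted_proxies=("10.0.0.0/8",)):
    """Return (client, label) per request; a non-'public' label needs a look."""
    return [(ip, classify(ip)) for ip in
            (client_ip(p, x, trusted_proxies) for p, x in requests)]
```

Calling audit(SAMPLE) yields one (client, label) pair per request; any row whose label is not public falls into one of the three cases listed above.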
Firewall rules
Allowing access by IP works for both public and private:
- “Allow office network: 203.0.113.0/24” (public range — works for traffic from anywhere matching that range).
- “Allow internal: 10.0.0.0/8” (private range — works for traffic from your internal network, which is on that range).
You won’t see traffic from 10.0.0.0/8 arriving from the public internet (it’d be filtered or rejected), so a private-range allowlist effectively scopes the rule to internal traffic only.
Geolocation
Public IPs can be geolocated. Private IPs cannot — they’re not associated with any particular location because they exist on millions of networks worldwide.
If your code is doing IP-based geo and the IP is in a private range, your geo data should treat it as “unknown location” — not “country = US” by some weird fallback.
How to Find Each Address
Your private IP
- macOS: ifconfig en0 inet (or System Preferences → Network)
- Linux: ip addr show (or hostname -I)
- Windows: ipconfig (look for “IPv4 Address”)
- Mobile: Settings → Wi-Fi → tap your network → look for IP Address
Your public IP
- In a browser: Visit what-is-my-ip.
- Command line: curl ifconfig.me or curl -s ipinfo.io/ip
- From a remote server: Look at the client IP in its access logs when you connect.
The two IPs will be different. If they’re the same, you’re directly connected to the public internet without NAT — uncommon outside of cloud servers and a few specific ISP setups.
Common Confusions
“My VPN gives me a private IP”
The IP your VPN client gets internally is private (within the VPN’s internal network — often something like 10.8.0.5). But your traffic exits the VPN’s gateway with the VPN’s public IP. From a service’s perspective, you appear to come from the VPN’s exit IP. See VPN detection for what services do with this.
“I have a public IP but I can’t be reached”
Even with a public IP, inbound connections to your machine require:
- Your router/firewall to forward the relevant port.
- No upstream filtering by your ISP (some block inbound ports 25, 80, 443 on residential).
- No software firewall blocking the port on your machine.
A public IP is necessary but not sufficient for inbound connectivity.
“My private IP changed”
DHCP leases expire. Devices that reconnect can get a different address. If your code relies on a device having a specific private IP (e.g., a NAS), give it a DHCP reservation or a static IP.
“Is my IP 127.0.0.1?”
127.0.0.1 is the loopback address — it always refers to your own machine, regardless of any other addresses you have. Useful for testing locally; not a real network address in any meaningful sense.
“Why am I being told my IP is 100.64.x.x?”
That’s the CGNAT range. It’s the address your ISP assigned to your modem, but it’s not a real public IP — you’re sharing a smaller pool of true public IPs with thousands of other customers. Most consumer ISPs don’t tell you this is happening; you discover it when you try to host something and port forwarding doesn’t work.
What About IPv6?
IPv6 eliminates the need for private addresses in most cases. Every device can have a globally routable address — there are enough to go around. Some implications:
- No NAT. Devices on an IPv6 network have their actual address visible to the world.
- Easier inbound connectivity. No port forwarding gymnastics — if the firewall allows, you’re reachable.
- More privacy-sensitive. Your IPv6 prefix tells anyone watching which ISP you use; the lower bits often correlate to a specific device. Modern OSes randomize the lower bits to mitigate this (RFC 7217 / 4941 privacy extensions).
- Different security model. With no NAT-as-firewall side effect, every device on the network needs its own firewall posture.
There are IPv6 equivalents to private addresses (fc00::/7 for Unique Local Addresses, fe80::/10 for link-local) but they’re less commonly used because IPv6 doesn’t have the address scarcity problem that drove private IPv4.
TL;DR
- Public IP: unique globally, used to communicate over the internet.
- Private IP: meaningful only within a specific network; the same private IP exists on millions of networks simultaneously.
- Most home/office devices have both — private for the local network, public for the world (shared via NAT).
- Reserved private ranges: 10/8, 172.16/12, 192.168/16, plus loopback and CGNAT special ranges.
- You can’t be reached at your private IP from outside your network. Need port forwarding, a VPN, or a tunneling service.
- Your private IP changes when you change networks; your public IP changes when your ISP rotates it (or you change ISP).
- Geolocation is only meaningful for public IPs.
- IPv6 doesn’t have the same scarcity-driven public/private distinction.
The mental model: private IP = your machine on its local block; public IP = the block’s external face. Most of the time you don’t need to think about it. When you do — debugging connectivity, setting up self-hosting, parsing access logs — knowing the distinction makes things obvious.
To see your own public IP and what the world thinks it knows about you, what-is-my-ip shows the IP plus geo data, ASN, and other metadata.