How to identify and resolve double-NAT problems
The digital world is all about IP (internet protocol) addresses. Every device needs an IP in order to communicate on the internet or within a private network. Given there’s not enough public IP addresses out there for every internet-connected device (at least with IPv4), this little thing called NAT becomes extremely important. It stands for network address translation (NAT) and is a function provided by routers to enable multiple devices to access the internet via a single public IP address.
Behind each public IP, there can be hundreds of devices with their own private IP addresses, thanks to NAT. And almost all equipment that provides the NAT function includes a firewall to protect the private IPs and devices from public IPs and devices on the internet. Other network services are also typically offered, like DHCP (dynamic host control protocol) to give out the private IP addresses to devices that connect to the local network.
How double NAT happens
Having more than one device performing NAT on a private network, however, can cause issues with that network. Some users may never notice, making it a non-issue for them. But others can run into headaches with certain applications, services, and situations. So, it’s always a good idea to eliminate double NAT if you have it.
Having more than one NAT device usually happens when you connect your own router to a gateway installed by your internet service provider (ISP) that also includes the NAT and routing functions. Some ISPs install only a simple modem that lacks the NAT and routing, which eliminates the problem altogether. But most ISPs assume you don’t their customers have routers, however, so they’ll provide you with a combo device whether you want it or not.
If you’re unsure what the ISP has given you, take a look at the box. If there’s only one Ethernet port, it’s likely a simple modem (aka a broadband gateway). But if there’s multiple Ethernet ports or if it supports Wi-Fi connections, it’s likely performing NAT and routing as well.
The problems double NAT can cause
When there’s double NAT on your network, you might run into issues with services that require UPnP (Universal Plug-and-Play) support or manual port forwarding. This would include online gaming on computers or consoles, remote desktop into your computers, connecting to a VPN server, or accessing security camera feeds. Services like these sometimes require certain ports to be opened in the router’s firewall and directed to a particular computer or device on the network.
This screenshot shows how I’ve configured my router for port forwarding, so that I can use remote SSH (Secure Shell) on a server on my local network. I can’t do that if my gateway is also performing NAT (network address translation).
The problem with double NAT is that if the first router on your network doesn’t have the port forwards configured, incoming traffic will stop there even if you have the port forwards configured on the second router. Or even if the first router has the port forwards, it can’t forward the traffic to a device that’s connected to the second router. It might only forward traffic to computers and devices directly connected to that first router, which could be either a wireless or wired connection.
Double NAT can also complicate any manual or automatic quality-of-service (QoS) controls that prioritize traffic on your internal network to ensure lag-sensitive traffic (gaming, voice, or video) is given higher priority than data associated with file transers. This is especially the case if you have devices connected to both routers, both of which have different QoS controls.
This screenshot shows my router’s QoS (Quality of Service) controls, which I’ve configured to assign VoIP (Voice over Internet Protocol) top priority.
How to detect a double NAT situation
I already mentioned how to quickly tell if an ISP’s gateway has NAT and routing capabilities, but you might also want to see if double NAT is actually happening before spending time on the issue. Sometimes gateways will detect double NAT and automatically fix the issue for you. Or sometimes, if the ISP installers are knowledgeable, they might fix it when they come out to install the gateway and see that you have your own router.
For the two ways I’ll show you how to detect a double NAT situation, you’ll need to check your IP addresses and know if they’re private or public. This is easy: private addresses are usually in the 192.168.0.0 to 192.168.255.255 range, the 172.16.0.0 to 172.31.255.255 range, or the 10.0.0.0 to 10.255.255.255 range. Addresses outside of these ranges would be public (internet) addresses.
One quick way that usually shows if double NAT exists is a traceroute, which allows you to ping a server or device on the internet and see the path it takes between routers and servers. Open a Command Prompt (on a Windows PC that’s connected to the internet, click on the Start menu, type “cmd,” and hit Enter) and type “tracert 18.104.22.168“ to see the traceroute to Google’s DNS server. If you see two private IP addresses listed in the first two hops then you have double NAT. If you see only one private address and the second hop shows a public address, then you’re all good.
Another way to check for double NAT is to connect to your router’s web-based GUI and see if the WAN (internet) IP address is private or public. It should be a public address. If it’s a private address then you have double NAT.
How you can fix it
If you’ve confirmed you have double NAT, there are ways to fix it. One simple way is to unplug any additional router and only use your ISP’s gateway. If you’re a power-user and you can’t part with your fancier router, then this option probably isn’t for you.
If you’d like to keep your router, see if you can put the ISP’s gateway into bridge or passthrough mode. This will disable the gateway’s NAT, firewall, and DHCP functions and reduce it to a simple internet modem. Many gateways offer these settings, but not all. Log into the web-based GUI of the gateway and check for a NAT, passthrough, or bridge mode setting, but keep in mind sometimes it’s hidden. If you don’t see it, search the internet for details on your particular model, or call your ISP’s tech support.
If your ISP gateway doesn’t offer any bridging functionality, consider putting your router in the DMZ (demilitarized zone) of the gateway. If the gateway has a DMZ, it will basically give the router a direct connection to the internet, bypassing the gateway’s NAT, firewall, and DHCP so that your networked devices get those values directly from your router.
To utilize the DMZ, you’d log into the web-based GUI of the gateway, find the DMZ setting, and enter the private IP address that’s assigned to your router. Furthermore, you should also see if you can establish an IP address reservation for your router, so your gateway always gives the same private IP address to your router. If the gateway doesn’t support IP address reservations, you should log into the router’s web-based GUI and manually assign it a static private IP address (the same one you configure as the DMZ host) yourself for its WAN (wide area network; i.e., the internet) connection.
Another option for eliminating double NAT while keeping a ISP gateway and your router is to run an ethernet cable from the gateway to one of your router’s LAN ports instead of the router’s WAN (internet) port. This will basically turn your router into a switch, and any computers connecting through the router (either wired or wirelessly) will get NAT, firewall, and DHCP from the ISP’s gateway. This is a good option if you’re using a secondary router to get better Wi-Fi or because you need more ethernet ports. If, on the other hand, your desire for another router is for better port forwarding or improved QoS controls, this approach won’t help.