Double Trouble: How to Deal with Double NAT on Your Network

By Joe Moran

If something is good, then doubling it usually makes it even better (Double Stuf Oreos are one example that comes to mind). But when it comes to Network Address Translation (NAT), the mainstay of most home networks, double doesn’t necessarily equal better.

NAT is definitely a good thing; it allows multiple devices to share a single IP address (without it we would have run out of IP addresses long ago) and it helps limit a network’s exposure to the Internet. But depending on the type of Internet access equipment you have or have been given by your ISP, you may encounter a situation known as double NAT, which isn’t so good. While double NAT doesn’t generally have any ill effects on run-of-the-mill network connectivity — Web browsing, e-mail, IM, and so forth — it can be a major impediment when you need remote access to devices on your network (such as a PC, network storage device (NAS), Slingbox, etc.).

NAT vs. Double NAT

Before we delve more into what double NAT is, how to identify it, and how to correct or compensate for it, let’s first briefly review how NAT works.

In a typical home network, you are allotted a single public IP address by your ISP, and this address gets issued to your router when you plug it into the ISP-provided gateway device (e.g. a cable or DSL modem). The router’s Wide Area Network (WAN) port gets the public IP address, and PCs and other devices that are connected to LAN ports (or via Wi-Fi) become part of a private network, usually in the 192.168.x.x address range. NAT manages the connectivity between the public Internet and your private network, and either UPnP or manual port forwarding ensures that incoming connections from the Internet (i.e. remote access requests) find their way through NAT to the appropriate private network PC or other device.

By contrast, when NAT is being performed not just on your router but also on another device that’s connected in front of it, you’ve got double NAT. In this case, the public/private network boundary doesn’t exist on your router — it’s on the other device, which means that both the WAN and LAN sides of your router are private networks. The upshot of this is that any UPnP and/or port forwarding you enable on your router is for naught, because incoming remote access requests never make it that far — they arrive at the public IP address on the other device, where they’re promptly discarded.

One example of a likely double NAT scenario is if you’ve ditched your landline phone in favor of Internet-based phone service (such as Ooma or Vonage), and as a result have a VoIP adapter plugged in between your ISP-supplied equipment and your router. Another is when your ISP gives you a DSL/cable modem with an integrated LAN switch (i.e. more than one LAN port) and/or wireless access point, and you connect your own router to it.

The Remedy

To check for double NAT on your network, log into your router and look up the IP address of its WAN port. If you see an address in the 10.x.x.x or 192.168.x.x range (both of which are private) it means that the device your router’s WAN port connects to is doing NAT, and hence, you’re dealing with double NAT.
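
The check above as a small script, added here as an example rather than taken from the article: it classifies the WAN address read off the router's status page. It goes beyond the two ranges named in the text by also covering 172.16.0.0/12 (the third private range) and 100.64.0.0/10 (carrier-grade NAT at the ISP); the function name and return fields are assumptions.

```python
import ipaddress

# Non-public IPv4 ranges a router's WAN port may land in, and where the
# extra NAT layer sits in each case. The article names 10.x.x.x and
# 192.168.x.x; 172.16.0.0/12 and 100.64.0.0/10 are added in this example.
NON_PUBLIC = [
    ("10.0.0.0/8", "RFC 1918", "device in front of the router"),
    ("172.16.0.0/12", "RFC 1918", "device in front of the router"),
    ("192.168.0.0/16", "RFC 1918", "device in front of the router"),
    ("100.64.0.0/10", "RFC 6598 shared space", "ISP carrier-grade NAT"),
]


def check_wan(value):
    """Classify the WAN address shown on the router's status page.

    Accepts '192.168.0.2' or '192.168.0.2/24' and returns a dict with
    'double_nat' (bool), 'range' and 'nat_location'.
    """
    try:
        ip = ipaddress.ip_interface(value.strip()).ip
    except ValueError:
        raise ValueError(f"not an IP address: {value!r}") from None
    if ip.version != 4:
        raise ValueError("this check applies to IPv4 WAN addresses only")
    for cidr, name, location in NON_PUBLIC:
        if ip in ipaddress.ip_network(cidr):
            return {"double_nat": True, "range": f"{name} ({cidr})",
                    "nat_location": location}
    if not ip.is_global:
        # Link-local, loopback, 0.0.0.0 and similar: the WAN port has no
        # usable lease, which is a different problem from double NAT.
        return {"double_nat": False, "range": "non-routable",
                "nat_location": None}
    return {"double_nat": False, "range": "public", "nat_location": None}
```

A carrier-grade NAT result matters for the remedies that follow: bridge mode on your own equipment does not remove a NAT layer that sits inside the ISP's network.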

There are several options available to correct — or circumvent — a double NAT situation. If the culprit is your ISP-supplied equipment, you may be able to access the device’s configuration interface via a browser and set it up to work in “bridge” mode. This will disable NAT on the device and essentially make it transparent on the network so your router will receive the public IP address and perform the NAT function on its own. Instructions on how to activate bridge mode for your specific device can usually be found on the ISP’s or device manufacturer’s support site, but if you can’t find the information or aren’t comfortable making the change, an ISP’s phone tech support will often do it for you on request (or at least walk you through it).

If, on the other hand, your double NAT is being caused by a third-party piece of equipment that needs to be connected in front of your router (the aforementioned VoIP adapters usually require/recommend this for quality-of-service reasons), eliminating double NAT really isn’t an option, but you can still get around it.

One way to compensate for double NAT is to set up separate port forwarding rules on each device so that incoming traffic is shepherded through both layers of NAT. So for example, on the first NAT device (the one closest to your Internet connection) forward the port(s) you need to the IP address of your router’s WAN port. Then on your router, forward the same port(s) to the address of the device you need to reach.

If you have a lot of ports to forward, doing them individually can get a bit cumbersome, so a simpler method is to configure the first NAT device to make your router’s IP address the DMZ. This will hustle all incoming traffic through the first layer of NAT no questions asked, but when it hits your router it will be filtered or forwarded as appropriate.
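
To see why forwarding on the router alone fails and how the two workarounds behave, the following added example (not from the article) models each NAT layer and traces an inbound connection through both. The NatDevice class, the function names and all addresses are constructed for illustration.

```python
class NatDevice:
    """One NAT layer: per-port forwards plus an optional DMZ host."""

    def __init__(self, name, wan_ip, forwards=None, dmz_host=None):
        self.name = name
        self.wan_ip = wan_ip
        self.forwards = forwards or {}  # {port: (inside_ip, inside_port)}
        self.dmz_host = dmz_host        # receives every port with no rule

    def translate(self, port):
        """Return the inside (ip, port) for an inbound port, or None if dropped."""
        if port in self.forwards:
            return self.forwards[port]
        if self.dmz_host is not None:
            return (self.dmz_host, port)
        return None


def trace_inbound(layers, port):
    """Follow an unsolicited inbound connection through NAT layers, outermost
    first. Returns ((ip, port) or None, list of per-hop notes)."""
    dest, notes = layers[0].wan_ip, []
    for dev in layers:
        if dest != dev.wan_ip:
            # The previous layer forwarded to an address this device does not
            # own, e.g. straight to a host that sits behind the inner router.
            notes.append(f"{dev.name}: {dest} is not its WAN address, lost")
            return None, notes
        hop = dev.translate(port)
        if hop is None:
            notes.append(f"{dev.name}: no rule for port {port}, dropped")
            return None, notes
        dest, port = hop
        notes.append(f"{dev.name}: forwarded to {dest}:{port}")
    return (dest, port), notes


def exposed(layers, ports):
    """Map each port in `ports` that reaches an inside host to that host."""
    hits = {p: trace_inbound(layers, p)[0] for p in ports}
    return {p: target for p, target in hits.items() if target}


# Constructed addresses: gateway LAN 192.168.0.0/24, router LAN 192.168.1.0/24.
NAS = ("192.168.1.50", 443)
ROUTER = NatDevice("router", "192.168.0.2", forwards={443: NAS})
GATEWAY_PLAIN = NatDevice("gateway", "203.0.113.10")
GATEWAY_RULE = NatDevice("gateway", "203.0.113.10", {443: ("192.168.0.2", 443)})
GATEWAY_DMZ = NatDevice("gateway", "203.0.113.10", dmz_host="192.168.0.2")
```

With the DMZ setting, the router's own rule set is the only remaining filter, so what is reachable from the Internet is exactly the router's forwards plus anything the router itself listens on at its WAN address. The model covers forwarding decisions only, not firewall rules or UPnP mappings.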
