If something is good, then doubling it usually makes it even better (Double Stuf Oreos are one example that comes to mind). But when it comes to Network Address Translation (NAT), the mainstay of most home networks, double doesn’t necessarily equal better.
NAT is definitely a good thing; it allows multiple devices to share a single IP address (without it we would have run out of IP addresses long ago) and it helps limit a network’s exposure to the Internet. But depending on the type of Internet access equipment you have or have been given by your ISP, you may encounter a situation known as double NAT, which isn’t so good. While double NAT doesn’t generally have any ill effects on run-of-the-mill network connectivity — Web browsing, e-mail, IM, and so forth — it can be a major impediment when you need remote access to devices on your network (such as a PC, network storage device (NAS), Slingbox, etc.).
NAT vs. Double NAT
Before we delve more into what double NAT is, how to identify it, and how to correct or compensate for it, let’s first briefly review how NAT works.
In a typical home network, you are allotted a single public IP address by your ISP, and this address gets issued to your router when you plug it into the ISP-provided gateway device (e.g. a cable or DSL modem). The router’s Wide Area Network (WAN) port gets the public IP address, and PCs and other devices that are connected to LAN ports (or via Wi-Fi) become part of a private network, usually in the 192.168.x.x address range. NAT manages the connectivity between the public Internet and your private network, and eitherUPnPor manual port forwarding ensures that incoming connections from the Internet (i.e. remote access requests) find their way through NAT to the appropriate private network PC or other device.
By contrast, when NAT is being performed not just on your router but also on another device that’s connected in front of it, you’ve got double NAT. In this case, the public/private network boundary doesn’t exist on your router — it’s on the other device, which means that both the WANandLAN sides of your router are private networks. The upshot of this is that any UPnP and/or port forwarding you enable on your router is for naught, because incoming remote access requests never make it that far — they arrive at the public IP address on the other device, where they’re promptly discarded.
One example of a likely double NAT scenario is if you’ve ditched your landline phone in favor of Internet-based phone service (such Ooma or Vonage), and as a result have a VoIP adapter plugged in between your ISP-supplied equipment and your router. Another is when your ISP gives you a DSL/cable modem with an integrated LAN switch (i.e. more than one LAN port) and/or wireless access point, and you connect your own router to it.
The Remedy
To check for double NAT on your network, log into your router and look up the IP address of its WAN port. If you see an address in the 10.x.x.x or 192.168.x.x range (both of which are private) it means that the device your router’s WAN port connects to is doing NAT, and hence, you’re dealing with double NAT.
There are a several options available to correct — or circumvent — a double NAT situation. If the culprit is your ISP-supplied equipment, you may be able to access the device’s configuration interface via a browser and set it up to work in “bridge” mode. This will disable NAT on the device and essentially make it transparent on the network so your router will receive the public IP address and perform the NAT function on its own. Instructions on how to activate bridge mode for your specific device can usually be found on the ISP’s or device manufacturer’s support site, but if you can’t find the information or aren’t comfortable making the change, an ISP’s phone tech support will often do it for you on request (or at least walk you through it).
If, on the other hand, your double NAT is being caused by a third-party piece of equipment that needs to be connected in front of your router (the aforementioned VoIP adapters usually require/recommend this for quality-of-service reasons), eliminating double NAT really isn’t an option– but you can still get around it.
One way to compensate for double NAT is to set up separate port forwarding rules on each device so that incoming traffic is shepherded through both layers of NAT. So for example, on the first NAT device (the one closest to your Internet connection) forward the port(s) you need to the IP address ofyourrouter’s WAN port. Then on your router, forward the same port(s) to the address of the device you need to reach.
If you have a lot of ports to forward, doing them individually can get a bit cumbersome, so a simpler method is to configure the first NAT device to make your router’s IP address the DMZ. This will hustle all incoming traffic through the first layer of NAT no questions asked, but when it hits your router it will be filtered or forwarded as appropriate.
Eric Geier
Eric Geier is a freelance tech writer. He’s also the founder of NoWiresSecurity, providing a cloud-based Wi-Fi security service; Wi-Fi Surveyors, providing RF site surveying; and On Spot Techs, providing general IT services.
Sure, let's dive into the concepts mentioned in the article and expand on them:
Network Address Translation (NAT)
NAT is a fundamental process in networking that allows multiple devices within a private network to share a single public IP address. Without NAT, the depletion of available IP addresses would have occurred far earlier. It works by managing connectivity between the public Internet and private networks, assigning private IP addresses to devices within the local network and translating them to the public IP address when communicating externally.
Double NAT
Double NAT occurs when Network Address Translation is being performed not only on the primary router but also on another device connected in front of it. In this scenario, both the WAN and LAN sides of the router are within private networks. It becomes problematic when trying to enable remote access to devices within the network because incoming connections get trapped or discarded at the intermediary device performing NAT before reaching the router.
WAN and LAN
Wide Area Network (WAN) refers to the external network interface of a router that connects to the Internet, receiving the public IP address. Local Area Network (LAN) encompasses the private network created by the router for internal devices, usually in the 192.168.x.x or 10.x.x.x address range.
Port Forwarding and UPnP
Port Forwarding and Universal Plug and Play (UPnP) are methods used to direct incoming connections from the Internet to specific devices within a private network. Port forwarding involves manually configuring router settings to direct incoming traffic to a designated device or service, while UPnP automates this process by allowing devices to set up port forwarding themselves.
Bridge Mode
Bridge mode is a configuration setting that disables the NAT functionality on a device, effectively making it transparent on the network. When the primary router receives the public IP address and performs NAT independently, it resolves the double NAT issue.
DMZ (Demilitarized Zone)
The DMZ feature allows all incoming traffic to be directed to a specific device within the network. Setting the router's IP address as the DMZ on the primary NAT device can help streamline incoming traffic through both layers of NAT.
Double NAT Remedies
The article suggests several remedies for double NAT:
- Bridge Mode: Configure the ISP-supplied device to operate in bridge mode to disable its NAT functionality.
- Port Forwarding: Manually set up port forwarding rules on each NAT device to allow incoming traffic to pass through both layers.
- DMZ Configuration: Direct incoming traffic to a specific device (e.g., the router) by setting its IP as the DMZ on the primary NAT device.
The author, Eric Geier, not only explains the technical aspects but also provides practical solutions based on specific scenarios, drawing on his expertise as a freelance tech writer and founder of tech service companies dealing with networking, Wi-Fi security, and general IT services.
