Double NAT explained and possible solutions

Graeme Noble
Jan 29, 2017 · 7 min read

Double NAT is probably the most common networking misconfiguration I see in my IT consulting travels, mainly because it actually works. Someone who doesn’t understand technology (or pretends to understand) is faced with the problem of connecting a new device to their network.. and just want it to work… Of course for some magical reason ticking the enable NAT checkbox fixes everything!

Unfortunately what the user doesn’t realise is that they’re adding unnecessary complexity and segmenting the local network, of which 99% of the time the user doesn’t want, need and is unaware this is occurring. What was interesting while researching this issue is the number of pompous tech people saying Double NAT is not an issue and that if it’s not working or causing issues it is just highlighting bugs in networking equipment… While technically true it strikes me as an extremely lazy attempt or excuse for not fixing and/or optimising a network design to maximise performance and minimise possible issues.

Don’t get me wrong if you’re designing your network to use Double NAT, that is 100% fine with me (even if I think there is ALWAYS a better solution). I’m targeting this post on explaining and solving Double NAT configurations for those who didn’t realise and don’t need this kind of setup… Hopefully solving some kind of frustrating networking issue.

So what is NAT and why is it bad? Well NAT isn’t bad, it is a solution to for the limited number of IP addresses that exist for the internet (roughly 4 Billion) and allows ISP’s to assign just 1 public IP address for each connection instead of 1 public IP address for each device/computer/laptop/phone on your local network. What occurs is everything behind the NAT device shares the same singular public IP address and all devices on the local network use a reserved range of private IP addressing.

So here is a quick diagram visualising NAT, basically the modem/router is configured to get a single IP address from the ISP and then has an internal private IP address range where the modem/router is configured to automatically assign these IP addresses via DHCP to all devices in the local network. (I’m including DHCP in the diagram because this may require reconfiguration in the solutions section)

So Single NAT is necessary for most configurations and allows multiple devices on a local network to share the same connection via the same public IP address, how is this different from Double NAT?

Basically what occurs is that another network device has been added to the local network (A wireless router perhaps?) and is also performing NAT along with the original device. This works because the second device has a WAN/Internet port configured to accept and use the DHCP IP address from the first device, but also by default has NAT turned on and has its own private network which is also distributing IP addresses via DHCP.

Lets say a device similar to the one below, the current ADSL/Cable modem is connected directly into the blue Internet/WAN port and all other devices connect wirelessly or are directly connected to the yellow switchports.

Everything technically works because static and dynamic NAT’s occur on each device which hops data across each device, the network is segmented at a layer 3 level so layer 2 protocols like DHCP do not conflict.

Problems arise mainly because the NAT tables on one device fill up or lose track of a particular connection, this type of configuration will cause issues with peer-to-peer technologies that are unable to effectively trace back the network path, MTU path discovery may not function or break and gaming/media services that use uPnP probably will not work unless reforwarding these services manually.


This is the grey area, everyone’s network is different… I’m going to try my best to explain each solution in a generic way and hopefully you can apply the required fix to your own network. So lets start off with a fairly obvious fix. Purchase an ALL-In-One Device:

This is probably what most people end up doing after giving up trying to solve the issue themselves, for the cost of getting a tech out to have a look at the issue you can probably buy a new device that includes ADSL/Cable modem and if the goal is just to add wireless to your network this removes any possible Double NAT issues because there is only one device terminating everything on your network.

Now I understand you’re reading this post because you don’t want to spend the money to buy a new device, I’m just listing as an option because it does solve this particular issue.

Turn on and configure bridge mode on the Cable/ADSL modem:

I’m not a fan of this method mainly because of my background working at an ISP, this solution will eliminate the ability to remotely manage the Cable/ADSL modem and will most likely require a direct connection to reconfigure in future.

Using this method the Cable/ADSL modem is turned into a dumb device which passes information transparently to the second device, the WAN/Internet port is configured into PPPoE mode and all the ISP information is configured as it was on the Cable/ADSL modem.

If you were using any ports on the Cable/ADSL modem to connect a PC it will probably no longer work and need to be connected into the second device.

Turn off NAT on the second device and configure routing:

You might be thinking by now “Well if the problem is Double NAT, just turn one NAT off”. Well you can, but the problem is if you are still using the WAN/Internet port it is acting as a Layer 3 switch/router so additional routing will need to be setup on your network for this configuration to work.

Another consideration is that the ADSL/Cable modem will need perform NAT for both IP ranges, some devices might do this automatically, some might need to be configured and the rest won’t support it at all (It will depend on the device).

The second device will need to be assigned a static IP address for the WAN/Internet interface in the first private range, with the Default Gateway set to the Cable/ADSL modem’s internal IP address (and NAT turned off obviously).

The Cable/ADSL modem will need a static route configured for second private range which will be routed to the static IP address configured on second device. (You can leave DHCP on or turn it off as required) Once this is completed any traffic from the internet will be NAT’ed on the Cable/ADSL modem then forwarded to the second device and finally to the end user device.

Use additional Public IP’s in your network:

This solution is not for everyone, it involves your ISP providing you with additional public IP addressing. In my case, working for ISP managing business grade services, we managed the edge device (Cable/ADSL modem) and the client managed their own network. Sometimes this involved a corporate firewall which requires direct access to the public Internet.

A /30 public IP range is routed to the Cable/ADSL modem which provides 2 usable public IP addresses to the connection, the first is assigned to the inside of the Cable/ADSL Modem and the second is assigned to the WAN/Internet port of the client device (this is really what the WAN/Internet port is for when NAT is turned on).

Layer 2 Switch Trick:

This is my recommended solution, I didn’t see this mentioned at all in my research and it’s quite a simple solution… which is why I like it. Effectively what you are doing is turning the wireless router/network device into a switch which removes any routing or natting issues. I also like it because if you are trying to troubleshoot network issues eliminating as many possible causes to the problem will simplify and isolate the issue.

If you can spare one switchport (one of the yellow ports from my example picture) basically instead of pluging the Cable/ADSL modem into the WAN port of the second device, connect it directly into one of the switchports.

You should configure a static IP address on the second device in the same local IP address range so you can continue to manage it (but it does not need a Default Gateway) and turn off DHCP off on this device. Technically either device can be configured for DHCP but it is important that only one device does it (and it’s probably easier if the Cable/ADSL modem does it).

Once this is done hopefully everything just work.

I hope if you’re still reading this you have found a solution to your issue, or at least have something to try.

Graeme Noble

Written by

I'm not actually wearing a santa hat.. you need to clear your cache.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade