Stop me if you've heard this already, but we ran out of public IPv4 addresses years ago. Yet the internet didn't grind to a halt, and the explosive growth of internet-connected devices didn't slow down. What did happen was a combination of things, including IPv6 for essentially endless IP address space, and Network Address Translation (NAT), which translates public IP addresses on the internet to private IP addresses on your home network, and vice versa.
It was a fix that was sorely needed at the time, and still is for many networking uses, but it's also a pain when things go wrong. Anyone who's played online multiplayer games in the last couple of decades knows the pain of being behind the wrong NAT type, and a double NAT situation is even worse. What's more, other users on your network might not even notice, because it affects certain online activities far more than normal browsing.
What is double NAT, and why is it terrible
Plus a quick primer on what NAT is and how your ISP uses it
If you're unable to rid yourself of the ISP router for any reason, you might still have decided you wanted more control and picked up an awesome Wi-Fi router to provide your internal network with connectivity. Maybe you went further and added a Linux router with attached access points for Wi-Fi, or stuck with a trusted name like OPNsense. Whatever you choose to supplement, the ISP router might be causing an invisible problem for your home network, at least if you didn't change some settings first.
That's because each of those routers is still working in router mode, meaning they're also both performing Network Address Translation at the same time. The ISP router is on one network block, while the supplementary router is on another, both handling NAT, and that's an extra layer of complication for all traffic that has to enter or exit your network. This makes packets travel through private, private, and public addressing domains, a situation called NAT444, which is one form of CGNAT that ISPs use for their addressing.
At best, this double translation layer delays packets of data by a few milliseconds each time. At worst, you could have internet connectivity issues, be unable to play multiplayer games, or be unable to access other devices on your home network. It's not a desirable situation for the majority of home networks, and it's better to remove the second translation layer altogether than to add extra configuration to work around it.
What about CGNAT?
Whatever you might think about CGNAT (Carrier-Grade NAT), without it, we wouldn't have the wide-ranging cellular networks or home internet we do now. Whether it uses NAT444 with the ISP's private network between your home and the public internet, or Dual-Stack Lite, which uses IPv6 on the carrier network, so only two IPv4 addressing domains are needed, or another form, CGNAT maximizes the IPv4 space.
But it's still a form of double NAT, and even though the ISPs are better at minimizing the issues, it's not without them. Port forwarding is often impossible for ISP customers, as CGNAT is usually implemented by mapping ports through the ISP network. It might also mean your connection is banned from services due to a misbehaving user on the shared public address. Technically, if you add another router behind the ISP router in this scenario, you're running triple NAT, and are likely to run into issues.
Problems caused by double NAT
Depending on what you're doing online you might not even notice
When your network is set up in a double NAT situation, you could see a range of effects, from no change at all to not being able to connect to websites or devices on your network. Especially if you've got two Wi-Fi networks set up and roam between them, you might not be able to reach devices that are connected to the other network. While you could add firewall rules (or remove the internal firewall entirely), it's still better to have a simpler setup without the hassle of two NAT devices.
The most common things that will have issues in double NAT situations are:
- Online gaming
- VoIP applications
- Port forwarding
- DDNS connections
- Self-hosting and remote access
Web browsing might not be affected at all, and in that case you might not notice anything is wrong with your setup. A few more milliseconds of delay when loading a website could be caused by many factors and you wouldn't immediately think about NAT. But if you're a gamer, your console or PC will likely tell you if you're behind a double NAT so you can do something about it.
How do we avoid double NAT situations
Time to stop one router from doing any routing
A quick traceroute is the fastest way to figure out if you're behind a double NAT situation. Open Command Prompt and type the following command:
tracert 8.8.8.8
It will show you a series of hops to the Google DNS server, eight in my case, but it could be fewer or more. Only the first and second hops are relevant to checking for additional NAT layers, and you want to look for specific IP ranges.
Private IP address ranges that indicate NAT presence include:
- 192.168.0.0 to 192.168.255.255 (most common in home networks)
- 172.16.0.0 to 172.31.255.255 (enterprise and ISP networks)
- 10.0.0.0 to 10.255.255.255 (large network deployments)
- 100.64.0.0 to 100.127.255.255 (CGNAT reserved range)
Single NAT configurations will have the home router's IP address as the first hop, then subsequent hops will all be public addresses. You could also log into your router and look for the WAN IP address. If that's on a private IP range, you have another NAT device in your network stream.
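The traceroute check above can be automated. The following script is an added example written for this article, not a tool from the page's author; it parses tracert/traceroute output, classifies each hop against the four address blocks listed above, and reports how many translating devices appear to sit in front of the first public hop. The two traces embedded in it are constructed samples (203.0.113.0/24 is a documentation range standing in for a real public address), and the verdict is a heuristic: an ISP can route private addresses internally without translating, so treat the result as a prompt to check the router's WAN address, as the text suggests, rather than as proof.

```python
"""Spot double NAT from traceroute output (added example, not from the article)."""
import ipaddress
import re

# The address blocks the article lists as signs of a NAT layer in front of you.
NAT_BLOCKS = {
    "rfc1918": [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/12"),
        ipaddress.ip_network("192.168.0.0/16"),
    ],
    "cgnat": [ipaddress.ip_network("100.64.0.0/10")],
}

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def classify(addr: str) -> str:
    """Return 'rfc1918', 'cgnat' or 'public' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    for label, nets in NAT_BLOCKS.items():
        if any(ip in net for net in nets):
            return label
    return "public"


def parse_hops(output: str) -> list:
    """Pull (hop_number, address_or_None) pairs out of tracert/traceroute text.

    Works on both Windows 'tracert' and Unix 'traceroute' layouts because it
    only needs a leading hop number and the last dotted-quad on the line.
    Hops that timed out (only '*') are kept as None so numbering stays intact.
    """
    hops = []
    for line in output.splitlines():
        m = re.match(r"^\s*(\d+)\s+(.*)$", line)
        if not m:
            continue  # banner, blank and 'Trace complete.' lines
        hop_no, rest = int(m.group(1)), m.group(2)
        addrs = IPV4_RE.findall(rest)
        hops.append((hop_no, addrs[-1] if addrs else None))
    return hops


def nat_layers(hops: list) -> dict:
    """Count the leading non-public hops and name the likely NAT stack.

    Hop 1 is normally your own router. Every further private or CGNAT hop
    before the first public address is another device translating your
    traffic (a heuristic, see the lead-in).
    """
    leading = []
    for _, addr in hops:
        if addr is None:
            continue  # a timed-out hop tells us nothing either way
        kind = classify(addr)
        if kind == "public":
            break
        leading.append(kind)
    rfc1918, cgnat = leading.count("rfc1918"), leading.count("cgnat")
    if rfc1918 >= 2 and cgnat:
        verdict = "triple NAT: extra router behind an ISP router that is itself behind CGNAT"
    elif rfc1918 >= 2:
        verdict = "double NAT: a second router behind the ISP router"
    elif rfc1918 == 1 and cgnat:
        verdict = "single home NAT behind ISP CGNAT (NAT444)"
    elif rfc1918 == 1:
        verdict = "single NAT"
    else:
        verdict = "no private hop seen; check the router's WAN address instead"
    return {"private_hops": rfc1918, "cgnat_hops": cgnat, "verdict": verdict}


# Constructed sample in Windows tracert style: home router (hop 1) behind an
# ISP router (hop 2), then public hops. Not a real trace.
SAMPLE_DOUBLE_NAT = """\
Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     1 ms     1 ms     1 ms  192.168.0.1
  3    11 ms    10 ms    12 ms  203.0.113.1
  4     *        *        *     Request timed out.
  5    14 ms    13 ms    14 ms  8.8.8.8

Trace complete.
"""

# Constructed sample: one home router, then the ISP's CGNAT range.
SAMPLE_CGNAT = """\
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     9 ms     8 ms     9 ms  100.64.0.1
  3    12 ms    11 ms    12 ms  203.0.113.1
  4    14 ms    13 ms    14 ms  8.8.8.8
"""

if __name__ == "__main__":
    for name, text in (("double", SAMPLE_DOUBLE_NAT), ("cgnat", SAMPLE_CGNAT)):
        print(name, nat_layers(parse_hops(text)))
```

To use it on your own network, paste the output of `tracert 8.8.8.8` (or `traceroute 8.8.8.8` on macOS and Linux) into a file and call `nat_layers(parse_hops(open("trace.txt").read()))`.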
Once we've tested, we can remove the problem
Fixing double NAT can be done in a number of ways, and most of them involve ensuring only one device is handling NAT on your network. You could put your ISP router into bridge mode, which turns the router into a simple modem, and then the internal router handles NAT and other duties. This is the easiest way, but not every ISP lets you do this. You could get rid of the ISP router if you're able to, and then use your own equipment, which is my preferred suggestion.
I don't suggest setting your network and devices up to only use IPv6, because while it will remove the need for NAT, it'll break your internet experience. There are too many services using IPv4 to even think about fully changing over at this time. Some routers will let you turn off NAT while still using the other features, but these are going to be on the more premium side. You could also use a DMZ to expose the gaming console or other device that is complaining about double NAT to the internet directly, but that's a security risk and I wouldn't advise that either.
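To see why port forwarding and self-hosting break under double NAT while ordinary browsing keeps working, and why putting the ISP router into bridge mode fixes it, here is a toy model of stateful NAT layers. It is an added example, not code from the article or from any router vendor: each `Nat` hands outbound flows a dynamic port on its WAN address and only delivers inbound packets that match an existing mapping or a static port forward. The addresses, the console's port and the port numbers are constructed; 203.0.113.7 stands in for the ISP's public address.

```python
"""Toy model of chained NAT devices (added example, not from the article)."""
from dataclasses import dataclass, field


@dataclass
class Nat:
    """One stateful NAT. Constructed model, not any vendor's implementation."""
    name: str
    wan_ip: str
    forwards: dict = field(default_factory=dict)  # wan_port -> (inside_ip, inside_port)
    table: dict = field(default_factory=dict)     # (inside_ip, inside_port) -> wan_port
    next_port: int = 40000                        # next dynamic port to hand out

    def outbound(self, src):
        """Translate an inside (ip, port) to (wan_ip, wan_port), creating a mapping."""
        if src not in self.table:
            self.table[src] = self.next_port
            self.next_port += 1
        return (self.wan_ip, self.table[src])

    def inbound(self, dst_port):
        """Return the inside (ip, port) a packet to wan_ip:dst_port reaches, or None."""
        if dst_port in self.forwards:          # static port forward / DMZ-style rule
            return self.forwards[dst_port]
        for inside, wan_port in self.table.items():
            if wan_port == dst_port:           # reply to a flow we opened
                return inside
        return None                            # unsolicited: dropped


def send_out(layers, src):
    """Walk a packet outwards through each NAT (innermost first); return the public tuple."""
    addr = src
    for nat in layers:
        addr = nat.outbound(addr)
    return addr


def deliver_in(layers, dst_port):
    """Walk a packet from the internet inwards through the NATs in reverse order.

    Returns (inside tuple, None) on success, or (None, name of the NAT that dropped it).
    """
    inside, port = None, dst_port
    for nat in reversed(layers):
        inside = nat.inbound(port)
        if inside is None:
            return None, nat.name
        port = inside[1]  # the next NAT inwards sees the translated destination port
    return inside, None


CONSOLE = ("192.168.1.50", 3074)   # constructed LAN host and game port
GAME_PORT = 3074


def scenario(bridge_mode: bool) -> dict:
    """Home router with a port forward for the console, behind an ISP router.

    With bridge_mode=True the ISP box stops routing and the home router holds
    the public address, so only one NAT remains in the path.
    """
    home = Nat("home router", "203.0.113.7" if bridge_mode else "192.168.0.10",
               forwards={GAME_PORT: CONSOLE})
    isp = Nat("ISP router", "203.0.113.7")
    layers = [home] if bridge_mode else [home, isp]

    public = send_out(layers, CONSOLE)                 # console opens a flow
    reply, _ = deliver_in(layers, public[1])           # server replies to that flow
    reached, dropped_by = deliver_in(layers, GAME_PORT)  # a peer tries to connect in
    return {"public": public, "reply_reached": reply,
            "reached": reached, "dropped_by": dropped_by}


if __name__ == "__main__":
    print("double NAT :", scenario(bridge_mode=False))
    print("bridge mode:", scenario(bridge_mode=True))
```

In the double NAT case the reply to an outbound flow still finds its way back through both mappings, which is why browsing looks fine, but the inbound connection to the forwarded game port is dropped by the ISP router, which has no rule for it. Bridging the ISP router removes that layer and the same port forward works.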
Double NAT is the bane of online gamers and self-hosters everywhere
Double NAT will continue to be an issue going forward. IPv6 would make it unnecessary, but adoption has been slow, and it's not clear at this point whether we will ever get a full IPv6 internet or whether it will be dual-stack with additional translation layers forever. Many legacy devices don't support IPv6 at all, and unless those are removed, turning off IPv4 and NAT would be a disaster. Until then, knowing what causes double NAT and how to fix it if you're affected are our best weapons against an inconsistent internet experience.
