28

As the ISP-provided modem was generating a pretty weak WiFi signal, I've disabled its WiFi function, bought an Apple AirPort Extreme and connected its WAN port to the modem. Now everything works just perfectly, but the AirPort configuration utility keeps complaining (yes, I know how to turn it off, but I am curious) about double NAT and demands that I reconfigure the modem to bridge mode. Why should I? What problems can double NAT cause?

Ivan

5 Answers

21

Anything that automagically opens up holes in your firewall (for instance, a BitTorrent client might use uPNP to get a port opened for itself without direct user intervention) is going to fail, because it can't access the 'outer' NAT.

Otherwise, it's a bit of added latency (not likely to be significant) and you're paying to power two devices instead of one.

Michael Kohne
  • 3
    You should be able to get around the uPNP problem by simply setting DMZ on the modem ("outer device") to point to the "inner" Apple Airport. – Hengjie Apr 07 '15 at 22:21
  • 3
    @Hengjie - at that point you're not doing double-NAT, you're doing single NAT with the inner airport in the DMZ. So really a different situation. Which would in fact solve the uPNP issue, but the OP was asking what issues arise from double-NAT, not alternate network topologies. – Michael Kohne Apr 08 '15 at 10:39
  • 4
    You would still be double NAT'ting because both routers will run NAT. It's just that the outer router's DMZ will point to the outer router's DHCP-negotiated address for the inner router. So you will continue to incur the cost of two network translations, _but_ using DMZ simply fixes uPNP for the inner router. – Hengjie Apr 09 '15 at 10:58
  • 1
    To add to the accepted answer, sometimes you need to double NAT if you have special hardware like a VOIP router and you do not want to use it for all your network services. One configuration that I have at home is a fritz box with VOIP as modem with DMZ pointing at a time capsule which is the real network router and wifi poa. Both routers, if set in bridge mode, do not work properly (one refuses to service as VOIP box, the other as backup server), therefore I run double NAT. – Daniele Bernardini Apr 22 '15 at 14:03
  • I had some problems with a similar configuration years ago resulting in a lot of dropped packets and a very slow connection, but otherwise I have been running a similar configuration in multiple offices and apartments for years with negligible latency impact and no problem whatsoever. – Daniele Bernardini Apr 22 '15 at 14:03
  • You would have a little more work to do if you want to set up port forwarding, since you have to forward through both routers. That's not very complicated though, and in fact, it's my setup at home. The cable modem from my ISP has built-in NAT, and I have my own NAT router behind it. As for network connectivity, I haven't noticed any problems with that setup. – Charles Burge Dec 23 '16 at 21:15
  • If the ISP router has the AirPort as the DMZ host then you have NAT but not PAT in play - all ports on the outside interface are mapped directly to ports on the inside. This will get rid of the uPNP problem because the device on the inside of the airport will get mapped to a port on the outside of the airport and the same port will be used on the outside of the ISP router. – kbro Aug 25 '21 at 20:11
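
An added example (not part of the original answer or its comments): a small Python model of the cases discussed above, namely a UPnP mapping that exists only on the inner router, the DMZ workaround, and forwarding on both routers. The `Nat` class, the `deliver` helper, the addresses and port 51413 are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Nat:
    """Toy NAT router: unsolicited inbound traffic needs a mapping."""
    name: str
    wan_ip: str
    forwards: dict = field(default_factory=dict)  # ext_port -> (lan_ip, lan_port)
    dmz_host: Optional[str] = None                # catch-all for unmapped ports

    def inbound(self, dst_ip, dst_port):
        if dst_ip != self.wan_ip:
            return None
        if dst_port in self.forwards:
            return self.forwards[dst_port]
        return (self.dmz_host, dst_port) if self.dmz_host else None

def deliver(chain, dst_ip, dst_port):
    """Walk an inbound packet through the NATs, outermost first."""
    trace = []
    for nat in chain:
        hop = nat.inbound(dst_ip, dst_port)
        if hop is None:
            trace.append(f"{nat.name}: drop {dst_ip}:{dst_port}")
            return None, trace
        trace.append(f"{nat.name}: {dst_ip}:{dst_port} -> {hop[0]}:{hop[1]}")
        dst_ip, dst_port = hop
    return (dst_ip, dst_port), trace

def build():
    """Constructed topology: Internet -> modem -> AirPort -> client."""
    modem = Nat("modem", "203.0.113.10")     # documentation address range
    airport = Nat("airport", "192.168.1.2")  # WAN side is the modem's LAN
    # The client's UPnP request reaches only its own gateway, the AirPort.
    airport.forwards[51413] = ("10.0.1.5", 51413)
    return modem, airport

if __name__ == "__main__":
    modem, airport = build()
    print(deliver([modem, airport], modem.wan_ip, 51413))  # dropped at modem
    modem.dmz_host = airport.wan_ip                        # DMZ on the outer device
    print(deliver([modem, airport], modem.wan_ip, 51413))  # reaches the client
    print(deliver([modem, airport], modem.wan_ip, 22))     # stops at the AirPort
    modem.dmz_host = None
    modem.forwards[51413] = (airport.wan_ip, 51413)        # forward on both routers
    print(deliver([modem, airport], modem.wan_ip, 51413))  # reaches the client
```

In the DMZ case every unmapped port is handed to the AirPort's WAN side, so the AirPort's own mappings are the only remaining filter for inbound traffic.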
10

I had tried double and triple NAT-ing setups for fun. For most intents and purposes, double NAT-ing doesn't affect simple browsing/mail experiences. (adds less than 1ms of latency)

However, if you want to remotely access your home network (or services) from the internet, it would be a lot more complicated to set that up. That's the only disadvantage I can think of.

whoiskai
4

Problems arise mainly because the NAT tables on one device fill up or lose track of a particular connection. This type of configuration will cause issues with peer-to-peer technologies that are unable to effectively trace back the network path, MTU path discovery may not function or may break, and gaming/media services that use uPnP probably will not work unless these services are re-forwarded manually. [Source]

Solution

Reconfigure the second, inside router as a layer 2 switch, by disabling its DHCP server.

Serge Stroobandt
4

One major problem would be that with Double Nat'ing you also create 2 private networks.

Private Network 1: You did turn off the Provider's WiFi, but are potentially with your in-house wiring still attached to the Provider supplied router.

Private Network 2: Your own WiFi Router, which is also wired to the Provider supplied router, will again have its own network setup for anything attached to the wired ports, or WiFi.

Assuming that this will all work well, Devices on Private Network 2 might consider devices on Private Network 1 to be on another network (based on the network mask provided).

This appears to be the case for my Remote App on my iPhone for my Wired Receiver not wanting to connect to the receiver, although I can actually Airplay to it. Once I connect to the Provider's WiFi with my iPhone (Private Network 1) - then the remote app also works.

YoYo
2

I see nothing wrong with double NAT except (as you've noticed) that an Apple Airport router device will complain about it. There may also be some applications (games for one) that may have trouble with double NATing. I used double NAT on my airport device and I told it not to bug me with double-NAT warnings. Everything I do works fine. I do not notice any slowdown. I have a web server, an SMTP server and both work fine. Besides that I do regular browsing, ftp'ing, etc. I wish I could tell my airport to warn me about problems, but to not consider double NATing a problem.

Marnix A. van Ammers