Double NAT. How can it be detected? (and why/how it should create issues?)

17,113

Solution 1

'Tracert' (Trace Route) command will show if you have a double NAT. e.g. tracert 8.8.8.8. You will see more than one hop with a private IP address. Note that this assumes small office / home networks where every router applies NAT. Corporate networks may have more hops and you'd need to do more testing to figure out which hops apply NAT.

An example of something double NAT detectably breaks is UPnP (Universal Plug and Play) Port Forwarding. When a device on your network requests a temporary port forward rule from your router, it won't work right because the upstream router also needs to forward the port. The device will know something is wrong because the router replied that it granted the port open request, but the port still isn't open from the internet. The device can guess that you are in a double NAT situation.

You can also get IP address range overlaps in a double NAT situation. It could be impossible for the inner and outer network to communicate with each other because they use the same IP ranges and are thus indistinguishable. Internet may still work on the inner network depending on how smart the inner router is.

The major reason double NAT is not desirable is devices in the outer network cannot initiate a connection to devices in the inner network. Actual routing (e.g. static routes) allows bidirectional communication.

Solution 2

The only time I've seen double NAT is when you connect a home router to a second home router - this can be done if you route an ethernet cable from the first router's output into the WAN input of the second router.

Generally, you don't want to be on a double NAT because it requires a second jump to get out to the WAN. Also, it can affect UPNP which allows video games and other applications to automatically port forward which improves performance.

To detect double NAT, you should use the trace route command. Open PowerShell and run this command

tracert google.com

If the first two hops start with 192, then you have a double NAT.

To get rid of this second NAT in this scenario, you'll want to turn the second router onto "Bridge Mode", which basically turns off DHCP. This way, you won't have two separate entities issuing IP addresses, and your local network will be one network.

If you have a need to separate your local network into sub-networks, you will need a router that supports VLAN (Virtual Local Area Network). You'll likely need a commercial grade router to do this; a lot of home routers do not support this feature. They don't expect the average consumer to be network engineers.
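Both answers detect double NAT the same way: run a trace route and look for more than one hop with a private address at the start of the path. The script below is an added example, not code from the question or either answer; it parses Windows `tracert` and Unix `traceroute` output, classifies each hop against the RFC 1918 private ranges, and applies the "two or more leading private hops" heuristic from Solution 1 (so it does not depend on the hops starting with 192 as Solution 2 assumes). It also goes one step beyond the answers by flagging the RFC 6598 carrier-grade NAT range (100.64.0.0/10), since an ISP that translates your traffic puts you behind a second NAT even with a single home router. The two trace outputs embedded in it are constructed samples, not real captures, and the `--live` mode assumes `tracert` or `traceroute` is installed on the machine.

```python
import ipaddress
import re
import subprocess
import sys

# Address ranges that mark a hop as sitting behind some NAT device:
# the RFC 1918 private ranges, plus the RFC 6598 carrier-grade NAT range
# (100.64.0.0/10), which ipaddress.is_private does not report as private.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")

HOP_LINE = re.compile(r"^\s*(\d+)\s")            # lines that begin with a hop number
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")  # dotted-quad addresses

# Constructed sample: two home routers in series (the setup from Solution 2),
# then a timed-out hop, then public addresses. Not a real capture.
SAMPLE_TRACERT = """Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.168.1.1
  2     2 ms     2 ms     2 ms  10.0.0.1
  3     *        *        *     Request timed out.
  4    14 ms    13 ms    14 ms  203.0.113.5
  5    15 ms    15 ms    15 ms  dns.google [8.8.8.8]
"""

# Constructed sample: one home router, but the ISP applies carrier-grade NAT.
SAMPLE_TRACEROUTE = """traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  _gateway (192.168.0.1)  1.102 ms  1.050 ms  0.987 ms
 2  100.64.0.1 (100.64.0.1)  9.511 ms  9.420 ms  9.380 ms
 3  203.0.113.9 (203.0.113.9)  12.210 ms  12.100 ms  12.050 ms
 4  dns.google (8.8.8.8)  13.900 ms  13.850 ms  13.800 ms
"""


def classify(ip: str) -> str:
    """Label an IPv4 address as 'private' (RFC 1918), 'cgnat' (RFC 6598) or 'public'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in PRIVATE_NETS):
        return "private"
    if addr in CGNAT_NET:
        return "cgnat"
    return "public"


def parse_hops(output: str) -> list:
    """Return (hop_number, address-or-None) pairs from tracert/traceroute text.

    Works for the Windows layout ('hostname [ip]' or a bare ip at the end of
    the line) and the Unix layout ('hostname (ip)'); a hop that only timed
    out ('*') yields None. Header lines do not start with a hop number and
    are skipped.
    """
    hops = []
    for line in output.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue
        ips = IPV4.findall(line)
        hops.append((int(m.group(1)), ips[-1] if ips else None))
    return hops


def assess(output: str) -> dict:
    """Apply the answers' heuristic: count private hops at the start of the path.

    Each router with a private address is assumed to apply NAT (the small
    office / home assumption stated in Solution 1), so two or more leading
    private hops suggest double NAT. A CGNAT hop means the ISP translates
    as well, which is a second NAT even behind a single private router.
    """
    hops = parse_hops(output)
    labels = [classify(ip) if ip else "timeout" for _, ip in hops]
    leading_private = 0
    for label in labels:
        if label != "private":
            break
        leading_private += 1
    cgnat_hops = labels.count("cgnat")
    return {
        "hops": [(num, lab) for (num, _), lab in zip(hops, labels)],
        "leading_private_hops": leading_private,
        "cgnat_hops": cgnat_hops,
        "likely_double_nat": leading_private >= 2
        or (leading_private >= 1 and cgnat_hops >= 1),
    }


def run_trace(target: str) -> str:
    """Run the platform's trace tool without name resolution and return its output."""
    cmd = ["tracert", "-d", target] if sys.platform.startswith("win") \
        else ["traceroute", "-n", target]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    # Usage: python double_nat_check.py            -> analyse the built-in sample
    #        python double_nat_check.py --live 8.8.8.8  -> trace a real target
    live = len(sys.argv) > 2 and sys.argv[1] == "--live"
    report = assess(run_trace(sys.argv[2]) if live else SAMPLE_TRACERT)
    for num, label in report["hops"]:
        print(f"hop {num:2d}: {label}")
    print("leading private hops:", report["leading_private_hops"])
    print("CGNAT hops:", report["cgnat_hops"])
    print("likely double NAT:", report["likely_double_nat"])
```

The heuristic inherits the caveat from Solution 1: a private-addressed hop is a router whose inward-facing interface is private, and on a corporate network that router may simply route rather than translate, so a positive result there needs confirming (for instance by checking whether an inbound port forward actually reaches the inner network, the UPnP symptom described above).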


Author: mariotti

A chemist, a programmer. Interested in data.

Updated on September 18, 2022

Comments

  • mariotti
    mariotti over 1 year

    I have my airport mac thing complaining about double NAT.

    My network looks fine indeed.

    My question is a bit more on the security side:

    How can a double NAT be detected?

    In principle all devices should be network agnostic.

    And even if it can, why should it be an issue? For this last question I admit there might be some configuration issues if you administer one of the double NAT.

    • mariotti
      mariotti over 5 years
      It is clear to me that if, at every NAT, we do filter some connections, ports, protocols, we get a degraded communication. But I would like to get first an answer to the main question. Then I would avoid answers that are like: it depends on your ISP. I think double NAT is not an issue, I want you to prove me wrong.
    • mariotti
      mariotti over 5 years
      I have found a kinda related document: sflow.org/detectNAT
    • mariotti
      mariotti over 5 years
    • Gordon Davisson
      Gordon Davisson over 5 years
      Are you talking about an AirPort base station, or AirPlay? They (and how they relate to NAT) are quite a bit different.
    • mariotti
      mariotti about 3 years
      A personal update. Now I moved out from any Air* device. I have indeed Netgear and Asus. And of course the main router. But I think that the question is not yet fully answered. How and why would you need to detect a double NAT?
  • mariotti
    mariotti over 5 years
    Thanks! I mean it. But "traceroute" (I use the unix version) will show actually the trace. Making hypothesis on the network topology will not really detect a double NAT. I will have to match the results with the defined private network addresses. And make the assumption I am on a double NAT. I will wait for more answers.
  • mariotti
    mariotti over 5 years
    I would keep UPnP out of this issue for the moment. Because somehow it assumes the first question is answered. And its protocol should assume we are exactly on the same network. So no wonder if it does not work with NAT. The security restrictions of this protocol are a bit out of this question. But let's keep an eye open on the answers.
  • mariotti
    mariotti over 5 years
    IP overlap should not happen. If every NAT is well configured.
  • mariotti
    mariotti over 5 years
    The last paragraph: This might be a required feature. I do not want external things calling randomly my airCrap. And this is the start of my suspects. Why my AirPlay complains about double NAT?
  • Andy
    Andy over 5 years
    AirPlay seems to use the Bonjour discovery protocol, which relies on multicast traffic. Do you have more than one AirPlay on your network? Is your phone on the same network? They won't be able to find each other in a double-NAT situation.
  • mariotti
    mariotti about 3 years
    That should be fine. They are all on the same network. That's actually my point: I do put them on the same network, and on the second router I put other services.