1. Library
  2. Computer Networks
  3. IP Addresses
  4. Address Translation

What Is Double NAT and How to Fix It

Updated 18 minutes ago

Your multiplayer game won't connect. Port forwarding doesn't work no matter how many times you configure it. Your home VPN server is invisible to the outside world. The culprit might be sitting quietly in your network: two routers both trying to do the same job.

This is double NAT—and the strange thing is, neither router is broken. Each is doing exactly what it's supposed to do. The problem is that they're both doing it.

What Is Double NAT?

Network Address Translation (NAT) acts as a gatekeeper between your private home network and the public Internet. Every home network needs one gatekeeper. Double NAT means you have two.

Two separate devices are translating IP addresses independently. Your traffic passes through two security checkpoints, two routing decisions, two layers of translation. For data flowing out—browsing websites, streaming video—this works fine. For data trying to come in, it's a dead end.

How You End Up With Double NAT

The most common scenario: your Internet provider gave you a combination modem-router. You plugged your own router into it because you wanted better WiFi or more features. Both devices are performing NAT. You now have double NAT.

ISP Gateway Devices: Most Internet providers ship all-in-one boxes that combine a modem with a router. They're simplifying setup, but they're also making assumptions about your network. When you add your own router downstream, you've created two gatekeepers where you need one.

Carrier-Grade NAT (CGNAT): Some ISPs—especially mobile broadband and 5G home Internet providers—perform NAT before your traffic even reaches your home. They share one public IP address among dozens or hundreds of customers. If you see a 100.64.x.x IP address in a traceroute, that's CGNAT.

Network Appliances: Certain devices like NAS systems or security appliances can inadvertently add routing layers if misconfigured or operating in gateway mode rather than bridged mode.

Why Double NAT Breaks Things

Outbound connections work perfectly. Your device initiates the connection, and both NAT layers track the traffic flow. This is why basic Internet use feels normal.

Inbound connections are where everything falls apart.

Port Forwarding Fails: You configure port 8080 to forward to your home server. Traffic arrives at your ISP's gateway, which forwards it to your router's WAN port. But your router is sitting on a private IP address. The ISP gateway has no idea that your server lives two hops deeper. The connection dies at the first router.

Gaming NAT Types Degrade: PlayStation and Xbox classify your connection as "Moderate" or "Strict" NAT. This isn't cosmetic. Strict NAT prevents joining certain lobbies, causes voice chat failures, and increases matchmaking times. Some peer-to-peer games won't work at all.

VPN Servers Become Unreachable: Running a VPN server at home requires incoming connections to reach your server. With double NAT, those connections never make it through both layers.

UPnP Fails Silently: Applications expect to automatically configure port forwarding using Universal Plug and Play. UPnP can only communicate with the first router it encounters. Your applications think they've opened the necessary ports, but traffic still can't reach them.

Latency Accumulates: Each NAT layer introduces processing delay—usually just a few milliseconds. For real-time gaming or voice calls, those milliseconds add up.

Detecting Double NAT

Log into your router's admin interface. Find the WAN or Internet IP address—this is the address your router sees as "the Internet."

If that address falls into any of these private ranges, you have double NAT:

  • 10.x.x.x
  • 172.16.x.x through 172.31.x.x
  • 192.168.x.x
  • 100.64.x.x (indicates CGNAT)

Your router's WAN IP should be a public address. Visit whatismyipaddress.com to see your actual public IP. If the two addresses don't match and your router shows a private IP, you're looking at double NAT.

For CGNAT detection, run traceroute google.com from your command line. If you see 100.64.x.x addresses in the first few hops, your ISP is using carrier-grade NAT.

Fixing Double NAT

Bridge Mode (The Clean Solution)

Bridge mode disables NAT and routing on your ISP's gateway, turning it into a simple modem. Your router receives the public IP address directly. One gatekeeper, one translation layer, problem solved.

Log into your ISP gateway—typically at 192.168.0.1 or 192.168.1.1. Look for "Bridge Mode" in the advanced settings. Enable it. Your gateway will reboot, and your router will handle all routing and NAT functions.

Not all ISP gateways support bridge mode. Some carriers lock this feature.

Access Point Mode (The Trade-Off)

If your ISP gateway won't bridge, configure your own router as an access point instead. This disables NAT on your router, letting the ISP gateway handle all routing.

You'll lose some advanced router features—custom DNS, advanced firewall rules, detailed device management. But you'll eliminate double NAT.

Most modern routers have an "Access Point Mode" in their settings. Enable it, and your router becomes a WiFi access point and network switch while your ISP gateway handles the routing.

DMZ Configuration (The Workaround)

Some routers offer a DMZ (demilitarized zone) feature that forwards all incoming traffic to a specific device. Configure your ISP gateway to place your router's WAN address in the DMZ.

This doesn't eliminate double NAT—both devices still perform translation—but it bypasses the first layer for inbound traffic. Port forwarding and incoming connections will work. You'll still see double NAT warnings in diagnostics, but functionally, most issues disappear.

Replace the ISP Gateway

Ask your ISP for a simple modem instead of a gateway device. Or purchase your own compatible modem. This removes the routing layer entirely.

Not all ISPs allow this. Some require their specific gateway. But it's worth asking—using your own modem may also eliminate monthly equipment rental fees.

Dealing With CGNAT

If you've detected carrier-grade NAT (100.64.x.x addresses), the solutions above won't help. The extra NAT layer exists at the carrier level, beyond your control.

Request a Static Public IP: Many ISPs offer this as a paid add-on, typically $5-15 per month. This bypasses CGNAT entirely.

Business Internet Plans: Business-tier service often includes a public IP by default.

VPN Services With Port Forwarding: Some VPN providers offer port forwarding as a feature. This creates a publicly accessible endpoint that forwards traffic to your home network, working around CGNAT.

IPv6: If your ISP offers native IPv6 and your applications support it, IPv6 eliminates NAT entirely. Every device receives a globally routable address.

When Double NAT Doesn't Matter

If you're just browsing websites, streaming video, checking email, or scrolling social media, double NAT won't affect you. Outbound connections work perfectly through multiple NAT layers.

You only need to fix double NAT if you:

  • Host any server or service accessible from the Internet
  • Play online games and need optimal NAT type
  • Use port forwarding for specific applications
  • Run a VPN server at home
  • Remotely access devices on your home network
  • Use applications relying on UPnP

For many people, especially those on mobile broadband with carrier-grade NAT, the simplest solution is to do nothing. If your games connect and your smart home works, leave it alone.

The Fix Is Coordination, Not Configuration

Double NAT is a coordination problem disguised as a technical one. Two devices, each performing their function correctly, creating chaos because nobody told them to take turns.

The solution isn't smarter routers. It's making one of them step aside.

Frequently Asked Questions About Double NAT

Was this page helpful?

😔
🤨
😃