
I installed an Airport Extreme router and got a warning about "Double NAT". Why is that bad?


I've got a relatively complex home office/small office network -- I use two NAT (Network Address Translation) routers/firewalls to provide a DMZ (DeMilitarized Zone) for a cheap sacrificial web server. Basically, I don't want compromise (a.k.a. pwnage) of the web server to easily allow access to the PCs on the private network. Here's a simple diagram of how I have things set up:

Asked by: Guest | Views: 356
Total answers/comments: 2
Guest [Entry]

I actually had an analogous error occur in my setup recently when I reconfigured it due to a gear swap.

The double-NAT message is designed as a warning of a possible pathological network setup, but I think it's irrelevant, especially as you say you've been running this setup for a while. In fact, many ISPs are using NAT these days on their DSL or cable modems, where each customer is already "behind the router", so to speak, even with a single device connected directly to the modem. As soon as the customer adds a wireless router for their home, they are in a double-NAT situation. And that seems to be working just fine for most people, obviously.

According to my research, it seems as though there are some applications, largely industrial-grade VPNs and other applications that manipulate data at the lower layers of the OSI stack, that might hiccup if they start poking around inside the packets. A particular Cisco VPN + Firewall setup is one example I came across. As another example, the reliability of certain implementations of VoIP in a double-NAT environment seemed to be a matter of some debate.

As you point out, it will almost certainly introduce some small amount of additional latency due to the extra hop and the work being done by each router, but unless you're a competitive gamer... meh.

Edit: As Kevin points out below, UPnP is also likely to freak out in a double-NAT scenario, but the Airport Extreme which prompted the question doesn't support UPnP anyway.
Guest [Entry]

It is very difficult for home-class devices to be able to handle this type of scenario because it is effectively changing out the addresses at each router.

I would recommend reconfiguring your network into several logical segments instead of trying to maintain the same address space.

So for your external address going to the net, use whatever your ISP assigns to you. For your network between the two devices, use a subnet that is not in use on your private LAN.

An example would be to use no NAT between the two devices. Use real private addresses. For instance, configure 172.16.1.1 for the outside router's inside interface and use 172.16.1.2 for the internal router's outside interface.

Then configure the two devices to route to one another, making sure to correctly specify the next hop.

The outside router needs to know how to reach the inside of your network and the inside needs to know where to route packets going to the outside. You can still use NAT but you want to not use NAT between the two devices themselves.

I hope this helps some.
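
The routed layout described in the answer above, checked as an added example that is not part of the original posts: it validates the addressing plan and derives the static route each router needs. The `/30` prefix length on the link between the routers and the `192.168.1.0/24` private LAN are assumptions; the answer gives only the two addresses 172.16.1.1 and 172.16.1.2.

```python
import ipaddress as ip

def plan_routes(transit, outer_inside, inner_outside, lan):
    """Validate a two-router plan with no NAT on the link between them and
    return the static routes each router needs. Raises ValueError on a bad plan."""
    transit = ip.ip_network(transit)
    lan = ip.ip_network(lan)
    outer = ip.ip_address(outer_inside)
    inner = ip.ip_address(inner_outside)

    # The link between the routers must use a subnet not in use on the LAN.
    if transit.overlaps(lan):
        raise ValueError(f"transit {transit} overlaps LAN {lan}")
    # Neither segment is ISP-assigned, so both should be private space.
    for net in (transit, lan):
        if not net.is_private:
            raise ValueError(f"{net} is not private address space")
    # Each next hop must be a usable host address on the shared link.
    hosts = set(transit.hosts())
    for name, addr in (("outer inside", outer), ("inner outside", inner)):
        if addr not in hosts:
            raise ValueError(f"{name} address {addr} is not a host in {transit}")
    if outer == inner:
        raise ValueError("both routers were given the same transit address")

    return {
        # Outer router: reach the LAN via the inner router's outside interface.
        "outer": [(str(lan), str(inner))],
        # Inner router: default route via the outer router's inside interface.
        "inner": [("0.0.0.0/0", str(outer))],
    }

if __name__ == "__main__":
    # Constructed sample plan: /30 link and LAN range are assumed values.
    plan = plan_routes("172.16.1.0/30", "172.16.1.1", "172.16.1.2",
                       "192.168.1.0/24")
    for router, routes in plan.items():
        for dest, next_hop in routes:
            print(f"{router} router: route {dest} via {next_hop}")
```
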