Double NAT vs Single NAT 101: ISP Gateway's Best Tips

This post helps you deal with the situation where you want to improve your home Wi-Fi network yet can’t (or don’t want to) get rid of your ISP-provided gateway (or any existing router). It’s a question of single NAT vs double NAT.

If those “NAT” terms seem scary, you’re reading the right post. You’ll know how to handle them as comfortably as the next guy when you’re through. And there’s a chance you won’t have to deal with them at all.

In any case, before going further, make sure you’re comfortable with handling a home Wi-Fi router. Done? Let’s dive in!

Dong’s note: I first published this piece on December 30, 2018, and updated it on November 16, 2021, with additional relevant information.

Double NAT vs Single NAT: Here’s a Wi-Fi router (left) and a Cable Internet gateway. The former has a WAN port, and the latter has a coaxial connector for the service line.
By themselves, each creates a single NAT (standard) network. If you connect the router’s WAN port to a LAN port of the gateway, you now have a double NAT setup by default.
Double NAT is when you use a router on top of — or behind — another router.

How to best deal with that ISP-provided gateway you can’t replace

Ideally, you should use just one router for your home network. That’s a standard way to have any local network.

A gateway is a single hardware box containing a Wi-Fi router and an Internet terminal device, such as a Cable modem or a Fiber-optic ONT, on the inside. In this article, you can look at an ISP-provided gateway as a router.

In this case, you have a single NAT configuration, which is generally implied — there’s no need to mention “NAT”.

But since we’ll have to deal with double NAT later, let’s find out what NAT is.

What is NAT?

NAT stands for network address translation, one of the major functions that define a router.

A Single NAT Diagram
You have just one set of private IP addresses in a single NAT setup, and your router connects to the Internet directly. The Internet terminal device (modem or ONT) receives the Internet WAN IP address and passes it to the sole router of the network.

Single NAT

NAT allows the router to use a single WAN IP address (provided by the broadband provider) to deliver Internet access to many connected devices by creating a separate set of local IP addresses.

Each router has a NAT function. So when you use a single router (or a gateway) for a local network, you’re in the single NAT setup. Again, in this case, the “NAT” notion is implied. There’s no need to talk about it.

Double NAT

But sometimes, you don’t have a choice, such as when you have to keep that ISP-provided gateway and yet want to expand or upgrade your system.

Other times, you might want to keep your current router and put another on top.

A Double NAT Diagram
In a double NAT, devices of the first set of private IP addresses can’t talk to those of the second set at the local level, and your router doesn’t connect to the Internet directly — it does so via the gateway (or the first router).

And that’s when you have a double NAT setup.

That said, a double NAT setup is non-standard and can be a pain. But sometimes, it’ll work fine, and you might not even notice it. We’ll talk more about this below.

To continue, let’s assume you have a gateway your Internet provider (ISP) has put in your home that you can’t replace. And now you want to get the best network out of it. We’ll go through different scenarios and figure out the best way to improve your Wi-Fi network.

Extra: The benefits of using an ISP-supplied gateway

While it’s clear that it’s best to use your equipment, there are some benefits to using a gateway provided by your Internet provider.

Here are a few examples:

  • Ease of use: You don’t need to do anything. The provider will set up the home network for you and manage the hardware, including firmware updates, troubleshooting, etc.
  • Less clutter: You only have one hardware box instead of two. (A retail gateway applies, too.)
  • Hassle-free hardware replacement: If the gateway dies, call the provider, and you’ll get a replacement pronto — all free of charge. The provider also upgrades the equipment when need be.
  • Easy management: With some providers, you can manage certain aspects of your home network, like changing the Wi-Fi password, via your online account. (That is if you’re OK with the potential privacy risks.)
  • Unlimited data cap: Some providers, such as Comcast Xfinity, charge half the cost ($25 vs $50) for an unlimited monthly data cap when you use their gateway.

In short, using ISP-provided equipment is not all bad. The benefits are enough to justify the monthly “rental” fee for some.

Making the most of an ISP-provided gateway: The Single NAT approach

Many modern gateways are advanced routers with lots of networking options. If so, some customization will give you a much better home network.

In this case, we have two main scenarios.

In the first scenario, you live in a home small enough for the gateway’s Wi-Fi coverage — you won’t need additional hardware. In the second, you need to add more hardware to extend the Wi-Fi coverage.

The single-box scenario

If you’re happy with the gateway’s Wi-Fi coverage, you only need to make a few changes.

The idea is that you shouldn’t use the gateway with the default settings left by the technician. You should further configure it for a better network.

1. Change the default access to the gateway

Every ISP-provided gateway comes with default admin access.

For example, a Comcast gateway’s default password is almost always highspeed — anyone with that knowledge can log into its interface once they are part of the network.

For security, you should change the password to something else.

Change Password
Changing a Comcast gateway’s admin password is easy via the link at the interface’s top right corner.

To do that, log in to the gateway’s web interface by pointing a browser to its IP address and log in with the default password (or access code). You can generally find this information on the side or bottom of the device.

Once you’ve logged in, navigate the interface to the area where you can change the password and create a new, more secure one.

2. Make a meaningful Wi-Fi network

By default, each gateway has a default Wi-Fi network, of which both the name and password are hard to remember or type in, especially when you need to do that on a small screen or via a remote control.

You can give your Wi-Fi network a personalized name and a password that you can remember.

Again, you can do this via the web interface and follow these guidelines regarding passwords to keep your system secure.

3. Customize the gateway’s advanced settings

This part is optional, but most gateways have a decent set of features and settings that you can use — the amount varies from device to device.

Examples include port-forwarding, Dynamic DNS, separating the 2.4GHz Wi-Fi network from the 5GHz, etc. Again, you can use the interface to customize these.

In short, just because you don’t use a standard off-the-shelf router doesn’t mean you can’t make your network with specific advanced settings. Dig into your gateway’s web interface; you might get surprised by how much you can get out of it.

The more-hardware-needed scenario

This scenario applies when your gateway’s Wi-Fi coverage is insufficient for the entire home.

In this case, you will need additional broadcasters to extend the coverage. The idea is that you want more Wi-Fi while keeping your home network in a single NAT configuration.

In most cases, you only need a single extender or access point. But if your place is large, a whole new Wi-Fi mesh system is in order.

Getting an access point

Get an access point if you can run a long network cable from the gateway to it.

Using an AP would be my first choice since it delivers much better performance than an extender.

There are many options for APs, and most of them work similarly. It’s best to use one that supports the same Wi-Fi standard as the existing router, or a better one, but any will work.

You can also turn an old router into an access point or pick one of these — check out their review for more.

You can make the AP’s Wi-Fi network (SSID) with the same name and password as the existing router. In most cases, that’d give you somewhat of a mesh system. Some access points, such as those in the TP-Link Omada family, can work as a robust enterprise system when you add a controller.

Getting an extender

An extender can quickly extend your Wi-Fi without you having to run a network cable.

Note, though, that using extenders means you get convenience at the expense of performance. Sometimes, the performance gets so bad the convenience is not even worth it. Also, be mindful of the virtual MAC address issue.

Asus RP-AX56 AX1800 Dual-Band Wi-Fi 6 Repeater in AP mode
TP-Link RE715X Wi-Fi 6 Range Extender in action
The Asus RP-AX56u and TP-Link RE715X are excellent Wi-Fi 6 extenders for those with modest bandwidth needs.

Generally, Wi-Fi 6 extenders, such as the Asus RP-AX56, work better than their Wi-Fi 5 counterparts. Still, if you have fast Internet or use real-time communication applications, such as Voice over IP or video conferencing, no extender will cut it.

You’ll need to run network cables or get a mesh system.

Getting a new mesh system (or router)

In this case, you need an entirely new mesh system or a more powerful router on top of the gateway.

Specifically, you’ll connect the new hardware’s WAN port to the gateway’s LAN port.

In this case, to maintain the single NAT configurations, you have to do one of two things:

  • Either turn the gateway into bridge mode, effectively making it work simply as a terminal device (a modem or an ONT). Or
  • Put your new mesh system (or router) into AP mode.

Internet or Wi-Fi Speed Test: Netgear CM600 Cable Modem
A standard Single NAT setup: The Internet goes into a terminal device (a cable modem pictured here,) which connects to a router.
If you have a gateway in the place of the modem, you should either put the gateway in the bridge mode or the router in the AP mode.

Gateway-to-router WAN IP forward

Depending on the gateway you use, the configuration for this varies.

With some, like cable gateways, all you need to do is put it in the Bridge mode. In this mode, a gateway is, in effect, a modem — you’ll get no other features or network settings from it, including Wi-Fi.

With others, like DSL gateways, you need to configure the IP Pass-through and map that to the local IP address of the router.

Again, the objective is to make your router take over the WAN IP, not the gateway’s local (private) IP.

You can turn a Comcast Xfinity gateway into Bridge Mode using the web interface.

Another option is to use the gateway’s DMZ setting, if applicable, to allow the upper-level router to get unfiltered Internet access. This method is not the same as passing the WAN IP, but it does enable specific services/applications to work.

And that’s it. You now have a home network almost the same as one built with a modem and a router.

Turning your new mesh system or router into an Access Point

Most routers and Wi-Fi systems can work as an access point (AP) — you can switch the mode via the web interface. If you use a mesh system, putting the primary router in the AP mode will turn the entire system into this mode.

The only mesh systems I’m aware of that can’t work in the AP mode — as a system — are the variants of the Google (Nest) Wifi.

If your router does not have an AP mode, you can manually turn it into an AP by connecting it to the gateway using one of its LAN ports (and not its WAN port — leave this port alone).

You might want to configure the router’s Wi-Fi network before turning it into an access point. It’s a bit hard, though not impossible, to access its web interface afterward — you’ll need to figure out its IP address via the router unit.

In the AP mode, the hardware — your new router or mesh system — only extends the network hosted by the gateway. You will not be able to take advantage of its other settings and features.

Making the most of an ISP-provided gateway: The Double NAT approach

The double NAT approach is much easier in terms of the hardware setup.

All you have to do is connect the WAN (Internet) port of the new router — or the primary router unit of your mesh — to a LAN port of the gateway (or the existing router).

Now configure your new router to your liking, and you’re all set.

Extra: Setting up a router on top of another

A different local IP address for each router is required

This part applies when connecting the new router to the existing gateway for the first time. The two must have different local IP addresses.

Default Gateway IP
You can change the router’s IP via its web interface, shown here as the Default Gateway IP.

It’s relatively rare that you have to worry about them having the same IP — chances are they are already different by default. Many routers are smart enough to automatically change their IP (from the default) when connected to a router (or gateway) that already uses the same one.

If the two share the same IP address — which tends to happen if the new router and the existing one are from the same manufacturer — you’ll note that devices connected to the new router won’t have Internet. There can be other issues, too.

In any case, you can always change a router’s IP using the web interface. The setting is in the LAN (or DHCP) area of the router’s interface. This IP is often 192.168.x.1 or 10.0.x.1 — change x to a different number.
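
The check described above can be scripted before you stack the router on the gateway. This is an added example, not part of the original article: it flags double NAT (the router's WAN address is a private one) and a LAN address conflict, and proposes a replacement range by changing the third octet. The function name and the addresses you pass in are assumptions.

```python
import ipaddress

# RFC 1918 private ranges: a router WAN address inside one of these was
# handed out by another router, not by the ISP's public pool.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_stacked_router(gateway_lan, router_wan_ip, router_lan):
    """Check a router whose WAN port is plugged into a gateway's LAN port.

    gateway_lan and router_lan are CIDR strings such as "192.168.1.1/24";
    router_wan_ip is the address shown on the router's WAN/Internet page.
    """
    gw_net = ipaddress.ip_network(gateway_lan, strict=False)
    rt_net = ipaddress.ip_network(router_lan, strict=False)
    wan = ipaddress.ip_address(router_wan_ip)

    # Double NAT: the router's "Internet" address is really a private one.
    double_nat = wan in gw_net or any(wan in net for net in RFC1918)

    # Same or overlapping LAN ranges on both boxes: the router cannot tell
    # its own LAN from the network on its WAN side, so clients lose Internet.
    conflict = gw_net.overlaps(rt_net)

    suggestion = None
    if conflict and rt_net.prefixlen == 24:
        # The article's fix: keep the first two octets, change the third (x).
        base = int(rt_net.network_address) & 0xFFFF0000
        for x in range(1, 255):
            candidate = ipaddress.ip_network((base | (x << 8), 24))
            if not candidate.overlaps(gw_net):
                suggestion = str(candidate)
                break
    return {"double_nat": double_nat, "lan_conflict": conflict,
            "suggested_router_lan": suggestion}
```
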

Double NAT: What works well

Generally, if all you need is a connection to the Internet, a double NAT configuration will work well, and you’ll run into no issues.

Also, a double NAT setup makes the top-level NAT network — the one hosted by your new router — more secure.

That’s because devices in this network are behind two layers of firewalls and NATs. They are also invisible to those connecting to the lower-level NAT.

That said, double NAT is an excellent setup if you want a particular group of devices to be isolated from another group. It’s better than using Guest Wi-Fi networks.

Double NAT: What doesn’t work (well)

The primary problem with double NAT is that devices belonging to one NAT will not communicate locally with those of the other NAT.

That is because each router keeps its own set of private IP addresses, shielded from the outside.

Specifically, suppose you have a computer that connects to the gateway’s network and a printer that connects to your new router’s network. In that case, the computer can’t print to the printer via your local network.

The two don’t “see” each other. You’ll also have issues with local services like data sharing, media streaming, network backup, etc.

Another issue is that your new router’s advanced network settings, such as VPN and port-forwarding, will not work as expected, if at all.

Pro tips on using double NAT

  • You can still use port-forwarding, but it takes more work. Specifically, you need to program that twice, first on the port in question at the gateway (lower NAT) to the router’s IP address and then at the router (upper NAT) to the IP address of the destination device.
  • To access the top-level NAT router’s interface over the Internet, set that up as a server port-forwarding entry at the first-level NAT (the gateway) — make sure the two use different ports for remote management.
  • A device of the upper-level NAT can still access another of the lower-level NAT if you use the target device’s IP address (instead of its name). The other way around is much harder, if possible at all.
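
To review what a two-layer port-forward setup actually exposes, the following added example (not from the original article) walks an inbound connection through the gateway's rules and then the router's, and reports where it ends up. The topology, addresses, ports and the "local_ports" key for the router's own remote-management interface are constructed for illustration.

```python
# Constructed sample topology: every address, port and name is illustrative.
GATEWAY = {  # lower NAT, holds the public WAN IP
    "name": "gateway", "wan_ip": "203.0.113.7",
    "forwards": {8443: ("192.168.0.2", 8443),    # to router, completed below
                 32400: ("192.168.0.2", 32400),  # to router, no second rule
                 8080: ("192.168.0.9", 80),      # device on the gateway's LAN
                 8444: ("192.168.0.2", 8444)},   # router's remote management
}
ROUTER = {   # upper NAT, its WAN side is a client of the gateway
    "name": "router", "wan_ip": "192.168.0.2",
    "forwards": {8443: ("192.168.50.10", 443),
                 5000: ("192.168.50.20", 5000)},  # gateway has no matching rule
    "local_ports": {8444},                        # router's own admin interface
}


def trace_inbound(port, layers):
    """Follow an Internet connection arriving on `port` through stacked NATs.

    `layers` runs from the outside in (gateway first, then router).
    Returns ("dropped", layer) when a layer has no rule for the port,
    ("served", layer) when the layer itself listens on it, or
    ("delivered", "ip:port") when the connection reaches a LAN device.
    """
    for i, layer in enumerate(layers):
        rule = layer["forwards"].get(port)
        if rule is None:
            listening = port in layer.get("local_ports", ())
            return ("served" if listening else "dropped", layer["name"])
        lan_ip, port = rule  # the rule may also rewrite the port
        is_last = i + 1 == len(layers)
        if is_last or lan_ip != layers[i + 1]["wan_ip"]:
            # Target is an ordinary device on this layer's LAN.
            return ("delivered", f"{lan_ip}:{port}")
        # Target is the next router's WAN address: keep walking inward.
    raise ValueError("layers must not be empty")


def exposure_report(layers):
    """Map every port opened on the outermost NAT to where it ends up."""
    return {p: trace_inbound(p, layers) for p in sorted(layers[0]["forwards"])}
```

A rule that exists on only one layer shows up as "dropped", and a "served" entry for the router means its admin interface is reachable from the Internet.
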

What to do in a double NAT setup

Now that you’re aware of double NAT and still want to use it, there’s just one thing you need to do: make sure you are aware of which network (which NAT, that is) you’re using and connect devices accordingly.

If you want to use the new router (the top-level NAT), then:

  • Turn off Wi-Fi on the first router/gateway (you can do this via its web interface) and use only the Wi-Fi of your top-level router.
  • Connect all wired devices to the top-level router (and not the gateway) for them to see one another locally.

Mission accomplished.

Alternatively, you can use both networks for security or isolation purposes. For example, you can keep the gateway’s Wi-Fi network as a guest network. In this case, make sure it has a different Wi-Fi name (SSID) from the one you use for yourself.

If using a double NAT proves too much trouble — as it can be for many homes — you should opt for the traditional single NAT route.

The takeaway

No matter your Internet situation, you can still customize your home network to your liking. It just takes a bit of work.

In my experience, having to keep the ISP-provided gateway is the most popular situation and double NAT, while easy, is also commonplace. Keep that in mind the next time you troubleshoot your home or office network.
