I agree that I am not the typical home Internet user, so this complaint does not apply to 99% of ISP customers, but man, the remaining 1% should speak up. I absolutely hate when an ISP does not allow you to put their modem/router combo in bridge mode. Not that it’s something you cannot deal with anyway, but it’s annoying. And it’s not only a home vs business connection thing: in certain cases you are not allowed to put it in bridge mode ever.
Of course, this only applies to you if you want to use your own router instead of the one provided by your ISP, but I suspect this is becoming more common nowadays. Well, I actually suspect that most users decide to go for another modem/router combo, rather than a router alone, even when they are not happy with the ISP equipment, but still. Oh anyway, rant over, let’s move on to discussing how to deal with the biggest annoyance introduced by this: double NAT.
Personally, I like to keep things separate and have one network device for each network function, if possible. This means a modem, a router, a switch and an access point in my case. For my home environment, I decided to go for an Ubiquiti EdgeRouter Lite 3 as my main router. The problem here is that, because my ISP router cannot be put in bridge mode, it will keep acting as a router, and there is no way to make it work as a modem alone, so there is an extra layer of NAT in my network which I would have happily lived without.
This means that if you have anything inside your network which you want to reach from the outside (for example, a Web server or a VPN server), it is not enough to configure port forwarding on your edge router (the one closest to your ISP connection): you will have to do it on each router in your network. So, double NAT -> double port forwarding.
Let’s take a practical example. Suppose that you are dealing with this configuration:
- The Web server that you want to access from the Internet is inside your internal network with IP address 192.168.1.100
- Your ISP router has IP address 192.168.200.1
- Your internal router has IP address 192.168.1.1
Ultimately, you want traffic coming into your network and destined to port 80 to reach your Web server at IP address 192.168.1.100. However, you cannot simply configure this on your edge router: if you try to add the 192.168.1.100 address as your port forwarding destination, you will get an error message saying that this cannot be done because the destination is outside the NAT range of that router (which, again, is on the 200 subnet).
So, to make your traffic reach the correct destination when double NAT is present, you have to do this:
- On your ISP router, configure port forwarding to your internal router
- On your internal router, configure port forwarding to your Web server
Using the example data above, you need to create a port forwarding rule on your ISP router to 192.168.1.1 (your internal router) on port 80. Then, on your internal router, you need to configure another port forwarding rule to destination 192.168.1.100 (your Web server) on port 80.
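To make the two-hop forwarding concrete, here is an added Python model of the scenario above (example code, not from the original post): two routers, each with its own LAN subnet and port forwarding rules, an inbound connection to port 80 walked through both NAT hops, and the check that makes the ISP router refuse a rule pointing straight at 192.168.1.100. The internal router's WAN-side address 192.168.200.2 is an assumption; the post does not give it.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Router:
    name: str
    lan: ipaddress.IPv4Network
    rules: dict = field(default_factory=dict)  # ext_port -> (inside_ip, inside_port)

    def add_forward(self, ext_port, inside_ip, inside_port):
        # The ISP router's check from the post: a target outside its own LAN is refused.
        if ipaddress.IPv4Address(inside_ip) not in self.lan:
            raise ValueError(f"{self.name}: {inside_ip} is outside NAT range {self.lan}")
        self.rules[ext_port] = (inside_ip, inside_port)

    def dnat(self, dst_port):
        # Rewritten (ip, port) for a matching rule; None means "not forwarded".
        return self.rules.get(dst_port)

def deliver(routers, dst_port):
    """Push an inbound connection through each NAT hop; None if a hop lacks a rule."""
    hit = (None, dst_port)
    for router in routers:
        hit = router.dnat(hit[1])
        if hit is None:
            return None
    return hit

# Addresses from the post: ISP router on 192.168.200.0/24, internal router on
# 192.168.1.0/24, web server at 192.168.1.100. The internal router's WAN-side
# address (192.168.200.2) is a constructed value the post does not give.
INTERNAL_WAN_IP = "192.168.200.2"
WEB_SERVER = "192.168.1.100"

def build_routers():
    return (Router("isp", ipaddress.IPv4Network("192.168.200.0/24")),
            Router("edge", ipaddress.IPv4Network("192.168.1.0/24")))

def double_forward(forward_on_internal=True):
    isp, edge = build_routers()
    isp.add_forward(80, INTERNAL_WAN_IP, 80)   # hop 1: ISP router -> internal router
    if forward_on_internal:                     # hop 2: internal router -> web server
        edge.add_forward(80, WEB_SERVER, 80)    # (skip it to see the failure mode)
    return deliver([isp, edge], 80)

def isp_rejects_direct_rule():
    isp, _ = build_routers()
    try:                                        # the rule the post says errors out
        isp.add_forward(80, WEB_SERVER, 80)
    except ValueError:
        return True
    return False
```

Calling `double_forward(forward_on_internal=False)` returns None: with only the first hop configured, the connection stops at the internal router, which is exactly the double NAT symptom the post describes.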
Of course, this works for any service, so replace the port number with whatever service you are trying to access from outside.