Double NAT – What Happens When You Install a Personal Router with a Cable or DSL Modem?

double natOn SoHo (small office/home office) networks, a common configuration error is double NAT. What usually happens is the ISP, for whatever reason, supplies its own pre-configured ADSL router/modem. The ISP router/modem is required since they must configure its end of the Internet WAN link on the ISP’s device. They also do not give away passwords or allow access to the device, which again is reasonable – after all, they do not want people messing with the configuration on ADSL links.

Take a course at and learn networking an NAT as a beginner.

The problem with ISP configurations is that they leave the customer with usually only one Ethernet port to work with, and this causes problems when you want to build a small home network.

This setup causes issues when you want to build a network and need Wi-Fi access for portable devices and local access for desktops. You might, like many SoHo customers, have an iPad, a Kindle, and a Wi-Fi notebook along with an Ethernet laptop and desktop PC. In order to accommodate all these Wi-Fi only devices as well as the two Ethernet devices, you trot off down to your local store and buy your own Wi-Fi access point and a little eight port Ethernet switch thinking that your purchases will solve the connectivity issue. You are correct, or rather would be, if you had bought a Wi-Fi access point, but you likely buy a Wi-Fi router.

Why does buying a router instead of an access point cause a problem? At first it doesn’t seem like a problem. The router is plugged in and works for a while, and then everything starts to work. For a while, you and other connected devices can access the Internet, but if you take notice, the router causes duplicate IP addresses.

What happens is that by plugging a new router into the back of the ISP’s modem/Gateway, the network has been segmented and double NAT is introduced.

What happens is a layer of unnecessary equipment and complexity is added to the network. You should have bought a layer-2 Wi-Fi access point, which is a local area network device. If a Wi-Fi access point is connected to the newly acquired Ethernet switch and the switch connected to the ISP LAN port, you would transparently connect all the Wi-Fi devices to the LAN and then Internet.

Instead, by attaching a router, you place an unwanted lump between yourself and the Internet. To compound the problem, both routers are presently contesting each other to hand out DHCP IP addresses causing occasional IP conflicts due to duplicate IP addresses.

Learn more about TCP/IP and home networking with a course at

Consider the table below to visualize the problem.


The Ideal Topology & Configuration (this was what was envisaged)
InternetISP RouterHome LAN with Ethernet Switch/Access Point
<——–   NATDHCP —>—->


The Actual Topology with Double NAT Introduced
InternetISP RouterNew WiFi RouterHome LAN with Ethernet Switch/ AccessPoint
ßà (1)NAT(1)    DHCP –>(1)    F/W ßà<—->    (2) NAT —>(2)   DHCP —>(2)   F/W ßà—> double NAT  breaks remote access2 x DHCP address server, 2 pools2 x layer of firewalls
InternetPublic IPPrivate NAT Address for RouterNAT done again for Private address/Private address for LAN& DHCP conflicts


From the table above, the installation of the second Wi-Fi router that is plugged into the LAN port of the ISP router. The result is the router is given the private address from the ISP DHCP address range. Because it is a router and configured as such, it offers DHCP IP leases to its connected hosts on its own LAN. It provides NAT for private IP/private IP NAT translation totally unnecessarily.

The Solution

Before considering any potential solution there are certain restrictions;

  1. The ISP router password is unknown
  2. The ISP route cannot be switched out as the configuration for the ADSL WAN link is unknown
  3. Similarly, the DHCP on the ISP router cannot be changed as there is no access to the router

Potential Solution No 1

Then consider the next steps;

1)      Unplug the new Wi-Fi router from the LAN port on the ISP Gateway/ADSL modem

2)      Connect the Ethernet switch by an RG45 cable to the ISP router’s LAN port

3)      Connect the desktop, laptop etc and check DHCP and the Internet

4)      Connect a laptop directly to the Wi-Fi router and configure on admin port

5)      Enter the login password for new Wi-Fi router

6)      Switch of DHCP & Firewall

The next stage is to reduce the functionality of the new Wi-Fi router to a simple layer-2 device by switching off NAT, DHCP and configure layer-2 bridging.

7)      Switch off layer-3 routing

8)      Configure for layer-2 mode bridging (pass-through)

9)      Connect Wi-Fi router (access point now) to the Ethernet switch and power up

10)   Connect Wi-Fi devices to the new beacon

11)   Check the Internet through browser


The Proposed Solution with Double NAT, DHCP & F/W Removed
Internet    ISP RouterNew WiFi Router & Home LAN with Ethernet Switch—->  L-2 Bridge, switch off NAT, F/W & DHCP192.168.1.0/24—> Private LAN
<—— (1)NAT(1)    DHCP –>(1)    F/W
InternetPublic IP/Private


The final test is to try and connect through the ISP router/modem using the remote access application as now the double NAT is gone, as is the double DHCP and the twin firewalls.

Learn more about IP addressing, NAT and router configurations at