6 Replies Latest reply: Dec 3, 2012 11:34 PM by Ivan H
fullpint1759 Level 1 (0 points)

Hello, I just upgraded my cable modem (Rogers D3). It comes with a built-in router but I plugged the Ethernet 1 port into the Time Capsule. The internet works fine (since I am typing this) but my Time Capsule is blinking yellow and when I open up AirPort Utility it says "double NAT".


Any thoughts?







  • LaPastenague Level 8 (46,065 points)

    Just bridge one or the other.. Cable modem depends on the brand and type but you can usually bridge or turn off NAT..


    In the TC go to connection sharing and select off bridge mode.


    Stick to one router in the network. The double NAT will not stop browsing but it messes up interactive connections.. and causes lots of strange issues.

  • Ivan H Level 1 (5 points)

    Double NAT used to be a problem.  The latest Time Capsule firmware 7.6.1 and AirPort Utility v6.1 have it resolved.


    1.     Open AirPort Utility v6.1 (from Mac), the Time Capsule should be blinking amber (yellow), according to your situation.


    2.     Double click on the Time Capsule, then on the status, you'll see Double NAT has a blinking amber dot.


    3.     Click the "Double NAT", you'll see "Ignore" and "Edit...".


    4.     Click "Ignore" and you'll see a check mark next to it.


    5.     Wait for a minute, then the blinking amber dot next to the "Status: double-NAT", as well as the indicator light of the Time Capsule, will turn to green.

  • LaPastenague Level 8 (46,065 points)

    Ignoring the problem doesn't make it go away.. sorry.. you have always been able to select ignore..


    The fact is using double NAT will kybosh most interactive connections.

  • Ivan H Level 1 (5 points)

    Not always.  I didn't see this option in the last version, to my memory.  Besides, double-NAT, is a necessity, not a problem in real world.  I would say in many situations, we need cascading-NAT, triple-NAT, or individualized-NAT.  The problem on Time Capsule was that Apple thought double-NAT is a network implementation mistake and thus dis-allowed it.  Now, Apple recognizes multiple-level-NAT is a demanding feature and thus gives an option for us to ignore the outdated design.


    Having said that, LaPastenague, you may still be right.  Time Capsule firmware 7.6.1 may only give a work-around to its double-NAT handling method, but it may not be a designer-feature.  So, there may still be problems on Time Capsule / AirPort Express / AirPort Extreme when double-NAT is encountered, e.g. slowness, disconnection, duplicate IP address, or unable to provide DHCP server, making NAT un-selectable.


    I talked to AppleCare Support a couple of minutes ago (Case 381133469) and they could not guarantee that, after double-NAT is ignored, the Time Capsule can provide DHCP as well.  The consultant said that in some hotels providing a single IP address to each hotel room, and that wall-socket, when Time Capsule is connected, will only allow a single device to go to Internet, i.e. only Bridge mode would be allowed.  He did not mention how it happened.

  • LaPastenague Level 8 (46,065 points)

    If you are forced to use double-nat.. then put the TC in the dmz of the first router.. otherwise any incoming packets.. that do not connect to outgoing.. which will happen all the time in double NAT.. can be connected. But it is always a poor substitute since you have doubled up NAT.. no upnp or apple equivalent NAT-PMP will work.. that means no ports can be opened automatically.. and most interactive internet connections will stop working.. upnp is vital aspect of today..


    The solution btw will be ipv6 where everyone is assigned a block of public IP addresses unlike the present situation with ipv4 where most of us have one public IP.. once IPv6 takes off. you will not need NAT.. that is what we need.
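A way to confirm the double-NAT condition discussed in this thread, given as an added example that is not part of any poster's reply: NAT-PMP (RFC 6886) lets a client ask its gateway for the gateway's external address, and if that address is itself private or carrier-grade NAT space, a second NAT sits upstream and any port mapping the inner gateway grants stops at the outer router. The packets below are constructed sample responses, and the function names are hypothetical.

```python
import ipaddress
import struct

# Address space that is not publicly routable. An "external" address inside
# one of these ranges means another NAT sits upstream of the gateway.
UPSTREAM_NAT_RANGES = {
    "RFC 1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "RFC 6598 carrier-grade NAT": ["100.64.0.0/10"],
}

def parse_external_address_response(packet: bytes) -> ipaddress.IPv4Address:
    """Parse a 12-byte NAT-PMP external-address response (RFC 6886, 3.2)."""
    if len(packet) != 12:
        raise ValueError("external-address response must be 12 bytes")
    # version, opcode, result code, seconds since epoch, external IPv4
    version, opcode, result, _epoch, addr = struct.unpack("!BBHI4s", packet)
    if version != 0 or opcode != 128:
        raise ValueError("not a NAT-PMP external-address response")
    if result != 0:
        raise ValueError(f"gateway returned result code {result}")
    return ipaddress.IPv4Address(addr)

def classify_wan_address(addr: ipaddress.IPv4Address):
    """Return the name of the non-public range holding addr, or None."""
    for label, nets in UPSTREAM_NAT_RANGES.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return label
    return None

def is_double_nat(packet: bytes) -> bool:
    """True when the gateway's own WAN address is behind another NAT."""
    return classify_wan_address(parse_external_address_response(packet)) is not None

def sample_response(ip: str, result: int = 0) -> bytes:
    """Build a constructed response packet for the demonstration below."""
    return struct.pack("!BBHI4s", 0, 128, result, 3600,
                       ipaddress.IPv4Address(ip).packed)

if __name__ == "__main__":
    # Constructed addresses: modem-router LAN, CGNAT, and a documentation IP
    for ip in ("192.168.0.10", "100.64.12.1", "203.0.113.7"):
        addr = parse_external_address_response(sample_response(ip))
        print(ip, "->", classify_wan_address(addr) or "public, single NAT")
```

A gateway that reports a public address here can still have its mappings blocked by a firewall, so this check only rules double NAT in, not reachability.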

  • Ivan H Level 1 (5 points)

    Yes, double-NAT has constraints.


    I don't think I can control where to put the TC because I don't have ownership of the upper level router.  In some situations, the technical support staff (hotline) can't tell if their router control is the top level.  e.g. their service is only a package deal of a larger service provider and under Cisco environment, many network configurations can happen out of imagination.


    I have hesitation to allow ports opened automatically.


    I am not persuaded that ipv6 will resolve the issue.  The whole spectrum of ipv6 is just not enough to identify the stars, not to mention their planets.  When the vision is looked further, there will always be limitation of the current design.