Setting up NAT on Airport Extreme

My Airport Extreme is set up in DHCP + NAT mode. It is distributing IP addresses on my LAN in the 10.0.x.x range. It is connected to the internet via an ADSL modem. This modem performs the necessary NAT functions for the networks to connect.

The AirPort is providing NAT service...and....you say that the modem provides NAT service as well. What you have described is a network error known as Double NAT, since you only want one device on a network providing NAT service.

You can often get away with Double NAT on a simple home network, but it is best to avoid the error if possible.

Soon I'm changing to a different ISP and will connect to the internet via cable. The modem/router that will be provided is distributing IP addresses in the 192.168.x.x. range. This modem is hardly configurable, e.g. the distributed IP address range cannot be changed.

Now things will be even more complicated. The AirPort Extreme is providing DHCP and NAT. So too, will the modem router be providing DHCP and NAT. In addition to a Double NAT condition, you will have two devices both providing DHCP services. In effect, you will have two devices both trying to perform routing services on a network. You only want one device to provide routing services on a network.

It is possible to put this modem/router in Bridge Mode.

I would like to keep my LAN set up in the 10.0.x.x IP address range. My solution would be to put the new modem/router in Bridge Mode and let the Airport Extreme provide the necessary NAT.

Good plan, if "bridge mode" on the modem/router will really convert the device to act as a simple modem. That would be something that you need to find out from your ISP or the modem/router manufacturer.

In "bridge mode", DHCP and NAT are turned off.

Things would be much simpler and much better if your ISP could simply provide you with a simple modem....Not a modem/router.

Does anyone know how to set up the NAT portion of an Airport Extreme for this particular situation?

If the AirPort Extreme is doing DHCP and NAT as you state, then you are all set. No adjustments will be needed.

The Airport Extreme will be connected to the WAN side via an IP address in the 192.168.x.x range

No, this is not correct. A 192.168.x.x address is a "private" LAN side IP address. When you configure the modem/router correctly in bridge mode to act as a simple modem, the WAN port on the AirPort Extreme will receive a "public" IP address, which is what you want.

Remember, in "bridge mode", DHCP and NAT are turned off, so your "modem/router" will not be providing DHCP or NAT services at all.

The public IP address is dynamic....unless your ISP provides you with a "static" IP address. The public IP address could be virtually anything.....but it will never be 192.168.x.x or 10.0.x.x

while the DHCP part of the Airport Extreme needs to distribute IP addresses to the LAN in the 10.0.x.x. range.

Since you have the AirPort Extreme configured to provide DHCP and NAT, and the default setting for the AirPort is to use the 10.0.x.x range, devices on your "private" network will always receive an IP address in the 10.0.x.x range.

Do I need to do anything with the Airport Utility > Network > Network Options... settings, i.e. the check box at Enable NAT Port Mapping Protocol and the checkbox and entry atEnable default host at ?

No

Do you know the make and model of the modem/router that your ISP will be providing?

Unfortunately, "Bridge Mode" can mean different things to different manufacturers. So, unless you are very lucky, expect some challenges with bridge mode on the modem/router.

Ultimately, if it is not possible to configure the modem/router as a true simple modem, then the AirPort Extreme is the device that will need to be configured to operate in bridge mode.

Do the check boxes need to be checked or not?

Not unless you need to enable Port Mapping and/or a Default Host.

It does not hurt to enter a check mark next to Enable Port Mapping Protocol, but it won't help either. Leave the Default Host area blank unless you need to set up a Default Host, which other manufacturers call a DMZ.

Apparently, there is a choice of models that the installation guy will bring. I'll discuss it upon installation and pick the most applicable one.

Since you have the make and model numbers handy, it would be a good idea to download the Setup Guide or Installation Manual for your "short list" and try to find out whether one of them talks about conversion to simple bridge mode modem operation. The fact that a modem/router might be able to turn off DHCP and NAT does not necessarily make it function as simple modem.

Next, you'll want to confirm with the ISP that things will be supported if you modify the modem/router.....before....you try to reconfigure the device. You may be told by your ISP that they do not offer support that type of installation, so there will be no help in the event of Internet connection problems.

A simple modem....if the ISP will support it......will just make life tons easier, since you won't have to fool with trying to reconfigure a device that was probably never designed to function just as a modem.

I guess if worse comes to worse, you could think about running a Double NAT setup with two routers, but normally you would want to avoid this if possible, since Double NAT can be unpredictable on a network. And, if you plan to add an online gaming console, or need to set up port mapping for other devices, Double NAT will basically destroy things.

Good luck, let us know how things turn out.

All works fine. I get only one (expected) warning: Double NAT. But I think I can safely disregard that. Or should I switch the Airport Extreme's Router Mode to DHCP? I can't find anything in the Cisco setup related to NAT.

The DHCP "only" mode on the AirPort was intended to be used where your ISP has provided you with multiple Public IP addresses that you want to distribute to clients on the local network. This mode would not be what you would want to use in this configuration.

I'm surprised that the Cisco was not more versatile from an Administrator's perspective as all of the ones I have dealt with are quite accomodating. Maybe it is because your ISP has restricted any customer administration for the devices that they provide.

All works fine. I get only one (expected) warning: Double NAT. But I think I can safely disregard that.

Well, if all works fine, then maybe you can disregard the Double NAT warning and get away with it.

But, if you try to connect an online gaming console or configure port mapping on the AirPort, then things will not work correctly with a Double NAT error on the network.

I am not familiar with the particular Cisco model that you have, but if it is really a gateway as described, then it is providing DHCP and NAT services for the network. If that is the case, and you find that the Double NAT error is creating some problems on the network, then you can solve the Double NAT issue by setting up the AirPort Extreme to operate in Bridge Mode.

This thread is the one of the Most helpful I've ever run across in Apple discussions forums. The initial and follow-up questions were detailed and clear, and the answers were also. Thank you to both the OP and those who provided such clear answers with explanations as to the "why"! If only Apple "help" articles were as good!