Double Nat

A "double NAT" is typical when you have two or more NAT routers in series with each having NAT enabled. Normally, you would want the downstream router reconfigured as a bridge. If that is your 802.11ac AirPort Extreme that would be the device that would need to be reconfigured.

To do so you would use the AirPort Utility, as follows:

• Run the AirPort Utility.
• Select the AirPort Extreme, and then, select Edit.
• Select the Network tab.
• Change Router Mode to: Off (Bridge Mode)
• Select Update and allow the Extreme to restart.

This message might show up if , in between the internet and the Airport Extreme there is another router in place so that the Airport Extreme is using a private IP address on the wan port of the Extreme ( you can see this by using Airport Utility, going to Internet Tab and looking at Internet IPv4 Address) ...

(source http://en.wikipedia.org/wiki/Private_network )

private addresses are any of the following:

192.168.xxx.xxx where x is any digit 0-9

10.xxx.xxx.xxx

172.16.xxx.xxx

While the default of the Airport Extreme is to make a yellow status light and warning, sometimes this is a desirable thing ... and you might just want the light to stay green and only turn yellow if something else is wrong. To do this, in the Airport Utility, touch the Extreme device so that the information screen comes up where the edit button is. ( Don't push the edit button ) Click on the "Double NAT" message next to status ... and a pull down menu appears. You can click 'ignore' from here and your extreme light should go back to green.

Reasons you might want a private address on the Internet side are many - especially network security related reasons .

For example, one reason I have my extreme configured this way, is that I have a router device in between the internet and my airport extreme which I use to replace all DNS server requests being sent out from my network to go through the OpenDNS servers - forcing use of OpenDNS irrespective of what address the client computer might have configured for their DNS server. OpenDNS then provides both reporting and filtering these DNS requests to avoid things like advertisements , phishing , malware and ****. (This is a parental control function that the Extreme is lacking at the moment)

If this is not the case in your situation, than you may have to look into what settings you want for your Wan port on the airport extreme ... (for example setting to DHCP provided to you by your Internet Service Provider or using a static routable address that may have been provided to you by your ISP )

Tesserax,

You always have great advice, so I am hoping you can explain a little further. I changed ISP today and now have issues with my airport extreme (AE) and a double NAT error. I used to have a plain modem, the AE was the router, and life was good. Verizon made me switch to their modem/router Actiontec MI424WR, which puts my AE downline. Of course the AE set itself up as bridge mode.

The problem is I have 4 wireless IP cameras, which were very happy on the AE. I cannot get them to work with the new configuration. When in bridge mode, I can't get the port mapping to work. I have read conflicting things about the double NAT error (some say it is bad and other say it is not a problem). If I change the AE back to DHCP & NAT, which causes the double NAT error, am I setting myself up for problems?

I do not want the Actiontec wireless portion turned on; I just want the AE for the wireless. I had issues in the past with two different wireless routers causing network issues. I bought the AE because the other Internet things I have are Apple products. As they say, "it just works." I don't want to mess this up by having to add another point of failure to the network.

Any advice?

When in bridge mode, I can't get the port mapping to work.

That's correct as when any router is in bridge mode they are no longer providing basic routing functions. Primarily NAT & DHCP. Port forwarding/mapping is only effective when a router has NAT enabled.

That would mean you would need to configure the upstream router, your new Actiontec, for port mapping to the IP cameras.

If I change the AE back to DHCP & NAT, which causes the double NAT error, am I setting myself up for problems?

Potentially yes. If the AirPort has these feature enabled, you would effectively need to configure port mapping on both the Actiontec and the AirPort to reach the IP cameras. This both "messy" and not effecient. I would recommend against it.

I do not want the Actiontec wireless portion turned on; I just want the AE for the wireless.

If you are able to administer the Actiontec it may be possible to disable its wireless radios so that you can achieve your goal with just using the AirPort to provide your Wi-Fi network.

I changed ISP today and now have issues with my airport extreme (AE) and a double NAT error. I used to have a plain modem, the AE was the router, and life was good. Verizon made me switch to their modem/router Actiontec MI424WR, which puts my AE downline. Of course the AE set itself up as bridge mode.

In addition to th comments from Tesserax.....a few suggestions......

1) Ask Verizon if they can supply you with a simple modem.....like you had before with your previous ISP. That would be the simplest solution.

2) If that is not possible, then the next thing to ask Verizon is whether the Actiontec modem/router can be reconfigured to act as as simple modem. Not quite as simple as 1), but it achieves the same goal.

Note.....Simply turning off the wireless on the Verizon device does not make it a modem....it makes it a wired router, and you still have the NAT issues to deal with.

3) If 1) or 2) is not possible, check with Verizon to see if your installation type is one that might allow you to bypass the Verizon modem/router and not use it all. Even if this might be possible, the ISP is likely going to be very reluctant to talk about this, as you might imagine.

4) If none of the options above are possible, then you will need to set up the port forwarding / port mapping services on the Verizon modem/router and let the AirPort operate in the correct Bridge Mode setting.

If you do it this way, you could turn off the wireless on the Actiiontec device and have the AirPort provide the wireless service for your network.

If you just want to get your setup up and running while you sort out if you can swap out your hardware to avoid double nat, than this will work to have you up and running:

put your Extreme's WAN (internet) port's ip address into the DMZ on your ActionTec router.

This way, it will be wide open and you will only have to manage firewall rules on your Extreme, and not on your ActionTec

Follow the steps in the below link to have your ActionTec device create a DMZ ... and use the IP address that is configured on the Internet port of your Extreme modem:

http://www.verizon.com/support/residential/internet/fiosinternet/networking/setu p/gaming+devices/121134.htm

... now, your setup will work like it did in your old setup as far as rules are concerned ... and you can choose to either just ignore the DoubleNAT error following the steps i outlined above, or swap out hardware.

good luck

Thank you, everyone. I really appreciate the help.