Double NAT. How can it be detected? (and why/how it should create issues?)












0















I have my airport mac thing complaining about double NAT.



My network looks fine indeed.



My question is a bit more on the security side:



How can a double NAT be detected?



In pricinple all devices should be network agnostic.



And even if, why it should be an issue?
For this last question I admit there might be some configuration issues if you
administer one of the double NAT.










share|improve this question

























  • It is clear to me that if, at every NAT, we do filter some connections, ports, protocols, we get a degraded communication. But I would like to get first an answer to the main question. Then I would avoid answers that are like: it depends on your ISP. I think double NAT is not an issue, I want you to prove me wrong.

    – mariotti
    Jan 29 at 22:46











  • I have found a kinda related document: sflow.org/detectNAT

    – mariotti
    Jan 30 at 0:24











  • Some more random info: forums.whirlpool.net.au/archive/2542622

    – mariotti
    Jan 30 at 0:34











  • Are you talking about an AirPort base station, or AirPlay? They (and how they relate to NAT) are quite a bit different.

    – Gordon Davisson
    Jan 30 at 2:49
















0















I have my airport mac thing complaining about double NAT.



My network looks fine indeed.



My question is a bit more on the security side:



How can a double NAT be detected?



In pricinple all devices should be network agnostic.



And even if, why it should be an issue?
For this last question I admit there might be some configuration issues if you
administer one of the double NAT.










share|improve this question

























  • It is clear to me that if, at every NAT, we do filter some connections, ports, protocols, we get a degraded communication. But I would like to get first an answer to the main question. Then I would avoid answers that are like: it depends on your ISP. I think double NAT is not an issue, I want you to prove me wrong.

    – mariotti
    Jan 29 at 22:46











  • I have found a kinda related document: sflow.org/detectNAT

    – mariotti
    Jan 30 at 0:24











  • Some more random info: forums.whirlpool.net.au/archive/2542622

    – mariotti
    Jan 30 at 0:34











  • Are you talking about an AirPort base station, or AirPlay? They (and how they relate to NAT) are quite a bit different.

    – Gordon Davisson
    Jan 30 at 2:49














0












0








0








I have my airport mac thing complaining about double NAT.



My network looks fine indeed.



My question is a bit more on the security side:



How can a double NAT be detected?



In pricinple all devices should be network agnostic.



And even if, why it should be an issue?
For this last question I admit there might be some configuration issues if you
administer one of the double NAT.










share|improve this question
















I have my airport mac thing complaining about double NAT.



My network looks fine indeed.



My question is a bit more on the security side:



How can a double NAT be detected?



In pricinple all devices should be network agnostic.



And even if, why it should be an issue?
For this last question I admit there might be some configuration issues if you
administer one of the double NAT.







networking router security nat airport






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Jan 29 at 23:14







mariotti

















asked Jan 29 at 22:27









mariottimariotti

12




12













  • It is clear to me that if, at every NAT, we do filter some connections, ports, protocols, we get a degraded communication. But I would like to get first an answer to the main question. Then I would avoid answers that are like: it depends on your ISP. I think double NAT is not an issue, I want you to prove me wrong.

    – mariotti
    Jan 29 at 22:46











  • I have found a kinda related document: sflow.org/detectNAT

    – mariotti
    Jan 30 at 0:24











  • Some more random info: forums.whirlpool.net.au/archive/2542622

    – mariotti
    Jan 30 at 0:34











  • Are you talking about an AirPort base station, or AirPlay? They (and how they relate to NAT) are quite a bit different.

    – Gordon Davisson
    Jan 30 at 2:49



















  • It is clear to me that if, at every NAT, we do filter some connections, ports, protocols, we get a degraded communication. But I would like to get first an answer to the main question. Then I would avoid answers that are like: it depends on your ISP. I think double NAT is not an issue, I want you to prove me wrong.

    – mariotti
    Jan 29 at 22:46











  • I have found a kinda related document: sflow.org/detectNAT

    – mariotti
    Jan 30 at 0:24











  • Some more random info: forums.whirlpool.net.au/archive/2542622

    – mariotti
    Jan 30 at 0:34











  • Are you talking about an AirPort base station, or AirPlay? They (and how they relate to NAT) are quite a bit different.

    – Gordon Davisson
    Jan 30 at 2:49

















It is clear to me that if, at every NAT, we do filter some connections, ports, protocols, we get a degraded communication. But I would like to get first an answer to the main question. Then I would avoid answers that are like: it depends on your ISP. I think double NAT is not an issue, I want you to prove me wrong.

– mariotti
Jan 29 at 22:46





It is clear to me that if, at every NAT, we do filter some connections, ports, protocols, we get a degraded communication. But I would like to get first an answer to the main question. Then I would avoid answers that are like: it depends on your ISP. I think double NAT is not an issue, I want you to prove me wrong.

– mariotti
Jan 29 at 22:46













I have found a kinda related document: sflow.org/detectNAT

– mariotti
Jan 30 at 0:24





I have found a kinda related document: sflow.org/detectNAT

– mariotti
Jan 30 at 0:24













Some more random info: forums.whirlpool.net.au/archive/2542622

– mariotti
Jan 30 at 0:34





Some more random info: forums.whirlpool.net.au/archive/2542622

– mariotti
Jan 30 at 0:34













Are you talking about an AirPort base station, or AirPlay? They (and how they relate to NAT) are quite a bit different.

– Gordon Davisson
Jan 30 at 2:49





Are you talking about an AirPort base station, or AirPlay? They (and how they relate to NAT) are quite a bit different.

– Gordon Davisson
Jan 30 at 2:49










1 Answer
1






active

oldest

votes


















0














'Tracert' (Trace Route) command will show if you have a double NAT. e.g. tracert 8.8.8.8. You will see more than one hop with a private IP address. Note that this assumes small office / home networks where every router applies NAT. Corporate networks may have more hops and you'd need to do more testing to figure out which hops apply NAT.



An example of something double NAT detectably breaks is UPnP (Universal Plug and Play) Port Forwarding. When a device on your network requests a temporary port forward rule from your router, it won't work right because the upstream router also needs to forward the port. The device will know something is wrong because the router replied that it granted to port open request, but the port still isn't open from the internet. The device can guess that you are in a double NAT situation.



You can also get IP address range overlaps in double NAT situation. It could be impossible for the inner and outer network to communicate with each other because they use the same IP ranges and are thus indistinguishable. Internet may still work on the inner network depending on how smart the inner router is.



The major reason double NAT is not desirable is devices in the outer network cannot initiate a connection to devices in the inner network. Actual routing (e.g. static routes) allows bidirectional communication.






share|improve this answer


























  • Thanks! I mean it. But "traceroute" (I use the unix version) will show actually the trace. Making hypothesis on the network topology will not really detect a double NAT. I will have to match the results with the defined private network addresses. And make the assumption I am on a double NAT. I will wait for more answers.

    – mariotti
    Jan 29 at 23:22











  • I would keep uPnP out of this issue for the moment. Because somehow it assumes the first question is answered, And its protocol should assume we are exactly on the same network. So no wander if it does not work with NAT. The security restrictions of this protocol are a bit out of this question. But lets keep an eye open on the answers.

    – mariotti
    Jan 29 at 23:27











  • IP overlap should not happen. If every NAT is well configured.

    – mariotti
    Jan 29 at 23:30











  • The last paragraph: This might be a required feature. I do not want external things calling randomly my airCrap. And this is the start of my suspects. Why my AirPlay complains about double NAT?

    – mariotti
    Jan 29 at 23:35











  • Airplay seems to use Bonjour discovery protocol, which relies on multicast traffic. Do you have more than one Airplay on your network? Is your phone on the same network? They won't be able to find each other in a double-nat situtation.

    – Andy
    Jan 29 at 23:40













Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1399853%2fdouble-nat-how-can-it-be-detected-and-why-how-it-should-create-issues%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














'Tracert' (Trace Route) command will show if you have a double NAT. e.g. tracert 8.8.8.8. You will see more than one hop with a private IP address. Note that this assumes small office / home networks where every router applies NAT. Corporate networks may have more hops and you'd need to do more testing to figure out which hops apply NAT.



An example of something double NAT detectably breaks is UPnP (Universal Plug and Play) Port Forwarding. When a device on your network requests a temporary port forward rule from your router, it won't work right because the upstream router also needs to forward the port. The device will know something is wrong because the router replied that it granted to port open request, but the port still isn't open from the internet. The device can guess that you are in a double NAT situation.



You can also get IP address range overlaps in double NAT situation. It could be impossible for the inner and outer network to communicate with each other because they use the same IP ranges and are thus indistinguishable. Internet may still work on the inner network depending on how smart the inner router is.



The major reason double NAT is not desirable is devices in the outer network cannot initiate a connection to devices in the inner network. Actual routing (e.g. static routes) allows bidirectional communication.






share|improve this answer


























  • Thanks! I mean it. But "traceroute" (I use the unix version) will show actually the trace. Making hypothesis on the network topology will not really detect a double NAT. I will have to match the results with the defined private network addresses. And make the assumption I am on a double NAT. I will wait for more answers.

    – mariotti
    Jan 29 at 23:22











  • I would keep uPnP out of this issue for the moment. Because somehow it assumes the first question is answered, And its protocol should assume we are exactly on the same network. So no wander if it does not work with NAT. The security restrictions of this protocol are a bit out of this question. But lets keep an eye open on the answers.

    – mariotti
    Jan 29 at 23:27











  • IP overlap should not happen. If every NAT is well configured.

    – mariotti
    Jan 29 at 23:30











  • The last paragraph: This might be a required feature. I do not want external things calling randomly my airCrap. And this is the start of my suspects. Why my AirPlay complains about double NAT?

    – mariotti
    Jan 29 at 23:35











  • Airplay seems to use Bonjour discovery protocol, which relies on multicast traffic. Do you have more than one Airplay on your network? Is your phone on the same network? They won't be able to find each other in a double-nat situtation.

    – Andy
    Jan 29 at 23:40


















0














'Tracert' (Trace Route) command will show if you have a double NAT. e.g. tracert 8.8.8.8. You will see more than one hop with a private IP address. Note that this assumes small office / home networks where every router applies NAT. Corporate networks may have more hops and you'd need to do more testing to figure out which hops apply NAT.



An example of something double NAT detectably breaks is UPnP (Universal Plug and Play) Port Forwarding. When a device on your network requests a temporary port forward rule from your router, it won't work right because the upstream router also needs to forward the port. The device will know something is wrong because the router replied that it granted to port open request, but the port still isn't open from the internet. The device can guess that you are in a double NAT situation.



You can also get IP address range overlaps in double NAT situation. It could be impossible for the inner and outer network to communicate with each other because they use the same IP ranges and are thus indistinguishable. Internet may still work on the inner network depending on how smart the inner router is.



The major reason double NAT is not desirable is devices in the outer network cannot initiate a connection to devices in the inner network. Actual routing (e.g. static routes) allows bidirectional communication.






share|improve this answer


























  • Thanks! I mean it. But "traceroute" (I use the unix version) will show actually the trace. Making hypothesis on the network topology will not really detect a double NAT. I will have to match the results with the defined private network addresses. And make the assumption I am on a double NAT. I will wait for more answers.

    – mariotti
    Jan 29 at 23:22











  • I would keep uPnP out of this issue for the moment. Because somehow it assumes the first question is answered, And its protocol should assume we are exactly on the same network. So no wander if it does not work with NAT. The security restrictions of this protocol are a bit out of this question. But lets keep an eye open on the answers.

    – mariotti
    Jan 29 at 23:27











  • IP overlap should not happen. If every NAT is well configured.

    – mariotti
    Jan 29 at 23:30











  • The last paragraph: This might be a required feature. I do not want external things calling randomly my airCrap. And this is the start of my suspects. Why my AirPlay complains about double NAT?

    – mariotti
    Jan 29 at 23:35











  • Airplay seems to use Bonjour discovery protocol, which relies on multicast traffic. Do you have more than one Airplay on your network? Is your phone on the same network? They won't be able to find each other in a double-nat situtation.

    – Andy
    Jan 29 at 23:40
















0












0








0







'Tracert' (Trace Route) command will show if you have a double NAT. e.g. tracert 8.8.8.8. You will see more than one hop with a private IP address. Note that this assumes small office / home networks where every router applies NAT. Corporate networks may have more hops and you'd need to do more testing to figure out which hops apply NAT.



An example of something double NAT detectably breaks is UPnP (Universal Plug and Play) Port Forwarding. When a device on your network requests a temporary port forward rule from your router, it won't work right because the upstream router also needs to forward the port. The device will know something is wrong because the router replied that it granted to port open request, but the port still isn't open from the internet. The device can guess that you are in a double NAT situation.



You can also get IP address range overlaps in double NAT situation. It could be impossible for the inner and outer network to communicate with each other because they use the same IP ranges and are thus indistinguishable. Internet may still work on the inner network depending on how smart the inner router is.



The major reason double NAT is not desirable is devices in the outer network cannot initiate a connection to devices in the inner network. Actual routing (e.g. static routes) allows bidirectional communication.






share|improve this answer















'Tracert' (Trace Route) command will show if you have a double NAT. e.g. tracert 8.8.8.8. You will see more than one hop with a private IP address. Note that this assumes small office / home networks where every router applies NAT. Corporate networks may have more hops and you'd need to do more testing to figure out which hops apply NAT.



An example of something double NAT detectably breaks is UPnP (Universal Plug and Play) Port Forwarding. When a device on your network requests a temporary port forward rule from your router, it won't work right because the upstream router also needs to forward the port. The device will know something is wrong because the router replied that it granted to port open request, but the port still isn't open from the internet. The device can guess that you are in a double NAT situation.



You can also get IP address range overlaps in double NAT situation. It could be impossible for the inner and outer network to communicate with each other because they use the same IP ranges and are thus indistinguishable. Internet may still work on the inner network depending on how smart the inner router is.



The major reason double NAT is not desirable is devices in the outer network cannot initiate a connection to devices in the inner network. Actual routing (e.g. static routes) allows bidirectional communication.







share|improve this answer














share|improve this answer



share|improve this answer








edited Jan 29 at 23:18

























answered Jan 29 at 23:12









AndyAndy

973310




973310













  • Thanks! I mean it. But "traceroute" (I use the unix version) will show actually the trace. Making hypothesis on the network topology will not really detect a double NAT. I will have to match the results with the defined private network addresses. And make the assumption I am on a double NAT. I will wait for more answers.

    – mariotti
    Jan 29 at 23:22











  • I would keep uPnP out of this issue for the moment. Because somehow it assumes the first question is answered, And its protocol should assume we are exactly on the same network. So no wander if it does not work with NAT. The security restrictions of this protocol are a bit out of this question. But lets keep an eye open on the answers.

    – mariotti
    Jan 29 at 23:27











  • IP overlap should not happen. If every NAT is well configured.

    – mariotti
    Jan 29 at 23:30











  • The last paragraph: This might be a required feature. I do not want external things calling randomly my airCrap. And this is the start of my suspects. Why my AirPlay complains about double NAT?

    – mariotti
    Jan 29 at 23:35











  • Airplay seems to use Bonjour discovery protocol, which relies on multicast traffic. Do you have more than one Airplay on your network? Is your phone on the same network? They won't be able to find each other in a double-nat situtation.

    – Andy
    Jan 29 at 23:40





















  • Thanks! I mean it. But "traceroute" (I use the unix version) will show actually the trace. Making hypothesis on the network topology will not really detect a double NAT. I will have to match the results with the defined private network addresses. And make the assumption I am on a double NAT. I will wait for more answers.

    – mariotti
    Jan 29 at 23:22











  • I would keep uPnP out of this issue for the moment. Because somehow it assumes the first question is answered, And its protocol should assume we are exactly on the same network. So no wander if it does not work with NAT. The security restrictions of this protocol are a bit out of this question. But lets keep an eye open on the answers.

    – mariotti
    Jan 29 at 23:27











  • IP overlap should not happen. If every NAT is well configured.

    – mariotti
    Jan 29 at 23:30











  • The last paragraph: This might be a required feature. I do not want external things calling randomly my airCrap. And this is the start of my suspects. Why my AirPlay complains about double NAT?

    – mariotti
    Jan 29 at 23:35











  • Airplay seems to use Bonjour discovery protocol, which relies on multicast traffic. Do you have more than one Airplay on your network? Is your phone on the same network? They won't be able to find each other in a double-nat situtation.

    – Andy
    Jan 29 at 23:40



















Thanks! I mean it. But "traceroute" (I use the unix version) will show actually the trace. Making hypothesis on the network topology will not really detect a double NAT. I will have to match the results with the defined private network addresses. And make the assumption I am on a double NAT. I will wait for more answers.

– mariotti
Jan 29 at 23:22





Thanks! I mean it. But "traceroute" (I use the unix version) will show actually the trace. Making hypothesis on the network topology will not really detect a double NAT. I will have to match the results with the defined private network addresses. And make the assumption I am on a double NAT. I will wait for more answers.

– mariotti
Jan 29 at 23:22













I would keep uPnP out of this issue for the moment. Because somehow it assumes the first question is answered, And its protocol should assume we are exactly on the same network. So no wander if it does not work with NAT. The security restrictions of this protocol are a bit out of this question. But lets keep an eye open on the answers.

– mariotti
Jan 29 at 23:27





I would keep uPnP out of this issue for the moment. Because somehow it assumes the first question is answered, And its protocol should assume we are exactly on the same network. So no wander if it does not work with NAT. The security restrictions of this protocol are a bit out of this question. But lets keep an eye open on the answers.

– mariotti
Jan 29 at 23:27













IP overlap should not happen. If every NAT is well configured.

– mariotti
Jan 29 at 23:30





IP overlap should not happen. If every NAT is well configured.

– mariotti
Jan 29 at 23:30













The last paragraph: This might be a required feature. I do not want external things calling randomly my airCrap. And this is the start of my suspects. Why my AirPlay complains about double NAT?

– mariotti
Jan 29 at 23:35





The last paragraph: This might be a required feature. I do not want external things calling randomly my airCrap. And this is the start of my suspects. Why my AirPlay complains about double NAT?

– mariotti
Jan 29 at 23:35













Airplay seems to use Bonjour discovery protocol, which relies on multicast traffic. Do you have more than one Airplay on your network? Is your phone on the same network? They won't be able to find each other in a double-nat situtation.

– Andy
Jan 29 at 23:40







Airplay seems to use Bonjour discovery protocol, which relies on multicast traffic. Do you have more than one Airplay on your network? Is your phone on the same network? They won't be able to find each other in a double-nat situtation.

– Andy
Jan 29 at 23:40




















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1399853%2fdouble-nat-how-can-it-be-detected-and-why-how-it-should-create-issues%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Probability when a professor distributes a quiz and homework assignment to a class of n students.

Aardman Animations

Are they similar matrix