Double NAT. How can it be detected? (and why/how it should create issues?)
I have my airport mac thing complaining about double NAT.
My network looks fine indeed.
My question is a bit more on the security side:
How can a double NAT be detected?
In pricinple all devices should be network agnostic.
And even if, why it should be an issue?
For this last question I admit there might be some configuration issues if you
administer one of the double NAT.
networking router security nat airport
add a comment |
I have my airport mac thing complaining about double NAT.
My network looks fine indeed.
My question is a bit more on the security side:
How can a double NAT be detected?
In pricinple all devices should be network agnostic.
And even if, why it should be an issue?
For this last question I admit there might be some configuration issues if you
administer one of the double NAT.
networking router security nat airport
It is clear to me that if, at every NAT, we do filter some connections, ports, protocols, we get a degraded communication. But I would like to get first an answer to the main question. Then I would avoid answers that are like: it depends on your ISP. I think double NAT is not an issue, I want you to prove me wrong.
– mariotti
Jan 29 at 22:46
I have found a kinda related document: sflow.org/detectNAT
– mariotti
Jan 30 at 0:24
Some more random info: forums.whirlpool.net.au/archive/2542622
– mariotti
Jan 30 at 0:34
Are you talking about an AirPort base station, or AirPlay? They (and how they relate to NAT) are quite a bit different.
– Gordon Davisson
Jan 30 at 2:49
add a comment |
I have my airport mac thing complaining about double NAT.
My network looks fine indeed.
My question is a bit more on the security side:
How can a double NAT be detected?
In pricinple all devices should be network agnostic.
And even if, why it should be an issue?
For this last question I admit there might be some configuration issues if you
administer one of the double NAT.
networking router security nat airport
I have my airport mac thing complaining about double NAT.
My network looks fine indeed.
My question is a bit more on the security side:
How can a double NAT be detected?
In pricinple all devices should be network agnostic.
And even if, why it should be an issue?
For this last question I admit there might be some configuration issues if you
administer one of the double NAT.
networking router security nat airport
networking router security nat airport
edited Jan 29 at 23:14
mariotti
asked Jan 29 at 22:27
mariottimariotti
12
12
It is clear to me that if, at every NAT, we do filter some connections, ports, protocols, we get a degraded communication. But I would like to get first an answer to the main question. Then I would avoid answers that are like: it depends on your ISP. I think double NAT is not an issue, I want you to prove me wrong.
– mariotti
Jan 29 at 22:46
I have found a kinda related document: sflow.org/detectNAT
– mariotti
Jan 30 at 0:24
Some more random info: forums.whirlpool.net.au/archive/2542622
– mariotti
Jan 30 at 0:34
Are you talking about an AirPort base station, or AirPlay? They (and how they relate to NAT) are quite a bit different.
– Gordon Davisson
Jan 30 at 2:49
add a comment |
It is clear to me that if, at every NAT, we do filter some connections, ports, protocols, we get a degraded communication. But I would like to get first an answer to the main question. Then I would avoid answers that are like: it depends on your ISP. I think double NAT is not an issue, I want you to prove me wrong.
– mariotti
Jan 29 at 22:46
I have found a kinda related document: sflow.org/detectNAT
– mariotti
Jan 30 at 0:24
Some more random info: forums.whirlpool.net.au/archive/2542622
– mariotti
Jan 30 at 0:34
Are you talking about an AirPort base station, or AirPlay? They (and how they relate to NAT) are quite a bit different.
– Gordon Davisson
Jan 30 at 2:49
It is clear to me that if, at every NAT, we do filter some connections, ports, protocols, we get a degraded communication. But I would like to get first an answer to the main question. Then I would avoid answers that are like: it depends on your ISP. I think double NAT is not an issue, I want you to prove me wrong.
– mariotti
Jan 29 at 22:46
It is clear to me that if, at every NAT, we do filter some connections, ports, protocols, we get a degraded communication. But I would like to get first an answer to the main question. Then I would avoid answers that are like: it depends on your ISP. I think double NAT is not an issue, I want you to prove me wrong.
– mariotti
Jan 29 at 22:46
I have found a kinda related document: sflow.org/detectNAT
– mariotti
Jan 30 at 0:24
I have found a kinda related document: sflow.org/detectNAT
– mariotti
Jan 30 at 0:24
Some more random info: forums.whirlpool.net.au/archive/2542622
– mariotti
Jan 30 at 0:34
Some more random info: forums.whirlpool.net.au/archive/2542622
– mariotti
Jan 30 at 0:34
Are you talking about an AirPort base station, or AirPlay? They (and how they relate to NAT) are quite a bit different.
– Gordon Davisson
Jan 30 at 2:49
Are you talking about an AirPort base station, or AirPlay? They (and how they relate to NAT) are quite a bit different.
– Gordon Davisson
Jan 30 at 2:49
add a comment |
1 Answer
1
active
oldest
votes
'Tracert' (Trace Route) command will show if you have a double NAT. e.g. tracert 8.8.8.8. You will see more than one hop with a private IP address. Note that this assumes small office / home networks where every router applies NAT. Corporate networks may have more hops and you'd need to do more testing to figure out which hops apply NAT.
An example of something double NAT detectably breaks is UPnP (Universal Plug and Play) Port Forwarding. When a device on your network requests a temporary port forward rule from your router, it won't work right because the upstream router also needs to forward the port. The device will know something is wrong because the router replied that it granted to port open request, but the port still isn't open from the internet. The device can guess that you are in a double NAT situation.
You can also get IP address range overlaps in double NAT situation. It could be impossible for the inner and outer network to communicate with each other because they use the same IP ranges and are thus indistinguishable. Internet may still work on the inner network depending on how smart the inner router is.
The major reason double NAT is not desirable is devices in the outer network cannot initiate a connection to devices in the inner network. Actual routing (e.g. static routes) allows bidirectional communication.
Thanks! I mean it. But "traceroute" (I use the unix version) will show actually the trace. Making hypothesis on the network topology will not really detect a double NAT. I will have to match the results with the defined private network addresses. And make the assumption I am on a double NAT. I will wait for more answers.
– mariotti
Jan 29 at 23:22
I would keep uPnP out of this issue for the moment. Because somehow it assumes the first question is answered, And its protocol should assume we are exactly on the same network. So no wander if it does not work with NAT. The security restrictions of this protocol are a bit out of this question. But lets keep an eye open on the answers.
– mariotti
Jan 29 at 23:27
IP overlap should not happen. If every NAT is well configured.
– mariotti
Jan 29 at 23:30
The last paragraph: This might be a required feature. I do not want external things calling randomly my airCrap. And this is the start of my suspects. Why my AirPlay complains about double NAT?
– mariotti
Jan 29 at 23:35
Airplay seems to use Bonjour discovery protocol, which relies on multicast traffic. Do you have more than one Airplay on your network? Is your phone on the same network? They won't be able to find each other in a double-nat situtation.
– Andy
Jan 29 at 23:40
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1399853%2fdouble-nat-how-can-it-be-detected-and-why-how-it-should-create-issues%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
'Tracert' (Trace Route) command will show if you have a double NAT. e.g. tracert 8.8.8.8. You will see more than one hop with a private IP address. Note that this assumes small office / home networks where every router applies NAT. Corporate networks may have more hops and you'd need to do more testing to figure out which hops apply NAT.
An example of something double NAT detectably breaks is UPnP (Universal Plug and Play) Port Forwarding. When a device on your network requests a temporary port forward rule from your router, it won't work right because the upstream router also needs to forward the port. The device will know something is wrong because the router replied that it granted to port open request, but the port still isn't open from the internet. The device can guess that you are in a double NAT situation.
You can also get IP address range overlaps in double NAT situation. It could be impossible for the inner and outer network to communicate with each other because they use the same IP ranges and are thus indistinguishable. Internet may still work on the inner network depending on how smart the inner router is.
The major reason double NAT is not desirable is devices in the outer network cannot initiate a connection to devices in the inner network. Actual routing (e.g. static routes) allows bidirectional communication.
Thanks! I mean it. But "traceroute" (I use the unix version) will show actually the trace. Making hypothesis on the network topology will not really detect a double NAT. I will have to match the results with the defined private network addresses. And make the assumption I am on a double NAT. I will wait for more answers.
– mariotti
Jan 29 at 23:22
I would keep uPnP out of this issue for the moment. Because somehow it assumes the first question is answered, And its protocol should assume we are exactly on the same network. So no wander if it does not work with NAT. The security restrictions of this protocol are a bit out of this question. But lets keep an eye open on the answers.
– mariotti
Jan 29 at 23:27
IP overlap should not happen. If every NAT is well configured.
– mariotti
Jan 29 at 23:30
The last paragraph: This might be a required feature. I do not want external things calling randomly my airCrap. And this is the start of my suspects. Why my AirPlay complains about double NAT?
– mariotti
Jan 29 at 23:35
Airplay seems to use Bonjour discovery protocol, which relies on multicast traffic. Do you have more than one Airplay on your network? Is your phone on the same network? They won't be able to find each other in a double-nat situtation.
– Andy
Jan 29 at 23:40
add a comment |
'Tracert' (Trace Route) command will show if you have a double NAT. e.g. tracert 8.8.8.8. You will see more than one hop with a private IP address. Note that this assumes small office / home networks where every router applies NAT. Corporate networks may have more hops and you'd need to do more testing to figure out which hops apply NAT.
An example of something double NAT detectably breaks is UPnP (Universal Plug and Play) Port Forwarding. When a device on your network requests a temporary port forward rule from your router, it won't work right because the upstream router also needs to forward the port. The device will know something is wrong because the router replied that it granted to port open request, but the port still isn't open from the internet. The device can guess that you are in a double NAT situation.
You can also get IP address range overlaps in double NAT situation. It could be impossible for the inner and outer network to communicate with each other because they use the same IP ranges and are thus indistinguishable. Internet may still work on the inner network depending on how smart the inner router is.
The major reason double NAT is not desirable is devices in the outer network cannot initiate a connection to devices in the inner network. Actual routing (e.g. static routes) allows bidirectional communication.
Thanks! I mean it. But "traceroute" (I use the unix version) will show actually the trace. Making hypothesis on the network topology will not really detect a double NAT. I will have to match the results with the defined private network addresses. And make the assumption I am on a double NAT. I will wait for more answers.
– mariotti
Jan 29 at 23:22
I would keep uPnP out of this issue for the moment. Because somehow it assumes the first question is answered, And its protocol should assume we are exactly on the same network. So no wander if it does not work with NAT. The security restrictions of this protocol are a bit out of this question. But lets keep an eye open on the answers.
– mariotti
Jan 29 at 23:27
IP overlap should not happen. If every NAT is well configured.
– mariotti
Jan 29 at 23:30
The last paragraph: This might be a required feature. I do not want external things calling randomly my airCrap. And this is the start of my suspects. Why my AirPlay complains about double NAT?
– mariotti
Jan 29 at 23:35
Airplay seems to use Bonjour discovery protocol, which relies on multicast traffic. Do you have more than one Airplay on your network? Is your phone on the same network? They won't be able to find each other in a double-nat situtation.
– Andy
Jan 29 at 23:40
add a comment |
'Tracert' (Trace Route) command will show if you have a double NAT. e.g. tracert 8.8.8.8. You will see more than one hop with a private IP address. Note that this assumes small office / home networks where every router applies NAT. Corporate networks may have more hops and you'd need to do more testing to figure out which hops apply NAT.
An example of something double NAT detectably breaks is UPnP (Universal Plug and Play) Port Forwarding. When a device on your network requests a temporary port forward rule from your router, it won't work right because the upstream router also needs to forward the port. The device will know something is wrong because the router replied that it granted to port open request, but the port still isn't open from the internet. The device can guess that you are in a double NAT situation.
You can also get IP address range overlaps in double NAT situation. It could be impossible for the inner and outer network to communicate with each other because they use the same IP ranges and are thus indistinguishable. Internet may still work on the inner network depending on how smart the inner router is.
The major reason double NAT is not desirable is devices in the outer network cannot initiate a connection to devices in the inner network. Actual routing (e.g. static routes) allows bidirectional communication.
'Tracert' (Trace Route) command will show if you have a double NAT. e.g. tracert 8.8.8.8. You will see more than one hop with a private IP address. Note that this assumes small office / home networks where every router applies NAT. Corporate networks may have more hops and you'd need to do more testing to figure out which hops apply NAT.
An example of something double NAT detectably breaks is UPnP (Universal Plug and Play) Port Forwarding. When a device on your network requests a temporary port forward rule from your router, it won't work right because the upstream router also needs to forward the port. The device will know something is wrong because the router replied that it granted to port open request, but the port still isn't open from the internet. The device can guess that you are in a double NAT situation.
You can also get IP address range overlaps in double NAT situation. It could be impossible for the inner and outer network to communicate with each other because they use the same IP ranges and are thus indistinguishable. Internet may still work on the inner network depending on how smart the inner router is.
The major reason double NAT is not desirable is devices in the outer network cannot initiate a connection to devices in the inner network. Actual routing (e.g. static routes) allows bidirectional communication.
edited Jan 29 at 23:18
answered Jan 29 at 23:12
AndyAndy
973310
973310
Thanks! I mean it. But "traceroute" (I use the unix version) will show actually the trace. Making hypothesis on the network topology will not really detect a double NAT. I will have to match the results with the defined private network addresses. And make the assumption I am on a double NAT. I will wait for more answers.
– mariotti
Jan 29 at 23:22
I would keep uPnP out of this issue for the moment. Because somehow it assumes the first question is answered, And its protocol should assume we are exactly on the same network. So no wander if it does not work with NAT. The security restrictions of this protocol are a bit out of this question. But lets keep an eye open on the answers.
– mariotti
Jan 29 at 23:27
IP overlap should not happen. If every NAT is well configured.
– mariotti
Jan 29 at 23:30
The last paragraph: This might be a required feature. I do not want external things calling randomly my airCrap. And this is the start of my suspects. Why my AirPlay complains about double NAT?
– mariotti
Jan 29 at 23:35
Airplay seems to use Bonjour discovery protocol, which relies on multicast traffic. Do you have more than one Airplay on your network? Is your phone on the same network? They won't be able to find each other in a double-nat situtation.
– Andy
Jan 29 at 23:40
add a comment |
Thanks! I mean it. But "traceroute" (I use the unix version) will show actually the trace. Making hypothesis on the network topology will not really detect a double NAT. I will have to match the results with the defined private network addresses. And make the assumption I am on a double NAT. I will wait for more answers.
– mariotti
Jan 29 at 23:22
I would keep uPnP out of this issue for the moment. Because somehow it assumes the first question is answered, And its protocol should assume we are exactly on the same network. So no wander if it does not work with NAT. The security restrictions of this protocol are a bit out of this question. But lets keep an eye open on the answers.
– mariotti
Jan 29 at 23:27
IP overlap should not happen. If every NAT is well configured.
– mariotti
Jan 29 at 23:30
The last paragraph: This might be a required feature. I do not want external things calling randomly my airCrap. And this is the start of my suspects. Why my AirPlay complains about double NAT?
– mariotti
Jan 29 at 23:35
Airplay seems to use Bonjour discovery protocol, which relies on multicast traffic. Do you have more than one Airplay on your network? Is your phone on the same network? They won't be able to find each other in a double-nat situtation.
– Andy
Jan 29 at 23:40
Thanks! I mean it. But "traceroute" (I use the unix version) will show actually the trace. Making hypothesis on the network topology will not really detect a double NAT. I will have to match the results with the defined private network addresses. And make the assumption I am on a double NAT. I will wait for more answers.
– mariotti
Jan 29 at 23:22
Thanks! I mean it. But "traceroute" (I use the unix version) will show actually the trace. Making hypothesis on the network topology will not really detect a double NAT. I will have to match the results with the defined private network addresses. And make the assumption I am on a double NAT. I will wait for more answers.
– mariotti
Jan 29 at 23:22
I would keep uPnP out of this issue for the moment. Because somehow it assumes the first question is answered, And its protocol should assume we are exactly on the same network. So no wander if it does not work with NAT. The security restrictions of this protocol are a bit out of this question. But lets keep an eye open on the answers.
– mariotti
Jan 29 at 23:27
I would keep uPnP out of this issue for the moment. Because somehow it assumes the first question is answered, And its protocol should assume we are exactly on the same network. So no wander if it does not work with NAT. The security restrictions of this protocol are a bit out of this question. But lets keep an eye open on the answers.
– mariotti
Jan 29 at 23:27
IP overlap should not happen. If every NAT is well configured.
– mariotti
Jan 29 at 23:30
IP overlap should not happen. If every NAT is well configured.
– mariotti
Jan 29 at 23:30
The last paragraph: This might be a required feature. I do not want external things calling randomly my airCrap. And this is the start of my suspects. Why my AirPlay complains about double NAT?
– mariotti
Jan 29 at 23:35
The last paragraph: This might be a required feature. I do not want external things calling randomly my airCrap. And this is the start of my suspects. Why my AirPlay complains about double NAT?
– mariotti
Jan 29 at 23:35
Airplay seems to use Bonjour discovery protocol, which relies on multicast traffic. Do you have more than one Airplay on your network? Is your phone on the same network? They won't be able to find each other in a double-nat situtation.
– Andy
Jan 29 at 23:40
Airplay seems to use Bonjour discovery protocol, which relies on multicast traffic. Do you have more than one Airplay on your network? Is your phone on the same network? They won't be able to find each other in a double-nat situtation.
– Andy
Jan 29 at 23:40
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1399853%2fdouble-nat-how-can-it-be-detected-and-why-how-it-should-create-issues%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
It is clear to me that if, at every NAT, we do filter some connections, ports, protocols, we get a degraded communication. But I would like to get first an answer to the main question. Then I would avoid answers that are like: it depends on your ISP. I think double NAT is not an issue, I want you to prove me wrong.
– mariotti
Jan 29 at 22:46
I have found a kinda related document: sflow.org/detectNAT
– mariotti
Jan 30 at 0:24
Some more random info: forums.whirlpool.net.au/archive/2542622
– mariotti
Jan 30 at 0:34
Are you talking about an AirPort base station, or AirPlay? They (and how they relate to NAT) are quite a bit different.
– Gordon Davisson
Jan 30 at 2:49