What’s the single quickest way to tell if I have double NAT?

Look at your router’s WAN IP and compare it to your visible public address; if the WAN is private/100.64.0.0–100.127.255.255 or doesn’t match your egress, you’ve likely got another translator upstream—check your public address with a fast What Is My IP Address page, then match it.

Does bridge or passthrough mode turn off the ISP box’s Wi-Fi and firewall?

Yes; those modes hand the public IP to your router and disable routing features on the gateway, so plan for Wi-Fi to move to your own gear and re-create forwards/UPnP there.

If I’m stuck on CGNAT, is port forwarding possible at all?

Not on IPv4 from your home router, because it doesn’t hold the public address; ask the ISP for a public/static IPv4 or use tunnels/relays, and enable IPv6 after a quick IPv6 Test to see if dual-stack helps your use case.

Is a DMZ/exposed host as good as real bridge mode?

It’s a solid workaround that forwards all unsolicited ports to your downstream router, restoring most gaming and inbound use, but an upstream NAT layer still exists so it’s not as clean as bridging.

How does WebRTC help me diagnose NAT layering?

WebRTC’s STUN call reveals your reflexive public address; if that differs from your router’s WAN, you’ve got translation upstream—run a quick WebRTC Leak Test to confirm.

Can traceroute alone prove double NAT?

No; private addresses can appear as intermediate hops even when your WAN is public, so treat traceroute as a hint and always check the WAN IP against your visible public address.

What’s the safest way to use UPnP in this setup?

Keep UPnP enabled only on the one true router and disable it everywhere else; audit its active mappings after you consolidate to a single NAT.

How do I verify the fix worked?

Your router shows a public WAN or delegated IPv6, consoles no longer warn about double NAT, and an outside test can reach a temporary forwarded service from cellular.

Double NAT Problems: How to Detect and Fix Them Quickly

Double NAT happens when two routers in the same path both perform network address translation, which breaks direct inbound reachability and makes peer-to-peer flows unreliable; you’ll feel it as “Strict/Moderate NAT” in games, flaky VPNs, and smart devices that won’t talk from outside. The fastest fix is to pick one device to route and make the other behave like a bridge or access point; when the upstream is carrier-grade NAT, you usually need your provider to assign a public IPv4 or lean on IPv6 where supported.

NAT itself is fine at the edge: it maps private addresses to a public one so multiple devices can share connectivity. Problems start when translation happens twice, because stateful firewalls and port mappings now live in two places and often disagree on timeouts or address/port reuse, especially with symmetric NATs common upstream.

How to Detect Double NAT Correctly

Check your router’s WAN/Internet IP first; if it’s in private space (10.0.0.0/8, 172.16.0.0–172.31.255.255, 192.168.0.0/16) you’re behind another NAT, and if it’s in 100.64.0.0/10 you’re in carrier-grade NAT (CGNAT). Those ranges are reserved for non-public use, which explains why inbound IPv4 fails until you remove a NAT layer or get a public IP.

Compare that WAN IP to the egress address seen from the public internet; if they don’t match, something upstream is translating (CGNAT or a provider gateway in router mode). Mismatch is a strong signal but not absolute proof—intermediate routers may reply from private addresses, so treat traceroute as a hint and weigh it together with your WAN IP check.

On consoles, an Xbox may show “Double NAT detected” when it sees two translators; even without that banner, “Strict/Moderate NAT” usually indicates restricted inbound reachability through upstream NAT.

Why Double NAT Breaks Games, VPNs, and Smart Devices

Peer-to-peer games and voice/video rely on predictable NAT hole-punching; two layers, particularly a symmetric upstream NAT, make those mappings fail or expire. Site-to-site IPSec struggles when an extra NAT tampers with embedded addresses. Smart cameras often use outbound relays, but local discovery and hairpin traffic get messy across two separate subnets and firewalls. These aren’t speed problems—they’re reachability and state problems.

Clean Fixes: Reduce to One Router

Your guiding principle is simple: one routing domain, one NAT, one DHCP server. Decide which device should be the edge router and convert every other routing-capable device into a simple bridge or access point so clients land on a single subnet with a single default gateway.

Put the ISP Gateway in Bridge/Passthrough

If your provider’s modem/router supports “Bridge,” “IP Passthrough,” or “DMZplus,” enable it so your own router receives the public IP and does all NAT/firewall duties; expect Wi-Fi and DHCP on the ISP unit to disable in this mode, and power-cycle both boxes so the lease cleanly moves.

Or Demote Your Router to Access Point

Prefer your provider gateway instead? Switch your downstream router or mesh to access point mode, which disables its NAT/DHCP and routes traffic through the upstream router while keeping Wi-Fi and switching. Connect LAN-to-LAN, not LAN-to-WAN, and leave only one DHCP server on the network.

Use a DMZ/Exposed Host When You Can’t Bridge

If true bridging isn’t available, set the ISP gateway’s DMZ/Exposed Host to the WAN IP of your downstream router; that forwards all unsolicited inbound ports to it and usually restores gaming and inbound services, though a NAT layer still exists upstream. Reserve the DMZ target’s address so it doesn’t change and disable Wi-Fi on the gateway to keep clients on one subnet.

Eliminate Hidden DHCP and NAT

Ensure only one box is handing out addresses. On any device you demote to access point, disable DHCP completely. If the network still fragments, look for secondary NAT features like guest SSIDs, parental controls, or “security” modes that silently create separate subnets.

Special Case: CGNAT Upstream

With CGNAT, your WAN lives in 100.64.0.0/10 and you share a public IPv4 with other customers; traditional port forwarding can’t work because the rule has to live on the device that holds the public address—your ISP’s translator—not your router. Remedies include requesting a public/static IPv4, using a provider plan that opts you out of CGNAT, or tunneling via a relay. Dual-stacking with IPv6 often helps for services that accept IPv6 peers.

IPv6 Can Bypass the Translation Problem

IPv6 assigns globally routable addresses end-to-end and does not require NAT; a stateful firewall protects inbound just as with IPv4. If your ISP delegates IPv6, enable it on the router and clients so compatible apps/games can connect directly even if IPv4 sits behind CGNAT.

Step-by-Step Playbooks

Pick the scenario that matches your setup and follow the steps exactly; the goal in every case is to make one device the authoritative router and to verify that clients obtain addresses and a default route from that device only.

ISP Gateway + Your Router (You Want Your Router to Route)

1) Log into the ISP gateway and enable bridge/IP passthrough; 2) Reboot gateway, then your router; 3) Confirm your router’s WAN shows a public IPv4 or delegated IPv6; 4) Re-create port forwards/UPnP only on your router; 5) Verify from an outside network that inbound reaches your test host.

Mesh Behind an Existing Router (You Want the ISP Router to Route)

1) Switch the mesh to access point/bridge mode in its app or web UI; 2) Move the uplink from mesh WAN to a LAN port; 3) Turn off mesh DHCP; 4) Leave only the upstream router doing NAT and DHCP; 5) Reboot clients to acquire the correct subnet.

DMZ Workaround (No Bridge Mode)

1) Reserve the downstream router’s WAN IP on the ISP gateway; 2) Set that IP as the DMZ/Exposed Host; 3) Disable gateway Wi-Fi; 4) Keep all forwards and UPnP on the downstream router; 5) Test from cellular to confirm inbound reachability.

Verification Checklist

Your chosen router’s WAN shows a public IPv4 or an IPv6 prefix, consoles report open NAT or at least no “Double NAT detected,” traceroute’s second hop is no longer a private address from your ISP box, and your external test host responds from outside the LAN.

Reference Address Ranges

Private: 10.0.0.0/8, 172.16.0.0–172.31.255.255 (/12), 192.168.0.0/16; Shared CGNAT: 100.64.0.0–100.127.255.255 (/10). Seeing any of these as your router’s WAN indicates you’re not directly on the public internet.