This article gives some background information about NAT and double NAT.
What is NAT?
NAT in the context stands for Network Address Translation and is a function that your router or gateway performs to create your network. When accessing the Internet, the addresses on your LAN are substituted for a single WAN IP address your internet service provider (ISP) assigns to you. This lets your computers share one IP address from your ISP. Given there is not enough public IPv4 addresses out there for every internet-connected device, NAT becomes extremely important. Thanks to NAT, there can be hundreds of devices behind each public IP address. It also makes your network more secure, since traffic to and from the Internet now goes through your router's address substitution process, blocking direct access to your local IP addresses. Unless you use Port Forwarding, port triggering, or a DMZ, your computers are not directly reachable from the Internet.
And what is Double NAT?
This NAT - Network Address Translation - is done by your router connected to the WAN / Internet. You have a double NAT when you are connecting one router to another router and both routers are doing Network Address Translation.
Is it bad?
It seems that double NAT is bad by definition because it is not standard. But other than that, in many cases, it will work fine, and you might not even notice it. For most people, a double Network Address Translation (NAT) configuration doesn't create a noticeable effect on network performance either.
The primary problem with double NAT is that devices belonging to one NAT will not communicate locally with those of the other NAT because each router has its own private set of local IP addresses shielded from the outside.
The picture above shows two routers connected where the first router on the left provides access to the WAN and Telephony functionality. The second router, here DD-WRT based router, is the main router for the internal network. A computer connected to the first router has no access to a computer connected to the second router. This is not necessarily a problem, it could be intended.
In cases where you use port-forwarding you need to set up the forwarding entry twice:
- At the first-level (first router) NAT, map the forwarded port to the IP of the router on the upper (second router) NAT
- At the top-level (second router) NAT, map the forwarded port to the IP address of the destination device.
To forget either of the forwarding rules is probably the most common mistake administrators make in double NAT networks.
There may also be some applications (games for one) that may have trouble with double NAT.
How to avoid Double NAT
Avoid double NAT when possible. One option is to run the first router in modem mode. That means this router does not provide router functionality but just acts as a modem. But with that you may loose other functionality your (first) router provides, such as Telephony.