How to Fix Double NAT on Your ISP Modem/Router Combo: Bridge Mode, IP Passthrough, and When It Matters
Double NAT happens when your ISP gateway and your own router both perform network address translation, causing Strict NAT, failed port forwarding, and VPN problems. Here’s how to detect it and fix it with bridge mode or IP passthrough.
If you own a third-party router but also have an ISP-supplied gateway (a combined modem and router), you almost certainly have a double NAT problem. Double NAT means two separate devices are each translating your private IP addresses to the public internet — and that hidden layer of extra translation breaks port forwarding, causes Strict NAT in games, and degrades VPN performance. The fix is straightforward once you know what to do.
What Is Double NAT?
Network Address Translation (NAT) is what allows many devices on your home network to share a single public IP address assigned by your ISP. Your router maintains a table that maps each device’s private IP (like 192.168.1.x) to your one public IP, translating packets in both directions.
Double NAT occurs when two routers each run their own NAT layer. The typical setup looks like this:
- ISP fiber or cable line → ISP gateway (acting as modem + router, assigning a private IP to its LAN)
- ISP gateway LAN port → Your router’s WAN port (your router gets a private IP like 192.168.0.2 from the gateway)
- Your router assigns yet another private subnet (192.168.1.x) to all your devices
The result: your devices sit behind two layers of NAT, two firewalls, and two separate routing tables. Traffic going out works fine, but traffic coming in — game servers, VPNs, remote desktop, port-forwarded services — can’t find its way through both layers.
How to Detect Double NAT
The fastest check: log into your own router’s admin panel and look at the WAN IP address (also called Internet IP or upstream IP). If that address starts with 10., 172.16.–172.31., or 192.168., it is a private address — meaning your router’s WAN port received a private IP from the ISP gateway, confirming double NAT.
A public WAN IP (anything outside those ranges) means you do not have double NAT, and the gateway is already passing through the real internet address.
You can also compare the IP shown on your router’s status page to the IP shown at a site like whatismyip.com. If they don’t match, you have double NAT.
Does Double NAT Actually Matter?
For most everyday use — streaming video, browsing, video calls — double NAT has little to no impact. Both NAT layers are transparent for outbound connections. You should care about fixing it if you experience any of the following:
- Strict or Moderate NAT type in games (PS5, Xbox, PC) that you can’t improve with port forwarding
- Port forwarding that doesn’t work even after setting it up correctly on your router
- VPN tunnels failing or dropping unexpectedly (IPsec and some WireGuard setups are especially sensitive)
- Remote desktop or self-hosted services that can’t be reached from outside your network
- UPnP not working reliably across the two layers
If none of those apply to you, you can safely ignore double NAT.
Fix 1: Enable Bridge Mode on the ISP Gateway (Best Solution)
Bridge mode disables the routing and NAT functions inside your ISP gateway, turning it into a pure modem. Your own router then connects directly to the internet and receives your real public IP address — eliminating the extra NAT layer entirely.
Before you start: write down your current WiFi name and password, and any custom settings. Bridge mode will disable the gateway’s WiFi and DHCP server. All devices must connect through your own router after the change.
Xfinity (Comcast) — xFi Gateway
- Open a browser and navigate to
10.0.0.1(the Xfinity gateway admin page). - Log in with your admin credentials (default username: admin, default password: password).
- Go to Gateway → At a Glance.
- Next to “Bridge Mode,” click Enable.
- Confirm the warning. The gateway will reboot and its WiFi will go dark.
- Connect an Ethernet cable from the gateway’s LAN port to your router’s WAN port and reboot your router.
AT&T Fiber — BGW210, BGW320, or similar
AT&T gateways do not offer a standard bridge mode toggle. Instead, use IP Passthrough, which assigns your public IP to one specific device (your router).
- Connect your router to a LAN port on the AT&T gateway via Ethernet.
- Open a browser and go to
192.168.1.254. - Navigate to Firewall → IP Passthrough.
- Set Allocation Mode to Passthrough.
- Set Passthrough Mode to DHCPS-fixed.
- In the Passthrough Fixed MAC Address dropdown, select your router’s MAC address.
- Click Save and reboot your router.
Spectrum
Spectrum modems are typically separate from a router, so double NAT may not apply. If you have a Spectrum-provided all-in-one gateway, call Spectrum support and ask them to enable bridge mode remotely — it cannot always be done from the admin panel. Alternatively, put your own router into access point mode (disabling its NAT) and rely solely on the Spectrum gateway, though this limits your router feature set.
Verizon Fios — G3100, CR1000A
Verizon Fios gateways do not have a traditional bridge mode. Verizon’s recommended approach is to keep the gateway on the network (it handles the fiber ONT handoff) but disable its WiFi and use your own router in access point mode behind it. For true IP passthrough, go to 192.168.1.1, navigate to Network → Broadband Connection (Ethernet/Coax) → IP Passthrough, and select your router’s MAC address.
Fix 2: Put Your Own Router in Access Point Mode
If your ISP won’t enable bridge mode and IP passthrough isn’t available, an alternative is to flip the equation: disable NAT on your router and let the ISP gateway handle all routing. Set your router to access point mode (sometimes called “AP mode”). Your devices get IPs from the ISP gateway, eliminating the second NAT layer. The downside: you lose features like QoS, advanced port forwarding, and VPN server that your router may offer.
Fix 3: Port-Forward on Both Routers (Workaround Only)
If you can’t change either device’s mode, you can work around double NAT for a specific port by forwarding it on the ISP gateway to your router’s WAN IP, and then forwarding the same port on your router to your device. This is tedious and breaks if your router’s WAN IP changes (use DHCP reservation on the gateway to prevent this). It does not fix NAT type for gaming in most cases.
After Fixing Double NAT
Once bridge mode or IP passthrough is active, verify the fix by checking your router’s WAN IP again — it should now show a public address matching what external sites report. On PlayStation, Xbox, or your game client, re-run the NAT type test; it should show Open or Type 1/2. Port-forwarded services should now be reachable from outside your network without the double-forward workaround.
For more help improving your connection, see our guide on how to fix high ping and our picks for the best gaming routers. If you’re not sure how fast your connection actually is after the change, run a speed test from the homepage.
Related Articles
How to Bridge Two Routers for Extended WiFi Coverage
Want to extend your WiFi coverage using an old router? This step-by-step guide covers wired and wireless bridging methods, DHCP settings, and how to avoid the most common mistakes.
How to Fix WiFi Not Working on TP-Link Deco Mesh Systems: Node Offline, Slow Wireless Backhaul, and Deco App Reconnection Fixes
TP-Link Deco node showing offline in the app or struggling with slow mesh speeds? These fixes cover satellite reconnection, wired backhaul setup, firmware updates, and Deco app re-pairing to restore your mesh network fast.
How to Fix WiFi Not Working on Ubiquiti UniFi Access Points: Controller Adoption, Inform URL, and SSH Factory Reset Fixes
UniFi access points stuck in “Pending Adoption,” “Adoption Failed,” or “Isolated” are frustrating but fixable. This guide walks through every fix — from SSH set-inform and inform URL corrections to physical and SSH-based factory resets.