How to Fix Double NAT on Your Home Network: Detecting and Eliminating Double NAT When Using a Modem-Router Combo with a Second Router

Double NAT is one of the most common and least obvious home network problems. It occurs when two devices on the path between your devices and the internet both perform Network Address Translation — typically an ISP-supplied modem-router combo acting as the first NAT layer, and your own router acting as the second. The result is a working internet connection that silently breaks port forwarding, causes strict NAT types in games, disrupts VPN tunnels, and blocks peer-to-peer services. Run a speed test first to confirm your internet connection is up before beginning this diagnosis — double NAT does not usually cause slow speeds, just connectivity failures for specific services.

What Is Double NAT?

NAT (Network Address Translation) is the process your router uses to share a single public IP address among all the devices on your home network. Each router doing NAT creates its own private subnet. When two routers stack, each device on your network sits behind two separate private subnets before reaching the public internet.

The most common scenario: your ISP installs a gateway that functions as both a cable modem and a router (examples: Xfinity’s XB8, Cox’s Panoramic WiFi gateway, or an AT&T BGW320). You also have your own router — perhaps an ASUS, TP-Link, or Eero — plugged into that gateway’s LAN port. The ISP gateway assigns your router a private IP like 192.168.0.2. Your router then assigns your devices another private range like 192.168.1.x. That’s double NAT: your devices are being translated twice.

How to Detect Double NAT

The most reliable detection method is checking the WAN (internet-facing) IP address on your own router’s admin page.

1. Log in to your router’s admin interface (typically 192.168.1.1 or 192.168.0.1 in a browser).
2. Find the WAN or Internet status section.
3. Look at the IP address shown as your WAN IP.

If the WAN IP is a private address — starting with 10., 172.16–172.31, or 192.168. — your router is connected behind another NAT device and you have double NAT. A real public IP (e.g., 98.x.x.x, 73.x.x.x, 76.x.x.x) means you do not have double NAT.

A second method is to run a traceroute from your computer and look for two consecutive private-address hops at the start of the trace. The first private hop is your router; the second private hop is the ISP gateway. One private hop is normal; two indicates double NAT.

Symptoms of Double NAT

• Strict or Moderate NAT type in games: Xbox, PlayStation, and PC game launchers report NAT type based on UDP reachability. Double NAT makes it impossible for external peers to initiate a connection to your console, resulting in strict NAT and limited matchmaking pools.
• Port forwarding rules that don’t work: Rules configured on your own router only apply within the second NAT layer. Traffic arriving from the internet still hits the ISP gateway first and gets dropped there.
• VPN connection failures: Many VPN protocols (especially older IPsec and PPTP implementations) break under double NAT because the tunnel relies on a direct external IP that doesn’t exist from the outside.
• Remote access tools failing: Applications like Remote Desktop, Plex remote access, and security camera streams that rely on inbound connections will fail without proper port forwarding — which double NAT prevents.
• UPnP opening ports on the wrong router: UPnP on your router opens ports on the second NAT layer only, not on the ISP gateway, so the ports remain effectively closed from the internet.

Fix 1: Enable Bridge Mode on the ISP Gateway (Best Solution)

Bridge mode disables the NAT, DHCP, and routing functions on your ISP’s gateway, converting it into a pure passthrough device. Your own router then connects directly to the ISP’s network and receives a true public IP on its WAN port. This is the cleanest fix and eliminates double NAT entirely.

How to enable bridge mode varies by ISP:

• Xfinity (Comcast): Log in to 10.0.0.1 or your gateway’s admin interface. Go to Gateway → At a Glance and find the “Enable Bridge Mode” button. Alternatively, call Xfinity support and ask them to put the gateway into bridge mode remotely. Note: some Xfinity gateways do not support true bridge mode — the XB7 and XB8 support it, but older models may offer only “IP passthrough” instead.
• Cox (Panoramic WiFi): Bridge mode is not available on Cox Panoramic gateways without calling Cox support. Ask support to disable the gateway’s routing functions. Cox calls this “bridge mode” internally but may not advertise it to customers.
• AT&T (BGW320, BGW210): AT&T gateways do not support true bridge mode due to their fiber authentication requirements. Use the IP Passthrough method (see Fix 2 below).
• TP-Link modem-router combos: Log in to the admin interface, go to Advanced → Network → Internet, and switch the connection type to Bridge if your ISP type allows it.

After enabling bridge mode, connect your own router’s WAN port to the ISP gateway’s LAN port and reboot both devices. Your router should receive a public IP within 2–3 minutes. Verify by checking the WAN IP in your router’s admin interface — it should now be a non-private address.

Fix 2: Use IP Passthrough or DMZ (When Bridge Mode Is Unavailable)

If your ISP gateway does not support bridge mode — common with AT&T fiber and some cable providers — IP passthrough (also called DMZ or “exposed host”) is the next best option. This tells the ISP gateway to forward all inbound traffic to a single internal IP address (your router’s WAN IP) without inspecting or filtering it.

On AT&T BGW320/BGW210:

1. Log in to 192.168.1.254.
2. Go to Firewall → IP Passthrough.
3. Select Passthrough from the allocation mode dropdown and choose your router by MAC address from the device list.
4. Save and reboot the gateway.

IP Passthrough is not identical to bridge mode — the ISP gateway still technically performs NAT — but it forwards all traffic to your router so completely that the behavior is equivalent for nearly all use cases, including port forwarding and gaming NAT type. Your router’s WAN IP will still show a private address, but inbound connections will be correctly delivered.

Fix 3: Use Only One Router

The simplest fix of all is to remove one of the two NAT devices. If your ISP gateway includes a capable WiFi radio and you are satisfied with its coverage, disable or physically remove your own router and use the gateway’s WiFi directly. Alternatively, if you prefer your own router’s features, ask your ISP to provide a standalone modem (DOCSIS modem without a built-in router) rather than a gateway — then your router is the only NAT device. Our guide on best cable modems for Xfinity lists compatible standalone modems you can own outright, avoiding the modem-router combo entirely.

Fix 4: Port Forward on Both Devices (Targeted Workaround)

If you cannot change the gateway configuration and only need a specific port to work (for a game server, Plex, or a NAS), you can thread the traffic through both NAT layers manually:

1. Assign your own router a static IP or DHCP reservation on the ISP gateway’s LAN (e.g., 192.168.0.2).
2. On the ISP gateway, create a port forwarding rule that sends the target port to 192.168.0.2.
3. On your own router, create a second port forwarding rule that sends the same port to your device’s internal IP.

This works for individual ports but is tedious to maintain and does not fix gaming NAT type globally. Use it only as a temporary workaround while you arrange a proper bridge mode configuration with your ISP. For a broader understanding of how your router’s NAT settings affect gaming and streaming, see our guide on how to fix strict NAT type on WiFi.

Confirming the Fix

After applying any of the above solutions, verify the result:

• Check your router’s WAN IP — it should now be a public address (or behave as one under IP Passthrough).
• On a gaming console, run a network test. Xbox should report “Open” NAT; PlayStation should report “Type 1” or “Type 2.”
• If you set up port forwarding, test the open port using an online port checker to confirm traffic is reaching your device.
• Run another speed test to confirm throughput was not affected by the change — bridge mode and IP Passthrough do not reduce speeds.