Is double NAT bad, and do I need to fix it?

For everyday browsing and streaming, double NAT is harmless and you may never notice it. It becomes a problem when you game online, run a VPN, host a server, or try to forward a port, because inbound connections cannot get through cleanly. If none of that applies to you, you can leave it alone.

How do I know if I have double NAT or CGNAT?

Log into your router and read its WAN IP. A private address (10.x, 172.16 to 172.31.x, or 192.168.x) usually means double NAT inside your home, which you can fix yourself. An address in the 100.64.x to 100.127.x range is carrier-grade NAT on the ISP side, and bridging your own kit will not clear it; you have to contact the ISP.

Does double NAT slow down my internet?

Not your raw line speed. A 500 Mbps package still delivers 500 Mbps through two routers. What double NAT hurts is inbound connections and latency-sensitive features like multiplayer matchmaking and party chat, not your download and upload figures.

Will modem mode or bridge mode fix double NAT?

Yes, that is the cleanest fix. Putting the ISP hub into modem, bridge, or passthrough mode stops it routing, so only your own router does NAT. Consoles then show Open or Type 2 NAT and port forwarding starts working. If your hub has no reliable modem mode, the DMZ or exposed-host setting is the fallback.

Can I fix double NAT without putting the ISP hub in modem mode?

Yes, as a workaround. Use the ISP hub's DMZ or exposed-host feature to send all inbound traffic to your router's WAN address, and reserve that address so it does not change. It is not as tidy as true bridge mode, but it clears most gaming and port-forwarding problems caused by double NAT.

Disclosure: This post contains affiliate links. As an Amazon Associate, ITBlogPros earns from qualifying purchases. It never changes the price you pay; it just keeps the lights on here.

What Is Double NAT and How to Fix It

Double NAT is one of those phrases your console flashes up, or a forum throws at you, with no real explanation. It sounds like a fault. Most of the time it is not; it is just two routers in a row both doing the same job, and it stays invisible until you try to game online or host something.

We have untangled this on Virgin, Sky, BT and EE lines, so here is the plain-English version: what NAT actually is, how a second layer sneaks in, the symptoms that give it away, how to read your WAN IP to tell true double NAT apart from CGNAT, and the cleanest fix for each.

Key Takeaways

Double NAT means two devices on your line both act as routers, so your traffic gets translated twice before it reaches the internet.
The usual cause is an ISP hub left in router mode with your own router plugged in behind it, both handing out addresses.
Symptoms are strict or Type 3 NAT on consoles, broken party chat, port forwarding that never opens, and some VPN or smart-home features failing.
You detect it by reading your router's WAN IP; a private 10.x, 172.16 to 172.31.x or 192.168.x address means something upstream is doing NAT too.
A WAN IP in the 100.64.x to 100.127.x range is CGNAT, an ISP-side problem you cannot bridge away yourself, so you have to ring the ISP.

NAT in plain English, and what makes it double

NAT, network address translation, is the quiet bit of plumbing every home router does. Your ISP gives you one public IP address, and all your devices share it. The router keeps a list of which device asked for what, swaps your private home address (something like 192.168.0.42) for the public one on the way out, and swaps it back on the way in. One layer of this is completely normal and invisible. Every router does it, and games, apps and websites all expect it.

Double NAT is simply that same trick happening twice in a row. Your traffic leaves your device, gets translated by your router, then gets translated again by a second router sitting upstream, and only then reaches the internet. Two wrappers instead of one.

A letter analogy helps. Single NAT is posting a letter in one sealed, addressed envelope; the reply finds its way back fine. Double NAT is sealing that envelope inside a second envelope before posting. It still gets there, but a reply trying to reach the original sender has two layers to peel back, and it often gets confused about who actually sent it. That confusion is the whole problem. Most people never notice it until the day they game online or try to host or forward a port.

How double NAT actually happens on a UK line

The classic setup is the one a lot of people build without realising. The ISP hub (Virgin, Sky, BT, EE, Vodafone) is left in its normal router mode, and you plug your own router's WAN port into one of the hub's LAN ports for better WiFi or more control. Now both boxes route, and both run their own DHCP server handing out addresses, often both on 192.168.x. That is two NAT layers stacked on top of each other.

A few other things trigger it. A mesh node left in router mode instead of access-point or bridge mode does the same. So does a 4G or 5G home broadband box sitting in front of a second router. The pattern is always the same: two devices in your home both insisting on being the router.

There is one important lookalike to flag now, because it changes the fix entirely. CGNAT, carrier-grade NAT, is a second layer of NAT done by the ISP inside their own network, not by a second box in your house. It produces identical symptoms but it is not yours to fix; we come back to telling them apart below.

One last reassurance. Double NAT is not dangerous, and it does not slow your raw line speed. A 500 Mbps line still delivers 500 Mbps through two routers. All it breaks is inbound connections and the handful of apps that depend on them.

The real-world symptoms double NAT causes

The first place it usually shows up is a games console. Xbox reports a "strict" NAT and PlayStation calls it NAT Type 3, the worst tier on either, and the console may flag double NAT directly. That tier limits who you can match with and chat to. Party chat, voice and matchmaking drop out, or only work reliably with people who happen to be on an Open NAT themselves.

Port forwarding is the next clue. You set up a forwarding rule on your own router, everything looks right, and nothing opens from outside. That is because the upstream hub still blocks the inbound traffic before it ever reaches your router's rule. The rule is correct; it is simply in the wrong box.

Self-hosting fails for the same reason. A game server, a security camera you want to view away from home, remote desktop, a NAS you need to reach from outside; all of them sit unreachable from the internet. And a scattering of other things misbehave too: some VPN setups, certain IoT and smart-home devices, and SIP or VoIP calling, all because inbound connections cannot find a clear path back home.

How to detect double NAT by reading your WAN IP

Here is the test that tells you exactly what you are dealing with, and it takes two minutes. Log into your own router and find its WAN, internet or status page; it shows the IP address the router was handed by whatever sits upstream.

Read that WAN IP and check which range it falls in:

A private address (10.0.0.0 to 10.255.255.255, 172.16.x to 172.31.x, or 192.168.x.x) means a device upstream is also doing NAT. If that upstream device is a second router in your home, it is double NAT and it is yours to fix. A handful of UK ISPs run private addressing on their own edge, so confirm there really is a second box in the chain before assuming it is.
An address from 100.64.0.0 to 100.127.255.255 is the carrier-grade NAT shared range. That is the ISP doing a second NAT on their side, and no amount of bridging your own kit will clear it.
A normal public IP means there is no second layer; your router is talking straight to the internet and double NAT is not your issue.

Cross-check it to be sure. Compare your router's WAN IP with the public IP shown on any "what is my IP" site. If the two differ, something between you and the internet is translating again.

The rule of thumb is worth memorising. A private WAN IP plus a confirmed second router in your home equals fixable double NAT. A private WAN IP with only the single ISP hub in the chain may still be ISP-side NAT, so check there genuinely is a second box first. A 100.64 WAN IP equals a phone call to the ISP. Knowing which one you have before you start saves you an evening of applying the wrong fix.

How to fix double NAT, best fix first

The cleanest fix is to remove a routing layer, and the best way to do that is to put the ISP hub into modem mode, also called bridge or passthrough mode. The hub stops routing and hands the public connection straight to your router. You are back to a single NAT layer; consoles flip to Open or Type 2, and port forwarding on your router finally does what it says. We have the exact Virgin steps in our guide to put the Virgin Media Hub 5 into modem mode, and a separate walkthrough to set your Sky Hub to bridge mode. For the wider per-ISP picture, our hub on how to use your own router with any UK ISP covers BT, EE and the rest, and full-fibre users can often skip the hub by reading how to connect your own router to an Openreach ONT.

When modem mode is not available or is unreliable (the Virgin Hub 5x is the well-known case), use the hub's DMZ or exposed-host feature as a fallback. It points all inbound traffic at your router's WAN IP, which clears most gaming and port-forwarding pain. Treat it as a workaround rather than a clean fix; it is not as tidy as a true bridge. Reserve your router's address on the hub first (a DHCP reservation) so the DMZ target does not quietly drift to a different IP and stop working.

If a mesh node is the culprit, the fix is simpler still. Set that node to access-point or bridge mode instead of router mode, so only one box in the house does NAT.

And if your WAN IP turned out to be 100.64.x, none of the above applies. CGNAT lives on the ISP side, so your only real options are to ask the ISP to move you off it or sell you a static public IPv4 address, or to lean on IPv6 where the service you need supports it.

Picking a router that plays nicely once you have bridged

The whole point of bridging is to let one capable router do all the routing, so the router you choose actually matters now. Keep it proportionate, though; you do not need to overspend.

On a gigabit UK line, such as Virgin Gig1 or Gig2, favour a router with a true 2.5G WAN port so the link itself is not the bottleneck. The ASUS RT-AX86U is the popular all-rounder here, and the RT-AX86U Pro is the step up with the same 2.5G WAN and a faster CPU for heavier gaming and busier households.

Check the ASUS RT-AX86U price on Amazon UK →

On a sub-gigabit package a 2.5G WAN buys you nothing, so a value WiFi 6 router like the TP-Link Archer AX73 is plenty for a normal house.

If the real problem is dead zones rather than a weak router, do not over-buy a single box; coverage is a different job, and our comparison of WiFi extender vs mesh: which fixes dead zones lays out the choice. And if you landed here from a strict-NAT console headache, our roundup of the best router for gaming in the UK is the natural next stop, alongside the best routers to replace your Virgin Media Hub.

Amazon Affiliate Disclosure: ITBlogPros is a participant in the Amazon Services LLC Associates Program. We only recommend kit we'd genuinely use ourselves.