Best Merlin router settings for a double-NAT environment?

superkrups20056

Occasional Visitor
Hey guys,

I have what I feel is an unavoidable Double-NAT setup. I am getting internet from my landlord who is considerate enough to allow me to use his wifi, but he also uses it with his devices. I have a Merlin configured AX-88U, which is connected via ethernet to an AmpliFi node getting a mesh signal from his main AmpliFi router connected to his modem. I have my AX-88U in router mode because I want it to assign all my devices (Chromecast, Airplay, Hue) IPs on a different subnet so as not to disturb his network and to keep my network separate. Basically, it's a double NAT setup (router behind a router). I certainly can't convince him to place a switch between our two routers as this is his internet in the first place. In this situation, is there any way to avoid a Double NAT setup? If not, what are the best settings for my AX-88U to avoid issues while gaming on Xbox One/PS5 while keeping them connected to my network? Thank you.

Obviously, I can't use access point or repeater mode because then his original router will assign my devices IPs on his subnet which will cause him to see my devices, which will cause issues.
 
Double nat no longer possible with current gaming and streaming standards.
 
You can't avoid double NAT and still have your own separate network. You could ask your landlord to put your AX88U in his router's DMZ (if that's possible), but you'll still have double NAT. What "issues" do you have with your current configuration?
 
I have been running my own double Nat for a couple decades and would personally not consider a single Nat scenario. It provides me with segmentation, extra security and flexibility. Maybe your use-case is different.
 
@dosborne I would be interested to learn how your network is set up and how it provides extra security and flexibility. :)
 
I am in a “triple NAT” if you can call it that. My ISP uses cgnat. The wan port on their cable modem has a cgnat ip. The ip on its lan is 192.168.0.1. My router’s wan ip is 192.168.0.5 and my network is a 192.168.2.0 range. I put the isp modem in bridge mode and that worked for about a week then my router lost internet access. I had to power off my router for a few minutes then power it back on. It would grab a different cgnat ip and again work for a few days and lost connectivity again. I gave up. I put the cable modem back in router/nat mode and placed the ip of my router in a dmz on the cable modem firewall. So far, no issues other than IPv6 will not work correctly on my router. Native mode does not work. If I use passthrough mode, I get errors in my router’s log, so I gave up on IPv6.
 
You can't avoid double NAT and still have your own separate network. You could ask your landlord to put your AX88U in his router's DMZ (if that's possible), but you'll still have double NAT. What "issues" do you have with your current configuration?

I have no current issues at the moment, but I plan on buying a PS5 and bringing in an Xbox One and I foresee problems.
Double nat no longer possible with current gaming and streaming standards.

@CrystalLattice - are you saying that double NAT isn’t feasible to play on nowadays with current gaming standards or that it does not matter as much as it used to? Thanks.
 
I am in a “triple NAT” if you can call it that. My ISP uses cgnat. The wan port on their cable modem has a cgnat ip. The ip on its lan is 192.168.0.1. My router’s wan ip is 192.168.0.5 and my network is a 192.168.2.0 range. I put the isp modem in bridge mode and that worked for about a week then my router lost internet access. I had to power off my router for a few minutes then power it back on. It would grab a different cgnat ip and again work for a few days and lost connectivity again. I gave up. I put the cable modem back in router/nat mode and placed the ip of my router in a dmz on the cable modem firewall. So far, no issues other than IPv6 will not work correctly on my router. Native mode does not work. If I use passthrough mode, I get errors in my router’s log, so I gave up on IPv6.

I disabled QoS, in fact, all TM stuff, enabled IPv6 in Passthrough mode and I no longer get errors in the system log. I guess time will tell if it continues to work.
 
I'm also running in triple NAT (ISP Router -> 4G Failover Router -> Asus RT-AX88U). It's usually double NAT but I added the 4G router due to issues with my vDSL service at the moment. Each router is in the DMZ for its upstream partner.

My adult son is a keen gamer playing on PC and PS4 but doesn't report any issues. I am sure he would if there were problems.
 
Running in double NAT shouldn't cause any problems and no need to put the second router in the DMZ. I'm not a gamer so I can't tell you if it might cause any issues with games. It won't create any additional latency that you can measure. Without your landlord's cooperation you will not be able to run a server of any type on your LAN reachable from outside your network.

I have to agree with Dosborne that running in a double NAT setup does provide some additional flexibility and network security. I run my IoT devices on my WWW facing router and my more secure network devices on the second router. There are ways to accomplish this level of security without double NATing but probably not as easily. Your plan to double NAT will segregate your devices from your landlord's, thus making them more secure, and your landlord doesn't need to do anything to his router to accommodate you.

The only setting you need on your router is to choose a different subnet from your landlord's and set your WAN connection to automatic IP.
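
The subnet advice in the post above, together with the NAT chains described earlier in the thread, as an added example that is not part of the original thread. The /24 masks and the 100.64.10.20 and 203.0.113.7 addresses are constructed assumptions; the 192.168.x addresses are the ones quoted in the thread.

```python
import ipaddress

# RFC 1918 private ranges and the RFC 6598 shared range used for carrier-grade NAT.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify(addr):
    """Return 'cgnat', 'private' or 'public' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in PRIVATE):
        return "private"
    return "public"


def nat_layers(wan_addrs):
    """Count NAT layers given each router's WAN address, innermost first.

    The inner router always translates once; every WAN address that is
    not public means another translation happens further upstream.
    """
    return 1 + sum(classify(a) != "public" for a in wan_addrs)


def lan_conflicts(lan_cidr, wan_iface):
    """True if the chosen LAN subnet overlaps the subnet on the WAN side."""
    lan = ipaddress.ip_network(lan_cidr)
    wan = ipaddress.ip_interface(wan_iface).network
    return lan.overlaps(wan)


def pick_lan(upstream_ifaces):
    """Return the first 192.168.x.0/24 overlapping none of the upstream subnets."""
    ups = [ipaddress.ip_interface(u).network for u in upstream_ifaces]
    for net in ipaddress.ip_network("192.168.0.0/16").subnets(new_prefix=24):
        if not any(net.overlaps(u) for u in ups):
            return net
    return None


if __name__ == "__main__":
    # "Triple NAT" chain from the thread; the CGNAT address is constructed.
    print(nat_layers(["192.168.0.5", "100.64.10.20"]))
    print(lan_conflicts("192.168.2.0/24", "192.168.0.5/24"))
    print(pick_lan(["192.168.0.5/24"]))
```
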
 
If you use VPN-service and open one port inbound, can't you reach your home router/lan then?
 
It can be made to work if the landlord is willing to set up the necessary port forward.
 
@dosborne I would be interested to learn how your network is set up and how it provides extra security and flexibility. :)
Everything external to my inner Nat network (ISP supplied for the most part) can be changed (switch ISP for example) with no changes to my internal network. Devices that provide internet facing resources (web servers for example) reside in the zone between Nats. Modular design. Resource and system isolation, etc., etc., etc.
 
Running in double NAT shouldn't cause any problems and no need to put the second router in the DMZ. I'm not a gamer so I can't tell you if it might cause any issues with games. It won't create any additional latency that you can measure. Without your landlord's cooperation you will not be able to run a server of any type on your LAN reachable from outside your network.

I have to agree with Dosborne that running in a double NAT setup does provide some additional flexibility and network security. I run my IoT devices on my WWW facing router and my more secure network devices on the second router. There are ways to accomplish this level of security without double NATing but probably not as easily. Your plan to double NAT will segregate your devices from your landlord's, thus making them more secure, and your landlord doesn't need to do anything to his router to accommodate you.

The only setting you need on your router is to choose a different subnet from your landlord's and set your WAN connection to automatic IP.

One other question: when my computer connects to my AmpliFi Instant router (which also serves as a mesh node), I am getting speeds of 50 mbps. When I connect to the AX-88U (which is connected via Ethernet to the AmpliFi) I am getting speeds of 10 mbps. What is causing this speed discrepancy? Is it the side effect of another DHCP server assigning IPs?
 
It is definitely not an issue with having another DHCP server. Once DHCP is resolved, it doesn't have any impact on upload/download speeds.
 
It is definitely not an issue with having another DHCP server. Once DHCP is resolved, it doesn't have any impact on upload/download speeds.

My AmpliFi router that is grabbing my landlord's signal is on the farther end of the dB range of the main router. I wonder if my computer is getting mesh packets from multiple access points when I connect to the main network vs just my router when I connect to my own network?
 
I don't use mesh so I really can't help with that issue.
 
It is definitely not an issue with having another DHCP server. Once DHCP is resolved, it doesn't have any impact on upload/download speeds.

Then what does this mean?

“5. If the AmpliFi router is connected to another router (or a modem/router combo provided by the ISP) there will be two routers acting as "gate keepers" and performing all router duties twice, slowing down the network.”

https://help.amplifi.com/hc/en-us/articles/360012626994-Troubleshooting-Slow-Speeds
 
Then what does this mean?

“5. If the AmpliFi router is connected to another router (or a modem/router combo provided by the ISP) there will be two routers acting as "gate keepers" and performing all router duties twice, slowing down the network.”

https://help.amplifi.com/hc/en-us/articles/360012626994-Troubleshooting-Slow-Speeds
I call B.S. on that statement. I would have expected a company like Ubiquiti to be above posting such rubbish. Apparently not.
 
