Double NAT

keef

Senior Member
Hello. How do I turn off Double NAT using Merlin 386.5.2 on an Asus 3100 router? I got a warning from Ad Guardian. I'm not even sure how it got turned on.

thanks
 
You can't "turn off" double NAT on the Asus. Double NAT is where you have another router between your Asus and your internet connection.
 
You can't "turn off" double NAT on the Asus. Double NAT is where you have another router between your Asus and your internet connection.
Well, that is why after 2 hours I could not find the setting. I only have my cable modem and Asus router, so I'm not sure why AG sees it as a double NAT setup. Weird.

thanks for the reply.
 
Your ISP device is perhaps a modem/router or you are getting a CGNAT address from your ISP.
 
Your ISP device is perhaps a modem/router or you are getting a CGNAT address from your ISP.
I was thinking CGNAT too.
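
The two possibilities raised above (a modem/router combo upstream, or CGNAT at the ISP) can be told apart by the address the router's WAN interface received. The following is an added example, not part of the original thread: a POSIX shell classifier for that address. The function names and sample addresses are constructed, and `nvram get wan0_ipaddr` as the Asuswrt-Merlin source of the address is an assumption.

```shell
#!/bin/sh
# Added example; all sample addresses are constructed.

# Dotted quad -> 32-bit integer on stdout; returns 1 if malformed.
ip_to_int() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac   # no leading zeros
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_cidr <ip-int> <dotted network> <prefix length>
in_cidr() {
    mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    [ $(( $1 & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# Prints: private | cgnat | reserved | public | invalid
classify_wan_ip() {
    n=$(ip_to_int "$1") || { echo invalid; return 1; }
    if in_cidr "$n" 10.0.0.0 8 || in_cidr "$n" 172.16.0.0 12 ||
       in_cidr "$n" 192.168.0.0 16; then
        echo private    # RFC 1918: the upstream box is a router -> double NAT
    elif in_cidr "$n" 100.64.0.0 10; then
        echo cgnat      # RFC 6598 shared space: NAT inside the ISP network
    elif in_cidr "$n" 0.0.0.0 8 || in_cidr "$n" 127.0.0.0 8 ||
         in_cidr "$n" 169.254.0.0 16 || in_cidr "$n" 224.0.0.0 3; then
        echo reserved   # no usable lease (unset, loopback, link-local, ...)
    else
        echo public     # none of the NAT ranges checked above
    fi
}

# Demo over constructed WAN addresses. On the router the input would be the
# WAN interface address (on Asuswrt-Merlin, assumed: nvram get wan0_ipaddr).
# 203.0.113.7 is a documentation address standing in for a public one.
for ip in 192.168.12.34 100.72.3.9 203.0.113.7 169.254.10.1 192.168.1; do
    printf '%-15s %s\n' "$ip" "$(classify_wan_ip "$ip")"
done
```

A `private` result points at a routing device upstream, while `cgnat` means the extra translation happens inside the ISP network and cannot be removed from the customer side.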
 
Well, that is why after 2 hours I could not find the setting. I only have my cable modem and Asus router, so I'm not sure why AG sees it as a double NAT setup. Weird.

thanks for the reply.
Is the Cable modem one of those dual function router / modem combos?
 
Is the Cable modem one of those dual function router / modem combos?

Not sure what problem we are solving here. It doesn't matter for DNS filtering.
 
This is just dumb. I'm effectively running triple NAT and it works just fine for blocking things. While I'm not using AG, I'm filtering by pihole. Also, connected to VPN and getting, I would say, "line speeds", but it's 5G FWA now, which fluctuates a bit based on time of day / tower use.

ISP <> gateway <> DIY router / VPN <> LAN
x.x.x.x <> 192.168.12.x <> 10.5.0.x <> 192.168.0.x
 
Is the Cable modem one of those dual function router / modem combos?

Good idea. I thought of that as well. It is just a modem.

The really weird bit now is AG no longer gives me the Double-Nat error. I did nothing at all. I still cannot get AG working but at least no dead in the water error!
 
Why would an Ad blocker care about double NAT?

All I can offer is the screen capture from running AG from the beautiful amtm. And the error is no longer there. Since I cannot get AG working with double-nat gone, it was not the error that caused it to fail. I must have missed another setup function.

As a test, I am trying to block all ads on speedtest.net. Should AG block those successfully? The stats home screen for AG updates and says it has blocked tens of thousands of ads. I have deleted the browser cache and tried a different browser.
 

Attachment: double nat screen.jpg
Why would an Ad blocker care about double NAT?
Now that I think about it, if it is doing session tracking or marking traffic with mangle rules, the functionality could get lost in translation from Double NAT.
 
Now that I think about it, if it is doing session tracking or marking traffic with mangle rules, the functionality could get lost in translation from Double NAT.

If you're suggesting that the upstream router is stripping marks ...

The marking of packets remains local to the router doing the marking. It does NOT modify the packet itself. It's tracked and managed independently by the kernel. That's why if you want to make your marks persistent within a connection, you need to use the SAVE and RESTORE options in the mangle table. That effectively keeps remarking the packets as they come and go within the same connection.

So I still don't see how being double NAT'd would affect anything related to marking, or by extension, session tracking if we assume it's dependent on the use of marking.

Then again, maybe you meant something different entirely.
 
The warning about double NAT was added in this commit. It roughly coincides with this post.

I can't find anything on the internet to suggest that AdGuardHome has any issues with multiple NAT levels. The only thing I did find was from someone using pfSense who was trying to use NAT loopback in a double NAT situation in an attempt to create a form of DNSFilter. I do wonder whether the post I linked to above was also attempting something similar. In which case it would really be a user error rather than a problem with AdGuardHome.

So I suspect the NAT warning message was just added as a general disclaimer rather than indicating an actual identified problem.
 
Well NAT loopback in a double NAT situation can be problematic. It assumes the upstream router supports it, since you have to reference the upstream router's public IP, NOT your own router's private IP. But I have no idea if AdGuard is somehow dependent on NAT loopback (or perhaps in some very specific and uncommon situation). To the extent it is, then yeah, I could see the problem.
 
But I have no idea if AdGuard is somehow dependent on NAT loopback (or perhaps in some very specific and uncommon situation).
I don't believe there are any dependencies on NAT loopback. That's why I think it's a user error, e.g. attempting to access AdGuardHome via the WAN interface without first modifying the firewall.
 
If you're suggesting that the upstream router is stripping marks ...

The marking of packets remains local to the router doing the marking. It does NOT modify the packet itself. It's tracked and managed independently by the kernel. That's why if you want to make your marks persistent within a connection, you need to use the SAVE and RESTORE options in the mangle table. That effectively keeps remarking the packets as they come and go within the same connection.

So I still don't see how being double NAT'd would affect anything related to marking, or by extension, session tracking if we assume it's dependent on the use of marking.

Then again, maybe you meant something different entirely.
Not always the case. If the upstream router is maintaining the sessions instead of the first hop router you are connected to, then that router (first hop) is acting as a passthrough, so it can potentially cause some issues.
 
