Case of Triple NAT, options to reduce it?

Hello,

Currently the setup from my ISP to end client is like this :

User PC <--- 192.168.10.x subnet ---> OpenWRT Routers <--- 192.168.1.x subnet ---> ISP Provider ONT Modem <--- 10.x.x.x (still private ip address, seems to be another NAT in gateway) --> ISP Gateway ? <--- public id address ---> internet

In this configuration my network seems tripled NAT'ed and try several way of reduce NAT by setting the ISP provided modem as bridge, so far and my config became :
User PC <--- 192.168.10.x subnet ---> Openwrt Routers <--- bridged ---> ISP Provider ONT Modem <--- 10.x.x.x ---> ISP Gateway ? <--- public ip address ---> internet

Can I reduce the NAT into single only? (directly to my ISP Gateway), by bypassing NAT in openwrt straight into the ISP Gateway? thank you.

If you plug your PC directly into the ONT (which I presume is the point of first entry into your home), what do you get for an IP address?

What ISP do you use?

In most cases with new ISPs, who haven't been on the market long enough to get a big chunk of IPv4 address space (mostly ftth and cable, depending on your country), cgNAT will be mandatory for IPv4 - if you're lucky, they do offer you unrestricted IPv6 access though.

Yes, putting the ONT into bridge mode (which usually needs to be (re-)provisioned that way by your ISP) will help you to get rid of one NAT layer (of the ONT acting as router as well), but you can't get rid of the ISP level cgNAT instance, which will prevent any incoming IPv4 connections immediately. I don't see how you'd be able to avoid the second level of NAT'ing on your own router, yes, in theory you could - but you'd become dependent on your ISPs network structure (and their future changes) that way (and the cgNAT layer would still be in the way).

In some cases you may be able to convince your ISP that you need an IPv4 address, in others they may offer you a dedicated IPv4 address for a reasonable monthly markup - but in many cases, there's no such option on offer (aside from either switching to a massively more expensive business contract or going to another ISP).

if I plug the PC directly to the ISP Modem (default, not bridged), then I get IP address 192.168.1.x ...

  • also testing Xbox Live Setting shows Moderate NAT
  • traceroute also shows it pass through my ISP Modem first

if I plug the PC directly to the ISP Modem (bridged mode), then I get IP address 10.x.x.x (still private though, because when I check with whatismyip it shows different)

  • Xbox live Setting shows Open NAT (better I assume)
  • traceroute also shows shorter hop, although still pass the ISP Gateway first

I use local ISP in my country (Southeast Asia), it's a fiber optic connection.

Unfortunately, They only offers IPv6 on business account (I use residential account), so no IPv6 for me, also because of non public IP address / passing through NAT I assume 6in4 is not an option.

I could also try to make the router into switch directy, so only 1 layer NAT (from the ISP Gateway)... but then again I need my LAN network to control local devices and providing Pi-Hole DNS Server.

is there a way I can keep my LAN network (192.168.10.x) but also routing to my ISP private network (10.x.x.x) without NAT?

It sounds like you're going to be stuck with NAT from the ISP. The best situation is the ISP modem in bridge mode since at least it is just passing the IP address from the ISP (which is indeed private -- it is part of the RFC1918 address space).

You should probably put the modem into bridge mode and then plug in your OpenWrt router that has the desired network definition for your LAN. Another reason you should use your own router is because your ISP may not give you multiple IP addresses (thus requiring NAT masquerading), and you should have your own firewall anyway (to prevent other users on the ISP from accessing/attacking your devices). Basically, you can look at it like this:
Internet > ISP w/ NAT > You w/ NAT + Fireawll

You will always be double-NAT to the internet because your ISP is the first NAT and your own router will be a second NAT (you're only single NAT to the ISP, this is the only part you can easily control).

All of that said, because of the NAT situation by the ISP, there is no simple way to setup a server on your network that will be reachable from the internet (i.e. listening for inbound connections to your network), but outbound stuff usually works just fine.

I'll ask you this question: other than the Xbox telling you your NAT status, are you experiencing any issues with your gameplay or any other internet connectivity problems that you believe are the result of the double or triple NAT? If not, there is no practical concern with your connectivity.

2 Likes

I see, I guess right now the best condition I can do is set the ISP Modem into bridged mode and reducintg the NAT layer into double (from Triple). Thank you for the advice.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.