This post helps you deal with the situation where you want to improve your home Wi-Fi network yet can't (or don't want to) get rid of your ISP-provided gateway (or any existing router).
It's a question of Single NAT vs Double NAT.
If those "NAT" terms seem scary or strange, you're reading the right post. You'll know how to handle them as comfortably as the next guy when you're through. And there's a chance you won't have to deal with them at all.
Before going further, make sure you're comfortable handling a home Wi-Fi router and, most importantly, have mastered the differences between common home networking devices (modem, ONT, router, gateway, etc.)
Done? Let's dive in!
Dong's note: I first published this piece on December 30, 2018, and last updated it on November 16, 2022, with additional relevant information.
How to best deal with that ISP-provided gateway you can’t replace
Ideally, you should use just one router for your home network. The standard way to have any local network is to connect your router to the Internet terminal device -- generally a Cable modem or a Fiber-optic ONT.
In this popular case, you have a single NAT configuration, which is generally implied -- there's no need to even mention "NAT". But since we'll have to deal with double NAT later, let's find out what NAT is.
What is NAT?
NAT stands for network address translation and is one of the major functions that define a router.
NAT allows the router to use a single WAN (public) IP address (provided by the broadband provider) to deliver Internet access to many connected devices by creating a separate sub-set of local (private) IP addresses.
NAT is necessary because to connect, a device needs an IP address, and generally, a home gets only one single IP (the public IP) from the provider. So in a way, NAT is a method that splits one IP address into many.
A bit of analogy:
You can think of a router's NAT function as the mailroom of a big office building.
It handles packages between the building and the outside world, allowing everyone in different rooms inside the building to share the same shipping address yet be able to send/receive personal mail and packages.
In this case, the building is your local network, its mailing address is your WAN IP address, each room within the building is a local device, and the room number is the device's local IP address.
Each router has a NAT function. So when you use one router or a gateway, your local network has a single NAT setup. Again, in this case, the "NAT" notion is implied. There's no need to talk about it.
But sometimes, you have to use more than one router in a network, such as when you have to keep that ISP-provided gateway -- which is essentially a router -- and yet want to expand or upgrade your system.
No matter what your reason might be, when you use a router on top of another, you get a double NAT situation.
Continuing with the building analogy above: A double NAT is when you have a second building attached to the back of the first building. This 2nd building uses the same front door shipping address as the first, yet it has its own mailroom.
As you can imagine, all traffic between the 2nd building and the outside world has to go through the 1st building, and the mailing service for those in the 2nd building can be complicated -- they have to deal with two mailrooms.
A double NAT setup is non-standard and can be a pain for certain networking needs. But in many cases, such as when Internet access is all you care about, it'll work fine, and you might not even notice it. We'll talk more about this below.
Now that we're on the same page in single NAT vs double NAT, let's continue with how to handle that ISP-provided gateway gracefully.
The counterargument: The benefits of using an ISP-supplied gateway
While it's clear that it's best to use your equipment, there are some benefits to using a gateway provided by your Internet provider.
Here are a few examples:
- Ease of use: You don't need to do anything. The provider will set up the home network for you and manage the hardware, including firmware updates, troubleshooting, etc.
- Less cluttering: You only have one hardware box instead of two. (A retail gateway applies, too.)
- Hassle-free hardware replacement: If the gateway dies, call the provider, and you'll get a replacement pronto -- all free of charge. The provider also upgrades the equipment when need be.
- Easy management: With some providers, you can manage certain aspects of your home network, like changing the Wi-Fi password, via your online account. (That is if you're OK with the potential privacy risks.)
- Unlimited data cap: Some providers, such as Comcast Xfinity, charge half as much ($25 vs $50) for unlimited monthly data when you use their gateway.
In short, using ISP-provided equipment is not all bad. The benefits are enough to justify the monthly "rental" fee for some.
Assuming you can't replace that gateway, I'll walk you through when to use it as a single NAT (A) and when as a double NAT (B). In each case, I'll mention different scenarios with further details.
A. Making the most of an ISP-provided gateway: The Single-NAT approach
Many modern gateways have advanced networking options -- a bit of customizing will give you a much better home network.
In this case, we have two main scenarios.
- In the first scenario, you're happy with the gateway's Wi-Fi coverage -- you don't need additional Wi-Fi hardware.
- In the second, you're not happy with your current Wi-Fi and need or want to use additional or better Wi-Fi broadcasters.
Let's tackle these two, one at a time.
A1. The single-box scenario -- no extra Wi-Fi hardware is needed
If you're happy with the gateway's Wi-Fi coverage, you only need to make a few changes.
Generally, you shouldn't use the gateway with the default settings left by the ISP's technician. Further configuring it will make a much better network.
Below are three things you should do to an ISP-provided gateway.
ISP-provided gateways generally have a web user interface. You can handle them the same way you do a regular Wi-Fi router.
1. Change the default access to the gateway
All gateways come with default admin access. Anyone who knows the default credentials and is connected to the network can log in to the gateway's interface.
A Comcast Xfinity residential gateway's default password is almost always highspeed.
For security, you should change that password to something else.
To do that, log in to the gateway's web interface by pointing a browser to its IP address and log in with the default password (or access code). You can generally find this information on the side or bottom of the device.
Once you've logged in, navigate the interface to the area where you can change the password and create a new, more secure one -- make sure it's different from your Wi-Fi network's password.
2. Make a meaningful Wi-Fi network (SSID)
By default, each gateway has a preset Wi-Fi network whose name and password are both hard to remember or type in, especially when you need to do that on a small screen or via remote control.
You can give your Wi-Fi network a personalized name and a password that you can remember.
Again, you can do this via the web interface and follow these password guidelines to keep your system secure.
3. Customize the gateway’s advanced settings
This part is optional, but most gateways have a decent set of features and settings that you can use -- the amount varies from device to device.
Examples include port-forwarding, Dynamic DNS, separating the 2.4GHz Wi-Fi network from the 5GHz, etc. Again, you can use the interface to customize these.
In short, just because you don't use a standard off-the-shelf router doesn't mean you can't make your network with specific advanced settings. Dig into your gateway's web interface; you might get surprised by how much you can get out of it.
A2. The multiple-hardware-box scenario: You need additional Wi-Fi hardware
This scenario applies when your gateway's Wi-Fi coverage is insufficient for the entire home.
In this case, you will need additional broadcasters to extend the coverage -- you want better Wi-Fi coverage or performance while keeping your home network in a single NAT configuration.
1. Getting an access point
It's best to get an access point if you can run a long network cable from the gateway to scale up the network. This is my first choice since it delivers a much better performance than an extender.
There are many options for APs, and most of them work similarly. It's best to use one that supports the same Wi-Fi standard as the existing router, or a better one, but any will work.
You can also turn an old router into an access point or pick one of these -- check out their review for more.
You can make the AP's Wi-Fi network (SSID) with the same name and password as the existing router. In most cases, that'd give you somewhat of a mesh system. Some access points, such as those in the TP-Link Omada family, can work as a robust enterprise system when you add a controller.
However, note that there might be no seamless signal handoff between the existing gateway and the AP. That's the general case of using an AP with an existing Wi-Fi router.
2. Getting an extender
An extender can quickly extend your Wi-Fi without you having to run a network cable.
However, using extenders means you get convenience at the expense of performance. Sometimes, the performance gets so bad the convenience is not worth it. Also, be mindful of the virtual MAC address issue.
Generally, Wi-Fi 6 extenders, such as the Asus RP-AX56, work better than their Wi-Fi 5 counterparts. Still, if you have fast Internet or use real-time communication applications, such as Voice over IP or video conferencing, no extender will cut it.
In short, extenders are for situations where you don't have other options. The result varies but is never great.
3. Getting a new mesh system (or router)
Sometimes, you might want an entirely new mesh system or a more powerful router on top of the gateway. Specifically, you'll connect the new hardware's WAN port to the gateway's LAN port.
In this case, to maintain the single NAT configuration, you have to do one of two things, not both:
- Make the gateway pass the WAN IP to the new router, effectively making it work simply as a terminal device (a modem or an ONT). Or
- Put your new mesh system (or router) into AP mode.
Gateway-to-router WAN IP passing
Depending on the gateway you use, the configuration for this varies.
With some, like cable gateways, all you need to do is put it in the Bridge mode. In this mode, a gateway is, in effect, a terminal device (cable modem or Fiber-optic ONT) -- you'll get no other features or network settings from it, including Wi-Fi.
When working in the bridge mode, only one of the gateway's LAN ports is active -- it's equivalent to the LAN port of a modem. In most cases, you can use any of its LAN ports to connect to the router, but in some, you must use the first one.
With others, like DSL gateways, you need to configure the IP Pass-through and map that to the local IP address of the router.
Again, the objective is to make your router take over the WAN IP, not the gateway's local (private) IP, and remove the NAT function of the gateway.
When IP Pass-through or bridge mode is unavailable, another option is to use the gateway's DMZ setting to allow the upper-level router to get unfiltered Internet access.
And that's it. You now have a home network like one built with a standard terminal device and a router.
Generally, putting the gateway in the bridge mode is the best solution -- it also prevents the ISP from spying on your network.
Turning your new mesh system or router into an Access Point
Most routers and Wi-Fi systems can work as an access point (AP) -- you can switch the mode via the web interface. If you use a mesh system, putting the primary router in the AP mode will turn the entire system into this mode.
The only mesh systems I'm aware of that can't work in the AP mode -- as a system -- are the variants of the Google (Nest) Wifi. But each unit can work as an independent AP.
Some vendors, such as Linksys or Google, call this AP mode "Bridge mode". Generally, if you see a router with three roles, router, bridge, and AP, pick the AP mode. If you see only the first two, the bridge mode will likely be the AP mode.
If your new router does not have an AP mode, you can manually turn it into an AP by connecting it to the gateway using one of its LAN ports (and not its WAN port -- leave this port alone).
You might want to configure the router's Wi-Fi network before turning it into an access point. It's a bit hard, though not impossible, to access its web interface afterward -- you'll need to figure out its IP address via the router unit.
In the AP mode, the hardware -- your new router or mesh system -- only extends the network hosted by the gateway. You cannot take advantage of its other settings and features. Also, again, generally, the AP and the existing Wi-Fi router (gateway) might not enjoy seamless signal handoff.
B. Making the most of an ISP-provided gateway: The Double NAT approach
The double NAT approach is much easier in terms of the hardware setup.
All you have to do is connect the new router's WAN (Internet) port -- or the primary router unit of your mesh -- to a LAN port of the gateway (or the existing router).
Now configure your new router to your liking, and you're all set.
Extra note on setting up a router on top of another
A different local IP address for each router is required
This part applies when connecting the new router to the existing gateway for the first time. The two must have different local IP addresses.
By convention, this address often appears as the "Default Gateway IP."
It's relatively rare that you have to worry about them having the same IP -- chances are they are already different by default. Many routers are smart enough to automatically change their IP (from the default) when connected to a router (or gateway) that already uses the same one.
If the two share the same IP address -- which tends to happen if the new router and the existing one are from the same manufacturer -- you'll note that devices connected to the new router won't have Internet. There can be other issues, too.
In any case, you can always change a router's IP using the web interface. You'll find the setting in the LAN (or DHCP) area of the router's interface. This IP is often 192.168.x.1 or 10.0.x.1 -- change x to a different digit.
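The two checks described so far can be automated: whether the new router really took over the WAN IP (section A2) and whether its local addresses clash with the gateway's. The Python sketch below is an added example, not something from a router vendor; the function names and all sample addresses are made up for illustration.

```python
import ipaddress

# Private ranges a home router hands out (RFC 1918).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_router(wan_ip, router_lan, gateway_lan):
    """Return findings for a router whose WAN port is plugged into a gateway.

    wan_ip      -- address on the new router's WAN/Internet status page
    router_lan  -- new router's LAN IP and mask, e.g. "192.168.1.1/24"
    gateway_lan -- gateway's LAN IP and mask, same form
    """
    wan = ipaddress.ip_address(wan_ip)
    r_if = ipaddress.ip_interface(router_lan)
    g_if = ipaddress.ip_interface(gateway_lan)
    findings = []
    if any(wan in net for net in RFC1918):
        # A private WAN address means the gateway is still doing NAT.
        findings.append("double-nat")
    if r_if.ip == g_if.ip:
        findings.append("same-router-ip")
    if r_if.network.overlaps(g_if.network):
        findings.append("lan-overlap")
    return findings


def suggest_lan(router_lan, gateway_lan):
    """Pick a router LAN in the same private block that avoids the gateway's."""
    r_if = ipaddress.ip_interface(router_lan)
    g_net = ipaddress.ip_interface(gateway_lan).network
    offset = int(r_if.ip) - int(r_if.network.network_address)
    block = next((n for n in RFC1918 if r_if.network.subnet_of(n)), None)
    if block is None:
        return None
    for cand in block.subnets(new_prefix=r_if.network.prefixlen):
        if not cand.overlaps(g_net):
            return f"{cand.network_address + offset}/{cand.prefixlen}"
    return None


if __name__ == "__main__":
    # Constructed sample values, not taken from any real device.
    for args in [("203.0.113.7", "192.168.50.1/24", "192.168.1.254/24"),
                 ("192.168.1.64", "192.168.1.1/24", "192.168.1.254/24")]:
        print(args, check_router(*args), suggest_lan(args[1], args[2]))
```

A "double-nat" finding is expected if you chose approach B on purpose; "same-router-ip" and "lan-overlap" are the ones that cost you Internet access behind the new router.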
Double NAT: When it works well
Generally, if all you need is a connection to the Internet, a double NAT configuration will work well, and you'll run into no issues.
Also, a double NAT setup makes the top-level NAT network -- hosted by your new router -- isolated (and more secure) because devices in this network are behind two layers of firewalls and NATs. They are also invisible to those connecting to the lower-level NAT.
That said, double NAT is an excellent setup if you want a particular group of devices to be isolated from another group. It's better than using Guest Wi-Fi networks.
Double NAT: When it doesn’t work (well)
The primary problem with double NAT is that devices belonging to one NAT will not communicate locally with those of the other NAT because each router has its own private set of local IP addresses shielded from the outside.
Specifically, a computer connected to the gateway can't print to a network printer connected to the new router. The two don't "see" each other. You'll also have issues with local services like data sharing, media streaming, network backup, etc.
All devices can see one another via the Internet, so using Internet-based printing or communications still works in double NAT.
Another thing is that your new router's advanced network settings, such as VPN, port-forwarding, etc., will not work as expected by default.
Port-forwarding is possible in a double NAT, but it requires more work. Specifically, the forwarding entry needs to be programmed twice:
- At the first-level (lower) NAT, map the forwarded port to the IP of the router on the upper NAT.
- At the top-level (upper) NAT, map the forwarded port to the IP address of the destination device.
To access the top-level NAT router's interface over the Internet, set that up as a server port-forwarding entry at the first-level NAT.
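To see why both entries are needed, here is a small Python model of the two forwarding tables that follows one inbound connection through them. It is an added example, not configuration from any real gateway; the addresses, ports and dictionary layout are constructed for illustration.

```python
import ipaddress

# Constructed sample setup: the new router's WAN port sits on the gateway's LAN.
GATEWAY = {"lan": "192.168.0.0/24",
           "forwards": {("tcp", 8443): ("192.168.0.2", 8443)}}
ROUTER = {"wan_ip": "192.168.0.2",
          "forwards": {("tcp", 8443): ("192.168.50.10", 443)}}


def trace_inbound(port, gateway, router, proto="tcp"):
    """Follow an unsolicited inbound connection through both NAT layers.

    Returns (destination, hops); destination is "ip:port", or None if dropped.
    """
    rule = gateway["forwards"].get((proto, port))
    if rule is None:
        return None, ["gateway: no forwarding entry, dropped"]
    gw_ip, gw_port = rule
    hops = [f"gateway: {proto}/{port} -> {gw_ip}:{gw_port}"]
    if ipaddress.ip_address(gw_ip) not in ipaddress.ip_network(gateway["lan"]):
        # The first-level NAT only knows its own LAN, not the network
        # behind the second router.
        hops.append("gateway: target is not on its LAN, dropped")
        return None, hops
    if gw_ip != router["wan_ip"]:
        return f"{gw_ip}:{gw_port}", hops  # device on the first-level network
    rule = router["forwards"].get((proto, gw_port))
    if rule is None:
        hops.append("router: no forwarding entry, dropped")
        return None, hops
    dev_ip, dev_port = rule
    hops.append(f"router: {proto}/{gw_port} -> {dev_ip}:{dev_port}")
    return f"{dev_ip}:{dev_port}", hops


def exposed_services(gateway, router):
    """Map each gateway port that reaches a device to that device."""
    exposed = {}
    for proto, port in gateway["forwards"]:
        dest, _ = trace_inbound(port, gateway, router, proto)
        if dest is not None:
            exposed[(proto, port)] = dest
    return exposed


if __name__ == "__main__":
    dest, hops = trace_inbound(8443, GATEWAY, ROUTER)
    print("\n".join(hops))
    print("delivered to:", dest)
    print("reachable from the Internet:", exposed_services(GATEWAY, ROUTER))
```

The output of exposed_services doubles as an inventory of what your two routers together let in from the Internet, which is worth reviewing whenever you add or remove a forwarding entry.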
A device of the upper-level NAT can still talk to a device belonging to the lower-level NAT if you use the latter IP address. The other way around is much harder, if possible at all.
Back to the building analogy above: In a double NAT, folks in one building can't see or hear those in the other building because the two are isolated. Also, mail-forwarding from one building to another can be an issue since the first mailroom doesn't have the map of the second building.
What to do in a double NAT setup
Now that you're aware of double NAT and still want to use it, there's just one thing you need to do: make sure you know which network (which NAT, that is) you're using and connect devices accordingly.
If you want to only use the new router (the top-level NAT), then:
- Turn off Wi-Fi on the first router/gateway (you can do this via its web interface) and use only the Wi-Fi of your top-level router.
- Connect all wired devices to the top-level router (and not the gateway) for them to see one another locally.
Alternatively, you can use both networks for security or isolation purposes. For example, you can keep the gateway's Wi-Fi network as a Guest network. In this case, ensure it has a different Wi-Fi name (SSID) from the one you use for yourself.
If using a double NAT proves too much trouble -- as it can be for many homes -- you should opt for the traditional single NAT route.
No matter your Internet situation, you can still customize your home network to your liking. It just takes a bit of work.
In my experience, having to keep the ISP-provided gateway is the most popular situation, and therefore, double NAT is also commonplace.
Keep that in mind the next time you troubleshoot your home or office network.