Networking – I installed an Airport Extreme router and got a warning about “Double NAT”. Why is that bad?

Tags: nat; networking; router; Security

I've got a relatively complex home office/small office network — I use two NAT (Network Address Translation) routers/firewalls to provide a DMZ (DeMilitarized Zone) for a cheap sacrificial web server. Basically, I don't want compromise (a.k.a. pwnage) of the web server to easily allow access to the PCs on the private network. Here's a simple diagram of how I have things set up:

  INTERNET --- External NAT Router --- Internal NAT Router --- Private LAN  
                         |  
                    WWW Server

The external router allows ports 80 and 443 in, forwarded to the web server. The internal router allows nothing in. Theory: if the web server gets compromised, the private LAN PCs are still protected by the internal router.

Forward: I recently purchased an Apple Airport Extreme to replace the existing internal NAT router. When I plugged the new Airport Extreme into the external router, the Airport Utility complained during setup that I was using a "Double NAT" configuration. I was puzzled — I've never seen such a message from a router before and have never experienced a problem with a double NAT setup. I've been on a double NAT setup for years.

So, why is double NAT bad enough that my Airport Extreme wants to warn me about it and suggest using bridged mode instead? Putting the obvious performance/latency considerations aside, why would NAT on top of NAT be a bad thing? Thanks!

Best Answer

I actually had an analogous error occur in my setup recently when I reconfigured it due to a gear swap.

The double-NAT message is designed as a warning of a possible pathological network setup, but I think it's irrelevant, especially as you say you've been running this setup for a while. In fact, many ISPs are using NAT these days on their DSL or cable modems, where each customer is already "behind the router", so to speak, even with a single device connected directly to the modem. As soon as the customer adds a wireless router for their home, they are in a double-NAT situation. And that seems to be working just fine for most people, obviously.

According to my research, it seems as though there are some applications, largely industrial-grade VPNs and other applications that manipulate data at the lower layers of the OSI stack that might hiccup if they start poking around inside the packets. A particular Cisco VPN + Firewall setup is one example I came across. As another example, the reliability of certain implementations of VoIP in a double-NAT environment seemed to be a matter of some debate.

As you point out, it will almost certainly introduce some small amount of additional latency due to the extra hop and the work being done by each router, but unless you're a competitive gamer... meh.

Edit: As Kevin points out below, UPnP is also likely to freak out in a double-NAT scenario, but the Airport Extreme which prompted the question doesn't support UPnP anyway.
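The following is an added example, not code from the question or the answer above: a toy Python model of the asker's two-router layout (external NAT with 80/443 forwarded to the web server, internal NAT forwarding nothing). It shows the two points the thread makes. First, a compromised DMZ web server cannot open connections into the private LAN, because the internal router passes only replies to flows the LAN initiated (the asker's "Theory"). Second, the double-NAT problem the answer attributes to UPnP: a port mapping created on the inner router alone leaves the outer router with no mapping, so the host is still unreachable from the Internet. All addresses are constructed from documentation and private ranges, the routers are simplified to a single flow table keyed by WAN port, and the UPnP request is modelled as a static forward on the inner router; none of this reproduces any real router's implementation.

```python
# Added example (not from the question or answer): toy model of a double-NAT DMZ.
# Addresses are constructed; routers are simplified stateful NAT boxes.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CLIENT = "198.51.100.7"   # constructed: a host on the Internet
WEB = "10.0.0.80"         # constructed: sacrificial web server in the DMZ
PC = "192.168.1.50"       # constructed: a PC on the private LAN


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatRouter:
    """Minimal stateful NAT router: one WAN address, one inside prefix."""
    name: str
    wan_ip: str
    lan_prefix: str                                                        # e.g. "192.168.1."
    forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)     # static port forwards
    table: Dict[int, Tuple[str, int, str]] = field(default_factory=dict)   # wan_port -> (in_ip, in_port, peer)
    next_port: int = 40000

    def is_inside(self, ip: str) -> bool:
        return ip.startswith(self.lan_prefix)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> WAN: record the flow and rewrite the source to the WAN address."""
        assert self.is_inside(pkt.src), f"{self.name}: {pkt.src} is not inside"
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (pkt.src, pkt.sport, pkt.dst)
        return Packet(self.wan_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> inside: pass only replies to known flows or static forwards; otherwise drop."""
        entry = self.table.get(pkt.dport)
        if entry and entry[2] == pkt.src:
            in_ip, in_port, _ = entry
            return Packet(pkt.src, pkt.sport, in_ip, in_port)
        if pkt.dport in self.forwards:
            in_ip, in_port = self.forwards[pkt.dport]
            return Packet(pkt.src, pkt.sport, in_ip, in_port)
        return None


def build_network() -> Tuple[NatRouter, NatRouter]:
    """The question's layout: external router forwards 80/443 to WWW; internal forwards nothing."""
    ext = NatRouter("external", "203.0.113.10", "10.0.0.",
                    forwards={80: (WEB, 80), 443: (WEB, 443)})
    inn = NatRouter("internal", "10.0.0.2", "192.168.1.")
    return ext, inn


def from_internet(ext: NatRouter, inn: NatRouter, pkt: Packet) -> Optional[Packet]:
    """Trace a packet arriving on the external router's WAN side to its final inside host."""
    p = ext.inbound(pkt)
    if p is not None and p.dst == inn.wan_ip:   # bound for the private LAN: second NAT
        p = inn.inbound(p)
    return p


def from_dmz(inn: NatRouter, pkt: Packet) -> Optional[Packet]:
    """Trace a packet sent by a DMZ host (e.g. the compromised web server)."""
    if pkt.dst == inn.wan_ip:
        return inn.inbound(pkt)
    return None     # private-LAN addresses are not routable from the DMZ


def web_reachable() -> Optional[Packet]:
    ext, inn = build_network()
    return from_internet(ext, inn, Packet(CLIENT, 51000, ext.wan_ip, 80))


def compromised_web_to_lan() -> List[Optional[Packet]]:
    ext, inn = build_network()
    return [from_dmz(inn, Packet(WEB, 3333, inn.wan_ip, 22)),   # knock on inner router's WAN side
            from_dmz(inn, Packet(WEB, 3333, PC, 22))]           # address the PC directly


def lan_round_trip() -> Tuple[Packet, Optional[Packet]]:
    ext, inn = build_network()
    out = ext.outbound(inn.outbound(Packet(PC, 55555, CLIENT, 443)))   # translated twice on the way out
    reply = Packet(CLIENT, 443, out.src, out.sport)
    return out, from_internet(ext, inn, reply)                          # untranslated twice on the way back


def inner_only_port_mapping() -> Optional[Packet]:
    ext, inn = build_network()
    inn.forwards[6000] = (PC, 6000)            # what a UPnP request from PC to the inner router achieves
    return from_internet(ext, inn, Packet(CLIENT, 52000, ext.wan_ip, 6000))


if __name__ == "__main__":
    print("Internet -> web server :", web_reachable())
    print("Web server -> LAN      :", compromised_web_to_lan())
    print("LAN -> Internet -> back:", lan_round_trip())
    print("Mapping on inner only  :", inner_only_port_mapping())
```

Running it shows the web server reachable on port 80, both attempts from the web server into the LAN dropped, a LAN-initiated flow returning correctly through both translations, and the inner-only mapping dead on arrival at the outer router. The last case is the double-NAT failure mode in miniature: a program that asks "its" router for a mapping gets one, but the router it asked is not the one the Internet talks to.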
