Bear in mind that "NAT" as usually discussed is actually also Port Address Translation (PAT).
Strict, Moderate and Open are names Microsoft popularised. Strict has the most aggressive aggressive port assignment approach, Moderate is a half-way house, Open is basically a full uPnP implementation permitting arbitrary inbound and outbound port mappings.
The best generic equivalent names for Strict, Moderate and Open are probably 'Port Restricted Cone NAT', 'Restricted Cone NAT' and 'Full Cone NAT'.
Some further reading:
https://en.wikipedia.org/wiki/Network_address_translation
https://techdifferences.com/difference-between-nat-and-pat.html
https://badmodems.com/Forum/viewtopic.php?t=21
Symmetric NAT also changes all traffic's source port at the router, which is not Double NAT but is more secure. Essentially, each request to a new destination receives a new NAT mapping, irrespective of whether the source IP and port is the same. The Wikipedia article diagrams help explain the difference.
Double NAT is where your machine is sat behind a router (e.g. ISP provided router), and the ISP router's gateway is another router handing out private range IP addresses. It's that second router which actually has the direct route to the Internet. This means all traffic has to go through two address translation steps which causes problems for inbound traffic which is not being sent in response to your own outbound traffic.
In the past this was most common when someone had an ISP router, but also wanted to use their own router. They would connect their own router's WAN to a LAN port on the ISP router, but not disabling the routing features on the second router, so both devices end up handing out DHCP IP addresses and performing NAT on devices connected to them.
Traffic from a PC on their 'inner' router (router1) routes to the 'outer' router (router2) which has the WAN link.
Any traffic from devices on the inner router was considered a single machine's traffic by the outer router, because how would it know any different?
That's fine for going out to the Internet, and also for returning packets for that connection in most cases because of how port forwards (listening ports for responses) are dynamically set up. However for arbitrary incoming data, how does the 'outer' router know who the intended recipient is? It will not, unless the outer 'router2' already has a static route (aka port forward) created, pointing to 'router1' (inner) -- and then the inner router also has a port forward going to the IP of the actual computer.
Appropriating Netgear's diagram:
https://kb.netgear.com/30186/What-is-Double-NAT
You can see how the traffic has to navigate two private networks to reach the Internet.
Using dumb switches to extend a network works differently, because they use MAC addressing at Layer 2 to direct packets. That's why you can hang an 8 port switch off a 4 port router and effectively gain 7 extra sockets with no added NAT complications. The requirement is that all switches are physically connected to the same network segment as the router, Layer 2 routing doesn't go through routers.
The lines blur a bit when you get 'smart' or Layer 3 switches which can do all manner of clever things, they can almost behave like routers. Out of scope for this response though.
Some scenarios actually benefit from Double NAT - it's useful for higher security setups, and some people just prefer being able to run an isolated network within a network. It can be a more pragmatic approach than implementing something like VLANs or port isolation. It's different to how things like isolated 'guest networks' function on WiFi routers though, that can be accomplished with routing tables and a separate DHCP range.
ISPs are essentially doing double NATting more frequently as they run out of IPv4 blocks, it's called Carrier Grade NAT (CG-NAT). It's been commonplace on mobile networks for years.
Last edited:
