Double-NAT is a scenario in which multiple routers on a network are providing network address translation (NAT) services.
A common example is a cable modem or DSL modem connected to a Wi-Fi router. Both the modem and the router have NAT enabled, and local-network computers are connected to the router. Even if port forwarding is configured on the router, the computer is not accessible from the Internet because the router doesn't have a public IP address. It only has a private IP address on the modem's local (internal) network.
There are several possible ways to resolve this, but none of them is a "silver bullet" solution. Concrete network configuration is required to determine which solution is appropriate for your particular circumstances. The following solutions assume the most common scenario: a modem (DSL, cable, fiber optic, etc.) and a wireless router connected to that modem's local (internal) network. Both the router and the modem have browser-based administration interfaces, so each can be configured using only a web browser. Consult your router and modem manuals to determine the IP address at which each device's administration interface is available.
Possible Solutions
1. Use the Router in Bridge Mode
Bridged mode disables a router's NAT and DHCP services.
Note that some routers don't include a bridged mode; instead, they simply allow you to disable NAT and DHCP services directly. Others may prevent you from disabling NAT and DHCP services at all.
If the router is to operate in bridged mode, you must configure the modem to provide port forwarding services.
Note: Some routers refer to bridge mode as Access Point Mode.
2. Configure a PPPoE Connection Between the Router and Modem
This is the most robust solution, but not all ISPs provide enough information for this to be easily configured. PPPoE can usually be configured in the router's WAN settings. There are usually multiple options for WAN configuration, including DHCP and PPPoE. DHCP will only assign a private (local network) IP address to the router. PPPoE is a better option because it bypasses the modem's network address translation service. However, PPPoE may require authentication credentials your ISP might not provide.
3. Add the Router to the Modem's DMZ
Routers commonly provide a feature called DMZ (demilitarized zone). This feature allows you to select one computer to which all network traffic is forwarded. If your modem supports DMZ, this might be the best solution for you.
- Find the router's WAN (external) address. You might find this by logging into the router's admin interface and checking the Status page.
- Log in to the modem's admin interface, find the DMZ settings, and enter the router's WAN address.
Note that this solution will still result in a double NAT warning in Screens Connect, but if the router's port forwarding is correctly configured, Screens should still connect successfully.
4. Forward the Modem's Port 5900 (or 22) to the Router
This solution is similar to Solution 3, except that instead of putting the router in the modem's DMZ, only a single port is forwarded.
- Find the router's WAN (external) address. You might find this by logging into the router's admin interface and checking the Status page.
- Log into the modem's admin interface. Specify the router's WAN address as the address to which port 5900 or port 22 (protocol TCP) should be forwarded.
Note that this solution still results in a double NAT warning in Screens Connect.
Still Doesn't Work?
If you configured the port manually, make sure the Automatic Port Mapping option in Screens Connect settings is deactivated. Should you still have problems getting remote access to work, please contact us via email at screensconnect@edovia.com. To help solve your problem as quickly as possible, please include as much information about your network as possible. This includes the following:
- Details about your network configuration, including brand and model for all connected network hardware, including modem, routers, VoIP devices, etc.
- Screenshots of relevant router configuration information, including the router's Status page and port forwarding configuration. The more screenshots, the better. Attach screenshots directly to your message or compress them all into a .zip archive; there's no need to embed them into a PDF or Microsoft Word document.
Additional Solution: Use Tailscale
If the above solutions don't work, you can use Tailscale alongside Screens Connect on your Mac or Windows PC, or you can use Tailscale directly to bypass this limitation. Tailscale is a mesh VPN solution that simplifies network connectivity.
Useful Links: