Forum Discussion
adonf06
Dec 01, 2025 Aspirant
Double NAT configuration
I'm having trouble configuring my RBE971 as a router behind my modem/router, which is itself configured as a router. I want to retain some of the router functions of my modem/router, but also benefi...
FURRYe38
Dec 04, 2025 Guru - Experienced User
I've had my 970 series in double NAT many times. Behind a 192.168.0.1 router leaving the 970 router at 192.168.1.1 in full router mode. If I do this kind of configuration I typically use the 192.168.0.1's DMZ for the 970 router. Have zero issues using this configuration.
I've never changed the NAT Filter on either upstream or downstream router, you can try this however it may not affect anything.
adonf06 wrote: The 10G hub is a Zyxel XS1930-10.
I just tried again by connecting the RBR's WAN port directly to the router. The result is the same.
I also tried changing the RBR from 192.168.16.1/20 to 192.168.0.1/24. Same result.
I also tried solution #2, without success. I finally gave up :(
Ultimately, since I wanted to be able to take advantage of certain RBR features not available in AP mode, I implemented the following solution:
- the box in router mode at 192.168.1.0/24, to benefit from certain features and manage my wired PCs over 10G,
- the RBR in router mode at 192.168.16.0/20 to manage my numerous Wi-Fi devices, but without using the router function,
- a PC on both networks with dnsmasq to serve everyone via DHCP and DNS, and configured as a gateway to the box.
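Added example, not part of any post in this thread: overlapping inner and outer subnets are one cause of double-NAT trouble that can be ruled out offline, so this sketch checks the address plans mentioned above. The /24 masks for the 192.168.0.1 and 192.168.1.1 routers and every inner WAN address are assumptions made for the example; the function and variable names are hypothetical.

```python
import ipaddress

def check_plan(outer_lan, inner_wan_ip, inner_lan):
    """Return addressing problems for an inner router NATed behind an outer one.

    Prefixes may carry host bits ("192.168.16.1/20"), as the thread writes them.
    """
    outer = ipaddress.ip_network(outer_lan, strict=False)
    inner = ipaddress.ip_network(inner_lan, strict=False)
    wan = ipaddress.ip_address(inner_wan_ip)
    problems = []
    # The inner router's WAN port is just another client on the outer LAN.
    if wan not in outer:
        problems.append(f"inner WAN {wan} is not inside outer LAN {outer}")
    elif wan in (outer.network_address, outer.broadcast_address):
        problems.append(f"inner WAN {wan} is the network or broadcast address of {outer}")
    # If the two LANs share addresses, the inner router cannot tell a local
    # host from one on the outer side, and traffic between them breaks.
    if inner.overlaps(outer):
        problems.append(f"inner LAN {inner} overlaps outer LAN {outer}")
    return problems

# (label, outer LAN, inner WAN address, inner LAN)
# Inner WAN addresses are constructed; masks not stated in the thread are assumed /24.
PLANS = [
    ("970 behind 192.168.0.1 router", "192.168.0.1/24", "192.168.0.2", "192.168.1.1/24"),
    ("RBR /20 behind box",            "192.168.1.0/24", "192.168.1.2", "192.168.16.1/20"),
    ("RBR /24 behind box",            "192.168.1.0/24", "192.168.1.2", "192.168.0.1/24"),
    ("constructed conflict",          "192.168.1.0/24", "192.168.1.2", "192.168.0.0/16"),
]

def report():
    """Map each plan label to its list of problems (empty list means no conflict)."""
    return {label: check_plan(o, w, i) for label, o, w, i in PLANS}

if __name__ == "__main__":
    for label, problems in report().items():
        print(f"{label}: {problems or 'no addressing conflict'}")
```

Under those assumptions the three plans from the thread come back clean; only the constructed /16 plan is flagged.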
StephenB
Dec 04, 2025 Guru - Experienced User
FURRYe38 wrote:
I've never changed the NAT Filter on either upstream or downstream router, you can try this however it may not affect anything.
Not an option on the 870. Are you seeing this on the 970? If so, where?
FURRYe38 wrote: I've had my 970 series in double NAT many times. Behind a 192.168.0.1 router leaving the 970 router at 192.168.1.1 in full router mode. If I do this kind of configuration I typically use the 192.168.0.1's DMZ for the 970 router. Have zero issues using this configuration.
I double-route because my set top boxes only work with my ISP router, and the ISP router doesn't provide OpenVPN.
Port forwarding isn't a problem. But there are some other drawbacks. One is that the ISP router's wifi can't reach my set top boxes (which only have wifi interfaces), so I need to set up a separate mesh for that - using an RBK50 as an AP. So I end up with two competing meshes. Also some features of the set box (casting being one) require connecting my phone to the RBK50 network, instead of connecting to the normal 870 network.
Netgear could make some fairly easy improvements to the Orbi features that would let me fully integrate the network:
- They could make openVPN and DDNS available in AP mode
- They could let me turn off NAT filtering - letting me use a subset of the ISP's router local network addresses on the 870.
There are no technical reasons why these changes couldn't be made.
I guess I could just deploy a VPN server, but overall I do prefer Orbi's management interface.
Although I suspect adonf06 might be wanting a different set of functions than I do, I do understand his frustration.
- FURRYe38 Dec 04, 2025 Guru - Experienced User
NAT Filter can't be turned OFF or disabled of course, just changed. Open Or Secure. Open is the older version of Full Cone NAT. Secure is newer generation Strict Cone NAT. Though in AP mode NAT would be technically disabled since AP mode disables all routing and filtering. I presume for security reasons, NG may not want to have a disable option while in router mode. Done lots of research and testing with NAT Filtering and NAT over past years. Especially in gaming.
Also I presume that for general use and ease of operation, some features we would like to see may not be in high demand or commonplace for general users. Most users just want the system to be easily setup and work. Advanced features, well, all that is up to NG. I personally would like to see power adjustments return on the BE series. Was very helpful in troubleshooting too many RBS deployed and placement in smaller homes. Ran into a recent issue having two systems online at the same time so I had to remove one BE system and revert to an AXE system to help avoid interferences in testing.
Some features are also meant to be run in router mode so AP mode may be more limited and not have a need for some features that are seen in router mode and some users should look at the host features and requirements seen there and make a good choice on what modes they should and can use. Many different configurations out there. Just have to find what works best.
My 2 cents.
- StephenB Dec 04, 2025 Guru - Experienced User
FURRYe38 wrote:
NAT Filter can't be turned OFF or disabled of course, just changed
Lots of routers (including L3/L4 managed switches) don't have NAT, so there is no technical reason why it can't be disabled. Of course it normally shouldn't be disabled when it is an edge router on a home network. But it is a way to avoid double-NAT.
donawalt wrote:
It would not be easy to make openVPN and DDNS available in AP mode.
Both services can be deployed on a PC behind a NAT router (as long as the openVPN ports are forwarded to that PC). So they can work in AP mode (again as long as the TAP and TUN ports are forwarded).
Granted these are advanced and niche features, but these are very expensive routers in the prosumer price range. So IMO more advanced configs should be supported.
- donawalt Dec 04, 2025 Mentor - Experienced User
You’re right that OpenVPN and DDNS can run on a PC behind a NAT router as long as the upstream router handles all the port-forwarding—but imho that’s exactly the reason Netgear disables them in AP mode. In AP mode the router stops being a gateway and becomes just a layer-2 bridge, so it has no WAN interface, no firewall, and no ability to automatically open or manage the ports that OpenVPN or DDNS depend on. Netgear could technically allow those services to run, but they would only work if the user manually configured the upstream router to forward all the required TUN/TAP ports to the AP’s LAN IP, and even then the AP would still be advertising a DDNS hostname for a WAN IP it doesn’t control.
Along the lines of the upstream router needing to be configured, another big issue is that even if Netgear allowed OpenVPN and DDNS to run in AP mode, supporting it would be extremely difficult because the upstream router—where all the port-forwarding must occur—could be made by literally any manufacturer, each with different interfaces, capabilities, and terminology. Some routers bury or limit port-forwarding options, some don’t expose the needed settings at all, and others behave inconsistently depending on firmware or ISP restrictions. So Netgear would be responsible for troubleshooting OpenVPN setups that depend entirely on hardware they don’t control. That’s a support nightmare; they’d have to diagnose problems on every imaginable brand of gateway just to make a feature work that the AP isn’t really designed to host in the first place.
These are big reasons why vendors disable these features in AP mode, even though they’re technically possible.