2

Fixing Double NAT

The standard setup on my eero 3 pack completed successfully.

My ISP is CenturyLink. My modem/router is an Actiontec C1000A. After setup, the network looks like this:

Internet --- <C1000A> 192.168.0.1 --- 192.168.0.110 <eero> 192.168.4.1 --- LAN 192.168.4.x

This creates a Double NAT condition. Probably not a critical problem, but one I would prefer to correct this if possible.

The Help Center suggests putting the combo device in bridge mode. Sadly, the C1000A does not have a simple bridging mode; only transparent bridging. Since the ISP Protocol is PPPoE, the eero would have to use credentials to sign in to the ISP. However, the eero has no such provision.

I've seen many tips that suggest putting the eero in the C1000A's DMZ. I can't use 192.168.4.1 since that is in a different subnet. I've tried using 192.168.0.110, but the eero never connects to the Internet.

It appears that the eero settings could be changed so that it would also be in the same subnet as the C1000A (although I'm not 100% clear on how to do that). Then, perhaps, after putting the eero in the C1000A DMZ, it would be able to connect to the internet. The network would look something like this:

Internet --- <C1000A> 192.168.0.1 --- 192.168.0.??? <eero> --- LAN 192.168.0.x

Before I take the dive and try to make this happen (and potential wreck the existing setup), does anyone have insight on whether such an approach is feasible and have guidance on how to proceed?
 

4 replies

    • jhollington
    • 4 yrs ago
    • Reported - view

    There are actually two (possibly three) ways to go about this, depending on what you want to do...

    The simplest is to put the Eero itself in "Bridge" mode. In this case, you'd still use your C1000A as your main router, which would hand out your IP addresses, and the Eero just becomes an access point system for your Wi-Fi devices. The downside to this is that you can't use features like Eero Secure, since it's not working as a router at all — the Eero becomes a "passive" system that really just connects your devices to Wi-Fi, and your C1000A router does all of the rest of the heavy lifting.

    The second option is, as you suggest, to use "Double NAT," in which case the best thing to do really is to assign the Eero to the C1000A's DMZ. This will let you use it as a router, although you might run into some problems due to double NAT depending on what you're doing. These days this mostly affects VPN services, but can also still impact some VoIP and video calling apps. It won't impact normal everyday surfing and browsing at all.

    To put the Eero into the DMZ, it needs to be on the same subnet as your C1000A's internal IP address (192.168.0.x in your example). You can either configure the Eero manually to use an address on this subnet (e.g. 192.168.0.2, as I'm guessing the C1000A is probably 192.168.0.1), or you can let the C1000A hand out the IP address to your Eero (via DHCP).

    I'm not up to speed on the specific configuration steps for the C1000A, but it's probably easiest to configure the Eero manually to something like 192.168.0.2, since you'll probably need to assign the DMZ to a specific IP address, which could change if it's being assigned automatically. Once you have the Eero's "public" IP address established (e.g. 192.168.0.2), you need to log into the C1000A and find the DMZ setting and point it to that address.

    This will have the effect of taking all inbound traffic that comes into the C1000A and sending it directly to the Eero, which at least means that it will be able to automatically open inbound ports for things like online games, VoIP services, and so forth using automated protocols like uPNP. If you don't do this, you'll likely have problems with these services.

    The potential third option is to look for a feature called "Advanced DMZ" or some such. Again, I'm not a CenturyLink customer, but I've read several reports that this is a possibility on at least some of their routers, and it's what I'm using with my ISP (Bell Fibe in Canada). The "Advanced DMZ" feature lets the router actually assign the *public* IP address to the Eero, at which point it acts just like the C1000A isn't in the loop at all. 

    Unfortunately, as I said, I'm not up on the C1000A, but if you do a bit of searching you may find some folks who have done this successfully... I know it's been discussed in the PPPoE feature request thread over in the "feature requests" section of these forums.

      • Koogsey
      • 3 yrs ago
      • Reported - view

      jhollington I live in Canada and am with Bell. I was wondering if you could explain how to setup advanced DMZ to avoid double nat. I am currently running with the eero in bridge mode but would like to restore the functionality

    • jhollington
    • 4 yrs ago
    • Reported - view

    I should also add that when configuring the static IP on the Eero (e.g. 192.168.0.110 in your example), you also have to make sure you configure the outbound gateway to be 192.168.0.1 and the DNS to whatever it's supposed to be. That's the most likely the reason the Eero isn't getting connected. 

    When the address is assigned automatically by the C1000A using DHCP, this is all handled automatically, but you'll need to make sure you punch it in manually if you're setting the IP address yourself. 

    • claytoncarney
    • 4 yrs ago
    • Reported - view

    Thank you @jhollington for your replies.

    I had tried most of your suggestions. The C1000A does not have an "Advanced DMZ" feature. Bridging the eero disabled too many of its features.

    Since posting this question, I discovered that Comcast finally offered internet only service. We switched about 6 weeks ago, which: eliminated the Double NAT, provided a 5X speed increase, and significantly increased reliability (all at the same cost).

    Turns out that in the USA, 70% of internet service is via cable. And that figure is growing every year. DSL is really showing its age and telco is not investing to improve its capabilities. It makes sense that eero is not offering PPPoE; no return on investment in a dying sector.
     

Content aside

  • 2 Likes
  • 3 yrs agoLast active
  • 4Replies
  • 8451Views
  • 4 Following