Double NAT Reality Check: Why My Port Forwarding Dreams Were Crushed

Alex Nyambura
5 min read

Module 5 of my MikroTik Zero to Hero Challenge

I started Module 5 thinking I'd learn some simple NAT rules and set up port forwarding. What I discovered instead was that most home networks don't work the way networking tutorials assume. Welcome to the world of double NAT!

The Assumption vs Reality

What I Thought My Network Looked Like:

Internet (Public IP) → MikroTik → LAN devices

What It Actually Looked Like:

Internet → ISP Router → MikroTik → LAN devices
         Public IP    Private IP   Private IP

This changes everything about how NAT and port forwarding work.

Discovering My Real Network Topology

When I investigated my actual setup, here's what I found:

  • Public IP: 102.219.209.38 (shared among ISP customers)

  • ISP Router: Giving my MikroTik 192.168.100.40

  • MikroTik WAN: 192.168.100.40 (private address!)

  • MikroTik LAN: 192.168.88.0/24 (my controlled network)

Big revelation: My MikroTik doesn't have a real public IP address. It's getting a private IP from my ISP's router.
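A quick way to get this answer from the router itself, added here as an example and not part of the original module: the script below reads the address on the WAN interface, classifies it (an RFC 1918 private address means another router is NATing in front of you; a 100.64.0.0/10 address means the ISP is doing carrier-grade NAT directly) and compares it with the address an outside echo service reports. The interface name ISP and the use of https://api.ipify.org as the echo service are assumptions; paste it into a terminal or run it as a script.

```routeros
# Added example (not from the original post): classify the WAN address
# and compare it with the address the internet sees. Assumes the WAN
# interface is called "ISP" and that https://api.ipify.org (any plain-text
# "what is my IP" service will do) is reachable.
:local wanIface "ISP"
:local wanCidr [/ip address get [find interface=$wanIface] address]
# "192.168.100.40/24" -> 192.168.100.40
:local wanIp [:toip [:pick $wanCidr 0 [:find $wanCidr "/"]]]

:local kind "public (no upstream NAT on this hop)"
:if (($wanIp in 10.0.0.0/8) || ($wanIp in 172.16.0.0/12) || ($wanIp in 192.168.0.0/16)) do={
    :set kind "RFC 1918 private: another router is doing NAT in front of this one"
}
:if ($wanIp in 100.64.0.0/10) do={
    :set kind "100.64.0.0/10 shared address space: the ISP is doing carrier-grade NAT"
}
:put ("WAN address $wanIp is $kind")

# What the rest of the internet sees as the source of this router's traffic.
:local seen ([/tool fetch url="https://api.ipify.org" mode=https output=user as-value]->"data")
:put ("Address seen from outside: $seen")
:if ([:tostr $wanIp] != $seen) do={
    :put "WAN and public addresses differ: at least one more NAT sits between this router and the internet"
}
```

A WAN address that is public but still differs from what the echo service reports also means there is a NAT in front of you, and a public-looking address can still be shared (carrier-grade NAT does not have to use 100.64.0.0/10), so the only conclusive test remains an inbound connection attempt from outside.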

Understanding NAT in Simple Terms

Before diving into the complexity, let me explain what NAT does:

The Problem: Private addresses (the RFC 1918 ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) are not routed on the public internet. A packet from 192.168.88.200 could leave the house, but nothing on the internet could route a reply back to that address.

The Solution: NAT rewrites the source address (and usually the source port) of outgoing packets to a routable address, records the mapping in a connection-tracking table, and uses that table to rewrite the replies back to the original private address and port when they come in.

Two Types of NAT

Source NAT (SRCNAT/Masquerade):

  • Changes the source IP (and usually the source port) of outgoing packets, and records the mapping so the replies can be translated back

  • Enables internal devices to access the internet

  • Masquerade is the RouterOS src-nat action that uses whatever address the outgoing interface currently has, so it keeps working when the WAN address comes from DHCP

  • Example: My laptop (192.168.88.200) appears as 192.168.100.40 to the ISP

Destination NAT (DSTNAT):

  • Changes the destination IP (and optionally the port) of incoming packets before they are routed

  • Enables external access to internal services, provided the packet reaches this router in the first place

  • Example: Traffic to 192.168.100.40:22 gets redirected to 192.168.88.200:22

Setting Up Internet Access (The Easy Part)

Getting my LAN devices online was straightforward:

/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 out-interface=ISP action=masquerade comment="LAN to Internet"

This rule says: "When any device from my LAN (192.168.88.x) sends traffic out through the ISP interface, change the source IP to match the interface IP (192.168.100.40)." Masquerade also rewrites the source port when two devices pick the same one and records each connection, which is how the replies from the ISP side find their way back to the right LAN device.

Result: All my devices could browse the internet perfectly!

The Port Forwarding Reality Check

Here's where my dreams got crushed. I wanted to set up SSH access from the internet to my internal server.

I configured the DSTNAT rule:

/ip firewall nat add chain=dstnat dst-address=192.168.100.40 dst-port=22 protocol=tcp action=dst-nat to-addresses=192.168.88.200 comment="SSH port forwarding"

The Problem: This only works for traffic that reaches my MikroTik's WAN IP. But internet traffic hits my ISP router first, not my MikroTik!

Why True Port Forwarding Failed

The traffic flow for external access looks like this:

Internet User → ISP Router (192.168.100.1) → [STOPS HERE]

The ISP router doesn't know how to forward port 22 traffic to my MikroTik at 192.168.100.40. I'd need to configure port forwarding on the ISP router too, but I don't have access to it. And because the public address itself is shared among customers, the ISP's carrier-grade NAT in front of that router has no mapping for unsolicited inbound connections either, so even with access to the ISP router there would be a further layer that no customer can configure.

Hairpin NAT: A Clever Workaround

Even though real port forwarding didn't work, I could test the concept using "hairpin NAT" - connecting to the router's outside address (here 192.168.100.40) from inside the LAN, so the packet goes up to the router, is dst-natted there, and comes straight back down to the internal server.

From my laptop, I could SSH to 192.168.100.40:22 and get connected to 192.168.88.200:22. The NAT rule worked perfectly for internal testing!
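The rules below, added here as a worked example and not copied from the post, are the complete NAT set for this topology. The two rules already shown are kept; the third is the extra masquerade rule that MikroTik's documented hairpin NAT setup needs. Without it, when a LAN client connects to 192.168.100.40:22, the server at 192.168.88.200 sees the client's real LAN address and answers it directly, the reply never passes back through the router to be un-translated, and the client discards a SYN-ACK from an address it never connected to. The interface name ISP and the ISP router continuing to lease 192.168.100.40 are assumptions.

```routeros
# Added example (not the original post's config). Assumes the WAN
# interface is named "ISP", the LAN is 192.168.88.0/24, the SSH server is
# 192.168.88.200 and the ISP router keeps handing the MikroTik
# 192.168.100.40 (a DHCP lease, so re-check it if the lease changes).
/ip firewall nat
# 1. LAN -> internet: rewrite the source to the ISP-facing address.
add chain=srcnat out-interface=ISP src-address=192.168.88.0/24 \
    action=masquerade comment="LAN to Internet"
# 2. Anything reaching the MikroTik's WAN address on tcp/22 goes to the
#    server. Matching on dst-address (rather than in-interface=ISP) lets
#    the same rule serve both the WAN side and LAN clients (hairpin).
add chain=dstnat dst-address=192.168.100.40 protocol=tcp dst-port=22 \
    action=dst-nat to-addresses=192.168.88.200 to-ports=22 \
    comment="SSH port forwarding"
# 3. Hairpin fix: when a LAN client hits rule 2, also masquerade the
#    source so the server replies to the router, which then un-NATs both
#    directions. Without this the server answers the client directly from
#    192.168.88.200 and the client, expecting 192.168.100.40, drops it.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.200 \
    protocol=tcp dst-port=22 action=masquerade comment="SSH hairpin NAT"

# Verify: rule 2's packet counter should grow with every test connection,
# and the tracked connection shows both the original and translated pair.
/ip firewall nat print stats
/ip firewall connection print where dst-address~"192.168.88.200:22"
```

The hairpin masquerade has a forensic side effect worth knowing about: connections that take that path (and, with the rule as written, any LAN connection straight to 192.168.88.200:22) arrive at the server with the router's LAN address as their source, so sshd logs no longer show which LAN host actually connected. If that matters, keep the hairpin rule narrow and test the server from the LAN by its real address.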

Understanding Double NAT Impact

Most home internet connections work this way:

  • Your ISP does NAT: your public IP is shared among many customers (carrier-grade NAT)

  • Your router does NAT: your devices share your router's ISP-facing address

Result: at least two layers of address translation. In the topology above there are actually three, because the ISP-supplied router and the MikroTik each translate once more behind the ISP's shared public address.

Why This Matters

✅ What Works:

  • Internet browsing and streaming

  • Most apps and services

  • Internal network communication

❌ What Doesn't Work:

  • Hosting public services (web servers, game servers)

  • Some peer-to-peer applications

  • Direct external access to internal devices

The Difference Between Consumer and Business Internet

Consumer/Residential Internet:

  • Shared public IP addresses (CGNAT)

  • Limited or no port forwarding capability

  • Designed for consuming content, not hosting

Business Internet:

  • Dedicated public IP addresses

  • Full control over port forwarding

  • Designed for hosting services and servers

The Upgrade Path: a business plan, or a static public IP add-on where the ISP sells one, if you need inbound connections to land on your own router. The other common route is to avoid inbound ports altogether: the LAN host opens an outbound tunnel (a VPN or reverse tunnel) to a machine that does have a public address, which works through any number of NAT layers because every packet starts from the inside.

What I Accomplished

Even with double NAT limitations, I achieved:

  • Perfect internet access - All LAN devices are browsing normally

  • Clean NAT configuration - Proper masquerade rules

  • Internal port forwarding - Working for local testing

  • Network architecture understanding - Real-world vs textbook differences

Key Commands for NAT

# View current NAT rules (add "stats" to the print to see per-rule packet and byte counters)
/ip firewall nat print

# Remove all NAT rules (clean slate). This also deletes the masquerade rule, so the
# LAN loses internet access until you re-add it: run it from the console or a
# LAN-side session, never over a connection that depends on the NAT you are removing.
/ip firewall nat remove [find]

# Source NAT for internet access
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 out-interface=ISP action=masquerade

# Destination NAT for port forwarding. WAN-IP is the MikroTik's ISP-facing address;
# if it comes from DHCP, the rule silently stops matching when the lease changes.
/ip firewall nat add chain=dstnat dst-address=WAN-IP dst-port=PORT protocol=tcp action=dst-nat to-addresses=INTERNAL-IP

# Monitor active connections (shows both the original and the translated addresses)
/ip firewall connection print

The Reality of Home Networking

Module 5 taught me that textbook networking and real-world networking are often different.

Most networking tutorials assume you have:

  • A direct internet connection

  • A real public IP address

  • Full control over port forwarding

But most home users have:

  • Connection through ISP equipment

  • Shared/private IP addresses from ISPs

  • Limited hosting capabilities

This isn't a failure - it's just reality. Understanding these constraints helps you work within them instead of fighting against them.

What NAT Doesn't Do

Important clarification: NAT only handles address and port translation. On its own it doesn't:

  • Block websites or content (that's firewall filtering)

  • Control application access (that's layer 7 filtering)

  • Manage bandwidth (that's Quality of Service)

  • Provide security (that's firewall rules: a dst-nat rule decides where inbound traffic lands, and the filter rules decide whether it is allowed through at all)

Each network function has its tools and rules.
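To make the last point concrete, here is an added example (not the post's configuration) of the filter rules that belong next to the SSH dst-nat rule. On RouterOS the default firewall's forward chain drops new WAN connections only when they were not dst-natted, so the dst-nat rule alone opens tcp/22 on the server to every address on the internet; these rules restrict it to an allow-list. The interface name ISP, the server address from the post and the documentation-range admin address 203.0.113.10 are assumptions to replace with real values.

```routeros
# Added example (not from the original post). The dst-nat rule decides
# where tcp/22 lands, not who may reach it: RouterOS's default firewall
# accepts forwarded WAN connections that were dst-natted, so a port
# forward without a matching filter rule admits the whole internet.
# Assumes WAN interface "ISP" and the server 192.168.88.200 from the post.
/ip firewall address-list
add list=ssh-admins address=203.0.113.10 \
    comment="example admin source (documentation range, replace)"

/ip firewall filter
# Keep replies flowing for connections that are already tracked.
add chain=forward connection-state=established,related action=accept \
    comment="allow established"
# Only allow-listed sources may use the forwarded SSH port ...
add chain=forward in-interface=ISP connection-nat-state=dstnat protocol=tcp \
    dst-address=192.168.88.200 dst-port=22 src-address-list=ssh-admins \
    action=accept comment="forwarded SSH from admins only"
# ... and every other new connection arriving from the WAN, dst-natted
# or not, is dropped.
add chain=forward in-interface=ISP connection-state=new action=drop \
    comment="drop other new WAN connections"

# Check the order: the accept must sit above the drop, and both must come
# after the default "accept established,related" rule if one already exists.
/ip firewall filter print
```

These rules are appended to the end of the forward chain, which works with the default RouterOS configuration because its forward chain has no terminal accept; on a router with a custom rule set, place them above any blanket accept. Even with the allow-list, inbound SSH from the internet should still mean key-only authentication on the server itself, since the filter only limits who can knock.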

From Frustration to Understanding

Initially, I was frustrated that "simple" port forwarding didn't work. But learning about double NAT, CGNAT, and ISP network architecture gave me a much deeper understanding of how the internet really works.

This knowledge is valuable whether you're troubleshooting home networks, planning business infrastructure, or just understanding why some applications work better than others.

The journey taught me that good networking isn't about memorising commands - it's about understanding how traffic flows through complex, real-world infrastructures.


This is part of my MikroTik Zero to Hero challenge. Sometimes the most valuable lessons come from discovering what doesn't work and why.

Next up: Module 6 - Wireless Configuration (Building secure WiFi networks with proper isolation)
