
NAT and Port Forwarding Part 2

How do I know if I have Double NAT or Triple NAT?

In my last article we talked about NAT and what it does, and about Port Forwarding and what that is. This article is the second in that series.
It should be easy enough to get your DVR/NVR up and accessible on the LAN (Local Area Network) by entering a valid LAN address in the DVR/NVR setup. Now the question is: how do we make it accessible from off site? As I mentioned in the previous article, while we are in the router we should check its ‘External IP Address’ to see what is showing there. This is usually in the ‘Status’ section or the ‘WAN’ setup. Now you will need to know what you found there. The WAN or Internet status will tell us a couple of things.

1. Is it a static or dynamic address? If you see something like ‘DHCP’ or ‘Obtain Automatically’, or you just can’t find an address anywhere, then most likely the address is dynamic. For Port Forwarding purposes, we don’t want anything to be dynamic unless it absolutely has to be. In a dynamic address scenario, your IP address can change, and then your Port Forwarding is broken. If your router shows ‘DHCP’ or ‘Obtain Address Automatically’, it may not show the address it has. This then becomes a little tricky to figure out.

A good way to test for Double/Triple NAT, if you are comfortable working in the DOS Command Prompt, is to run a ‘tracert’ (Trace Route) command. Trace route shows every node, or device, that you pass through on your way to a certain web site. (Try it on your favorite web site sometime. You might be amazed at how far your signal travels to get to a site that is physically hosted only a few miles away.) The first ‘hops’ it shows may reveal Internal Addresses replying. This is a clear indication of how many routers you are passing through on your way to the Internet.

To open a Command Prompt, press and hold the Windows ‘Flying Flag’ key between Ctrl and Alt on your keyboard; this will pop up a ‘Run’ dialog. Type “cmd” (without quotes) and press Enter. This will open your Command Prompt. Then type “tracert www.yahoo.com” (without quotes), and be sure to leave a space between ‘tracert’ and the ‘www’. (You can use any site you want, I just always use Yahoo or Google.) That will return a series of IP addresses similar to this:

[Screenshot: tracert output]

As you can see, the first hop shows 192.168.2.1 (a Class C Internal Address). The second hop shows an address of 96.88.74.138 (NOT an Internal Address), and it also shows Comcast information, confirming that it is an External Address. This shows me that I have only one router in line before I get to the Internet, so only single NAT on my system. If you see two or three hops showing an Internal Address, then you have Double or Triple NAT or Quadruple NAT or…? The point being, if you see more than one Internal Address, your task just became a little more difficult.

Another method, if you can do it without taking the customer’s business offline: unplug the Cat-5 cable coming in to the ‘WAN’ or ‘Internet’ port on your router, and plug it directly in to your PC. Restart your PC, then run an ‘ipconfig /all’ command from a DOS prompt and check the IP Address you find there. (Try to connect to the Internet with a browser to verify you are getting a valid address when you test this way.) Hopefully you will see an ‘Internet Address’; then you know there is nothing else in line to worry about. If, however, you see an ‘Internal Address’, make a quick note of the IP Address, Subnet Mask, Gateway, and DNS Servers you see there, because we can use them in the router you are connected to. As soon as you have the information you need, pull that cable and disconnect from the Internet. (It is risky to connect directly to the Internet, so keep your test as brief as possible.)

2. If you see the IP address is set to ‘Static’ in your router, you WILL be seeing an IP address. Check to see if that IP address is a ‘Private Range’ address:
Class A = 10.0.0.0 through 10.255.255.255
Class B = 172.16.0.0 through 172.31.255.255
Class C = 192.168.0.0 through 192.168.255.255
When you see this on your WAN status (or WAN Address or Internet Address), there is another device in line between you and the Internet that is performing NAT, and you will have to Port Forward that device to the device you are looking at. To accomplish this you will need to set the router to a ‘Static’ address. The quick and dirty way is to take the IP address, Subnet mask, and Gateway that you discovered in the test above (connecting the router’s WAN cable directly to your PC) and use them in the router you are working on. For DNS servers, use the ‘Gateway IP address’ or whatever you saw in the ipconfig test. (If you ran ‘ipconfig /all’ you will see DNS servers listed.)
It is important to know that a modem with only a single LAN connection can also be a router. Even if it has only one port to connect to, it can be performing NAT, and you’ll need to Port Forward it as well. (This is not usually the case on a cable connection. Cable modems are generally set to ‘Bridge Mode’ so they are transparent on the network.) This is where the ‘Status’ page of a router helps: if its WAN address is a private IP address, then your modem is also a router and it is supplying that address. Or, even more common, you will find another router in line between you and the Internet.
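
As an added example (not from the original article), this Python script applies the tracert test and the private-range check described above: it parses Windows tracert output and counts the internal-address hops seen before the first external one. The sample output and its hostname are constructed, and treating 100.64.0.0/10 as internal goes beyond the article's list of ranges.

```python
import ipaddress
import re

# The three private ranges from the article, plus 100.64.0.0/10 (carrier-grade
# NAT shared space), which is an addition here and not on the article's list.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]
HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")   # a hop line starts with its number
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse_hops(tracert_text):
    """Return [(hop_number, ip_or_None)] from Windows tracert output."""
    hops = []
    for line in tracert_text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue                      # header, blank line, "Trace complete."
        found = IPV4.findall(m.group(2))
        hops.append((int(m.group(1)), found[-1] if found else None))
    return hops

def count_nat_layers(tracert_text):
    """Count internal-address hops seen before the first external address."""
    layers = 0
    for _, ip in parse_hops(tracert_text):
        if ip is None:
            continue                      # timed-out hop: no evidence either way
        if not is_internal(ip):
            break
        layers += 1
    return layers

# Constructed sample output (not from the article): two internal hops, one
# router that does not answer, then the first external address.
SAMPLE_DOUBLE_NAT = """\
Tracing route to www.example.com [198.51.100.80]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.2.1
  2     1 ms     1 ms     1 ms  10.0.0.1
  3     *        *        *     Request timed out.
  4    10 ms     9 ms    11 ms  isp-gw.example.net [198.51.100.1]
"""

if __name__ == "__main__":
    print("NAT layers:", count_nat_layers(SAMPLE_DOUBLE_NAT))
```

A router that does not answer traceroute probes shows up as a timed-out hop and is skipped, so the count can come out too low.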

The easiest test here is to look for the ‘Gateway’ address showing on the WAN status. The gateway you see there will be the next router in line. Put in that address and see if you get a logon prompt. If you see another router, log into it and then run the same tests to see if it is directly connected to the Internet or not. Keep going until you no longer see private addresses on the router’s WAN connection. Start making a diagram of what you find and the different ranges of IP addresses you see on each one. You will need this information to map out your port forwarding. If you find only one router, you are golden – port forward it and call it done. If you find two or three routers in line – you are going to have to port forward every one of them.

Ports are forwarded directionally from the Internet toward your device.
The important thing to remember in Port Forwarding is that you must forward in ‘Daisy Chain’ fashion through all devices in your path.
Port Forward your ports from the modem to your first router, from your first router to the next router, and so on until you get to the router where your device is connected. That last router will then be forwarded to your device.
The most common mistake in port forwarding is to try to forward the first device in line directly to the camera or DVR IP Address instead of porting through the chain of devices.
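
The daisy-chain rule above can be checked against the diagram you drew of your routers. This is an added example, not code from the original article: the `Router` model, `check_chain`, and every address and port in it are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Hypothetical model of one NAT device, listed Internet side first.
# forwards maps an incoming port to (target_ip, target_port).
Router = namedtuple("Router", "name wan_ip lan_net forwards")

def check_chain(routers, device_ip, device_port, public_port):
    """Walk the chain from the Internet side in; return a list of problems."""
    problems, port = [], public_port
    for i, r in enumerate(routers):
        # Each device must forward to the next device's WAN address;
        # only the last one forwards to the DVR/NVR itself.
        expected = device_ip if i == len(routers) - 1 else routers[i + 1].wan_ip
        rule = r.forwards.get(port)
        if rule is None:
            problems.append(f"{r.name}: no forward for port {port}")
            return problems               # the chain is broken at this device
        target_ip, port = rule
        if ipaddress.ip_address(target_ip) not in ipaddress.ip_network(r.lan_net):
            problems.append(f"{r.name}: target {target_ip} is not on its LAN {r.lan_net}")
        elif target_ip != expected:
            problems.append(f"{r.name}: forwards to {target_ip}, expected {expected}")
    if port != device_port:
        problems.append(f"chain delivers port {port}, device listens on {device_port}")
    return problems

# Constructed addresses and port, for illustration only.
DVR_IP, DVR_PORT = "192.168.2.50", 8080

def make_chain(modem_target):
    return [
        Router("modem", "203.0.113.10", "192.168.0.0/24", {8080: (modem_target, 8080)}),
        Router("router", "192.168.0.2", "192.168.2.0/24", {8080: (DVR_IP, 8080)}),
    ]

GOOD = make_chain("192.168.0.2")   # modem -> router's WAN address -> DVR
BAD = make_chain(DVR_IP)           # the common mistake: modem -> DVR directly

if __name__ == "__main__":
    for label, chain in (("good", GOOD), ("bad", BAD)):
        print(label, check_chain(chain, DVR_IP, DVR_PORT, 8080) or "ok")
```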

Double NAT or Triple NAT can be tedious to set up because it takes extra time and you need to be sure of the connection sequence of your devices, and in some cases you may find the customer’s network is not set up correctly. In my next article I will show you what to look for and how to fix it, as well as a detailed example of how to ‘Port Forward’ through a series of routers.
Happy Networking!

Previous Article in this series: NAT and Port Forwarding Part 1