Avoiding Double NAT

Peplink Surf Soho MKIII
I have a question about the right way to set up this router behind a FTTH connection. Centurylink fiber service connects to a PON modem/router. The router has 4 ethernet ports. I use only port 1 connected via ethernet to the WAN input of the Surf SOHO. In the Peplink Menu “WAN Connection Settings” I have “NAT” checked. Does this setting result in double-NAT?

Trace Route Results
10.xxxx Peplink Router
63.231.xxxxx Assume to be the private PON network address
63.226…public address of the ISP’s node


can you set “passthrough” on the centurlink modem/router? do they offer an option that is not a router? i believe verizon fios has several options.

Hi. Yes, you’re probably “double-NAT’d” but your architecture is entirely logical. I’d try real hard to get that modem/router/thingie into passthrough or bridge mode. (Peplink uses the former wording; most CPE stuff seems to use the latter.)


1 Like

Caveat: I am not familiar with the specifics of Centurylink’s fiber service, so this is fairly generic.

  • I expect Centurylink provides two pieces equipment:
    An Optical Network Terminator(ONT) and a router.
    The ONT has the fiber connection to the world and a single ethernet port for the local network.
    The latter has a single WAN ethernet port and (in your case) four ethernet LAN ports and probably WiFi access point functionality.

  • Don’t mess with the ONT :slight_smile:

  • The router is just a router… Except likely to be set up for proper maintenance and provisioning for Centurylink support. They may check every time you connect a router to the ONT whether it is one of theirs or not, and in the latter case may not allow the WAN connection to be established.
    Test: Simply replace their router with yours, and see what happens. Yours should be in DHCP mode.

  • If that does not work (most likely because your ISP does not allow it) then log into their router (if you can) and configure it for “IP Passthrough” or “bridge” mode (whichever is available).
    If available as a setting, identify the MAC address of your router’s WAN port as the destination for the IP Passthrough traffic. If not, then the ISP router most likely will set up the IP passthrough to direct traffic to the first device on the LAN to ask for an IP address. If bridge mode is what they offer then you simply connect your router to a LAN port.

  • Configure your router to be given addresses by DHCP, connect it’s WAN port to an ISP modem LAN port and you should get the ISP modem’s IP address as the WAN address of your modem.

That’s pretty much it. Some ISPs require you to ask them to configure the ISP router for IP Passthrough mode.

If Centurylink provides a carrier NAT address to the ISP router then that’s what your router will get. But a least you have moved from triple NAT’ing to a double NAT :slight_smile:

Terminology nitpick:

  • “Bridge” mode is a layer 2 term. The mode converts the router into a switch (roughly speaking).
  • “IP Passthrough” is a layer 3 term. The router still routes traffic, but all traffic addressed to the WAN IP address of the router is routed to a particular device on the LAN, and there is no NAT of traffic from that device to the internet. There may still be NAT’ing, DHCP service etc. for defined LANs on the other ports (and the WiFi) of the router. That depends on the device.

@zegor_mjol Yea. You’re right, of course. I just wasn’t “goin’ there” …" :wink:

1 Like

Thanks everyone for your comments. A couple of more specifics on the ISP setup is that the fiber connects to a PON that has 4 ethernet jacks out. Their scheme is to use tagged VLANS to separate services: one tag for internet, one for TV, one for phone, etc. The standard hookup is to run the output of the PON to the WAN of an ISP supplied rental router which connects to the various home services via WIFI. No ethernet cables needed.

Centurylink won’t configure the PON to be a bridge probably because it will not work with their various home services?

I have removed their router and substituted my own using the SOHO router WAN connection via ethernet. It looks like there is nothing more I can do.

I am confused about the use of the IPV4 63.xxxx addresses which do not fall into the usual ABC scheme. It seems like at least one of them is public. The SOHO offers a choice between NAT and IP Forwarding mode. I’m guessing I should use NAT?

Thank you,