Double NAT Help Needed

Server Version#: latest
Player Version#: latest
I am decidedly not a techie and therefore stumped by the Double NAT error I see under Remote Access, despite having only one router. Funnily enough, when I disable and re-enable remote access, it shows a green tick, but as soon as I click on another item on the page, it goes red again. I tried both automatic and manual configuration without success.

I have seen several posts in this forum dealing with this issue, all of which are too technically complex for me to follow. I have no idea how to configure my router and could not find the settings options described in some solutions. As a consumer product, I am surprised that Plex does not provide a simple-to-follow guide on this topic, especially given how common it appears to be.

My simple question is, can someone here provide a “Double NAT for Idiots” guide to resolving this issue and enabling remote access? I would be willing to pay a reasonable amount for professional help if necessary.

That would be nice. The problem is that Double NAT can happen for several reasons.

Let’s start with the basics:

Q1: What version of Plex Media Server (PMS) are you running and on what platform (Windows/Linux/etc)? The version is displayed in the list of Authorized Devices.

Q2: Do you have any VPN software installed on the system running PMS? If so, shut it down. PMS and VPNs generally do not play nice with each other without advanced configuration.

Q3: Is your internet service provided via a wireless/satellite service such as Starlink, Verizon/ATT/T-Mobile Home Internet via 4G/5G, a WiFi HotSpot connecting to a mobile network, or some similar service?

Q4: On the PMS Remote Access settings page:

Is a public IP address listed?

If so, does it have an address of 192.168.x.x, 172.16.x.x to 172.31.x.x, 10.x.x.x, or 100.64.x.x (x can be anything)?

You do not need to provide your IP address. I just need to know if it falls within one of the listed ranges.


Now, please describe your Internet setup.

What kind of Internet access device did your ISP provide - a cable modem, a wireless router, etc.? Also, how many physical Ethernet ports does it have to connect equipment - one, four, etc?

Do you have any other network equipment installed - routers, mesh WiFi systems, etc? If so, how do they connect to the ISP provided equipment?

How is your Plex server connected to the network - wired Ethernet or WiFi? Also, to which piece of equipment is it connected?

Answer as much as possible, and we’ll go from there.

I had a double NAT problem, but that was because I had a Google Mesh system connected to my service provider’s hub. I managed to set port forwarding on both hubs to pass through to Plex. It was very frustrating but worked eventually.

Q1: 1.21.1.3876 on Windows
Q2: No VPN
Q3: I am in the UK, using FTTH broadband.
Q4: 192.168.x.x range
Q5: Dual-band broadband router with 4 Ethernet ports
Q6: No other networking equipment
Q7: Laptop connected by WiFi

Thanks for the info.

Caveat: I’m in the US and not familiar with FTTH deployments in the UK. Others on the forum may have better ideas about how to resolve things…

If the public address shows as 192.168.x.x, you’re in a double NAT situation.

You have a router behind a router, both of which are performing NAT (hence the term double nat).

This prevents the standard methods of remote access from working - UPnP and manual port forwarding.

The most common way of fixing double NAT is to eliminate the second NAT. This would mean changing the WiFi router to work in “access point” mode. Doing so disables NAT on the device. You can then use UPnP or manual port forwarding on the remaining router (the one still performing NAT), for Plex remote access.

A second method to remedy the situation is what @dave_springett_gmail_com mentions. You manually port forward the first router to the second, then the second to your Plex server.

Your laptop also needs a router reserved IP address. This is so it always has the same IP address when connected to your network. This should be done no matter how Double NAT is resolved, as it will make Plex remote access more reliable. It is required if manual port forwarding is used.

The bottom line is:

  • There is no easy fix.
  • Detailed technical changes need to be made to your network to enable Plex remote access.
  • These changes require administrative access to the network equipment.
  • If this equipment is provided by your ISP, you may have to talk with them about the changes (I do not know the UK rules regarding customer access to ISP-provided equipment).

Can you double check that please?
Make sure it’s the Public not the Private.

Sorry @FordGuy61, didn’t notice you responding.

No worries. The more the merrier. :slight_smile:

My apologies, it was the private IP. The public IP is 188.214.xx.xx

I’m glad @Dan_Bev asked.

That is a public address range. Not sure why you are getting the double nat message. However, not being in a double nat situation makes things easier.

So ignore most of what I wrote above. :slight_smile:

Let’s see what Plex log files say.

Configure Plex Media Server to gather debug, not verbose, logs. See Reporting Issues with PMS for details.

Shut down Plex Media Server and reboot the PC.

After the PC reboots, log in and start Plex Media Server. Wait 1 - 2 minutes for Plex to fully start.

Go to the Remote Access settings page and enable remote access. It is OK if/when it changes back to “not available outside your network.”

Wait 2 - 3 minutes for Plex to try to register with hosts at plex.tv, etc.

Go to Settings → Troubleshooting and download the log files.

Attach the zip file to the thread (just drag it into the window).

Hopefully the log files will provide some details on why remote access is not working.

How do I enable debug logging and how do I stop and restart PMS? The Reporting Issues page does not specify where to find these settings.

Guessing this is Hyperoptic, in which case yes they do indeed use NAT444/CGN. You can pay them an additional £5/mnth to get a static IPv4 address without CGN, and this will solve your problem.
Unless they’ve developed it recently, they do not offer a method for you to configure port forwarding through their CGN gateway, so there’s no way to forward unsolicited packets destined for port 32400 to your router.

The good news is that they do deploy IPv6 alongside your NAT444 CGN, but the bad news is that whilst Plex Media Server supports IPv6, the My Plex / Plex App (or whatever it’s called), does not. So you can’t share your PMS server with your friends the “normal way” (through the https://plex.tv webapp).

You could, however, if your friend’s ISP also supports IPv6 (most major ISPs in the UK do), give them your PMS’ IPv6 address (or hostname if you want to set up DNS), and they can punch that in to their web browser directly, or manually configure the server in their client. You will have to open port 32400 in your CPE router’s IPv6 firewall.

Or just pay Hyperoptic the £5/mnth to get a static, non-CGN IPv4 address, and join us in trying to convince Plex that full IPv6 support is important.

That is a public address range. Not sure why you are getting the double nat message.

Not sure how PMS obtains that Public IP field, but at a guess it will probably first try to use UPnP to the CPE router, and check for the WAN address. Indeed this would normally show 100.64.0.0/10 for most CGN deployments.

However, best practice for ISPs deploying CGN, and I know this is the case with Hyperoptic in the UK, is to disable UPnP to prevent the CPE router mistakenly accepting a port forwarding request, without being able to port forward through the CGN gateway.

So if PMS can’t use UPnP to obtain the WAN address from the router, I guess it’ll do some queries out to the Internet to see what source IP they get SNATted to. This would show the public IPv4 address that’s shared on the CGN gateway.
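
An added example (not written by any poster and not Plex's own logic): the address-range check from the questions earlier in the thread, combined with the comparison between the router's WAN address and the address seen from outside that the post above describes. The function names, the result strings and the sample addresses (taken from the 203.0.113.0/24 documentation range) are assumptions made for this illustration.

```python
import ipaddress

# Address blocks named in the thread: RFC 1918 private space and the
# RFC 6598 shared space (100.64.0.0/10) that CGN deployments normally use.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGN_SHARED = ipaddress.ip_network("100.64.0.0/10")


def classify(addr):
    """Return 'private', 'cgn-shared' or 'public' for an IPv4 address string."""
    ip = ipaddress.IPv4Address(addr)
    if any(ip in net for net in RFC1918):
        return "private"
    if ip in CGN_SHARED:
        return "cgn-shared"
    return "public"


def diagnose(router_wan, seen_from_internet):
    """Compare the router's WAN address (None if UPnP is off or the value is
    unknown) with the address an outside service sees for the connection."""
    if classify(seen_from_internet) != "public":
        raise ValueError("externally observed address must be public")
    if router_wan is None:
        # The case in this thread: a public address alone proves nothing.
        return "unknown: read the WAN address from the router status page"
    kind = classify(router_wan)
    if kind == "private":
        return "double NAT: another home router sits upstream"
    if kind == "cgn-shared":
        return "CGN: the ISP translates again; port forwarding cannot reach you"
    if ipaddress.IPv4Address(router_wan) != ipaddress.IPv4Address(seen_from_internet):
        return "upstream NAT: WAN address differs from the one seen outside"
    return "single NAT: forward TCP 32400 on this router"


if __name__ == "__main__":
    # Constructed sample values, not addresses from the thread.
    for wan, seen in [("192.168.1.2", "203.0.113.7"),
                      ("100.72.14.9", "203.0.113.7"),
                      (None, "203.0.113.7"),
                      ("203.0.113.7", "203.0.113.7")]:
        print(wan, seen, "->", diagnose(wan, seen))
```

The WAN address is the value shown on the router's own status page, not the laptop's address on the home network.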

Your assumption is spot on. I was planning to speak to them about getting the new Nokia HA-140W-B router they launched in October, so I’ll ask for a static IPv4 address. Hopefully that will resolve the issue.

I’ll be there with you storming the barricades. :wink:

@FordGuy61 I would like to thank you for your generous help. For privacy and safety reasons, I am a little apprehensive about posting log files with personally identifiable information in the forum. I shall try the solution that @detonate suggested first and will report here whether that works. There is still time to get under the hood should it not solve the problem. Many thanks to both of you for your support, which is very much appreciated! :100: :+1:

Just an additional note, once you’ve got Hyperoptic to give you a static IPv4 address (or more importantly, disable CGN), you’ll still have to log in to your router and either:

  1. Enable UPnP to allow PMS to dynamically request the port forward; or
  2. Manually create a port forward entry and open up the firewall for TCP 32400 to your PMS host.

Thank you. Suddenly, I get the feeling that I will be back here before long to ask for more help. :laughing:

No problem. I don’t browse these forums regularly, but I’ll get a notification for responses to this thread.

@MaxHQ Good luck getting things working. Understand not wanting to post logs. They do show your e-mail address and public IP address.

@detonate Thanks for jumping in with the details on Hyperoptic and how they deploy CGN.