Reliable Router to Avoid Double NAT — Roon, ARC, HQPlayer, sMS-200 Ultra

Hi all,

I’m looking for a reliable router recommendation that can run my Roon system cleanly without the hassles of double NAT. My setup is struggling in a shared building internet scenario, and I want a solid networking foundation before troubleshooting further.

Current Setup

  • Internet: Shared building connection (Ethernet jack in wall)
  • Roon Core: ASUS Vivobook S14 (Ryzen 9 8945H, Radeon 780M), wired via USB-A Ethernet adapter
  • Endpoint: sMS-200 Ultra (wired)
  • HQPlayer: Installed, but does not see sMS-200 Ultra in the backend device list
  • Roon ARC: Not working — tried Tailscale, which configured fine on Android and PC, but Roon still reports errors
  • Current Router: TP-Link AX3000
    – My hardware version does not support bridge or AP mode
    – Tried workarounds, but none are reliable
    – Looking to replace it with something better

What does work:

  • Roon to sMS-200 Ultra/DAC over Ethernet through audiophile switch is working fine
  • Roon sees HQplayer (but HQ doesn’t see sMS-200)

What I’m looking for:

I want to reliably run:

  • Roon Core to sMS-200 Ultra
  • HQPlayer to sMS-200 Ultra, inside Roon and standalone
  • Roon ARC to phone over Wi-Fi within same network

To get there, I need a router that:

  • Can operate fluently in true bridge or AP mode to avoid double NAT (since I don’t control the building’s main router)
  • Also has great UPnP or port forwarding in case I don’t run in bridge mode.
  • Has reliable and stable wired networking
  • Good Wi-Fi for ARC access on mobile
  • Non-exotic budget

If anyone has a setup similar to this that just works, especially in a shared-building internet environment, it would be great to hear what router or access point has worked well for you. (If you have any networking tips, i.e. alternative ideas for how to wire it all up, what order, etc., those would be welcome.) I imagine there will be more problems to solve, but I feel that getting a solid router will be a good start.

Thanks in advance!

1 Like

I’m confused. Where is the double NAT coming from? I’m no network guy, but my understanding is that double NAT usually occurs when you have two devices functioning as DHCP servers (two devices assigning IP addresses in your network whose segments overlap) or you manually assign an IP address that was already assigned by your DHCP server. I only see one device (router) that looks like it functions as a DHCP server.

If the building Internet has its own DHCP server then your best bet might be to find out if whoever is administering the service for the building has set aside a subnet for assigning IPs to devices that need static IPs. If so, then provide them with the MAC addresses for your devices that need static addresses and let them give you the IPs that you need.

If there is a second DHCP server there is no specific router that will save you if you have DHCP turned on inside that router. The only exception that I know of for using two DHCP servers/routers is when you (second DHCP server) are using a network segment not covered by the primary DHCP server. Then you are stepping on each other’s toes, so to speak.

Like I said, I’m not a network guy, but I do believe that what I have said is factually correct. Maybe someone with more knowledge than I can provide more insight and correct any errors in what I have said. Like I also said, I’m not sure where the double NAT is coming from, so I have made some assumptions that may be incorrect.

Good luck.

1 Like

You got it! Unfortunately my AX3000 (AX55) has no easy way to configure into bridge mode where it does not function as DHCP (from my understanding and efforts so far).

Thanks, I’ll check with building management, but they may have set and forget and probably want to leave it that way. There is not much ‘administration’ here at the moment, but I might get lucky.

Still, even if I have a friendly primary modem/router in the main building, there must be some consumer routers that are better than others for my use case. Some people are able to basically plug things in and it all works. Others struggle with network issues and often router choice can contribute to that difference.

I really do wish you luck, but from what I know, any time you have two DHCP servers (routers) operating on the same segment you will have the potential for double assignment of NAT addresses. I don’t think there is a router that can work around that.

1 Like

Don’t buy a router if you don’t need one. If you want an AP instead then simply buy one. Use a switch where your current router is, connect the AP and all other devices to the switch.

NOTE: You share your network with all other parties in the house.

If you needed some sort of privacy / security in your part of the network you need to talk to the network admin. He should be able to set your router as DMZ in the setup of the main router. In this case you can keep your current router and setup.

2 Likes

If you have a community router in a shared building, you should check to find out whether you have been granted a single IP address (as you would normally be granted with a direct ISP connection) or a subnet.

If you have been granted a single IP address you must install a router in order to be able to connect more than one device to your internet connection. In this case you will have a double NAT situation and there is nothing that can be done within the confines of your own local network that can solve this.

However, if you have been allocated a subnet - say 192.168.1.0/24 (meaning that you can connect up to 253 devices) - then you do not need a router at all. Simply connect a switch (to allow multiple Ethernet devices to be connected to the single Ethernet port) and a WiFi access point.

Note: It is possible for a community router to allocate a subnet because each flat within the shared building can receive a different subnet - e.g. one flat may be allocated 192.168.0.0/24 and the next flat can be allocated 192.168.1.0/24 etc all the way up to 192.168.255.0/24.

Unfortunately, I suspect that you will only have been issued a single IP address as, from a network administration point of view, this is by far the easiest to set up and maintain as it requires nothing more than an ordinary consumer or ISP supplied router can accommodate. Allocating a different subnet for each flat/apartment requires more from a router and, generally speaking, it requires a higher level of knowledge from the administrator of the router - both during setup and for ongoing administration.

Edit (paragraph added): If you are lucky enough to be allocated a subnet rather than just a single IP address, and you use the switch/access point combination rather than a router to connect your devices, then your Roon Server may be able to configure a port forwarding rule using UPnP (if UPnP is enabled on the community router). However, if you can’t, your only option will be to get the community administrator to add a port forwarding rule for you (assuming you have no admin rights on this router). If that possibility is not offered, then you will not be able to get Port Forwarding to work and you will have to resort to using Tailscale (or similar). The community router (and its administrator) may restrict the port that you can use for Roon ARC. No two apartments can forward connections on the same port - for example, if two apartments both use Roon, then it will not be possible for both apartments to use the default port 55000.

For the sake of clarity, it is not multiple DHCP servers that cause MultipleNatFound issues. It is, as the error implies, the presence of two or more layers of NAT (Network Address Translation).

NAT is the mechanism that allows you to connect multiple devices to a network when you have only been allocated a single IP address. In general, NAT works transparently for outgoing connections (because the router doing the NAT has all the information required about how to route the outgoing messages and the incoming replies), but it does not work for incoming connections without the help of a port forwarding rule. The reason for this is simple - when the incoming connection is made, the connection specifies the WAN side IP address of the router, the protocol and the port number but the router does not know which of the devices on your local network (if any) should be used to handle the incoming connection - so the port forwarding rule tells it.

DHCP is, for IPv4, the mechanism by which devices on the local network are automatically allocated ip addresses within the subnet. It does not, itself, create the subnet - that is the purpose of NAT.

It is possible to set up a local network behind a router with no DHCP present at all. The Router would still perform NAT and, if there is another router upstream (including the gateway servers of an ISP performing CG-NAT [Carrier Grade Network Address Translation]), then you will still have a MultipleNatFound issue even though only one of the routers (the upstream one) is providing DHCP.

For IPv4, although not particularly sensible, this can be done by using static ip addresses for every device and disabling the DHCP service on the router (assuming your router allows it - some do - many don’t).

For IPv6, the equivalent DHCPv6 is not required (but can be used if desired). There are alternative methods of allocating ipv6 addresses using the facilities built into ICMPv6.

7 Likes
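
The behaviour described in the post above (replies to outgoing connections pass, unsolicited incoming connections need a port forwarding rule, and with two NAT layers a rule is needed at each layer), as an added example that is not part of the original thread. The `NatRouter` class, the `deliver` helper and all addresses are constructed for illustration; port 55000 is the default ARC port mentioned in the post.

```python
"""Toy model of NAT layers and port forwarding. All addresses are constructed."""
from dataclasses import dataclass, field

@dataclass
class NatRouter:
    wan_ip: str
    forwards: dict = field(default_factory=dict)  # (proto, wan_port) -> (lan_ip, lan_port)
    sessions: dict = field(default_factory=dict)  # same shape, learned from outbound traffic

    def add_forward(self, proto, wan_port, lan_ip, lan_port):
        """Static rule for unsolicited inbound traffic; one rule per WAN port."""
        if (proto, wan_port) in self.forwards:
            raise ValueError(f"{proto}/{wan_port} is already forwarded on {self.wan_ip}")
        self.forwards[(proto, wan_port)] = (lan_ip, lan_port)

    def outbound(self, proto, lan_ip, lan_port):
        """A LAN host connects out: remember the mapping, return the WAN-side source."""
        wan_port = 40000 + len(self.sessions)
        self.sessions[(proto, wan_port)] = (lan_ip, lan_port)
        return self.wan_ip, wan_port

    def inbound(self, proto, wan_port):
        """LAN destination for a packet to wan_ip:wan_port, or None if it is dropped."""
        key = (proto, wan_port)
        return self.sessions.get(key) or self.forwards.get(key)

def deliver(chain, proto, port):
    """Pass an inbound packet through routers, outermost first; None means dropped."""
    dest = None
    for router in chain:
        if dest is not None and dest[0] != router.wan_ip:
            break  # the previous hop already handed it to an ordinary host
        dest = router.inbound(proto, port if dest is None else dest[1])
        if dest is None:
            return None
    return dest

def demo():
    campus = NatRouter("203.0.113.10")   # upstream (community) router
    flat = NatRouter("192.168.1.20")     # own router, WAN side on the campus LAN
    server = ("10.0.0.5", 55000)         # server behind the flat router
    results = {"no_rules": deliver([campus, flat], "tcp", 55000)}
    campus.add_forward("tcp", 55000, flat.wan_ip, 55000)
    results["outer_rule_only"] = deliver([campus, flat], "tcp", 55000)
    flat.add_forward("tcp", 55000, *server)
    results["both_rules"] = deliver([campus, flat], "tcp", 55000)
    src = campus.outbound("tcp", *flat.outbound("tcp", "10.0.0.5", 51000))
    results["reply"] = deliver([campus, flat], "tcp", src[1])
    return campus, results
```

Calling `add_forward` a second time for tcp/55000 on the campus router raises `ValueError`, which models why two flats behind one community router cannot both use the default port.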

Thanks. I’ll need a router for wireless.

Either you need a router or you don’t. Wireless has nothing to do with it. An AP ({wireless} Access Point) is all you need to provide you with WiFi. Yes, the AP functionality can be built into modern all-in-one routers, together with a switch and some other stuff. But why buy an all-in-one router (and pay for it) when you then have to configure it as a simple Access Point anyway?
I haven’t had good experiences with consumer networking products in the past, especially with such alternative operating modes. I no longer use consumer products because of that. But using professional products is not only a question of price but also of knowledge – so not for everyone.

Thanks for your generous post, Wade_Oram

I spoke to the building Administrator and there is actually one router for the entire campus, not just individual buildings, and the good news is that it will make unique IP addresses for every device plugged in even if it’s into the same LAN. I tried this and it works, so I have Roon going into SOtM making music through a plain switch out of my single LAN socket without wireless router or anything.

Now I still don’t have RoonARC or HQ Player recognising Sotm_200, so I’ll troubleshoot them from scratch with the new network situation. I found your other comments interesting. IPv6 is meant to save the day connecting HQ Player to SOtM_200, so hopefully that’ll be a workaround.

Then I’ll just have RoonARC to sort out. The building administrator wrinkled his at the thought of port forwarding, so if he’s not willing to do that Tailscale will be my only option. Hopefully that will work better outside of double NAT, where I had no success connecting up to my rooncore.

You probably have some good points. I think it’s good to have a router for situations where I need a router and the all in ones are quite cheap. I picked it up for $80 and it arrives Friday. So cheap and convenient and quick to arrive and get going.

I’m all ears if you would like to recommend some professional replacement products that just run an AP and why/if they are of benefit sonically.

Just to share from my original post, I ordered the Asus AX3000 AX58U as an upgrade from AX3000 AX55. It’s meant to have a very simple effective AP option and also it has a Faster Gigabit Internet. I’ll probably just use it for wireless convenience in the suite in bridge (AP) mode.

It is not hard to use a search engine to find offers for Access Points (TP-Link TL-WA3001 for example). Simple devices shouldn’t provide an issue. As I wrote, my bad experiences stem from trying to use alternative operating modes from all-in-one / multi-purpose devices. A simple Access Point isn’t one of those. Think about if you need Multi-SSID capability or not and make sure to read (independent / user) reviews of a product before you buy – this should allow you to avoid especially problematic devices.

PS: I use network products from MikroTik now and as I already wrote above, using non consumer products mostly requires knowledge about networking to some degree to configure them properly and securely.

1 Like

You should still find out whether a single subnet is employed for all flats/apartments within the campus or whether each flat/apartment is given a different subnet from which IP addresses are allocated for devices in that apartment. Both setups are possible. In the former case, your devices will actually be on the same network as one or more devices in the other flats/apartments - although that may just be another router in each apartment.

I can’t speak for HQPlayer - I have never used it and don’t know what, if any, specific network features are required.

However, for ARC, you will still need a port forwarding rule on the Campus router. If this is not possible, then you will need to use Tailscale or similar. If you are going to use Tailscale, then you would probably be better using a router in full router mode since then you can be sure of the security of your local network (which will then be just your flat/apartment).

IPv6 makes things easier in some ways. There is no NAT. Every device has its own v6 IP address. Thus you don’t need a port forwarding rule. However, a gateway device (router) usually has an IPv6 firewall. In order to allow an IPv6 ARC connection to a Roon Server, a firewall pinhole (a firewall exception) must be configured. The information required for the firewall pinhole configuration is similar to that required for the IPv4 port forwarding rule (port number, protocol and destination IP address) and can thus look very similar to a port forwarding rule in the router configuration.

I use NETGEAR Orbi in access point mode with additional Orbi satellites providing mesh coverage. It works fine with Roon.

1 Like

Ok, that’s good to know there are options if I still can’t get things going with my second router.

Thanks for the suggestion.

Probably overkill for me in the US but might work well in my 4-bedder back home.

Thanks. I don’t think it’s by flat or apartment. It’s a subnet so I can see other devices on campus. But many I cannot see, (probably because they are hidden behind a router). A bit odd but there we go.

Thanks for that tip. I’ll have to read up more about that. Certainly security is important in the longer term.

That’s interesting and I think that’s getting to the nub of why HQ player may not be working. It seems to be better configured in IPv6, and the manual for SoTM_200 even says to turn on IP6 capabilities if you have issues connecting to HQ player. I discovered that there were some settings for my network that were not even switched on in Windows 11 for IPv6 - and it looks like there’s more things to do firewall related. Although all my testing has been with firewall off…

I don’t have much technical advice to share, but I would like to plug the Unifi Dream Router that I have been running for the last two years. Ever since I introduced the Unifi router, switches and access points my Roon experience has been flawless. And yes, even with Arc. Tailscale is no longer needed. The Teleport feature through the Wifiman app creates a VPN that allows Arc to work wonderfully and even allows the user to connect to their Roon Server using their normal Roon Remote app. I am able to use Roon at the office and it is as if I am sitting in my living room.

Unifi seems to do a great job at the networking tasks it is designed to do, while also offering some very friendly Roon features.

1 Like

Still can’t connect HQplayer to sms_200 ultra. It just can’t see it. Trying everything.

Roon working well to sms and Dac