My cable internet setup is: - ISP-supplied Arris 2-in-1 cable modem-router for internet and phone (port forwarding disabled, WiFi disabled) - Personal Netgear WiFi router connected to Arris modem (port forwarding disabled, port triggering disabled) Only personal Netgear router is connected to Arris modem. All other devices (mobile phones, PC's, tablets) are connected to Netgear router. When both Arris modem/router and Netgear router are in DHCP NAT modes, the result is Double NAT. With Double NAT: - Online NMAP port scanners show all ports to be either closed of filtered - ZENMAP (local PC NMAP) Intense port scanning (all TCP ports) via my PC (with the latest NPCAP driver) shows 0 opened ports When Arris modem-router is set to Bridged mode (no DHCP, no NAT) and Netgear router is the only NAT-enabled router (with port forwarding disabled and port triggering disabled): - Online NMAP port scanners show all ports to be either closed of filtered - ZENMAP (local PC NMAP) Intense port scanning (all TCP ports) via my PC (with the latest NPCAP driver) shows several opened ports Traceroute commands do show that setting Arris modem-router to Bridged mode results in Arris modem-router default IP (192.168.0.1) missing from the trace and devices cannot access Arris modem-router settings page through that IP when they are connected to Netgear router. Accessing Arris modem-router settings is now only possible via direct LAN connection to the Arris modem-router. What I am confused about is: 1. Why Arris+Netgear Double NAT setup ZENMAP scanning results in detection of 0 opened ports and Netgear-only NAT (with Arris modem-router set to Bridged mode) results in opened ports (even though Netgear router port forwarding and port triggering are disabled)? 2. Why ZENMAP (local PC NMAP) port scanning results differ from online website NMAP scanning results? All online NMAP port scanning results indicate closed or filtered ports with Netgear-only NAT (Arris modem-router in Bridges mode) while ZENMAP (local PC NMAP) port scanning shows opened ports.. 3. Why some online scanners report the same ports as closed or non-responsive, while other online scanners report the same ports as filtered. Both Firefox-based and Chrome/Chromium-based browsers report identical results. These are the online scanners I tried: - https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap - https://www.ipvoid.com/port-scan/ - https://hackertarget.com/nmap-online-port-scanner/ 4. How dangerous is it to have a setup with the mentioned ports being detected as opened by ZENMAP? The internet says Double NAT tends to only add complexity to a network and does not make it more secure. In this case though, Double NAT results in ZENMAP detecting 0 opened ports.