Squeezing NAT Out of Panther Server
by Glenn Fleishman, 11/25/2003
What I wanted was very simple and very routine—so routine and simple that it's enabled with a single checkbox in Mac OS X 10.2 and 10.3.
But I wasn't working with the client version of Mac OS X. No, I was in server land, and I wanted Panther Server (Mac OS X Server 10.3) to hand out private addresses over DHCP (Dynamic Host Configuration Protocol) and route them to the Internet through Network Address Translation (NAT).
Instead of simply checking a box as in the client version of Panther, I spent hours poring over Apple's obtuse documentation and reading detailed configuration information about natd, ipfw, and dhcpd. I finally mastered it with a little persistence.
But Why? (You May Be Thinking)
Part of my motivation in setting up private addresses is that even though this feature is built into the AirPort Extreme Base Station as the Distribute Addresses option, I've been unable to get it to create private addresses correctly because I use the base station on my LAN, and not as the gateway between my DSL modem and the rest of our shared office LAN. Recently, it even stopped feeding out wired DHCP addresses, for reasons that are unclear.
The motivation for feeding out private addresses that are not routable from the rest of the Internet has two components:
- First, they offer a measure of obscurity, though not a firewall. NAT by itself filters nothing, but a machine that holds only a private address has no route to it from the outside: unless you deliberately forward a port from your public address to that machine, nobody outside can open a connection to it, and it is reachable only through connections it initiates itself. You still want a packet filter in front of it, which is what the ipfw-based Firewall service in step 4 provides.
- Second, if you have a small pool or just a single static IP address, or receive one dynamically assigned address (public or private) from your provider, NAT lets a whole pool of machines share that one connection.
In plain old Panther, you bring up the Sharing preference pane in System Preferences, click the Internet tab, and choose the interface you want to share the connection from, such as Ethernet or AirPort (see Figure 1). Apple requires you have at least one active network connection.
You then check the boxes corresponding to the interfaces on which you want to serve NAT via DHCP. In a small network that has both AirPort and Ethernet users, you could serve NAT to both networks and disable Distribute Addresses in an AirPort or AirPort Extreme Base Station, or disable DHCP in another wireless gateway, so that only one DHCP server speaks on each segment.
Click Start and you're done. Couldn't be more straightforward.
Panther Server Set Up Is Another Animal
So, you'd think that Panther Server would have more sophisticated options, but be relatively as easy? No, no, how could that be the case.
Instead, you must configure and enable three separate services, add a duplicate network interface, and edit a configuration file manually to get what you want. Let's walk through this.
In the FreeBSD world that Darwin borrows from, ifconfig, natd, dhcpd, and ipfw work together to assign private addresses and route them out. (Linux does the same job with iptables, whose NAT table takes the place of both natd and ipfw.)

You use ifconfig to put an additional address on a new network, such as the address 192.168.3.1 on the network 192.168.3.0/24. (The /24 means the first 24 bits are the network part, equivalent to a network mask of 255.255.255.0.)

natd is configured to rewrite addresses for the 192.168.3.0 network; ipfw diverts traffic to natd so that natd can rewrite it. Finally, dhcpd is set up to manage a range of addresses in that network, such as 192.168.3.10 through 192.168.3.250, and to hand out useful items like a router address and DNS server addresses.

Panther Server packages natd as NAT and ipfw as Firewall, and adds a DHCP service (built on Apple's bootpd rather than ISC dhcpd, though it does the same job), all within its nifty new Server Admin program, a portmanteau program that replaces the horrible interface found in the previous server release with a coherent, consistent graphical approach.
From hard experience, here's the set of steps to carry out our complicated command-line configuration, mostly through Server Admin.
1. Add a private address on a duplicate network configuration in the Network preference pane. Open System Preferences, click Network, and from the Show menu choose Network Port Configurations (see Figure 2). Select Built-in Ethernet and click Duplicate. Name the duplicate configuration Private Network.

From the Show menu now choose Private Network. In the TCP/IP tab, select Manually from the Configure IPv4 menu. Enter 192.168.3.1 as the IP address and 255.255.255.0 as the subnet mask. You can enter DNS server addresses, but leave the other settings blank.
2. Open /etc/hostconfig in pico or vi. Find the line that reads
IPFORWARDING=-NO-
Change NO to YES, leaving everything else the same. Save the file and exit the text editor. This flag is read at boot and tells the kernel to forward packets between its interfaces; without it the server accepts traffic from the private network but never passes it on, so nothing else in this procedure works.
3. Run Server Admin. Click the DHCP service. Click the Settings tab. You may already see an IP network for 192.168.3.0/24. If not, click the + sign (see Figure 3). Give the Subnet Name as 192.168.3.0/24 (it's just text, but it's a good identifier). In Starting IP Address, enter 192.168.3.2; in Ending IP Address, enter 192.168.3.254. Set the subnet mask to 255.255.255.0 and the router to your private interface address: 192.168.3.1. You can choose any lease time you wish. Click Save. Click Start Service.
4. Click the Firewall service. You should see a listing under Address Group for 192.168-net. This is 192.168.0.0/16, the RFC 1918 private range that contains your 192.168.3.0/24 subnet (see Figure 4). I haven't yet figured out how to bypass this tedious next step. For each service you want accessible to machines on the private network, you need to check a box to allow it. If none of those machines are working as servers, you might need to check relatively few boxes. But if you need to use Timbuktu, Retrospect, and other offerings, make sure to check those boxes too.
You could also add an advanced rule. Click the Advanced tab. Click the + sign (see Figure 5). Under the Source area, choose Any from the Address pop-up menu (see Figure 6). From the Destination area, choose 192.168-net from the Address menu. Click OK. Drag this rule to the top of the list so it's invoked first. This is a dangerous option: it switches filtering off for anything addressed to the private range, on every interface, so a host on the same segment as your public interface that can put a packet with a 192.168 destination on the wire would be forwarded straight through. Because private addresses aren't routed across the Internet at large, the realistic exposure is limited to your provider's segment and to locally discoverable services that use Rendezvous, but treat the rule as a way to prove the NAT path works and go back to the per-service check boxes afterwards.
Click Save and wait a while. A long while. For some reason, on the 450 MHz G4 Cube that I have Panther Server installed on, the firewall settings can take minutes to save. They often fail, requiring me to check the boxes again (the settings aren't saved when it fails), click Save again, and wait... again.
When it's finally saved, click Start.
5. Click the NAT service. NAT has, fortunately, very few options (see Figure 7). In the Settings tab, make sure Built-in Ethernet is selected. This should be the external interface, the one that carries your public address, because natd rewrites the traffic that leaves it; if your connection comes up over PPPoE, see the talkback below about ppp0. Click Start.
You should now be able to serve DHCP-fed private addresses over the LAN. I've found that when this doesn't work, if I restart NAT, DHCP, and Firewall, the trouble goes away.
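As an added illustration, not code from the article or from Apple, here is the command-line equivalent of the five Server Admin steps, using the same natd, ipfw and dhcpd tools the article names. The interface names (en0 public, en1 private), the 192.168.3.0/24 numbers and natd's default divert port 8668 are assumptions taken from the article's figures; the DNS server address is assumed to be the server itself; the rule layout follows the FreeBSD natd-plus-ipfw stateful recipe. The dhcpd.conf stanza is the FreeBSD-side equivalent of step 3, since Panther Server's DHCP service is bootpd and keeps its own configuration file.

```shell
#!/bin/sh
# Added example, not code from the article or from Apple: the command-line
# equivalent of the five Server Admin steps. Interface names (en0 public,
# en1 private), the 192.168.3.0/24 numbers and natd's divert port 8668 are
# assumptions. "sudo sh nat-setup.sh apply" applies the configuration;
# anything else (or no argument) just prints what would be applied.

EXT_IF="${EXT_IF:-en0}"                  # interface holding the public address (ppp0 on PPPoE)
INT_IF="${INT_IF:-en1}"                  # interface facing the private LAN
DNS_SERVER="${DNS_SERVER:-192.168.3.1}"  # assumption: the server also runs DNS
PRIV_NET="192.168.3.0/24"
PRIV_GW="192.168.3.1"
NATD_PORT=8668                           # natd's default divert port

# Step 2: IPFORWARDING=-YES- in /etc/hostconfig becomes this sysctl at boot.
enable_forwarding() {
    sysctl -w net.inet.ip.forwarding=1
}

# Step 5 (NAT service): natd rewrites everything leaving EXT_IF to that
# interface's current address (-dynamic follows address changes on DHCP and
# PPP links) and keeps source ports where it can. Printed so it can be
# reviewed; apply_nat executes it.
natd_cmdline() {
    printf 'natd -interface %s -dynamic -same_ports\n' "$1"
}

# Step 4 (Firewall service). The order is the whole point:
#  * a packet arriving on EXT_IF with a private source is spoofed: drop it;
#  * inbound traffic is diverted to natd BEFORE check-state, so replies are
#    already translated back to their private destination when the dynamic
#    rules are consulted;
#  * outbound LAN traffic (and the server's own) creates state, then skips
#    to the outbound divert;
#  * everything else, including unsolicited inbound connections, is denied
#    and logged. Services the server itself exposes need explicit allow
#    rules ahead of rule 900.
ipfw_ruleset() {
    ext="$1"; priv="$2"
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 allow ip from any to any via $INT_IF
add 300 deny log ip from $priv to any in via $ext
add 400 divert $NATD_PORT ip from any to any in via $ext
add 500 check-state
add 600 skipto 1000 tcp from $priv to any out via $ext setup keep-state
add 700 skipto 1000 udp from $priv to any out via $ext keep-state
add 800 skipto 1000 icmp from $priv to any out via $ext keep-state
add 850 skipto 1000 ip from me to any out via $ext keep-state
add 900 deny log ip from any to any
add 1000 divert $NATD_PORT ip from any to any out via $ext
add 1100 allow ip from any to any
EOF
}

# Step 3 (DHCP service): the article's pool as an ISC dhcpd.conf stanza.
dhcpd_subnet() {
    cat <<EOF
subnet 192.168.3.0 netmask 255.255.255.0 {
    range 192.168.3.2 192.168.3.254;
    option routers $PRIV_GW;
    option domain-name-servers $1;
    default-lease-time 3600;
    max-lease-time 86400;
}
EOF
}

# Steps 1, 2, 5 and 4, in the order the kernel needs them: natd must be
# listening before the divert rules exist, or diverted packets are dropped.
apply_nat() {
    enable_forwarding
    ifconfig "$INT_IF" inet "$PRIV_GW" netmask 255.255.255.0
    $(natd_cmdline "$EXT_IF")
    rules=$(mktemp /tmp/ipfw.XXXXXX)
    ipfw_ruleset "$EXT_IF" "$PRIV_NET" > "$rules"
    ipfw -q -f flush
    ipfw -q "$rules"
    rm -f "$rules"
}

case "${1:-show}" in
    apply) apply_nat ;;
    *)     ipfw_ruleset "$EXT_IF" "$PRIV_NET"; natd_cmdline "$EXT_IF"; dhcpd_subnet "$DNS_SERVER" ;;
esac
```

The rule set is deliberately stricter than the Server Admin check boxes: rule 300 drops packets that claim a private source on the public interface, and the default at rule 900 denies (and logs) anything that did not originate from inside, which is what the "obscurity" of NAT actually relies on.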
Final Thought
It's quite amazing to me that such a common task isn't streamlined in the server as it is in the plain Panther system. But now that you have the secrets, you should be able to set this up with none of the hassle I faced.
Glenn Fleishman is a freelance technology journalist contributing regularly to The New York Times, The Seattle Times, Macworld magazine, and InfoWorld. He maintains a wireless weblog at wifinetnews.com.
-
Non-server setup?
2004-08-12 08:32:13 chesterhartin [Reply | View]
Is there a way to do this in the non-server edition of panther?
-
Sharing modem connection....
2004-01-09 02:50:18 nightbird7007 [Reply | View]
Last year when I installed OS X Server 10.2 I set up NAT for our office without much problem.
Now we want to upgrade to 10.3. I guess it would not be too difficult to set up NAT on our machine at the office since we have a PCI card to connect to the DSL modem and we use Built-in Ethernet to serve our inside clients.
The problem is that I would like to test at home before I do the stuff at the office, and at home I'm stuck with dial-up only.
I did some preliminary tests and up to now there is no way to share the modem connection with the other machines at home (really my G4, acting as the server, and an iMac).
When I go in Panther Server, the modem is listed as 'fw0'; is that correct, or do I have to set it to 'ppp0' as it says in the article?
Am I dreaming in color, or is there a way to accomplish this relatively easily?
-
Exactly....
2003-12-18 11:02:06 anonymous2 [Reply | View]
This was exactly what I was looking for. You saved me many extra hours trying to find that hostconfig needed to be set manually. Very helpful....
KSwan
-
IP sequence persist to be wrong in Panther Server
2003-12-15 17:01:46 anonymous2 [Reply | View]
I have configured 2 different Macs with Panther Server (an iMac and a G5), both with a single Ethernet.
Both get their Internet IP from the ISP via DHCP.
When I start up Panther Server my Internet IP must be first and Local IP second, but whenever I restart Panther Server my Internet IP is placed second and Local first.
I must manually remove Local IP from System Preferences and enter it again... and all works fine. Local IP appears second again.
But every restart is a big problem!!
-
Confusion in article?
2003-12-04 11:31:42 anonymous2 [Reply | View]
In the article where it talks about adding the advanced rule in the firewall, it says "Under the Source area, choose Any from the Address pop-up menu (see Figure 6). From the Destination area, choose 192.168-net from the Address menu." But in the accompanying screen shot, it's the opposite. I have Panther server installed on a DP500 G4 with a second ethernet card hooked up to a cable modem and am not having any luck in getting NAT/firewall to work. Any suggestions?
Thanks,
Dan
-
NAT on Panther Server with PPPoE
2003-12-02 16:30:35 anonymous2 [Reply | View]
Hi,
Thanks for the article.
I have also been struggling with NAT and Firewall on Panther Server because my server uses PPPoE to connect to the Internet, and I want to set up an Airport network using the Airport card in the server.
What makes it more frustrating (as you point out) is that all of this (even the AirPort network) can be done so simply in Panther Client (i.e. NAT with a PPPoE connection and also automatically setting up an AirPort network on boot).
The problem I have found is that when setting up NAT with a PPPoE connection to the Internet, the NAT interface must be the ppp* interface, not the en* interface. Unfortunately, NAT in Panther Server doesn't give this option (or deduce this requirement).
It can be done, since BrickHouse did all of this (and more) simply in Jaguar Server. Unfortunately, it hasn't been updated for Panther. Even on Panther Client, I can use the command line (ps aux, and ipfw list) to get the config, but haven't been able to make that work on Panther Server.
Also, Panther Client when doing Internet Sharing seems to put AirPort into a different mode than Panther Server when doing a Computer-To-Computer Network. Panther Client puts an up-arrow in the AirPort status and shows signal strength on the clients (as opposed to just the little computer).
If anyone has successfully got NAT working on Panther Server with a PPPoE connection to the Internet I would be very keen to hear from them, how they did it etc.
Many thanks in advance,
Ashley Aitken
aitkena@cbs.curtin.edu.au
-
NAT on Panther Server with PPPoE
2003-12-14 06:50:10 anonymous2 [Reply | View]
Apple has detailed instructions in Appendix B of the "Getting Started With Mac OS X Server 10.3" Guide to set up a small business Panther server on a DSL internet connection with NAT. It involves using the built-in ethernet and ethernet on a PCI card. (For detailed description on this configuration and step-by-step instructions see the Appendix).
--Don't ask me for my config --it is exactly like the one described in Appendix B.
Unfortunately, NAT doesn't work with Panther Server when you are connected to the internet via PPPoE.
So, in my case where I have a DSL connection with a fixed address but picked up via PPPoE (I input the user id and password and my fixed address gets dynamically assigned to my computer) it was impossible to use NAT.
i.e. any computers on the local 192.168 addresses cannot access the internet.
After about 25 hours of trial and tribulation --and getting steered in the right direction by Dr. Ashley Aitken-- I have finally found the solution. It involves two small changes to Apple's instructions.
As Ashley intuited, the divert command that the GUI creates diverts traffic to what Apple calls the External interface ("en0" if you are using the built-in Ethernet). The problem is that when PPPoE is active the External interface is really "ppp0".
It is necessary to change this by editing the "natd.plist" file. And one must take care to NOT use the Server Admin to select an interface for NAT since this can change the setting back to "en0".
Here is what to do:
1) After installing the software and configuring the ports but before firing up the Server Admin (GUI) you need to edit the "natd.plist". You can use Terminal and Vi or Pico to do this but since I am mostly allergic to the Command Line interface I used BBEdit. You will need BBEdit 6.5 or higher to edit a hidden/invisible file.
2) Using BBEdit, use Open Hidden from the File Menu and navigate to "Macintosh HD/etc/nat/natd.plist". Look for the text:
<key>interface</key>
<string>en0</string>
Change "en0" to "ppp0" and save the file.
3) If there is already a file in the "nat" folder called "natd.plist.default" you should open it too and make the same change.
4) Now fire up Server Admin and make the step by step config changes to start FireWall, DNS, DHCP and NAT.
NB. When you start NAT you will probably notice that the interface that it is sharing is the "en1" PCI Ethernet card which you are using for internal network 192.168.*.*
This is counter intuitive to say the least because you really want to share the external interface.
**Nevertheless, resist the urge to change this back. DON'T click that NAT interface pop-up!**
Just turn on NAT and it should be working even though it says it is sharing the wrong interface and it will survive a restart as long as you don't play with the NAT interface Pop-up menu in the Server Admin.
To check that the settings are correct you can go into the FireWall -> Overview and in Active Rules the first line should have:
"divert 8668 ip from any to any via ppp0"
---
What is going on?
Here is what I think happens. When you fire up NAT for the first time the interface pop-up defaults to the last item on the list "en1".
If you change this it will cause the file "natd.plist.apple" to set the interface to "en0" and your NAT will stop working.
When NAT starts up I think it is reading the natd.plist.default (which you have modified to have "ppp0") then, if you have touched the GUI at all it will read a file called "natd.plist.apple" (which the GUI creates and modifies whenever you make changes in Server Admin) to create the file "natd.plist" which NAT uses when starting up.
---
Troubleshooting
If you do mess with the NAT interface in Server Admin and NAT stops working, you can probably get NAT to work again by making sure the files "natd.plist" and "natd.plist.default" use "ppp0" as per above. Then make a small change to FireWall general rules and save it --such as enabling or disabling the Finger Port 79.
Saving can take a long time so wait for the gear to stop spinning and then Stop the FireWall and Restart it. NAT should be working again. (You may need to restart the computer).
The exact sequence of events here is something I don't exactly understand so just don't ever touch that NAT interface pop-up menu.
Good luck.
Sincerely,
Alex Narvey
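The following is an added check, not part of Alex Narvey's post or of Apple's tooling, for the symptom described above: natd's divert rule names en0 while the public address actually lives on ppp0. It compares the interface of the default route (from "netstat -rn -f inet") with the interface in the divert rule (from "ipfw list"), which is the same line Alex says to look for under Firewall -> Overview. The command output embedded in the script is constructed for the example; run it with the argument "live" on the server to use real output.

```shell
#!/bin/sh
# Added example, not from the thread: does natd's divert rule name the
# interface that actually carries the default route? The sample command
# output below is constructed; "sh nat-check.sh live" reads the real thing.

# Interface of the default route: find the Netif column in the header of
# "netstat -rn -f inet" output, then print that column of the "default" line.
default_route_iface() {
    awk '$1 == "Destination" { for (i = 1; i <= NF; i++) if ($i == "Netif") col = i; next }
         $1 == "default" && col { print $col; exit }'
}

# Interface named by the first divert rule in "ipfw list" output; the rule
# may read "via", "recv" or "xmit" followed by the interface name.
divert_iface() {
    awk '$2 == "divert" { for (i = 3; i < NF; i++) if ($i == "via" || $i == "recv" || $i == "xmit") { print $(i + 1); exit } }'
}

# Compare the two. Exit status: 0 = consistent, 1 = NAT on the wrong
# interface, 2 = no divert rule at all (the NAT service is not running).
check_nat_interface() {
    def=$(printf '%s\n' "$1" | default_route_iface)
    div=$(printf '%s\n' "$2" | divert_iface)
    if [ -z "$div" ]; then
        echo "no divert rule in ipfw: the NAT service is not running"
        return 2
    fi
    if [ "$def" = "$div" ]; then
        echo "ok: natd diverts on $div, which carries the default route"
        return 0
    fi
    echo "mismatch: default route leaves via $def but natd diverts on $div;"
    echo "set <string>$def</string> as the interface in /etc/nat/natd.plist"
    return 1
}

# Constructed samples: a PPPoE box whose default route is ppp0, with the
# divert rule Server Admin writes (en0) and the corrected one (ppp0).
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.100.0.1         UGSc       12        0   ppp0
10.100.0.1         10.100.0.2         UH          1        0   ppp0
127.0.0.1          127.0.0.1          UH          0        4    lo0
192.168.3          link#5             UCS         1        0    en1'
SAMPLE_RULES_BAD='00010 divert 8668 ip from any to any via en0
00100 allow ip from any to any via lo0
65535 deny ip from any to any'
SAMPLE_RULES_GOOD='00010 divert 8668 ip from any to any via ppp0
00100 allow ip from any to any via lo0
65535 deny ip from any to any'

if [ "${1:-}" = "live" ]; then
    check_nat_interface "$(netstat -rn -f inet)" "$(ipfw list)"
else
    check_nat_interface "$SAMPLE_ROUTES" "$SAMPLE_RULES_BAD" || :
    check_nat_interface "$SAMPLE_ROUTES" "$SAMPLE_RULES_GOOD"
fi
```

The check reads the live rule set rather than natd.plist because, as the post explains, Server Admin may silently rewrite the plist; what ipfw is actually diverting is the only thing that matters.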
-
NAT on Panther Server with PPPoE
2005-10-12 03:39:18 MikeHKG [Reply | View]
hours of trial and tribulation: you're speaking from my heart!
Thanks to you, dear Alex, I only "wasted" about 10 hours on this one until I found your solution. Thank you so much!
Unbelievable that even the 10.4.2 server version
still does not fix this PPPoE issue. Therefore, one sour apple goes to .... Apple for their ignorance to implement the most popular way to connect to the internet.
By the way, after completing your instructions I still had to enable the "TCP outgoing" port for "any", even though that port was already open for the local LAN users, to make it work.
Thanks again & Best Wishes
Mike Koessler, Hong Kong
-
How about doing this with AirPort + Ethernet?
2003-12-02 13:17:40 anonymous2 [Reply | View]
I don't care if I use NAT or just some routing, but I would like to bridge the AirPort Extreme interface on my G5 server (connected to Internet via ethernet>Cisco router (NAT, DHCP)>T1) so that I can connect to the Internet via the AirPort Extreme card in my PowerBook.
NAT should be avoided, if possible, as it won't let me access my PowerBook from LAN machines. Ideally, the server would just act like the AirPort base station in bridging mode. If I have to use NAT, however, then I can deal.
The topic of AirPort bridging with "software base station" has been going around for ages, and I've never seen a clear solution. Any ideas?
-
NAT on Panther and https
2003-11-25 22:21:21 tom_davies [Reply | View]
I share my internet connection via an AirPort Extreme card in a G5. I don't have an AirPort base station. HTTP is shared fine, but HTTPS (and POP3 for that matter) isn't. Any ideas?
Thanks,
Tom
-
NAT on Panther and https
2003-11-25 22:25:46 anonymous2 [Reply | View]
Is your firewall turned on? (See System Preferences, Sharing, Firewall tab.)
If so, try turning it off and see if that solves the problem. I don't know precisely how Panther client (regular Panther, not Panther Server) handles passing through data across interfaces and NAT when the firewall is enabled.
If turning the firewall off solves the problem, I suggest looking into Firewalk X2 or Intego NetBarrier as a more robust firewall that would let you specifically open up the ports you need, or leaving the firewall off altogether.
-
NAT on Panther and https
2003-12-02 11:49:31 anonymous2 [Reply | View]
Or alternatively, use the OS X Firewall to open whatever ports you need. Just go to the Firewall Tab under System Preferences > Sharing, and click the "New..." button. Select "Other" from the drop down menu, fill in the appropriate values (Name: HTTPS, Port: 443) There are numerous predefined ports already available, and for granular precision, you can always use ipfw from the command line.
-
I read your article and all posts by other users like me. I have also searched the web high and low for answers to my problem, but thus far only partial success. Perhaps someone here can shed some light on this for me.
My OS X 10.3.9 Server is directly connected to my Cox Highspeed Cable modem via the en0 Ethernet Interface (WAN)
My OS X 10.3.9 Server has a second Ethernet Interface, en1, that handles all the LAN stuff for my local network.
All that seems to be working and every machine can access the internet, some have static local IP numbers, and some have dynamically assigned local IP numbers. All is well.
BUT .. Yes.. here comes the but.
I have two computers on the local network, one is running an Apache Web Server on 192.168.0.15:10080, and one is running Windows ASP.NET, ColdFusion, and Flash Communication Server on 192.168.0.19:10081. Just for clarification, the OS X Server is running its own Apache web server on port 10082.
Since cable modem users only get one dynamically assigned WAN IP number from Cox Highspeed, I am trying to use port numbers to redirect outside and inside traffic on those specific ports on my WAN IP to the LAN Network computers.
When it comes to accessing those computers/services on those ports from the outside (not from a computer on the local network), I got that covered. So http://lan.ip.number.178:10080 is forwarded to the computer on the LAN that handles those requests. I am using a special IP alias directive in the /etc/nat/nat.plist file:
<key>redirect_port</key>
<array>
    <dict>
        <key>proto</key>
        <string>tcp</string>
        <key>targetIP</key>
        <string>192.168.0.15</string>
        <key>targetPortRange</key>
        <string>10080</string>
        <key>aliasIP</key>
        <string>wan.ip.number.178</string>
        <key>aliasPortRange</key>
        <string>10080</string>
    </dict>
    <!-- one <dict> per further port/IP pair, TCP and UDP separately -->
</array>
... and the same for the other ports/IP sets for TCP and UDP separate <dict> containers.
However, when I try accessing http://wan.ip.number.178:10080 from a computer on my LAN, I get a connection refused. Sure is strange that it would do what it's supposed to do from any computer outside my LAN, but when it comes to computers on the inside of my LAN I get a connection refused.
Sure, http://192.168.0.15:10080 works from any of the LAN computers, but that doesn't really do me any good. Why? Because let's say I assign a domain name to wan.ip.number.178, like office.domainname.com and then want to use office.domainname.com:10080 to access services on the computer on my LAN inside and outside of my network, it will only work from the outside, not from the inside.
Does anyone of you know of a way around that? I used to have a Linksys Router that did port forwarding like a charm, but I got rid of it when I got the OS X Server, only to find out that it's not all that easy on OS X Server with NAT/DHCP/Firewall.
I looked into the Firewall log and I can see that the traffic is accepted, but that's where it ends.
Can anyone give me any pointers here?
Thank you.