Using Mac OS X Server as a Router Providing NAT

—Aaron Schurman

Updated 28 June 2002

Partially 10.2 OK

NAT Router

The information in this article is designed for Mac OS X Server 10.1. Please see Aaron’s updated article for additional directions and information to use Mac OS X Server 10.2 as a NAT router.

I spent about a week going through the painstaking process of getting my Mac OS X Server box to run as both a router and a server. The setup I wanted had two NICs (the built-in port and a PCI add-on card) installed in the computer. The built-in ethernet port faces the Internet and serves external data for things such as Web, e-mail, FTP, SSH, AFS, etc. The PCI card serves DHCP, AFS and other services to an internal network, and the whole system routes outgoing traffic from the internal network to the external network using NAT. After much frustration I finally figured out how it all fits together and now have a server/router that runs flawlessly. In this article I will outline how to configure each card, DHCP and NAT (with the text files included), all without any third-party software. That is the true strength of Mac OS X: the Unix underpinnings let you run network services without adding stand-alone applications that take up processing power or memory better spent on handling network traffic. So here is how to do it; enjoy:

First off, you need to make sure you have a NIC that works in Mac OS X. I bought five of them and the best one I found (also the most expensive) was a Farallon card. These cards use a chip set that Mac OS X supports without any extra drivers, because it is the same chip set Apple uses in its own cards. Mine was a Fast EtherTX. This is the first problem area to check: the OS might not fully support your card, and even if it shows up in the Network panel it still might not work.

Second, make sure no firewall management software is installed. I had NetBarrier running while trying to set up the network and later discovered that it would not work with two NICs; it kept blocking DHCP. I have found this to be true of most third-party firewall software (NetBarrier, Firewalk X, Brickhouse, Impasse). My advice is to learn to program the firewall built into Mac OS X (ipfw), or pay someone to do it, because with Mac OS X Server running as a router a third-party firewall just seems to get in the way (truthfully, these products were probably never intended for Mac OS X Server doing NAT; they are aimed at Mac OS X clients). So again, make sure all third-party firewall management software is removed.

Third, make sure your server and client software is fully up to date. At the time of writing that means Mac OS X 10.1.3 and Mac OS X Server 10.1.3. If your server is still at 10.1 while your clients are up to date, communication between the two can be flaky or fail completely, so please keep your software current.

Once you have taken care of the firewalls, the software updates and the NIC installation, set up your Network preferences (System Preferences > Network). There, configure the built-in port with the settings for your external connection (whether a static IP address or DHCP), exactly as you would for an ordinary computer on that network. Then configure the PCI NIC as follows:

IP address: 10.0.0.1
Subnet mask: 255.255.255.0
Router address: leave blank
Domain Name Servers: same as built-in ethernet
Search Domains: same as built-in ethernet

Once you have done this, open Server Admin and click the Network tab. Under “DHCP/NetBoot”, turn DHCP on if it isn’t already, then choose “Configure DHCP”. When the window comes up you should see one subnet already created, from when you filled in your network info while Server Setup Assistant guided you through the first boot. Click the “New” button and configure as follows:

Subnet Name: whatever you want, e.g., Internal Net
Port: choose the PCI card from the list
Start: 10.0.0.2
End: 10.0.0.253
Subnet Mask: 255.255.255.0
Router: 10.0.0.1

Make sure “Enable DHCP” is checked and set the lease time to whatever you want (I have it at 1 hour).

Under DNS:

Default Domain: same as Search Domains in the Network Control Panel
DNS Servers: same as in the Network Control Panel

Under NetInfo:

NetInfo Tag: whatever you want; I have “boywonderdesign” (for my business name). I am not sure if this matters.
NetInfo Parents: leave this alone. NetInfo is one of the MOST important parts of Mac OS X and the easiest to break; don’t touch anything in NetInfo unless you know exactly what you are doing, or you could find your computer refusing to start up.

Then you click the Save button and your new subnet should be created. (If your Server Admin application crashes when you try and access the Configure DHCP window, you have an incompatible NIC card. I had this happen a couple of times with certain cards I had installed)

Now it should be serving DHCP. (Again, make sure you are not using any firewall programs at this time, especially NetBarrier, because it won’t allow the DHCP to work properly. I suggest you try and program the built in firewall because the third party firewalls just weren’t built with Mac OS X Server in mind.)

One important point I figured out after a little testing and some forum posts: the cable from the PCI NIC must go into a normal port on your hub or switch. Don’t plug it into the uplink port; that will not work and the clients will see no signal from the serving computer.

You can check whether DHCP is working by setting your internal machines to use DHCP, restarting both them and the server, and seeing whether an address like 10.0.0.x with a subnet mask of 255.255.255.0 shows up in the Network panel of the client machine. If it doesn’t, there is a problem (bad NIC, bad cable, bad switch).

So now on to NAT. I have included some files I got off a website a couple of years ago, and they work flawlessly; it’s awesome! I am going to put the code into this article to show you where the changes need to be made. You will need to make the changes on the command line using pico as the superuser. If you don’t have root enabled and don’t know how to do that, look around the web for that info, or email me (see below) and I will fill you in on how that works.

The info is from three different files, one that you will create, and two that come in the NAT.tar that is included with this article. This is the location of these files:

/etc/rc.natd
/System/Library/StartupItems/nat/nat
/System/Library/StartupItems/nat/StartupParameters.plist

So here’s the info from the “nat” file:

#!/bin/sh
#
# NAT enables an internet connection to be shared.
#

. /etc/rc.common

ConsoleMessage "Starting natd"
ConsoleMessage "Configuring natd parameters"
# Let the kernel forward packets between the two interfaces
sysctl -w net.inet.ip.forwarding=1
# Internal interface (the PCI card); en0 is the built-in port in this setup
ifconfig en1 10.0.0.1 netmask 255.255.255.0
# Start natd with the settings from /etc/rc.natd (external interface en0)
natd -config /etc/rc.natd
# Flush any existing rules, hand everything crossing en0 to natd,
# then pass all remaining traffic unfiltered
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via en0
/sbin/ipfw add pass all from any to any

Notice the ifconfig line, which gives the internal interface “en1” the address 10.0.0.1 with netmask 255.255.255.0; this is the router address your DHCP clients are handed. The sysctl line turns on packet forwarding between the two interfaces, and the ipfw rules do the rest: the “divert” rule hands every packet crossing en0 to natd, which rewrites the addresses, and the final “pass” rule lets everything else through. Before you rely on this file, confirm with “ifconfig -a” that en0 really is your built-in (external) port and en1 the PCI card; the names depend on the order the interfaces were detected, and swapping them silently breaks the setup. Also be aware that the pass rule means the box is doing NAT with no packet filtering at all: anything listening on the server is reachable from the outside, so once the basic setup works, replace that rule with ipfw rules of your own. If the “nat” file that got installed looks just like this, you are set.
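As an added example (my own, not Aaron’s nat script and not part of the NAT.tar), here is the same divert-to-natd arrangement with a ruleset that actually filters, shown next to the article’s pass-everything version, plus a check you can run against the output of “ipfw list” after a reboot. It assumes the layout described above, en0 external and en1 internal on 10.0.0.0/24, and that only SSH and HTTP on the server should be reachable from outside; the interface names, the network and the port list are assumptions you should adjust to match “ifconfig -a” and the services you actually run. It uses ipfw1 syntax as found in the 10.1 ipfw.

```shell
#!/bin/sh
# Added example, not Aaron's nat script and not from the NAT.tar: the
# divert-to-natd setup with a ruleset that filters, plus a check that can
# be run over `ipfw list` output.
# Assumptions (hypothetical; confirm with `ifconfig -a`): en0 is the
# built-in/external port, en1 the PCI card on 10.0.0.0/24, and only SSH
# and HTTP on the server should be reachable from the outside.
EXT_IF="${EXT_IF:-en0}"
INT_IF="${INT_IF:-en1}"
INT_NET="${INT_NET:-10.0.0.0/24}"

# The ruleset from the article, kept for comparison: after the divert
# rule it passes every packet, so the box does NAT with no filtering.
permissive_rules() {
    printf '%s\n' \
        "add divert natd ip from any to any via $EXT_IF" \
        "add pass ip from any to any"
}

# Tighter ruleset. ipfw walks rules in number order, so the divert rule
# must sit before the filtering rules: natd rewrites the addresses and the
# packet re-enters at the next rule with its translated addresses.
hardened_rules() {
    printf '%s\n' \
        "add 100 allow ip from any to any via lo0" \
        "add 200 deny ip from any to 127.0.0.0/8" \
        "add 300 divert natd ip from any to any via $EXT_IF" \
        "add 400 allow ip from $INT_NET to any via $INT_IF" \
        "add 410 allow ip from any to $INT_NET via $INT_IF" \
        "add 500 allow tcp from any to any established" \
        "add 510 allow tcp from any to me 22 in via $EXT_IF setup" \
        "add 520 allow tcp from any to me 80 in via $EXT_IF setup" \
        "add 530 allow udp from any 53 to any in via $EXT_IF" \
        "add 540 allow icmp from any to any icmptypes 0,3,8,11" \
        "add 550 allow ip from any to any out via $EXT_IF" \
        "add 65000 deny log ip from any to any"
}
# Rule 65000 matters: Mac OS X ships its default rule 65535 as
# "allow ip from any to any", so without an explicit deny the firewall
# is open. UDP replies other than DNS need rules of their own.

# Replace the live ruleset with the output of the named function.
apply_rules() {
    /sbin/ipfw -f flush
    "$1" | while IFS= read -r rule; do
        # word splitting of $rule is intended: each word is an ipfw token
        /sbin/ipfw $rule
    done
}

# Read `ipfw list` output on stdin. Succeeds only if a divert rule exists
# on the external interface and no rule other than the kernel default
# 65535 is an unconditional "allow ip from any to any".
# (`ipfw list` prints natd's port, 8668, in place of the name.)
check_ruleset() {
    awk -v ext="$EXT_IF" '
        $1 == "65535" { next }
        $2 == "divert" && $0 ~ ("via " ext "$") { divert = 1 }
        $2 == "allow" && $3 == "ip" && $0 ~ /from any to any$/ { catchall = 1 }
        END { exit !(divert && !catchall) }
    '
}

# Usage as root:  sh nat-rules.sh apply      then     ipfw list | sh nat-rules.sh check
case "${1:-}" in
    apply) apply_rules hardened_rules ;;
    check) check_ruleset && echo "ruleset OK" || echo "ruleset NOT OK (divert missing or pass-all present)" ;;
esac
```

To use this in place of the three ipfw lines in the “nat” startup file, call apply_rules hardened_rules after natd has started; the divert rule is still first, so natd sees the packets exactly as before, but inbound connections now reach only the ports you listed, and everything else is logged and dropped by rule 65000. Run the check after each reboot to catch a stale or flushed ruleset.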

The info on the StartupParameters.plist file looks like this:

{
   Description = "Network address translation";
   Provides = ("NAT");
   Requires = ("Network");
   OrderPreference = "Late";
   Messages = {
      start = "Starting network address translation services";
      stop = "Stopping network address translation services";
   };
}

You don’t need to change anything here, it’s already setup for you.

Here’s the info on the file that you will create from the command line using pico, make sure it’s in the /etc/ directory and called rc.natd. You can find more info on that in the nat.rtf document included with this article, it gives you full instructions on how to set it up.

# Config file used by the natd startup script in /System/Library/StartupItems/nat
# Logging parameters
log yes
log_denied yes
# Networking parameters
use_sockets yes
same_ports yes
# External interface whose address natd translates to (the built-in port)
interface en0

Again, the included nat.rtf gives more in-depth information about these three files: how to create them, where to put them and how to set it all up. This rc.natd file is the one you create yourself, but don’t change its contents; it is already set up (just copy it from nat.rtf and paste it into a document in pico).

After that, restart and things should be working. If there are any problems, go through this document once more to make sure everything is set up right. Check your hardware (cables, NIC card, switch), and double check. If there are still problems, feel free to send me questions (*note: due to spam attacks from the Internet, we have removed Aaron’s e-mail address. If you need to reach him, please contact us through the feedback form) and I will try my best to answer them. Good luck, and happy networking!

—Aaron Schurman