    #358217
    samv
    Participant

    I am attempting to set up NAT on Mac OS X 10.3 Server. aderiumm posted similar problems 20 Feb 2004. floh also posted difficulties 23 Feb 2004. In this post I record my problems and consolidate some suggestions posted elsewhere on the AFP548 forum.

    The setup
    I did a clean install of Mac OS 10.3 on a G4 and immediately upgraded to 10.3.4. The G4 tower has two Ethernet interfaces: built-in Ethernet and a Sonnet 10/100/1000Mbps Ethernet card.

    The built-in Ethernet (en0) is connected to the ADSL modem (bridge, not router). IP Address: 220.245.56.138/255.255.255.252 Router: 220.245.56.137 DNS Servers: 203.12.160.35 and 203.12.160.36 (provided by my ISP). This IP address was assigned during the Mac OS 10.3 installation setup.

    The PCI card Ethernet interface (en1) is connected to my local network. I assigned it an IP address using System Preferences >> Network preference pane. IP Address: 192.168.0.1/255.255.255.0 Router: <blank> DNS Servers: <blank>.

    I have one computer (an iBook) on the LAN. The IP Address on the iBook is configured manually. IP Address: 192.168.0.101/255.255.255.0 Router: 192.168.0.100 (My OS 10.3 Server) DNS Servers: 203.12.160.35 and 203.12.160.36.

    I have not yet set up DHCP on the LAN interface – I thought I’d set up DHCP as soon as I get the manual configuration of LAN clients working properly. And for the moment I’ve not set up DNS Server (BIND) on my Mac OS 10.3 Server. I haven’t read anything suggesting DNS Server and DHCP need to be running to get NAT to work. Because Firewall is not yet running I don’t expect it to interfere with any network traffic (Firewall doesn’t need to be on to enable NAT, does it? I shouldn’t think so.)

    The web browser on the 10.3.4 Server can see the World Wide Web – excellent.

    The web browser on the LAN pointed to http://192.168.0.100 brings up the default web page hosted by apache on the Mac OS 10.3.4 Server computer – excellent. So far, so good.

    If however I try to access an outside web page from the iBook (LAN computer) – no luck.

    A few people have been trying to do this sharing a dial-up connection to an Ethernet LAN. Why bother? I suppose an interesting experiment.

    So, where is the problem? Why isn’t NAT working?

    Is the problem with NAT (natd)?
    The GUI to configure NAT is very simple (nice). Select the interface you want to share (i.e. the interface going to the ISP/Internet). I was hoping it was just a case of selecting the interface I want to share (en0) and turning on NAT in Server Admin. NAT appears to be running (check with ‘sudo serveradmin fullstatus nat’) but the log is empty (check with ‘tail -f /var/log/alias.log’).

    One thought I had was to edit the natd.conf file (actually natd.conf.apple) manually. NoahD, 10 Nov 2003, suggests the information in /etc/nat/natd.plist is used to produce /etc/natd.conf.apple every time natd starts up, so there may be issues trying to edit the NAT conf file manually. NoahD also states “the plist entries allow for port forwarding, though there is some weirdness (destination AND source address are both REQUIRED, which could make things tricky on a DHCP system).” I haven’t yet attempted to edit the natd.conf.apple file manually.

    Is the problem with Firewall?
    Scott DeLeury, 5 Feb 2003, suggests that for NAT to work you need to create firewall rules to allow those addresses:ports to be forwarded from one address to another. Surely it is only necessary to create a Firewall rule if Firewall is running? I am assuming NAT can run without Firewall. If Firewall is running I guess I would need to add the following rule: “allow 192.168.0.0/24 to any in”. Without this rule the firewall blocks the NAT’d IP addresses even though the traffic (HTTP requests) originates on the inside of the firewall.

    Is the problem with DNS?
    Do I need to set up DNS Server for LAN clients wanting to connect to the Internet via NAT? Even with DNS Server not running I’d still expect some NAT success by requesting http://203.111.131.67 instead of http://www.abt.com.au on my LAN computer – it doesn’t work.

    One suggestion I found: “[you] need to set up an A record in DNS to go from [the] internal port to [the] ISP dns server”. I’m not sure if this is necessary and I’m not sure how to do this (time to read up on BIND I guess).
    chiefgeek (12 June 2004) suggests “Configure internal DNS with PTR records (fwd/reverse) for the machines you wish to access internally by name.” This is a separate issue but relates to DNS, naming and accessing computers by hostname on a LAN.

    Any other ideas?
    MacTroll/Joel, 24 Feb 2004, suggests a couple of other things need to be configured to get routing to work:
    sudo sysctl -w net.inet.ip.forwarding=1

    Then make sure that “IPFORWARDING=-YES-” in /etc/hostconfig so you don’t have to do this by hand when you reboot.

    I am reluctant to do this as it doesn’t seem to be mentioned in any of the Apple documentation. Even when I tried this suggestion I couldn’t get NAT to work.

    If anyone has any insight I’d appreciate more information. If I get this to work I will consider writing an article on this – there seems to be a few people trying to setup NAT.

    Sam Venning

    #358220
    Anonymous
    Participant

    NAT does, in fact, require the firewall to be running. When natd starts up, it creates a firewall rule that redirects traffic to itself so it can process it. That’s the only way natd can intercept all of your network traffic.

    You need to do two things, I think. First, simply turn the firewall on. If you don’t actually want firewall functionality, just create an “allow everything” rule and disable all other rules: allow any traffic from any source address on any port to the 192.168-net address group. That essentially makes the firewall invisible. Not the best security idea, but useful for getting things working.

    The second thing you need to do is turn on IP forwarding. This is off by default, and I believe it’s necessary for what you’re trying to do. There’s a way to do this without rebooting, but the rebooting way is easier: edit /etc/hostconfig and change the line “IPFORWARDING=-NO-” to “IPFORWARDING=-YES-”, then reboot. (It’s possible this is not necessary. I do it out of habit, frankly. If you like, you can try just doing the firewall thing and skipping this step and reporting whether it works or not.)

    I just set up NAT on a Mac OS X Server this weekend, so all of this stuff is fresh in my mind. I hope this was helpful.
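
    One way to audit the prerequisites named in the original question and this reply (IP forwarding in the kernel and in /etc/hostconfig, natd's redirect rule installed on the running firewall, and an inbound allow rule for the LAN) from captured command output, as an added example that is not from the thread. The divert-rule form and natd's default divert port 8668 are assumptions, and every sample output below is constructed rather than captured from a real server.

```shell
#!/bin/sh
# Added example, not from the thread: check captured output from a 10.3 Server
# against the NAT prerequisites discussed above. Samples are constructed.

# Constructed sample: output of `sysctl net.inet.ip.forwarding`
SAMPLE_SYSCTL="net.inet.ip.forwarding: 0"
# Constructed sample: contents of /etc/hostconfig (forwarding still off)
SAMPLE_HOSTCONFIG="HOSTNAME=-AUTOMATIC-
IPFORWARDING=-NO-"
# Constructed sample: output of `ipfw list`; rule numbers are placeholders.
# The divert rule is what natd installs so the firewall hands packets to it
# (assumed form; 8668 is natd's default divert port).
SAMPLE_IPFW="00010 divert 8668 ip from any to any via en0
01000 allow ip from 192.168.0.0/24 to any in
65535 deny ip from any to any"

# Each check reads one captured text as $1 and returns 0 when the
# prerequisite is met, 1 otherwise.
has_kernel_forwarding() { printf '%s\n' "$1" | grep -q '^net.inet.ip.forwarding: 1$'; }
has_boot_forwarding()   { printf '%s\n' "$1" | grep -q '^IPFORWARDING=-YES-$'; }
# $2 = external (shared) interface, en0 in the thread
has_divert_rule()       { printf '%s\n' "$1" | grep -q "divert 8668 ip from any to any via $2$"; }
# $2 = LAN network in CIDR form
has_lan_allow_rule()    { printf '%s\n' "$1" | grep -q "allow ip from $2 to any in$"; }

# $1 sysctl output, $2 hostconfig text, $3 ipfw list, $4 ext iface, $5 LAN CIDR
# Prints one MISSING line per unmet prerequisite; return value is the count.
nat_audit() {
  missing=0
  has_kernel_forwarding "$1" || { echo "MISSING: net.inet.ip.forwarding is not 1 (sysctl -w net.inet.ip.forwarding=1)"; missing=$((missing+1)); }
  has_boot_forwarding "$2"   || { echo "MISSING: IPFORWARDING=-YES- in /etc/hostconfig (lost on reboot otherwise)"; missing=$((missing+1)); }
  has_divert_rule "$3" "$4"  || { echo "MISSING: natd divert rule on $4 (firewall off or natd not running?)"; missing=$((missing+1)); }
  has_lan_allow_rule "$3" "$5" || { echo "MISSING: firewall allow rule for $5 inbound"; missing=$((missing+1)); }
  return $missing
}

# With the samples above, forwarding is off in both places: two items missing.
nat_audit "$SAMPLE_SYSCTL" "$SAMPLE_HOSTCONFIG" "$SAMPLE_IPFW" en0 192.168.0.0/24 \
  || echo "$? prerequisite(s) missing"
```

    Replace the three constructed samples with real captures (`sysctl net.inet.ip.forwarding`, `cat /etc/hostconfig`, `sudo ipfw list`) to audit an actual server.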

    #358224
    samv
    Participant

    Thank you so much for the tip. Turning on the firewall fixed the problem – sharing my Internet connection on one Ethernet interface to a private network on another Ethernet interface via NAT is now working (at least for Macs on the LAN… I need to work out why the PC connection to the outside world isn’t working). I’m now well on the way to getting this working. I think all I have to do now is refine/finish setting up DHCP and firewall rules. Excellent!

    #358454
    Anonymous
    Participant

    I want to do exactly the same thing as described here… only difference is that I only have one NIC card in my G4.

    So the setup is this:
    G4 running Mac OS X 10.3.4 Server with one NIC card and a USB modem. I have several other machines around the house all connected up via Ethernet, which I want to share the Internet connection with.

    Is this possible without a) buying another NIC card or b) buying an ethernet modem…?

    Thanks in advance.

    #358709
    Anonymous
    Guest

    I used this info setting up my new lab... had funky issues and clients could not connect to the Internet... now it works! Be nice if the manuals said that Firewall had to be running... ack!
