8 Replies Latest reply: Aug 20, 2012 11:38 AM by Camelot
cheers12 Level 1 Level 1 (0 points)

I bought an Apple USB to Ethernet adaptor for my Mac Mini in order to create a second connection for external access. The connection works fine, but how do I dictate which services go through where? In Server.app, it only allows configuration for one network interface. I want to let all AD authentications for profile manager go through the local network and all other traffic such as web and APNS go through the external network.


Mac mini, Mac OS X (10.7.3)
  • 1. Re: Dual ethernet connection on OS X server
    Camelot Level 8 Level 8 (45,790 points)

    You misunderstand IP networking.

     

    The choice of interface is dictated by IP address, not port (or service).

     

    The OS knows the IP subnet assigned to each interface, and traffic for each subnet will go out the appropriate interface.

    In addition the OS has one or more routes defined that tells it where to send traffic for non-local networks. Commonly you have one default route defined, so all non-local traffic is sent to that address (typically your router).

     

    The OS doesn't care whether the traffic is HTTP, SMTP, Open Directory, or anything else. All it knows is that the connection is to a specific IP address and that IP address is reached through a specific interface/route combination.

     

    Now, there is a twist to this, in that when you're running a service you can define which interface(s) the service listens on. This means that requests for a service (e.g. HTTP, OD, etc.) only work on interfaces that are configured, and others are dropped, but the same rules of IP routing still apply.

     

    If you want to restrict services you have two options. One is to use the firewall to block connections on the interfaces you don't want. The other is to edit the services' individual configuration file to set which interface(s) are active. Unfortunately there are almost as many ways of doing this as there are services - each service can have its own option. Server Admin/Server.app only provide this kind of option for certain services.

    Apache, for example, lets you set up the IP address/port combinations in each site's configuration file and is one of the services that Server.app can configure. Other services aren't as easy.

  • 2. Re: Dual ethernet connection on OS X server
    Jonathan Melville Level 2 Level 2 (450 points)

    I want to let all AD authentications for profile manager to go through the local network and all other traffic such as web and APNS go through the external network

     

    Even though the Ethernet adaptor on the mini works for you right now, it's not supported by Apple for Minis. It's only meant for MacBook Air. It might keep working forever, but it might not... You wouldn't want your server to break because some future software update breaks the second NIC.

     

    More importantly, your proposed setup doesn't make any sense. That's not how you would take advantage of two NICs on a server.

     

    There are a few reasons you would need to take advantage of a second NIC on a server. One would be if you were using your server as the gateway for your LAN. You would need a NIC for your LAN and a NIC for your WAN. Another reason would be something like creating a link aggregate between two NICs, effectively doubling the bandwidth of your LAN client's connection to the server.

  • 3. Re: Dual ethernet connection on OS X server
    cheers12 Level 1 Level 1 (0 points)

    How would I configure it so that all AD traffic goes through my local LAN? Is there a guide?

  • 4. Re: Dual ethernet connection on OS X server
    cheers12 Level 1 Level 1 (0 points)

    Jonathan Melville wrote:

     

    I want to let all AD authentications for profile manager to go through the local network and all other traffic such as web and APNS go through the external network

     

    Even though the Ethernet adaptor on the mini works for you right now, it's not supported by Apple for Minis. It's only meant for MacBook Air. It might keep working forever, but it might not... You wouldn't want your server to break because some future software update breaks the second NIC.

     

    More importantly, your proposed setup doesn't make any sense. That's not how you would take advantage of two NICs on a server.

     

    There are a few reasons you would need to take advantage of a second NIC on a server. One would be if you were using your server as the gateway for your LAN. You would need a NIC for your LAN and a NIC for your WAN. Another reason would be something like creating a link aggregate between two NICs, effectively doubling the bandwidth of your LAN client's connection to the server.

     

    What would you suggest? My AD is local access only and behind a corporate firewall which doesn't allow incoming connections with a few exceptions. All externally accessible services are on a separate, external LAN, and those servers which require access to the AD have a second NIC for the local LAN.

  • 5. Re: Dual ethernet connection on OS X server
    Miles Fawcett Level 1 Level 1 (5 points)

    If I understand you correctly you want to use the second NIC for a network firewall application with Lion Server. This is a different application than the standard Lion Server admin and it has additional options including detailed network configuration and firewall config.

     

      http://support.apple.com/kb/HT5050

     

    You will configure a different subnet on your trusted / untrusted networks and set up your firewall / NAT, etc. rules accordingly.

  • 6. Re: Dual ethernet connection on OS X server
    jachess Level 1 Level 1 (0 points)

    I may be under-analysing this, but as @camelot said, all you need to do is set up appropriate routes. Assuming the following setup:

     

    eth0 (onboard NIC) IP address 10.0.0.10 mask 255.255.255.0 used for AD connections

    eth1 (USB NIC) IP address 192.168.0.10 mask 255.255.255.0 used for everything else

    AD server IP address 10.1.1.10 mask 255.255.255.0

     

    add a default router to your eth1 NIC of the network router on that segment (192.168.0.1 normally) in Settings->Network

     

    remove any default router on the eth0 NIC in Settings->Network

     

    add a network route using the terminal command line to 10.1.1.0/24 via the eth0 router (10.0.0.1 normally).

     

    route -n add 10.1.1.0/24 10.0.0.1

     

    If you want to make this permanent there are plenty of posts on how to accomplish it.
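The routing decision Camelot describes in reply 1 and the table jachess lays out above, worked through as an added example (not code from the thread): a longest-prefix-match lookup over a constructed table with the post's addresses, showing that the destination IP alone picks the interface, that the port never enters into it, and why the default router must exist on only one NIC. Interface names en0/en1 and the rule that ties are broken by table order (standing in for the Network pane's service order) are modelling assumptions.

```python
import ipaddress

# Constructed routing table modelling the setup in the post above (not from the thread):
# en0 = onboard NIC on 10.0.0.0/24, en1 = USB NIC on 192.168.0.0/24,
# AD server on 10.1.1.0/24 reachable via 10.0.0.1. A route is
# (destination network, gateway or None if directly connected, interface).
ROUTES = [
    ("10.0.0.0/24",    None,          "en0"),
    ("192.168.0.0/24", None,          "en1"),
    ("10.1.1.0/24",    "10.0.0.1",    "en0"),   # route -n add 10.1.1.0/24 10.0.0.1
    ("0.0.0.0/0",      "192.168.0.1", "en1"),   # the only default router
]

def lookup(dst, routes=ROUTES):
    """Longest-prefix match over the table; ties are broken by table order
    (assumption: this stands in for the Network pane's service order).
    Returns (interface, gateway) or None when no route covers dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, ifname in routes:
        network = ipaddress.ip_network(net)
        if addr not in network:
            continue
        if best is None or network.prefixlen > best[0].prefixlen:
            best = (network, gw, ifname)
    return None if best is None else (best[2], best[1])

def plan(connections, routes=ROUTES):
    """Map (service, dst, port) tuples to their egress. The port is carried
    along only to show it never influences the interface choice."""
    return {svc: lookup(dst, routes) for svc, dst, port in connections}

# Constructed destinations: the AD server from the post plus a web client and an
# APNS endpoint drawn from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.
CONNECTIONS = [
    ("AD/LDAP", "10.1.1.10",    389),
    ("AD/Kerb", "10.1.1.10",    88),
    ("HTTP",    "203.0.113.5",  80),
    ("APNS",    "198.51.100.9", 2195),
]

if __name__ == "__main__":
    for svc, (ifname, gw) in plan(CONNECTIONS).items():
        print(f"{svc:8} -> {ifname} via {gw or 'direct'}")
    # Keeping a second default router on en0 makes the two defaults tie, so
    # only interface order decides where HTTP and APNS leave the box.
    two_defaults = ROUTES + [("0.0.0.0/0", "10.0.0.1", "en0")]
    print("HTTP with two defaults:", lookup("203.0.113.5", two_defaults))
```

Run it as a script to see each service mapped to its interface; with the table as given, AD traffic leaves via en0 and everything else via en1 regardless of port.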

     


  • 7. Re: Dual ethernet connection on OS X server
    John Lockwood Level 5 Level 5 (5,360 points)

    Most of the OS X Server services will automatically work on both interfaces. However, the priority of which interface is used can be important, and in this case you would want to use the built-in 1 Gigabit port for the LAN and the USB Ethernet for the internet.

     

    This is done by setting the order they are listed in the Network preference pane. Just drag one to change the order.

     

    With regard to having this Apple USB adaptor work on models other than the MacBook Air: this can be done, and even if Apple have omitted the driver (Kext file) on a particular copy of OS X you can download a generic driver that still lets it work.

     

    See http://www.sustworks.com/site/news_usb_ethernet.html

     

    It is also possible now to buy an Apple Thunderbolt to 1 Gigabit Ethernet adaptor which is officially supported on all Thunderbolt compatible Macs including the new Mac mini. This will also offer better 100Mbps performance than the USB adaptor.

  • 8. Re: Dual ethernet connection on OS X server
    Camelot Level 8 Level 8 (45,790 points)

    This is done by setting the order they are listed in the Network preference pane. Just drag one to change the order.

    That's fine, but it doesn't address the original question, which is how to ensure that specific services run on specific interfaces.

     

    Changing the interface priority really only affects non-local traffic since it defines the gateway addresses to use. It doesn't affect whether a specific service (e.g. directory service) listens/responds to requests on one interface only. In this case, the OP wants specific services to use one interface while other services use a different interface. That can't be done by simple interface ordering.