Dual ethernet connection on OS X server

3558 Views 8 Replies Latest reply: Aug 20, 2012 11:38 AM by Camelot
cheers12
Feb 29, 2012 2:45 PM

I bought an Apple USB to Ethernet adaptor for my Mac Mini in order to create a second connection for external access. The connection works fine but how do I dictate which services go through where? In Server.app, it only allows configuration for one network interface. I want to let all AD authentications for profile manager to go through the local network and all other traffic such as web and APNS go through the external network.

Mac mini, Mac OS X (10.7.3)
  • Camelot Level 8 (45,670 points)
    Feb 29, 2012 3:31 PM (in response to cheers12)

    You misunderstand IP networking.

     

    The choice of interface is dictated by IP address, not port (or service).

     

    The OS knows the IP subnet assigned to each interface, and traffic for each subnet will go out the appropriate interface.

    In addition the OS has one or more routes defined that tells it where to send traffic for non-local networks. Commonly you have one default route defined, so all non-local traffic is sent to that address (typically your router).

     

    The OS doesn't care whether the traffic is HTTP, SMTP, Open Directory, or anything else. All it knows is that the connection is to a specific IP address and that IP address is reached through a specific interface/route combination.

     

    Now, there is a twist to this, in that when you're running a service you can define which interface(s) the service listens on. This means that requests for a service (e.g. HTTP, OD, etc.) only work on interfaces that are configured, and others are dropped, but the same rules of IP routing still apply.

     

    If you want to restrict services you have two options. One is to use the firewall to block connections on the interfaces you don't want. The other is to edit the services' individual configuration file to set which interface(s) are active. Unfortunately there are almost as many ways of doing this as there are services - each service can have its own option. Server Admin/Server.app only provide this kind of option for certain services.

    Apache, for example, lets you set up the IP address/port combinations in each site's configuration file and is one of the services that Server.app can configure. Other services aren't as easy.
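An added example, not part of the original post: one way to check which listening services are actually reachable on each interface, by parsing `netstat -an -p tcp` output in the macOS `address.port` format. The sample output and the interface addresses 10.0.0.10 (internal) and 192.168.0.10 (external) are constructed for illustration.

```python
# Constructed sample of macOS `netstat -an -p tcp` output (not from a real host).
SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  10.0.0.10.389          *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  192.168.0.10.443       *.*                    LISTEN
tcp4       0      0  10.0.0.10.49152        10.1.1.10.389          ESTABLISHED
"""

# Assumed interface addresses for the two NICs.
INTERFACES = {"internal": "10.0.0.10", "external": "192.168.0.10"}


def listeners(netstat_text):
    """Return [(bind_address, port)] for every IPv4 TCP socket in LISTEN state."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp4" or fields[5] != "LISTEN":
            continue  # headers, established connections, other protocols
        # macOS prints "address.port"; the port is after the last dot.
        addr, _, port = fields[3].rpartition(".")
        found.append((addr, int(port)))
    return found


def exposure(netstat_text, interfaces=INTERFACES):
    """Map each interface name to the sorted list of ports reachable on it."""
    reach = {name: set() for name in interfaces}
    for addr, port in listeners(netstat_text):
        for name, ip in interfaces.items():
            # A wildcard bind ("*") answers on every interface;
            # a specific bind answers only on the interface owning that address.
            if addr == "*" or addr == ip:
                reach[name].add(port)
    return {name: sorted(ports) for name, ports in reach.items()}


if __name__ == "__main__":
    for name, ports in exposure(SAMPLE).items():
        print(f"{name:9s} {INTERFACES[name]:14s} ports {ports}")
```

Any port listed under the external interface that should be internal-only is a candidate for a firewall rule or a service-specific bind setting.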

  • Jonathan Melville Level 2 (450 points)
    Feb 29, 2012 3:39 PM (in response to cheers12)

    I want to let all AD authentications for profile manager to go through the local network and all other traffic such as web and APNS go through the external network

     

    Even though the Ethernet adaptor on the mini works for you right now, it's not supported by Apple for Minis. It's only meant for MacBook Air. It might keep working forever, but it might not... You wouldn't want your server to break because some future software update breaks the second NIC.

     

    More importantly, your proposed setup doesn't make any sense. That's not how you would take advantage of two NICs on a server.

     

    There are a few reasons you would need to take advantage of a second NIC on a server. One would be if you were using your server as the gateway for your LAN. You would need a NIC for your LAN and a NIC for your WAN. Another reason would be something like creating a link aggregate between two NICs, effectively doubling the bandwidth of your LAN client's connection to the server.

  • Miles Fawcett
    Mar 31, 2012 8:52 PM (in response to cheers12)

    If I understand you correctly you want to use the second NIC for a network firewall application with Lion Server. This is a different application than the standard Lion Server admin and it has additional options including detailed network configuration and firewall config.

     

      http://support.apple.com/kb/HT5050

     

    You will configure a different subnet on your trusted / untrusted networks and set up your firewall / NAT, etc. rules accordingly.

  • jachess
    Aug 19, 2012 9:50 PM (in response to cheers12)

    I may be under-analysing this but as @camelot said all you need to do is set up appropriate routes. Assuming the following setup:

     

    eth0 (onboard NIC) IP address 10.0.0.10 mask 255.255.255.0 used for AD connections

    eth1 (USB NIC) IP address 192.168.0.10 mask 255.255.255.0 used for everything else

    AD server IP address 10.1.1.10 mask 255.255.255.0

     

    add a default router to your eth1 NIC of the network router on that segment (192.168.0.1 normally) in Settings->Network

     

    remove any default router on the eth0 NIC in Settings->Network

     

    add a network route using the terminal command line to 10.1.1.0/24 via the eth0 router (10.0.0.1 normally).

     

    route -n add 10.1.1.0/24 10.0.0.1

     

    If you want to make this permanent there are plenty of posts on how to accomplish it.
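An added example, not part of the original post: a longest-prefix-match lookup over the routing table this setup produces, showing that the egress interface depends only on the destination address and what happens to AD traffic if the static route is missing. Interface names and addresses follow the post; 203.0.113.5 is a constructed external host.

```python
import ipaddress

# Routing table resulting from the steps in the post (gateway None = on-link).
ROUTES = [
    ("10.0.0.0/24", None, "eth0"),         # directly connected internal LAN
    ("192.168.0.0/24", None, "eth1"),      # directly connected external segment
    ("10.1.1.0/24", "10.0.0.1", "eth0"),   # route -n add 10.1.1.0/24 10.0.0.1
    ("0.0.0.0/0", "192.168.0.1", "eth1"),  # default router, set on eth1 only
]


def lookup(dst, routes=ROUTES):
    """Return (interface, next_hop) for dst using longest-prefix match."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    _, gateway, iface = best
    # For an on-link route the next hop is the destination itself.
    return iface, gateway or dst


def egress(dst, port, routes=ROUTES):
    """The port is accepted only to show it plays no part in the decision."""
    return lookup(dst, routes)[0]


def without_static_route(routes=ROUTES):
    """Same table with the 10.1.1.0/24 route removed."""
    return [r for r in routes if r[0] != "10.1.1.0/24"]


if __name__ == "__main__":
    for dst in ("10.1.1.10", "10.0.0.25", "203.0.113.5"):
        print(dst, "->", lookup(dst))
    # Without the static route, AD traffic follows the default route
    # out of the external interface.
    print("no static route:", lookup("10.1.1.10", without_static_route()))
```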

     


  • John Lockwood Level 5 (5,075 points)
    Aug 20, 2012 1:51 AM (in response to cheers12)

    Most of the OS X Server services will automatically work on both interfaces. However the priority of which interface is used can be important and in this case you would want to use the built-in 1Gigabit port for the LAN and the USB Ethernet for the internet.

     

    This is done by setting the order they are listed in the Network preference pane. Just drag one to change the order.

     

    With regards to having this Apple USB adaptor work on models other than the MacBook Air. This can be done and even if Apple have omitted the driver (Kext file) on a particular copy of OS X you can download a generic driver that still lets it work.

     

    See http://www.sustworks.com/site/news_usb_ethernet.html

     

    It is also possible now to buy an Apple Thunderbolt to 1Gigabit Ethernet adaptor which is officially supported on all Thunderbolt compatible Macs including the new Mac mini. This will also offer better 100Mbps performance than the USB adaptor.

  • Camelot Level 8 (45,670 points)
    Aug 20, 2012 11:38 AM (in response to John Lockwood)

    This is done by setting the order they are listed in the Network preference pane. Just drag one to change the order.

    That's fine, but it doesn't address the original question, which is how to ensure that specific services run on specific interfaces.

     

    Changing the interface priority really only affects non-local traffic since it defines the gateway addresses to use. It doesn't affect whether a specific service (e.g. directory service) listens/responds to requests on one interface only. In this case, the OP wants specific services to use one interface while other services use a different interface. That can't be done by simple interface ordering.
