9 Replies Latest reply: Dec 11, 2009 5:07 AM by UKenGB
UKenGB Level 2 (270 points)
Finally attempting to set up an XServe with Snow Leopard Server as the gateway, but noticed a small problem that may just be me missing something.

I want to set up NAT and Firewall service and THEN connect that ethernet port (en0) to the broadband line to my ISP. IOW, I want to get it set up and functioning BEFORE opening up the network to the Internet. Almost the only setting in the NAT service in Server Admin is to pick the External network interface, but it only lists Ethernet 2 (i.e. en1). This is presumably because en0 is disconnected, but this precludes any possibility of setting up firewall etc unless already connected (and vulnerable) which seems totally daft to me.

I'm thinking of just connecting to a simple ethernet switch just so en0 can be enabled and NAT configured, but since it all seems so elementarily stupid I'm wondering if I'm missing something here. IS there a way to get the desired port listed in NAT configuration without having to go to these lengths?

  • Paul Kleeberg Level 1 (40 points)
    It is my understanding that only a handful of ports are allowed until you configure the firewall. I read somewhere that only port 22 and a few other critical ports for Server Admin are open by default. So that means you would be safe to have your server connected as you set it up as a router.

    I set mine up as a router and discovered blocked ports before I configured the firewall. That is how I discovered this. I will also say I did not have it connected to my LAN at the time.

    Paul
  • Leif Carlsson Level 5 (4,950 points)
    If you don't have a static public IP you will have trouble with your setup.

    Even worse if your ISP connection is via PPPoE (but NAT interface settings are easily "hackable").

    If "above" is true you would be better off using a broadband NAT router/firewall in between server and Internet.

    You can force an interface up temporarily: sudo ifconfig en0 <IP> up

    Don't know if it will show up correctly though.
  • UKenGB Level 2 (270 points)
    For various reasons I have decided to NOT use OSX Server for routing duties. But I am interested in your comment:

    Leif Carlsson wrote:
    Even worse if your ISP connection is via PPPoE (but NAT interface settings are easily "hackable").

    How easy is it to hack through NAT? I've never actually heard of it being done and it is the ONLY form of protection when using an AirPort BaseStation as the router. Is this a problem?
  • Marshall Merritt Level 1 (75 points)
    Can you suggest a good broadband NAT router/firewall? You have helped me before and I don't mean to hijack this thread, but since it has the same information I need I figured I would add on to it. I have FTTH and have to use PPPoE to get my static IP. Obviously my Airport Extreme won't work as a pass-through for my PPPoE connection to my Mac mini server with Snow Leopard. This is the first time I've ever had to experience PPPoE as I normally have straight fiber without a login. So any help would be appreciated. The MMS is going to be running mail services, DNS, websites, digital content, etc., so what is the ideal setup? I have an ethernet port to the house that uses PPPoE and I need a pass-through of the "login handshake" so my DNS server can use my static IP. Hope that makes sense. This is the only reason I would use the MMS as a NAT instead of the Airport Extreme, since it can't be used as a pass-through; rather it assigns an internal IP to my MMS, which then screws up my DNS settings for my static IP to my house.

    Right now I have my PPPoE going to my MMS, NAT set up on my MMS, my Airport Extreme is in bridge mode, then I manually changed the natd.plist config file to use ppp0 instead of en0 as the interface and it works great; however, whenever I try to access my MMS via its domain name it's painfully slow for all internal network computers but not for anyone else. Any & all help is appreciated.
  • UKenGB Level 2 (270 points)
    From how I understand what you say about your setup, it doesn't sound good. Since your Internet feed is PPPoE, you could use the AirPort as the router (but no Firewall), but you say that screws up your DNS. Which DNS, the one you're running on the MMS or an external one that handles your static IP address?

    Mind you, if the Internet feed is PPPoE you could run that straight to the MMS with Apple's ethernet-USB adapter. OSX Server then routes to the real ethernet port via NAT and Firewall etc. Everything else just sits on that internal network. There are arguments as to why this is not ideal, but if the server's load is light and the Firewall is well configured it should be OK.
  • Marshall Merritt Level 1 (75 points)
    It screws up the DNS running on my MMS. I have it behind my Airport Extreme right now and the website and DNS it is hosting are not accessible. As soon as I put it outside the router, set up the NAT and manually change the natd.plist file to use the ppp0 interface instead of en0, it works. Meaning the website is now accessible to the outside world, the DNS server works, the internal network has access to the outside world, everything is great except for 2 things. The first is that the domain being hosted is painfully slow, but only for the internal network, not anyone else. The second is that because I had to manually configure the natd.plist file, any future updates may break this "hack" and it is therefore not a good implementation for clients. I am trying this setup out before deploying it for my clients and so far it's not looking like it's a solid option.

    I have a USB Ethernet adapter for the MMS so it has 2 ports. The thing about PPPoE on Server is this: once you set it up you can actually disable the built-in ethernet (en0) and it will work fine, because you are no longer using en0 but rather ppp0, and my USB Ethernet (en1) will serve the DHCP & NAT just fine. Does that make sense?
  • UKenGB Level 2 (270 points)
    No, not really :-(

    I am not clear about what you are trying to achieve here. Are you trying to host a publicly accessible domain, running DNS for that domain and also a webserver within that domain? Thing is, if you are trying to run DNS in that way it is somewhat different to simply wanting a website that is accessible from the Internet. Don't worry about DHCP as that's obviously just for internal use :-)

    As far as I can understand you, you want the website to be available from the 'Net, but what are you trying to do with DNS? Surely you're not running DNS for that domain? I would expect the domain hosting company is actually running DNS for the domain.
  • Marshall Merritt Level 1 (75 points)
    I am running the DNS for that domain as well. I run a small website/webhosting company now that uses XServes & XServe RAIDs, but this is my pet project to host my iPhone apps at my house and another personal domain. I could for now just have my domain registrar host my DNS and then use the NAT pass-through to my server, but I was looking at this for clients that I have that will want to run a similar setup, and it was the PPPoE that was throwing me off. I have never had to use PPPoE before now and I'm quite shocked you have to use it with FTTH & a static IP address.
  • UKenGB Level 2 (270 points)
    I think I personally wouldn't try and run my own DNS, but I don't think that really makes any difference to your problems. I'm surprised you had to manually modify the NAT settings to make it use the PPPoE interface. I was under the impression that with Apple's USB/ethernet adapter, you plug it in and it appears as another ethernet interface which you select for NAT. Then set up the PPP login details for that interface. But I've never actually done it myself so maybe what you've done is correct.

    However, it seems to me that what you're trying to do is not unusual. Your host (MMS) is visible to the internal network and the 'Net and routes between the 2, but you need to make DNS and HTTP visible to both sides. At the moment trying to access these services internally I think the packets are having to go out onto the 'Net and then back to your public static IP address. I think this is a common problem in these setups, until you make some setup changes on the server so it responds to those services locally and externally.

    As you can tell, I'm not 100% sure about what actually needs to be done, however :-( IIRC you tell BIND from where it can respond to queries and it may be you just need to add another interface into the DNS configuration. By default I bet it's only set up to listen on one of them. I think Apache has the same sort of configuration options in this regard.

    Have you looked into these?
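The arrangement UKenGB is describing, as an added example rather than anything posted in this thread: a BIND named.conf that listens on every interface and uses two views, so LAN clients resolve the server's own hostnames to its private address (no trip out through ppp0 and back in through NAT) while Internet clients get the public address. The LAN range 192.168.1.0/24, the public address 203.0.113.10, the zone example.com and the zone file names are constructed placeholders.

```conf
// named.conf (constructed example): split-horizon DNS for a server that
// is both the LAN gateway (en1 side) and a public host (ppp0 side).
options {
    directory "/var/named";
    // Listen on all addresses so named answers on en1 and on ppp0,
    // which only gets its address after the PPPoE session comes up.
    listen-on { any; };
    allow-query { any; };
    // Recursive lookups for the LAN only; the public side gets
    // authoritative answers for our own zones and nothing more,
    // so the box is not an open resolver.
    allow-recursion { 127.0.0.1; 192.168.1.0/24; };
};

acl "lan" { 127.0.0.1; 192.168.1.0/24; };

// LAN clients: www.example.com resolves to the server's private address,
// so internal HTTP traffic never hairpins through NAT.
view "internal" {
    match-clients { lan; };
    recursion yes;
    zone "example.com" {
        type master;
        file "example.com.internal.zone";   // contains: www A 192.168.1.1
    };
};

// Everyone else: www.example.com resolves to the static public address.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "example.com.external.zone";   // contains: www A 203.0.113.10
    };
};
```

Once any view is declared, BIND 9 requires every zone (including the localhost and root-hints zones) to live inside a view, so move any existing top-level zone statements into the appropriate view before reloading.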