You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: jfaughnan
jfaughnan Author
User level: Level 3
886 points

Google OAUTH failure with double NAT configuration

I recently discovered that I could not refresh my Blogger blogs with MarsEdit. In particular the Google OAUTH service failed showing a blank page. After a few days debugging I narrowed the problem down to my Apple AirPort Extreme 802.11ac (SN C86QV7EFFJ1R) with firmware 7.9.1. With NAT enabled (Router DHCP and NAT) Google OAUTH fails. In Bridge mode (connected to xfinity cable modem) OAUTH works.


OAUTH also works if I VPN from my Mac.


Because of the way I discovered this it's possible that the 7.9.1 update broke Google OAUTH for DHCP/NAT mode.


Anyone see anything like this?

Posted on Dec 6, 2019 6:28 PM

Reply
Question marked as Top-ranking reply
User profile for user: Tesserax
Tesserax
User level: Level 10
152,230 points

Posted on Dec 7, 2019 9:28 AM

FYI ... the OAUTH protocol is not specific to Google. Regardless, it appears, from your post, that the MarsEdit app uses the OAUTH protocol over HTTP to authenticate with Blogger that also appears to be hosted on Google servers. To gain access, there are at least six communications that must occur between your Mac and Blogger to be successful. As the others have mentioned, with your Extreme in a "Double NAT" condition with your upstream Xfinity gateway, one of more of these communications is/are not occurring. Only by taking a data capture can you actually verify this. When you connected directly to either the gateway or used a VPN, you in effect, removed the Double NAT condition. As the others have mentioned, reconfiguring the Extreme as a bridge will do the same.

View in context

Similar questions

7 replies
Question marked as Top-ranking reply
User profile for user: Tesserax
Tesserax
User level: Level 10
152,230 points

Dec 7, 2019 9:28 AM in response to jfaughnan

FYI ... the OAUTH protocol is not specific to Google. Regardless, it appears, from your post, that the MarsEdit app uses the OAUTH protocol over HTTP to authenticate with Blogger that also appears to be hosted on Google servers. To gain access, there are at least six communications that must occur between your Mac and Blogger to be successful. As the others have mentioned, with your Extreme in a "Double NAT" condition with your upstream Xfinity gateway, one of more of these communications is/are not occurring. Only by taking a data capture can you actually verify this. When you connected directly to either the gateway or used a VPN, you in effect, removed the Double NAT condition. As the others have mentioned, reconfiguring the Extreme as a bridge will do the same.

Reply
User profile for user: Bob Timmons
Bob Timmons
Community+ 2024
User level: Level 10
168,572 points

Dec 6, 2019 8:48 PM in response to jfaughnan

Because of the way I discovered this it's possible that the 7.9.1 update broke Google OAUTH for DHCP/NAT mode.


Nothing good will happen with a Double NAT condition on a network.


If you are saying that things were working fine before you updated the AirPort to 7.9.1 and broke immediately after you updated to 7.9.1, then there might be some value in looking at the firmware update as a suspect.

Reply
User profile for user: jfaughnan
jfaughnan Author
User level: Level 3
886 points

Dec 7, 2019 7:54 PM in response to Bob Timmons

Sadly, I found out today what double NAT is good for.


It's necessary for the guest network unless the comcast devices has a VLAN capability: https://lucatnt.com/2016/05/enable-guest-network-on-airport-basestations-in-bridge-mode/


Bridge mode let OAUTH work, but it turned off my Guest network -- without warning. I use that network for all my IOT devices -- TV, garage opener, etc.


So now I'm back to Double NAT. I'm going to try reverting to the old firmware using "click the base station in AirPort Utility, then Option-click the firmware version number."

Reply
User profile for user: jfaughnan
jfaughnan Author
User level: Level 3
886 points

Dec 8, 2019 7:49 AM in response to jfaughnan

... and I switched back to firmware 7.7.9 (elegant interface) and .... it's still broken!


So, by long process of elimination, I'm leaning toward Google having changed something that broke compatibility with AirPort Extreme DHCP (Double NAT). I need the guest network so my solution for now is to run in Double NAT and use my VPN (TunnelBear) when I need to authenticate with Google. Fortunately that's not often. I'll test periodically to see if things change.

Reply

Google OAUTH failure with double NAT configuration

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up