Jul 25, 2011 2:22 PM (in response to Yggdrasill)
I have/had the same problem. Comparable setup running Lion Server GM. The natd service fires off the InternetSharing service from the prefs pane instead of the regular natd service. This is verifiable by entries in the system log as well as the lack of the natd process running. Below are my findings from research/experimentation; please understand that this is what I have done to get it working, it is DEFINITELY not best practices and I'm sure not supported by Apple. I'm just conveying what I think is happening and how I dealt with it.
Natd - Executing the binary referenced in the launchctl job directly launches the InternetSharing service on Lion server. This does NOT act this way in SL server, where it works as expected. Replacing the Lion binaries with the SL ones results in natd working as expected: nat_start and nat_stop in /usr/libexec. In short, if you replace the Lion binaries with the ones from SL, it's a drop-in fix. Natd isn't your only problem though...
Dns/named - It appears that Apple has limited named to binding on the loopback adapter only by default on Lion. Adding a listen-on clause to named.conf with the appropriate bindings will fix this. I'm assuming you're running natd, named and dhcpd on the same box...
Dhcpd - Works fine. It appears broken only because the InternetSharing service is replacing natd (why?!?) and it has a built-in dhcpd server (dumbed down 192.168.2.0 subnet). Once you fix natd, this runs as expected.
Firewall/ipfw - Gotta have this running so that natd will do translation. Remember to open the dhcp ports to allow the clients to get leases...
I hope this helps, I'm sticking with SL until these issues are worked out...
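As an added example (not from the post above), a named.conf options fragment with the listen-on clause described, assuming the internal interface en0 carries 192.168.2.1 and the sharing subnet is 192.168.2.0/24:

```conf
// named.conf options fragment (added example, not from the post).
// Assumes the internal interface (en0) has 192.168.2.1 and the
// sharing subnet is 192.168.2.0/24.
options {
    // Lion ships named bound to loopback only; add the LAN address so
    // DHCP clients can use this box as their resolver. Do NOT add the
    // address of the Internet-facing interface, which would turn the
    // box into an open resolver.
    listen-on    { 127.0.0.1; 192.168.2.1; };
    listen-on-v6 { none; };

    // Answer and recurse only for loopback and the sharing subnet.
    allow-query     { 127.0.0.1; 192.168.2.0/24; };
    allow-recursion { 127.0.0.1; 192.168.2.0/24; };
};
```

Validate with named-checkconf before reloading, then confirm the bindings with lsof -i :53.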
Jul 25, 2011 2:29 PM (in response to jmelaragni)
I think you're right when you say the DHCP problem is linked to the NAT one.
Indeed, DHCP adds by itself the IP range used... by natd ;-)
I'll first test your trick for the NAT and then, if it works, go further with DHCP.
By the way, thanks for the feedback!
Jul 25, 2011 2:41 PM (in response to Yggdrasill)
Also, you can get around replacing the binaries by launching natd directly from the console and adding the divert rule into ipfw. The problem is it's not permanent, and if you access the firewall service in SA you'll overwrite your divert rule...
You'll want the natd.conf.apple file from /etc/nat on your SL box. Then do the following as root:
ipfw add 00010 divert natd ip from any to any via (ext int name here)
/usr/sbin/natd -config /path/to/SL/natd.conf.apple
The rule number MUST be 00010. Ext int name can be found using ifconfig...
Aug 11, 2011 7:33 AM (in response to Yggdrasill)
Are there any solutions to this as of yet? I need to have the internet sharing network assigned to another IP range other than 192.168.2.xxx... Why would they do this in Lion?! Where can I find a copy of SL's NAT as I don't have another SL machine handy...
Aug 16, 2011 9:28 PM (in response to Yggdrasill)
I have found that if you use the Server Admin Tools version 10.7 you can enable and edit NAT, Firewall, and DHCP settings just like you would on SL server. Hope this helps. You can get the Server Admin Tools 10.7 from the Apple support downloads.
Aug 24, 2011 3:55 AM (in response to Yggdrasill)
Here is what I have done to solve the problem:
The 192.168.2.1 is hard coded into the file /etc/libexec/InternetSharing. You can edit the file with a standard editor. Search for 192.168.2.1 and change the address to the IP that your ethernet device (en0) uses. You have to change the IP at 2 different places in the file.
Oct 30, 2011 7:28 PM (in response to ivanberton)
I have been struggling with getting port forwarding to work under Lion (not server) for my media Mac to an AVR connected by wire.
Getting the AVR to see the internet was no problem, just configuring the net interfaces (internal must be 192.168.2.0 until Apple fixes that bug) and turning on InternetSharing.
But port forwarding for the AVR's control port was not working after trying all sorts of things.
I realized that InternetSharing sets rules to PF once it starts, under the anchors that are predefined in /etc/pf.anchors/com.apple. (BTW, InternetSharing also enables pf.)
If you probe with pfctl after starting InternetSharing, you can see the rules and new anchors that it created.
One of the anchors was 'natpmp'.
I used this command to set my rules and it worked!
pfctl -a com.apple/100.InternetSharing/natpmp -f 910.onkyo
(obviously rules are in 910.onkyo. man pf.conf for rule syntax)
So, I did not set my own anchor (which didn't work). It only worked when I associated my rules with that anchor.
This has to be done after InternetSharing is started, of course.
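As an added example (not the poster's own 910.onkyo file), a rules file for the anchor named above, loaded after Internet Sharing is running with the pfctl command the post gives. It assumes en1 faces the upstream network, the AVR is 192.168.2.20 on the sharing subnet, and 50000 is a constructed placeholder for its control port:

```conf
# Added example, not from the post: rules for the natpmp anchor, loaded with
#   pfctl -a com.apple/100.InternetSharing/natpmp -f /etc/pf.anchors/910.onkyo
# Assumptions: en1 is the upstream interface, the AVR is 192.168.2.20 on the
# 192.168.2.0/24 sharing subnet, and 50000 is a constructed placeholder for
# the AVR's control port (substitute the port from the device's manual).
ext_if   = "en1"
avr      = "192.168.2.20"
avr_port = "50000"
# Narrow this to the hosts that should reach the AVR; "any" admits everything
# that can reach $ext_if.
allowed_src = "any"

# Redirect only the one control port, TCP only, to the AVR. "rdr pass" also
# passes the redirected traffic and creates the state entry for it.
rdr pass on $ext_if inet proto tcp from $allowed_src to ($ext_if) port $avr_port -> $avr port $avr_port

# Loading with -f replaces whatever the anchor currently holds, so any
# NAT-PMP mappings Internet Sharing placed there are dropped at load time.
# Verify afterwards with:
#   pfctl -a com.apple/100.InternetSharing/natpmp -sn
#   pfctl -a com.apple/100.InternetSharing/natpmp -sr
```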
Dec 14, 2011 9:31 PM (in response to Yggdrasill)
I was using a 172.16.x.x network in 10.6 ... once transferred and upgraded to 10.7... NAT will not start.
Does anyone have a working suggestion that doesn't involve using 10.6 binaries or completely redoing everything from scratch to work in stupid 192.168.x.x address space? I'd rather continue using 10.6 than do that.
It is just getting a bit annoying not being able to run 10.7 Server, as 10.6 Software Update Server won't host 10.7 updates and I am getting more and more 10.7 machines...