33 Replies Latest reply: Mar 28, 2012 7:26 AM by AnrDaemon
Yggdrasill Level 1 (0 points)

Hi *,

For months now, I've been using a Mac Pro with Mac OS X Server Snow Leopard as the default gateway for my "Apple" subnet.

With the Lion release, I upgraded my Mac.

First of all, I was really disappointed to see the migration totally screwed up my configuration. During the install, the Installer told me migration failed or was skipped.

Indeed, after the first boot, all my server settings were gone. Hum.

So I did a reinstall and configured everything from scratch.

I followed the Apple documentation for Lion Server, but with this Mac OS release I'm unable to configure DHCP or NAT with my network settings.

Every time I start Internet Sharing, NAT or simply IP forwarding, the server changes its IP settings for the internal interface and uses a 192.168.2.x/24 address.

My whole subnet is in How can I fix it and force OS X Server to use _my_ IP settings and not the default ones?

Is there a way to get "advanced" configuration instead of "3-click-and-make-it-run"?

I can see in the Preferences panel that all my IP settings are fine, but an ifconfig in the CLI only returns an IP in the wrong range and there is no connectivity with my real network.

The problem is the same for DHCP.

I configure the DHCP service with my subnets and declare my ranges, ... exactly as I did in Snow Leopard (where it was working perfectly).
But, from time to time, the configuration is erased (even if I don't use the Gateway Setup Assistant).
I often see a new range added in the subnet, which keeps coming back even if I remove it.

Even with all references to this range removed and the service restarted, the server continues granting leases in the And nothing for the subnets I declared.

This server is also the DHCP server for Time Capsule clients. Indeed, my TC is bridged on the network and there is no DHCP running except on the Server.

I also tried to let the Gateway Setup Assistant do its work and afterwards edit the settings by hand via Server Admin; same problem.

The Server doesn't care about my settings and NAT/DNS/DHCP don't work.

A little quick drawing to make things more obvious:

--- Internet ---- Firewall ---- DMZ ---- Mac Pro ---- Apple_Lan --- TimeCapsule

Mac Pro en0 :

Mac Pro en1 :

Does anybody have anything in mind to help me? Any tracks? Feedback?

Mac Pro, Mac OS X (10.7), Mac OS X 10.7 Server
  • Yggdrasill Level 1 (0 points)

    Seriously? No one was able to make NAT and DHCP run with a custom IP range instead of ?

    Do I really need to reinstall SL, as many users seem to do?

  • jmelaragni Level 1 (5 points)

    I have/had the same problem. Comparable setup running Lion Server GM. The natd service fires off the InternetSharing service from the prefpane instead of the regular natd service. This is verifiable by entries in the system log as well as the lack of the natd process running. Below are my findings from research/experimentation; please understand that this is what I have done to get it working, it is DEFINITELY not best practices and I'm sure not supported by Apple. I'm just conveying what I think is happening and how I dealt with it.

    Natd - Executing the binary referenced in the launchctl job directly launches the InternetSharing service on Lion Server. This does NOT act this way in SL Server, where it works as expected. Replacing the Lion binaries with the SL ones results in natd working as expected: nat_start and nat_stop in /usr/libexec. In short, if you replace the Lion binaries with the ones from SL, it's a drop-in fix. Natd isn't your only problem though...

    Dns/named - It appears that Apple has limited named to binding on the loopback adapter only by default on Lion. Adding a listen-on clause to named.conf with the appropriate bindings will fix this. I'm assuming you're running natd, named and dhcpd on the same box...

    Dhcpd - Works fine. It appears broken only because the InternetSharing service is replacing natd (why?!?) and it has a built-in dhcpd server (dumbed-down subnet). Once you fix natd, this runs as expected.

    Firewall/ipfw - Gotta have this running so that natd will do translation. Remember to open the DHCP ports to allow the clients to get leases...

    I hope this helps, I'm sticking with SL until these issues are worked out...
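An added example of the listen-on fix from the post above (not jmelaragni's own configuration): a small shell helper that prints a BIND `options` stanza binding named to loopback plus the internal interface only, and also restricts queries and recursion to the internal subnet, so a server sitting between a DMZ and a LAN does not become an open resolver on its outside-facing address. The addresses 10.0.0.1 and 10.0.0.0/24, the function names and the optional `named-checkconf` validation step are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Emits a BIND "options" stanza that makes
# named listen on loopback and the internal interface only, and limits
# queries/recursion to the internal subnet. Assumed (constructed) values:
# internal IP 10.0.0.1, internal subnet 10.0.0.0/24; replace with your own.
set -eu

# Print the options stanza for the given internal address and subnet.
named_options() {
    internal_ip="$1"     # address of the LAN-facing interface (e.g. en1)
    internal_net="$2"    # subnet allowed to query and recurse through named
    cat <<EOF
options {
    // Bind only where clients live: loopback and the internal interface.
    listen-on { 127.0.0.1; ${internal_ip}; };
    listen-on-v6 { ::1; };
    // Answer queries and recurse only for the internal subnet, so the
    // DMZ-facing side never gets an open resolver.
    allow-query { 127.0.0.1; ${internal_net}; };
    allow-recursion { 127.0.0.1; ${internal_net}; };
};
EOF
}

# Write the stanza to a temp file and validate it with named-checkconf when
# that tool is installed; returns non-zero if the syntax check fails.
check_stanza() {
    tmp=$(mktemp)
    named_options "$1" "$2" > "$tmp"
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$tmp"
    fi
    rm -f "$tmp"
}

# Usage: sh named-listen.sh --print > /tmp/options.conf, then merge the
# stanza into the options block of the existing named.conf.
if [ "${1:-}" = "--print" ]; then
    named_options 10.0.0.1 10.0.0.0/24
fi
```

After merging the stanza and restarting named, confirm the bindings with `netstat -an | grep '\.53 '` (or `lsof -nP -iUDP:53`): the only listeners should be 127.0.0.1 and the internal address.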

  • Yggdrasill Level 1 (0 points)

    I think you're right when you say the DHCP problem is linked to the NAT one.

    Indeed, DHCP adds by itself the IP range natd ;-)
    I'll first test your trick for the NAT and then, if it works, go further with DHCP.

    By the way, thanks for the feedback!

  • jmelaragni Level 1 (5 points)

    Also, you can get around replacing the binaries by launching natd directly from the console and adding the divert rule into ipfw. The problem is it's not permanent, and if you access the firewall service in SA you'll overwrite your divert rule...

    You'll want the file from /etc/nat on your SL box. Then do the following as root:

    ipfw add 00010 divert natd ip from any to any via (ext int name here)

    /usr/sbin/natd -config /path/to/SL/

    The rule number MUST be 00010. The ext int name can be found using ifconfig...

  • basilmir Level 1 (75 points)

    Same problem here... it seems NAT has reached a new low in Lion...

  • dankind Level 1 (0 points)

    Are there any solutions to this as of yet? I need to have the Internet Sharing network assigned to another IP range other than Why would they do this in Lion?! Where can I find a copy of SL's NAT, as I don't have another SL machine handy...

  • Moo Media Inc Level 1 (0 points)

    I have found that if you use the Server Admin Tools version 10.7 you can enable and edit NAT, Firewall, and DHCP settings just like you would on SL Server. Hope this helps. You can get the Server Admin Tools 10.7 from the Apple support downloads.

  • Brettermeier Level 1 (25 points)

    Here is what I have done to solve the problem:

    The is hard coded into the file /etc/libexec/InternetSharing. You can edit the file with a standard editor. Search for and change the address to the IP that your Ethernet device (en0) uses. You have to change the IP at 2 different places in the file.

  • ivanberton Level 1 (0 points)

    OK, this resolves the IP problem, but I'm not able to get port forwarding working. Every port I NAT to an IP, for example port 81, doesn't work.

    How can I solve the port forwarding problem?

  • ronbeltek Level 1 (0 points)

    I have been struggling with getting port forwarding to work under Lion (not Server) for my media Mac to an AVR connected by wire.

    Getting the AVR to see the internet was no problem, just configuring the net interfaces (internal must be until Apple fixes that bug) and turning on InternetSharing.

    But port forwarding for the AVR's control port was not working after trying all sorts of things.

    I realized that InternetSharing sets rules in PF once it starts, under the anchors that are predefined in /etc/pf.anchors/ (BTW, InternetSharing also enables pf).

    If you probe with pfctl after starting InternetSharing, you can see the rules and new anchors that it created.

    One of the anchors was 'natpmp'.

    I used this command to set my rules and it worked!

    pfctl -a -f 910.onkyo

    (obviously the rules are in 910.onkyo; man pf.conf for rule syntax)

    So, I did not set my own anchor (which didn't work). It only worked when I associated my rules with that anchor.

    This has to be done after InternetSharing is started, of course.
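The port-forwarding step described in the post above, written out as an added example (not ronbeltek's own rules file): a shell helper that builds one pf `rdr` rule for a single TCP port to a single internal host, writes it to a rules file, loads that file under the anchor InternetSharing created, and then lists the anchor's NAT rules so you can confirm the redirect is really installed. The external interface en0, internal host 192.168.2.10, port 910 and the anchor name `natpmp` (taken from the post's mention of that anchor; confirm it with `pfctl -s Anchors`) are assumptions, as are the function names.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a pf redirect (port-forwarding)
# rule for one port, loads it into the anchor InternetSharing created, and
# shows what pf installed. Assumed (constructed) values: external interface
# en0, internal host 192.168.2.10, forwarded TCP port 910, anchor "natpmp".
set -eu

EXT_IF="${EXT_IF:-en0}"        # assumption: Internet-facing interface
ANCHOR="${ANCHOR:-natpmp}"     # assumption: anchor seen with `pfctl -s Anchors`

# One rdr rule: forward EXT_PORT arriving on the external interface to
# INT_IP:INT_PORT. Keep it to the single port and host that need it; a
# blanket redirect of all ports would expose the whole internal host.
rdr_rule() {
    proto="$1"; ext_port="$2"; int_ip="$3"; int_port="$4"
    printf 'rdr pass on %s inet proto %s from any to (%s) port %s -> %s port %s\n' \
        "$EXT_IF" "$proto" "$EXT_IF" "$ext_port" "$int_ip" "$int_port"
}

# Write the rules file that pfctl -f will read (one rule for the example).
write_rules() {
    rules_file="$1"
    rdr_rule tcp 910 192.168.2.10 910 > "$rules_file"
}

# Load the file under the anchor and list the anchor's NAT rules. Only
# meaningful after InternetSharing has started, since it rewrites the
# anchors on start; must run as root. Outside macOS the commands are echoed.
load_rules() {
    anchor="$1"; rules_file="$2"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -a "$anchor" -f "$rules_file"
        pfctl -a "$anchor" -s nat
    else
        echo "pfctl not available; would run: pfctl -a $anchor -f $rules_file"
    fi
}

# Usage: sudo sh pf-forward.sh --apply   (after InternetSharing is on)
if [ "${1:-}" = "--apply" ]; then
    write_rules /tmp/910.rules
    load_rules "$ANCHOR" /tmp/910.rules
fi
```

Because InternetSharing reloads its anchors each time it starts, re-run the load step after every restart; `pfctl -a natpmp -s nat` is the quick check that the redirect survived.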

  • oducrot Level 1 (0 points)

    It's probably because of scopedroute.

    Edit /etc/sysctl.conf (cp the default if necessary) and add:




    And reboot the server.

  • oducrot Level 1 (0 points)

    Yes, but changes are not reliable.

    Stop or restart DHCP and you will notice the config changes.

  • oducrot Level 1 (0 points)

    If you make changes to the ipfilter rules using the serveradmin CLI, they will stay even after SA GUI changes.

  • arcusak Level 1 (5 points)

    Same issue.

    I was using a 172.16.x.x network in 10.6 ... once transferred and upgraded to 10.7... NAT will not start.

    Does anyone have a working suggestion that doesn't involve using 10.6 binaries or completely redoing everything from scratch to work in the stupid 192.168.x.x address space? I'd rather continue using 10.6 than do that.

    It is just getting a bit annoying not being able to run 10.7 Server, as the 10.6 Software Update Server won't host 10.7 updates and I am getting more and more 10.7 machines...
